Azure · eriqua · Dec 19, 2022 · Nov 29, 2022 · Nov 29, 2022 · Nov 30, 2022
diff --git a/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep
@@ -0,0 +1,87 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+  'ServicePrincipal'
+  'Group'
+  'User'
+  'ForeignGroup'
+  'Device'
+  ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+  '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+var builtInRoleNames = {
+  'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+  'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
+  'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18ed5180-3e48-46fd-8541-4ea054d57064')
+  'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1ef6a3be-d0ac-425d-8c01-acb62866290b')
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','959f8984-c045-4866-89c7-12bf9737be2e')
+  'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','489581de-a3bd-480d-9518-53dea7416b33')
+  'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','40c5ff49-9181-41f8-ae61-143b0e78555e')
+  'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+  'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','76283e04-6283-4c54-8f91-bcf1374a3c64')
+  'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
+  'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','60fc6e62-5479-42d4-8bf4-67625fcc2840')
+  'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b50d9833-a0cb-478e-945f-707fcc997c13')
+  'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','7efff54f-a5b4-42b5-a1c5-5411624893ce')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f7b75c60-3036-4b75-91c3-6b41c27c1689')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+  'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1c0163c0-47e6-4577-8991-ea5c82e286e4')
+  'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
+  'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','fb879df8-f326-4884-b1cf-06f3ad86be52')
+  'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','d24ecba3-c1f4-40fa-a7bb-4588a071e8fd')
+  'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a6333a3e-0164-44c3-b281-7a577aff287f')
+}
+
+resource galleryImage 'Microsoft.Compute/galleries/images@2021-10-01' existing = {
+  name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+  name: guid(galleryImage.id, principalId, roleDefinitionIdOrName)
+  properties: {
+    description: description
+    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+    principalId: principalId
+    principalType: !empty(principalType) ? any(principalType) : null
+    condition: !empty(condition) ? condition : null
+    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+  }
+  scope: galleryImage
+}]
diff --git a/modules/Microsoft.Compute/galleries/application/deploy.bicep b/modules/Microsoft.Compute/galleries/application/deploy.bicep
@@ -0,0 +1,100 @@
+@description('Required. Name of the application definition.')
+param name string
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Conditional. The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment.')
+@minLength(1)
+param galleryName string
+
+@description('Optional. The description of this gallery Application Definition resource. This property is updatable.')
+param applicationDefinitionDescription string = ''
+
+@description('Optional. The Eula agreement for the gallery Application Definition. Has to be a valid URL.')
+param eula string = ''
+
+@description('Optional. The privacy statement uri. Has to be a valid URL.')
+param privacyStatementUri string = ''
+
+@description('Optional. The release note uri. Has to be a valid URL.')
+param releaseNoteUri string = ''
+
+@description('Optional. This property allows you to specify the supported type of the OS that application is built for.')
+@allowed([
+  'Windows'
+  'Linux'
+])
+param supportedOSType string = 'Windows'
+
+@description('Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z.')
+param endOfLife string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Tags for all resources.')
+param tags object = {}
+
+@description('Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application.')
+param customActions object = {}
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource gallery 'Microsoft.Compute/galleries@2022-03-03' existing = {
+  name: galleryName
+}
+
+resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = {
+  name: name
+  parent: gallery
+  location: location
+  tags: tags
+  properties: {
+    customActions: !empty(customActions) ? [ customActions ] : null
+    description: applicationDefinitionDescription
+    endOfLifeDate: endOfLife
+    eula: eula
+    privacyStatementUri: privacyStatementUri
+    releaseNoteUri: releaseNoteUri
+    supportedOSType: supportedOSType
+  }
+}
+
+module galleryApplication_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+  name: '${deployment().name}-Rbac-${index}'
+  params: {
+    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+    principalIds: roleAssignment.principalIds
+    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+    resourceId: application.id
+  }
+}]
+
+@description('The resource group the image was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The resource ID of the image.')
+output resourceId string = application.id
+
+@description('The name of the image.')
+output name string = application.name
+
+@description('The location the resource was deployed into.')
+output location string = application.location