I have a module that assigns the Azure Service Bus Sender role to the managed identity for an app service. I need to set the scope to the actual instance of the service bus, but it's not in the same resource group as the app service.
Here is my bicep:
param principalId string
param roleDefinitionID string
param serviceBusName string

resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusName
}

resource azureServiceBusDataRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: roleDefinitionID
}

resource AzureServiceBusRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, roleDefinitionID)
  scope: serviceBus
  properties: {
    principalId: principalId
    roleDefinitionId: azureServiceBusDataRoleDefinition.id
    principalType: 'ServicePrincipal'
  }
}
The deployment is running against the resource group that holds the app service, so it can't find the service bus. Therefore, I call the above bicep as a module and set the scope to be the resource group containing the service bus.
module azureServiceBusSenderPremissions './azureServiceBus-roleassignment.bicep' = if (useAzureServiceBus) {
  name: '${deployment().name}-bbb-${appServiceName}'
  scope: resourceGroup(serviceBusResourceGroup)
  params: {
    principalId: appServicesResource.identity.principalId
    roleDefinitionID: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
    serviceBusName: serviceBusName
  }
}
This doesn't work. It still tries to find the service bus under the wrong resource group. I get this error:
The Resource 'Microsoft.ServiceBus/namespaces/providers' under resource group 'appservice-resourceGroup' was not found.
Your code looks good for assigning the Azure Service Bus Sender role to the managed identity for an app service that exists in another resource group.
Try the steps below to resolve the conflict and deploy it successfully:
As pointed out by @Thomas, check that the service bus resource group parameter accurately matches where the service bus resource exists.
Also try adding the dependsOn block under the module configuration to avoid these kinds of conflicts, as shown below.
Also provide a resource group name parameter separately in the module bicep code so that the service bus is looked up where it is located, without any misunderstanding.
After modifying it with the slight changes above, the deployment worked fine as expected.
module.bicep:
// Parameters referenced below (declared so the file compiles on its own)
param appServiceName string
param serviceBusName string
param useAzureServiceBus bool = true
// Resource group that contains the Service Bus namespace
param serviceBusResourceGroup string = 'caronew'

resource appServicesResource 'Microsoft.Web/sites@2024-04-01' existing = {
  name: appServiceName
}

// The module is deployed into the Service Bus resource group, not the app service one
module azureServiceBusSenderPremissions 'appser.bicep' = if (useAzureServiceBus) {
  name: '${deployment().name}-bbb-${appServiceName}'
  scope: resourceGroup(serviceBusResourceGroup)
  params: {
    principalId: appServicesResource.identity.principalId
    roleDefinitionID: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
    serviceBusName: serviceBusName
  }
  dependsOn: [
    appServicesResource
  ]
}

appser.bicep:
param principalId string
param roleDefinitionID string = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
param serviceBusName string = 'servicebusA'

resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusName
}

resource azureServiceBusDataRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: roleDefinitionID
}

resource AzureServiceBusRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, roleDefinitionID)
  scope: serviceBus
  properties: {
    principalId: principalId
    roleDefinitionId: azureServiceBusDataRoleDefinition.id
    principalType: 'ServicePrincipal'
  }
}
Deployment succeeded.
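
An added example (not code from the question or the answer): a variant of the role-assignment module that seeds the assignment's GUID name with the namespace's resource ID, so the same identity and role can be granted on more than one namespace without a name clash, and that returns the scope it granted on so the caller can confirm the role landed on the intended Service Bus. The file name `servicebus-sender-role.bicep`, the parameter names and the optional subscription argument in the commented caller are assumptions; the role definition ID is the one used on this page.

```bicep
// servicebus-sender-role.bicep (hypothetical file name)
// Must be deployed at the resource group that CONTAINS the namespace.
targetScope = 'resourceGroup'

@description('Object ID of the app service managed identity')
param principalId string

@description('Existing Service Bus namespace in the target resource group')
param serviceBusName string

@description('Built-in role definition ID (value taken from this page)')
param roleDefinitionId string = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'

resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusName
}

resource senderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Seed the GUID with the namespace ID, not the subscription ID, so the
  // name differs for every (scope, principal, role) combination.
  name: guid(serviceBus.id, principalId, roleDefinitionId)
  scope: serviceBus // narrowest scope needed: this one namespace only
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalType: 'ServicePrincipal'
  }
}

// Full resource ID the role was granted on; surface it in the parent
// deployment to verify it points at the Service Bus resource group.
output assignedScope string = serviceBus.id

/* Caller, in the template deployed to the app service resource group
   (parameter names are assumptions):

module senderRole './servicebus-sender-role.bicep' = {
  name: 'sb-sender-${uniqueString(appService.id)}'
  // Two-argument form also covers a namespace in another subscription.
  scope: resourceGroup(serviceBusSubscriptionId, serviceBusResourceGroup)
  params: {
    principalId: appService.identity.principalId
    serviceBusName: serviceBusName
  }
}
output grantedOn string = senderRole.outputs.assignedScope
*/
```

If `grantedOn` in the deployment outputs names the app service resource group, the module was evaluated at the wrong scope and the assignment should be treated as not applied.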