
Philipp Bauknecht GrillPhil

# Serialize the role definition to single-line JSON (-Depth 100 raises the
# serialization depth limit) and backslash-escape every double quote so the
# quotes are not lost when PowerShell hands the string to the native az command.
# NOTE(review): whether this escaping is required depends on the PowerShell
# version and the $PSNativeCommandArgumentPassing setting; where arguments are
# passed through verbatim, the added backslashes would reach az literally and
# the JSON would no longer parse. Writing the JSON to a file and passing its
# path to --role-definition sidesteps the quoting question. Confirm on the
# agent or shell this runs in.
$customRoleDefinitionJson = ($customRoleDefinition | ConvertTo-Json -Depth 100 -Compress).Replace('"', '\"')

# Create the custom RBAC role from the escaped JSON. The role's Actions and
# AssignableScopes come entirely from $customRoleDefinition, so review both
# for least privilege before running this.
az role definition create --role-definition $customRoleDefinitionJson
{
"IsCustom": true,
"Name": "test-dev-custom-role",
"Actions": [
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read"
],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-myapp-dev"
]
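# Scope and naming inputs for the custom role (sample values).
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroupName = "rg-myapp-dev"
$project = "myapp"
# $env is an ordinary variable here; it is unrelated to the $env: environment drive.
$env = "dev"

# Role name follows <project>-<env>-custom-role. Use $project, the variable
# assigned above: the original read $projectName, which is never assigned in
# this snippet, so the name silently became "-dev-custom-role".
$customRoleDefinitionName = "$($project)-$($env)-custom-role"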
$customRoleDefinition = @{
Name = $customRoleDefinitionName
IsCustom = $true
AssignableScopes = @(
"/subscriptions/$($subscriptionId)/resourceGroups/$($resourceGroupName)"
name: secure-ng-demo
trigger:
branches:
include:
- main
paths:
exclude:
- docs/**/*
- /**/readme.md
{
"routes": [
{
"route": "/*",
"allowedRoles": [
"authenticated"
]
}
],
"navigationFallback": {
# Deploy main.bicep into the platform resource group and parse az's JSON output
# into $deploymentResult. Every input is read from an environment variable
# (presumably pipeline variables; confirm against the pipeline definition).
# NOTE(review): appClientSecret is expanded into az's command line in clear
# text. Command-line arguments can surface in process listings and in debug or
# trace logging, so APP_CLIENT_SECRET should be a masked secret variable, and
# the Bicep parameter receiving it should be declared with @secure() so the
# value is not kept in the deployment record. Confirm in main.bicep.
# NOTE(review): productPrefix is fed from AZ_DEPLOYMENT_NAME while the
# deployment name uses DEPLOYMENT_NAME; verify that pairing is intended.
$deploymentResult = az deployment group create `
--resource-group $($ENV:AZ_PLATFORM_RESOURCE_GROUP_NAME) `
--name $($ENV:DEPLOYMENT_NAME) `
--template-file "$($ENV:STAGE_BICEP_PATH)/main.bicep" `
--parameters `
productPrefix="$($ENV:AZ_DEPLOYMENT_NAME)" `
envName="$($ENV:ENV_NAME)" `
appClientId="$($ENV:APP_CLIENT_ID)" `
appClientSecret="$($ENV:APP_CLIENT_SECRET)" `
| ConvertFrom-Json
// Template inputs. How each value is consumed is not visible in this excerpt.

// Product prefix supplied by the caller (presumably used when naming resources; confirm).
param productPrefix string

// Environment name. @allowed rejects any value other than the three listed,
// so a mistyped environment fails validation instead of deploying.
@allowed([
'dev'
'test'
'prod'
])
param envName string

// Deployment region; defaults to the region of the target resource group.
param location string = resourceGroup().location

// Presumably the client (application) ID of the app registration; confirm. Not a secret.
param appClientId string
@secure()
// Name of the Key Vault that the role assignment refers to; the vault must already exist.
param keyVaultName string

// Principal that receives the role (presumably the object ID of a managed identity
// or service principal; confirm against the caller).
param principalId string

// Role definition GUID to assign. The default is the built-in Key Vault Secrets User
// role, which is a narrower grant than the administrative Key Vault roles.
// NOTE(review): data-plane roles such as this one only take effect when the vault
// uses the Azure RBAC permission model; confirm the vault is not on access policies.
param roleId string = '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User

// Reference to the existing vault; `existing` means this template does not create or modify it.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
name: keyVaultName
}
resource keyVaultAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(subscription().subscriptionId, keyVaultName, roleId, principalId)
// Name of the existing Key Vault that will hold the secret.
param keyVaultName string

// Name under which the secret is stored in the vault.
param name string

// Secret value. @secure() marks the parameter as sensitive so it is not written
// to deployment logs or history; callers should pass it from a secure source
// rather than a literal in a parameter file.
@secure()
param value string
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
name: keyVaultName
resource storageSecret 'secrets' = {
name: name
properties: {