Updates to example for deployifnotexists-policy-with-initiative-and-a…

…ssignment (#1953)

* add role assignment for policy assignment identity

* fix incorrect parameter reference

* bicep formatting

* improve readme explanation of modules/usage

* Update test baselines

Co-authored-by: Bicep Automation <[email protected]>

docs/examples/301/deployifnotexists-policy-with-initiative-and-assignment/README.md

@@ -1,14 +1,46 @@
 # DeployIfNotExists Policy with Initiative and Assignment
 
-Resources Deployed:
-* 1x Resource Group
-* 1x Action Group
-* 1x Policy Definition with DeployIfNotExists effect for a Metric Alert v2 (Load Balancer - DipAvailability)
-* 1x Policy Initiative (policyset)
-* 1x Policy Assignment
+### Deployment Summary
+Resources Deployed | Bicep File
+:----------|:-----
+1x Resource Group | main.bicep
+1x Action Group | actionGroup.bicep
+1x Policy Definition with DeployIfNotExists effect for a Metric Alert v2 (Load Balancer - DipAvailability) | policyDefinition.bicep
+1x Policy Initiative (policyset) | policyDefinition.bicep
+1x Policy Assignment + 1x Role Assignment | policyAssignment.bicep
+------------------------
+
+### Input Summary
+Parameter | Type | Default Value
+:----------|:-----|:--------
+resourceGroupName | string | 'BicepExampleRG'
+resourceGrouplocation | string |'australiaeast'
+actionGroupName | string |'BicepExampleAG'
+actionGroupEnabled | bool |true
+actionGroupShortName | string |'bicepag'
+actionGroupEmailName | string |'jloudon'
+actionGroupEmail | string |'[email protected]'
+actionGroupAlertSchema | bool | true
+metricAlertResourceNamespace | string | 'Microsoft.Network/loadBalancers'
+metricAlertName | string | 'DipAvailability'
+metricAlertDimension1 | string | 'ProtocolType'
+metricAlertDimension2 | string | 'FrontendIPAddress'
+metricAlertDimension3 | string | 'BackendIPAddress'
+metricAlertDescription | string | 'Average Load Balancer health probe status per time duration'
+metricAlertSeverity | string | '2'
+metricAlertEnabled | string | 'true'
+metricAlertEvaluationFrequency | string | 'PT15M'
+metricAlertWindowSize | string |'PT1H'
+metricAlertSensitivity | string | 'Medium'
+metricAlertOperator | string | 'LessThan'
+metricAlertTimeAggregation | string | 'Average'
+metricAlertCriterionType | string | 'DynamicThresholdCriterion'
+metricAlertAutoMitigate | string | 'true'
+assignmentEnforcementMode | string | 'Default'
+-----------------------------
 
 Authored & Tested with:
-* azure-cli version 2.20.0
+* [azure-cli](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) version 2.20.0
 * bicep cli version 0.3.1 (d0f5c9b164)
 * bicep 0.3.1 vscode extension
 
@@ -17,4 +49,5 @@ Example Deployment steps
 az login
 az bicep build -f ./main.bicep
 az deployment sub create -f ./main.bicep -l australiaeast
+az policy state trigger-scan
 ```

docs/examples/301/deployifnotexists-policy-with-initiative-and-assignment/main.json

@@ -437,7 +437,7 @@
                                 "location": "global",
                                 "properties": {
                                   "description": "[parameters('metricAlertDescription')]",
-                                  "severity": "[parameters('metricAlertResourceNamespace')]",
+                                  "severity": "[parameters('metricAlertSeverity')]",
                                   "enabled": "[parameters('metricAlertEnabled')]",
                                   "scopes": [
                                     "[[parameters('resourceId')]"
@@ -623,6 +623,18 @@
                   }
                 ]
               }
+            },
+            {
+              "type": "Microsoft.Authorization/roleAssignments",
+              "apiVersion": "2020-04-01-preview",
+              "name": "[guid('bicepExampleAssignment', 'Microsoft.Authorization/policyAssignments', subscription().subscriptionId)]",
+              "properties": {
+                "principalId": "[reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', 'bicepExampleAssignment'), '2020-09-01', 'full').identity.principalId]",
+                "roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+              },
+              "dependsOn": [
+                "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', 'bicepExampleAssignment')]"
+              ]
             }
           ]
         }
@@ -636,7 +648,7 @@
     "_generator": {
       "name": "bicep",
       "version": "dev",
-      "templateHash": "4580082864238332171"
+      "templateHash": "16787100480694204241"
     }
   }
 }

docs/examples/301/deployifnotexists-policy-with-initiative-and-assignment/policyAssignment.bicep

@@ -28,3 +28,11 @@ resource bicepExampleAssignment 'Microsoft.Authorization/policyAssignments@2020-
     ]
   }
 }
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+  name: guid(bicepExampleAssignment.name, bicepExampleAssignment.type, subscription().subscriptionId)
+  properties: {
+    principalId: bicepExampleAssignment.identity.principalId
+    roleDefinitionId: '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' // contributor RBAC role for deployIfNotExists effect
+  }
+}

docs/examples/301/deployifnotexists-policy-with-initiative-and-assignment/policyAssignment.json

@@ -37,13 +37,25 @@
           }
         ]
       }
+    },
+    {
+      "type": "Microsoft.Authorization/roleAssignments",
+      "apiVersion": "2020-04-01-preview",
+      "name": "[guid('bicepExampleAssignment', 'Microsoft.Authorization/policyAssignments', subscription().subscriptionId)]",
+      "properties": {
+        "principalId": "[reference(subscriptionResourceId('Microsoft.Authorization/policyAssignments', 'bicepExampleAssignment'), '2020-09-01', 'full').identity.principalId]",
+        "roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+      },
+      "dependsOn": [
+        "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', 'bicepExampleAssignment')]"
+      ]
     }
   ],
   "metadata": {
     "_generator": {
       "name": "bicep",
       "version": "dev",
-      "templateHash": "7970689130777253340"
+      "templateHash": "10551989971160582139"
     }
   }
 }

docs/examples/301/deployifnotexists-policy-with-initiative-and-assignment/policyDefinition.bicep

@@ -136,7 +136,7 @@ resource bicepExampleDINEpolicy 'Microsoft.Authorization/policyDefinitions@2020-
                     location: 'global'
                     properties: {
                       description: metricAlertDescription
-                      severity: metricAlertResourceNamespace
+                      severity: metricAlertSeverity
                       enabled: metricAlertEnabled
                       scopes: [
                         '[parameters(\'resourceId\')]'

docs/examples/301/deployifnotexists-policy-with-initiative-and-assignment/policyDefinition.json

@@ -173,7 +173,7 @@
                         "location": "global",
                         "properties": {
                           "description": "[parameters('metricAlertDescription')]",
-                          "severity": "[parameters('metricAlertResourceNamespace')]",
+                          "severity": "[parameters('metricAlertSeverity')]",
                           "enabled": "[parameters('metricAlertEnabled')]",
                           "scopes": [
                             "[[parameters('resourceId')]"
@@ -297,7 +297,7 @@
     "_generator": {
       "name": "bicep",
       "version": "dev",
-      "templateHash": "16786590810543776581"
+      "templateHash": "17787732071681606443"
     }
   }
 }