Public/New-FMTFlexVnetRole.ps1

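function New-FMTFlexVnetRole {
    <#
    .SYNOPSIS
    Creates the custom Azure role definition that grants Silk Flex network permissions in an existing VNET.

    .DESCRIPTION
    Builds a PSRoleDefinition holding the Microsoft.Network actions listed in the body,
    sets its assignable scope to the subscription of the current Az context, and submits
    it with New-AzRoleDefinition.

    .PARAMETER name
    Display name of the custom role. Defaults to "flex-vnet-contributor".

    .PARAMETER description
    Description stored on the role definition.

    .OUTPUTS
    Whatever New-AzRoleDefinition returns for the created role.

    .NOTES
    The role is assignable anywhere in the subscription and includes write/delete on
    virtual networks, subnets, network security groups and network interfaces.
    NOTE(review): if the deployment only needs one resource group, a narrower
    assignable scope would reduce what a holder of this role can modify - confirm
    against the product's requirements before changing it.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [parameter()]
        [string] $name = "flex-vnet-contributor",
        [parameter()]
        [string] $description = 'Needed permissions for Silk Flex to operate inside an existing VNET'

    )

    # Fail early with a clear message instead of submitting a role whose scope is
    # the malformed string "/subscriptions/" when nobody is signed in.
    $azcontext = Get-AzContext
    $subscriptionId = $null
    if ($azcontext -and $azcontext.Subscription) {
        # Read the Id explicitly rather than relying on the subscription object's string conversion.
        $subscriptionId = $azcontext.Subscription.Id
    }
    if ([string]::IsNullOrEmpty($subscriptionId)) {
        throw "No Azure subscription found in the current context. Run Connect-AzAccount / Set-AzContext first."
    }

    # A plain array avoids ArrayList.Add(), whose integer return value was being
    # written to the pipeline ahead of the role definition.
    $scope = @("/subscriptions/" + $subscriptionId)

    $rolescope = New-Object Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition

    # An earlier revision of this list also granted Microsoft.Network/loadBalancers/*
    # and virtualNetworks/joinLoadBalancer/action; those were removed as no longer required.
    # NOTE(review): subnets/joinLoadBalancer/action is still granted below - confirm it is
    # still needed now that the other load balancer actions are gone.
    $actions = @(
        "Microsoft.Network/virtualNetworks/read"
        "Microsoft.Network/virtualNetworks/write"
        "Microsoft.Network/virtualNetworks/join/action"
        "Microsoft.Network/virtualNetworks/peer/action"
        "Microsoft.Network/virtualNetworks/subnets/read"
        "Microsoft.Network/virtualNetworks/subnets/write"
        "Microsoft.Network/virtualNetworks/subnets/delete"
        "Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action"
        "Microsoft.Network/virtualNetworks/subnets/join/action"
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
        "Microsoft.Network/networkSecurityGroups/read"
        "Microsoft.Network/networkSecurityGroups/write"
        "Microsoft.Network/networkSecurityGroups/delete"
        "Microsoft.Network/networkSecurityGroups/join/action"
        "Microsoft.Network/networkInterfaces/read"
        "Microsoft.Network/networkInterfaces/write"
        "Microsoft.Network/networkInterfaces/join/action"
        "Microsoft.Network/networkInterfaces/delete"
        "Microsoft.Network/networkInterfaces/effectiveRouteTable/action"
        "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
    )

    $rolescope.Name = $name
    $rolescope.IsCustom = $true
    $rolescope.Description = $description
    $rolescope.Actions = $actions
    $rolescope.AssignableScopes = $scope

    # Write-Verbose takes a string message; render the object as text so the
    # name, actions and scope being submitted are visible with -Verbose.
    Write-Verbose ($rolescope | Format-List | Out-String)

    # Creating a role definition changes subscription RBAC, so honor -WhatIf / -Confirm.
    if ($PSCmdlet.ShouldProcess($scope[0], "Create custom role definition '$name'")) {
        New-AzRoleDefinition -Role $rolescope
    }
}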