From b8eb1d808599d0495a4394f19fb6b6e148c80ed3 Mon Sep 17 00:00:00 2001
From: Henrik Jess Nielsen
Date: Tue, 19 May 2026 14:27:00 +0200
Subject: [PATCH] feat(bicep): add all 682 Azure roles from rbaclookup module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replaces hardcoded 38 roles with complete list extracted from bicep/lookup/rbaclookup:2.x module.
Changes:
- Add scripts/extract_roles_from_rbaclookup.py to parse rbacLookup.bicep
- Generate ilsp/bicep_lsp/azure_roles.json with 682 role names
- Load roles dynamically in modules.py from JSON file
- Now supports ALL Azure built-in roles for autocomplete
Benefits:
- Complete Azure RBAC coverage (682 vs 38 roles)
- Easy to update when new roles are added to rbaclookup module
- Cleaner code (no giant hardcoded list in modules.py)
Usage to update roles:
python3 scripts/extract_roles_from_rbaclookup.py /path/to/rbacLookup.bicep
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 ilsp/bicep_lsp/azure_roles.json | 684 +++++++++++++++++++++++
 ilsp/bicep_lsp/modules.py | 81 +-
 scripts/extract_roles_from_rbaclookup.py | 70 +++
 3 files changed, 766 insertions(+), 69 deletions(-)
 create mode 100644 ilsp/bicep_lsp/azure_roles.json
 create mode 100755 scripts/extract_roles_from_rbaclookup.py
diff --git a/ilsp/bicep_lsp/azure_roles.json b/ilsp/bicep_lsp/azure_roles.json
new file mode 100644
index 0000000..34673d6
--- /dev/null
+++ b/ilsp/bicep_lsp/azure_roles.json
@@ -0,0 +1,684 @@ +[ + "ACCESS_REVIEW_OPERATOR_SERVICE_ROLE", + "ACRDELETE", + "ACRIMAGESIGNER", + "ACRPULL", + "ACRPUSH", + "ACRQUARANTINEREADER", + "ACRQUARANTINEWRITER", + "ADVISOR_RECOMMENDATIONS_CONTRIBUTOR_ASSESSMENTS_AND_REVIEWS", + "ADVISOR_REVIEWS_CONTRIBUTOR", + "ADVISOR_REVIEWS_READER", + "AGENTLESS_SCANNING_FOR_SERVERLESS_SCANNER_SERVICE_ROLE", + "AGFOOD_PLATFORM_DATASET_ADMIN", + "AGFOOD_PLATFORM_SENSOR_PARTNER_CONTRIBUTOR", + "AGFOOD_PLATFORM_SERVICE_ADMIN", + "AGFOOD_PLATFORM_SERVICE_CONTRIBUTOR", + "AGFOOD_PLATFORM_SERVICE_READER", + "ANYBUILD_BUILDER", + "API_MANAGEMENT_DEVELOPER_PORTAL_CONTENT_EDITOR", + "API_MANAGEMENT_SERVICE_CONTRIBUTOR", + "API_MANAGEMENT_SERVICE_OPERATOR_ROLE", + "API_MANAGEMENT_SERVICE_READER_ROLE", + "API_MANAGEMENT_SERVICE_WORKSPACE_API_DEVELOPER", + "API_MANAGEMENT_SERVICE_WORKSPACE_API_PRODUCT_MANAGER", + "API_MANAGEMENT_WORKSPACE_API_DEVELOPER", + "API_MANAGEMENT_WORKSPACE_API_PRODUCT_MANAGER", + "API_MANAGEMENT_WORKSPACE_CONTRIBUTOR", + "API_MANAGEMENT_WORKSPACE_READER", + "APPGW_FOR_CONTAINERS_CONFIGURATION_MANAGER", + "APPLICATION_GROUP_CONTRIBUTOR", + "APPLICATION_INSIGHTS_COMPONENT_CONTRIBUTOR", + "APPLICATION_INSIGHTS_SNAPSHOT_DEBUGGER", + "APP_COMPLIANCE_AUTOMATION_ADMINISTRATOR", + "APP_COMPLIANCE_AUTOMATION_READER", + "APP_CONFIGURATION_CONTRIBUTOR", + "APP_CONFIGURATION_DATA_OWNER", + "APP_CONFIGURATION_DATA_READER", + "APP_CONFIGURATION_DATA_SAS_USER", + "APP_CONFIGURATION_READER", + "APP_SERVICE_ENVIRONMENT_CONTRIBUTOR", + "ARC_GATEWAY_MANAGER", + "ATTESTATION_CONTRIBUTOR", + "ATTESTATION_READER", + "AUTOMATION_CONTRIBUTOR", + "AUTOMATION_JOB_OPERATOR", + "AUTOMATION_OPERATOR", + "AUTOMATION_RUNBOOK_OPERATOR", + "AUTONOMOUS_DEVELOPMENT_PLATFORM_DATA_CONTRIBUTOR_PREVIEW", + "AUTONOMOUS_DEVELOPMENT_PLATFORM_DATA_OWNER_PREVIEW", + "AUTONOMOUS_DEVELOPMENT_PLATFORM_DATA_READER_PREVIEW", + "AUTO_ACTIONS_CONTRIBUTOR", + "AVERE_CONTRIBUTOR", + "AVERE_OPERATOR", + "AVS_ON_FLEET_VIS_ROLE", + "AVS_ORCHESTRATOR_ROLE", + 
"AZUREML_COMPUTE_OPERATOR", + "AZUREML_DATA_SCIENTIST", + "AZUREML_METRICS_WRITER_PREVIEW", + "AZUREML_REGISTRY_USER", + "AZURE_AI_ACCOUNT_OWNER", + "AZURE_AI_ADMINISTRATOR", + "AZURE_AI_DEVELOPER", + "AZURE_AI_ENTERPRISE_NETWORK_CONNECTION_APPROVER", + "AZURE_AI_INFERENCE_DEPLOYMENT_OPERATOR", + "AZURE_AI_PROJECT_MANAGER", + "AZURE_AI_SAFETY_EVALUATOR", + "AZURE_AI_USER", + "AZURE_API_CENTER_COMPLIANCE_MANAGER", + "AZURE_API_CENTER_CREDENTIAL_ACCESS_READER", + "AZURE_API_CENTER_DATA_READER", + "AZURE_API_CENTER_SERVICE_CONTRIBUTOR", + "AZURE_API_CENTER_SERVICE_READER", + "AZURE_ARC_ENABLED_KUBERNETES_CLUSTER_USER_ROLE", + "AZURE_ARC_KUBERNETES_ADMIN", + "AZURE_ARC_KUBERNETES_CLUSTER_ADMIN", + "AZURE_ARC_KUBERNETES_VIEWER", + "AZURE_ARC_KUBERNETES_WRITER", + "AZURE_ARC_SCVMM_ADMINISTRATOR_ROLE", + "AZURE_ARC_SCVMM_PRIVATE_CLOUDS_ONBOARDING", + "AZURE_ARC_SCVMM_PRIVATE_CLOUD_USER", + "AZURE_ARC_SCVMM_VM_CONTRIBUTOR", + "AZURE_ARC_VMWARE_ADMINISTRATOR_ROLE", + "AZURE_ARC_VMWARE_PRIVATE_CLOUDS_ONBOARDING", + "AZURE_ARC_VMWARE_PRIVATE_CLOUD_USER", + "AZURE_ARC_VMWARE_VM_CONTRIBUTOR", + "AZURE_AUTOMANAGE_CONTRIBUTOR", + "AZURE_BACKUP_SNAPSHOT_CONTRIBUTOR", + "AZURE_BATCH_ACCOUNT_CONTRIBUTOR", + "AZURE_BATCH_ACCOUNT_READER", + "AZURE_BATCH_DATA_CONTRIBUTOR", + "AZURE_BATCH_JOB_SUBMITTER", + "AZURE_BATCH_SERVICE_ORCHESTRATION_ROLE", + "AZURE_BOT_SERVICE_CONTRIBUTOR_ROLE", + "AZURE_CENTER_FOR_SAP_SOLUTIONS_ADMINISTRATOR", + "AZURE_CENTER_FOR_SAP_SOLUTIONS_MANAGEMENT_ROLE", + "AZURE_CENTER_FOR_SAP_SOLUTIONS_READER", + "AZURE_CENTER_FOR_SAP_SOLUTIONS_SERVICE_ROLE", + "AZURE_CENTER_FOR_SAP_SOLUTIONS_SERVICE_ROLE_FOR_MANAGEMENT", + "AZURE_CONNECTED_MACHINE_ONBOARDING", + "AZURE_CONNECTED_MACHINE_RESOURCE_ADMINISTRATOR", + "AZURE_CONNECTED_MACHINE_RESOURCE_MANAGER", + "AZURE_CONNECTED_SQL_SERVER_ONBOARDING", + "AZURE_CONTAINERAPPS_SESSION_EXECUTOR", + "AZURE_CONTAINER_INSTANCES_CONTRIBUTOR_ROLE", + "AZURE_CONTAINER_REGISTRY_SECURE_SUPPLY_CHAIN_OPERATOR_SERVICE_ROLE", + 
"AZURE_CONTAINER_STORAGE_CONTRIBUTOR", + "AZURE_CONTAINER_STORAGE_OPERATOR", + "AZURE_CONTAINER_STORAGE_OWNER", + "AZURE_CUSTOMER_LOCKBOX_APPROVER_FOR_SUBSCRIPTION", + "AZURE_DEPLOYMENT_STACK_CONTRIBUTOR", + "AZURE_DEPLOYMENT_STACK_OWNER", + "AZURE_DEVICE_ONBOARDING_DISCOVERY_CONTRIBUTOR", + "AZURE_DEVICE_UPDATE_AGENT", + "AZURE_DIGITAL_TWINS_DATA_OWNER", + "AZURE_DIGITAL_TWINS_DATA_READER", + "AZURE_EDGE_HARDWARE_CENTER_ADMINISTRATOR", + "AZURE_EDGE_ON_SITE_DEPLOYMENT_ENGINEER", + "AZURE_EVENT_HUBS_DATA_OWNER", + "AZURE_EVENT_HUBS_DATA_RECEIVER", + "AZURE_EVENT_HUBS_DATA_SENDER", + "AZURE_EXTENSION_FOR_SQL_SERVER_DEPLOYMENT", + "AZURE_FILE_SYNC_ADMINISTRATOR", + "AZURE_FILE_SYNC_READER", + "AZURE_FRONT_DOOR_DOMAIN_CONTRIBUTOR", + "AZURE_FRONT_DOOR_DOMAIN_READER", + "AZURE_FRONT_DOOR_PROFILE_READER", + "AZURE_FRONT_DOOR_SECRET_CONTRIBUTOR", + "AZURE_FRONT_DOOR_SECRET_READER", + "AZURE_HYBRID_DATABASE_ADMINISTRATOR_READ_ONLY_SERVICE_ROLE", + "AZURE_IMPACT_INSIGHT_READER", + "AZURE_KUBERNETES_FLEET_MANAGER_CONTRIBUTOR_ROLE", + "AZURE_KUBERNETES_FLEET_MANAGER_HUB_AGENT_ROLE", + "AZURE_KUBERNETES_FLEET_MANAGER_RBAC_ADMIN", + "AZURE_KUBERNETES_FLEET_MANAGER_RBAC_CLUSTER_ADMIN", + "AZURE_KUBERNETES_FLEET_MANAGER_RBAC_CLUSTER_READER", + "AZURE_KUBERNETES_FLEET_MANAGER_RBAC_CLUSTER_WRITER", + "AZURE_KUBERNETES_FLEET_MANAGER_RBAC_READER", + "AZURE_KUBERNETES_FLEET_MANAGER_RBAC_WRITER", + "AZURE_KUBERNETES_SERVICE_AGENT_POOL_MANAGER_ROLE", + "AZURE_KUBERNETES_SERVICE_ARC_CLUSTER_ADMIN_ROLE", + "AZURE_KUBERNETES_SERVICE_ARC_CLUSTER_USER_ROLE", + "AZURE_KUBERNETES_SERVICE_ARC_CONTRIBUTOR_ROLE", + "AZURE_KUBERNETES_SERVICE_CLUSTER_ADMIN_ROLE", + "AZURE_KUBERNETES_SERVICE_CLUSTER_MONITORING_USER", + "AZURE_KUBERNETES_SERVICE_CLUSTER_USER_ROLE", + "AZURE_KUBERNETES_SERVICE_CONTRIBUTOR_ROLE", + "AZURE_KUBERNETES_SERVICE_HYBRID_CLUSTER_ADMIN_ROLE", + "AZURE_KUBERNETES_SERVICE_HYBRID_CLUSTER_USER_ROLE", + "AZURE_KUBERNETES_SERVICE_HYBRID_CONTRIBUTOR_ROLE", + 
"AZURE_KUBERNETES_SERVICE_POLICY_ADD_ON_DEPLOYMENT", + "AZURE_KUBERNETES_SERVICE_RBAC_ADMIN", + "AZURE_KUBERNETES_SERVICE_RBAC_CLUSTER_ADMIN", + "AZURE_KUBERNETES_SERVICE_RBAC_READER", + "AZURE_KUBERNETES_SERVICE_RBAC_WRITER", + "AZURE_MACHINE_LEARNING_WORKSPACE_CONNECTION_SECRETS_READER", + "AZURE_MANAGED_GRAFANA_WORKSPACE_CONTRIBUTOR", + "AZURE_MAPS_CONTRIBUTOR", + "AZURE_MAPS_DATA_CONTRIBUTOR", + "AZURE_MAPS_DATA_READER", + "AZURE_MAPS_DATA_READ_AND_BATCH_ROLE", + "AZURE_MAPS_SEARCH_AND_RENDER_DATA_READER", + "AZURE_MESSAGING_CATALOG_DATA_OWNER", + "AZURE_MESSAGING_CONNECTORS_OWNER", + "AZURE_MONITOR_DASHBOARDS_WITH_GRAFANA_CONTRIBUTOR", + "AZURE_PROGRAMMABLE_CONNECTIVITY_GATEWAY_DATAPLANE_USER", + "AZURE_PROGRAMMABLE_CONNECTIVITY_GATEWAY_USER", + "AZURE_RED_HAT_OPENSHIFT_CLOUD_CONTROLLER_MANAGER", + "AZURE_RED_HAT_OPENSHIFT_CLUSTER_INGRESS_OPERATOR", + "AZURE_RED_HAT_OPENSHIFT_DISK_STORAGE_OPERATOR", + "AZURE_RED_HAT_OPENSHIFT_FEDERATED_CREDENTIAL", + "AZURE_RED_HAT_OPENSHIFT_FILE_STORAGE_OPERATOR", + "AZURE_RED_HAT_OPENSHIFT_HOSTED_CONTROL_PLANES_CLUSTER_API_PROVIDER", + "AZURE_RED_HAT_OPENSHIFT_HOSTED_CONTROL_PLANES_CONTROL_PLANE_OPERATOR", + "AZURE_RED_HAT_OPENSHIFT_HOSTED_CONTROL_PLANES_SERVICE_MANAGED_IDENTITY", + "AZURE_RED_HAT_OPENSHIFT_IMAGE_REGISTRY_OPERATOR", + "AZURE_RED_HAT_OPENSHIFT_MACHINE_API_OPERATOR", + "AZURE_RED_HAT_OPENSHIFT_NETWORK_OPERATOR", + "AZURE_RED_HAT_OPENSHIFT_SERVICE_OPERATOR", + "AZURE_RELAY_LISTENER", + "AZURE_RELAY_OWNER", + "AZURE_RELAY_SENDER", + "AZURE_RESOURCE_BRIDGE_DEPLOYMENT_ROLE", + "AZURE_RESOURCE_NOTIFICATIONS_SYSTEM_TOPICS_SUBSCRIBER", + "AZURE_SERVICE_BUS_DATA_OWNER", + "AZURE_SERVICE_BUS_DATA_RECEIVER", + "AZURE_SERVICE_BUS_DATA_SENDER", + "AZURE_SPHERE_CONTRIBUTOR", + "AZURE_SPHERE_OWNER", + "AZURE_SPHERE_PUBLISHER", + "AZURE_SPHERE_READER", + "AZURE_SPRING_APPS_APPLICATION_CONFIGURATION_SERVICE_CONFIG_FILE_PATTERN_READER_ROLE", + "AZURE_SPRING_APPS_APPLICATION_CONFIGURATION_SERVICE_LOG_READER_ROLE", + 
"AZURE_SPRING_APPS_CONNECT_ROLE", + "AZURE_SPRING_APPS_JOB_EXECUTION_INSTANCE_LIST_ROLE", + "AZURE_SPRING_APPS_JOB_LOG_READER_ROLE", + "AZURE_SPRING_APPS_MANAGED_COMPONENTS_LOG_READER_ROLE", + "AZURE_SPRING_APPS_REMOTE_DEBUGGING_ROLE", + "AZURE_SPRING_APPS_SPRING_CLOUD_CONFIG_SERVER_LOG_READER_ROLE", + "AZURE_SPRING_APPS_SPRING_CLOUD_GATEWAY_LOG_READER_ROLE", + "AZURE_SPRING_CLOUD_CONFIG_SERVER_CONTRIBUTOR", + "AZURE_SPRING_CLOUD_CONFIG_SERVER_READER", + "AZURE_SPRING_CLOUD_DATA_READER", + "AZURE_SPRING_CLOUD_SERVICE_REGISTRY_CONTRIBUTOR", + "AZURE_SPRING_CLOUD_SERVICE_REGISTRY_READER", + "AZURE_STACK_HCI_ADMINISTRATOR", + "AZURE_STACK_HCI_CONNECTED_INFRAVMS", + "AZURE_STACK_HCI_DEVICE_MANAGEMENT_ROLE", + "AZURE_STACK_HCI_EDGE_MACHINE_CONTRIBUTOR_ROLE", + "AZURE_STACK_HCI_VM_CONTRIBUTOR", + "AZURE_STACK_HCI_VM_READER", + "AZURE_STACK_REGISTRATION_OWNER", + "AZURE_USAGE_BILLING_DATA_SENDER", + "AZURE_VM_MANAGED_IDENTITIES_RESTORE_CONTRIBUTOR", + "BACKUP_CONTRIBUTOR", + "BACKUP_MUA_ADMIN", + "BACKUP_MUA_OPERATOR", + "BACKUP_OPERATOR", + "BACKUP_READER", + "BAYER_AG_POWERED_SERVICES_CROP_ID_SOLUTION_USER_ROLE", + "BAYER_AG_POWERED_SERVICES_CWUM_SOLUTION", + "BAYER_AG_POWERED_SERVICES_FIELD_IMAGERY_SOLUTION_SERVICE_ROLE", + "BAYER_AG_POWERED_SERVICES_GDU_SOLUTION", + "BAYER_AG_POWERED_SERVICES_HISTORICAL_WEATHER_DATA_SOLUTION_USER_ROLE", + "BAYER_AG_POWERED_SERVICES_IMAGERY_SOLUTION", + "BAYER_AG_POWERED_SERVICES_SMART_BOUNDARY_SOLUTION_USER_ROLE", + "BILLING_READER", + "BIZTALK_CONTRIBUTOR", + "BLOCKCHAIN_MEMBER_NODE_ACCESS_PREVIEW", + "BLUEPRINT_CONTRIBUTOR", + "BLUEPRINT_OPERATOR", + "CARBON_OPTIMIZATION_READER", + "CDN_ENDPOINT_CONTRIBUTOR", + "CDN_ENDPOINT_READER", + "CDN_PROFILE_CONTRIBUTOR", + "CDN_PROFILE_READER", + "CHAOS_STUDIO_EXPERIMENT_CONTRIBUTOR", + "CHAOS_STUDIO_OPERATOR", + "CHAOS_STUDIO_READER", + "CHAOS_STUDIO_TARGET_CONTRIBUTOR", + "CLASSIC_NETWORK_CONTRIBUTOR", + "CLASSIC_STORAGE_ACCOUNT_CONTRIBUTOR", + 
"CLASSIC_STORAGE_ACCOUNT_KEY_OPERATOR_SERVICE_ROLE", + "CLASSIC_VIRTUAL_MACHINE_CONTRIBUTOR", + "CLEARDB_MYSQL_DB_CONTRIBUTOR", + "CLOUDTEST_CONTRIBUTOR_ROLE", + "COGNITIVE_SEARCH_SERVERLESS_DATA_CONTRIBUTOR_DEPRECATED", + "COGNITIVE_SEARCH_SERVERLESS_DATA_READER_DEPRECATED", + "COGNITIVE_SERVICES_CONTRIBUTOR", + "COGNITIVE_SERVICES_CUSTOM_VISION_CONTRIBUTOR", + "COGNITIVE_SERVICES_CUSTOM_VISION_DEPLOYMENT", + "COGNITIVE_SERVICES_CUSTOM_VISION_LABELER", + "COGNITIVE_SERVICES_CUSTOM_VISION_READER", + "COGNITIVE_SERVICES_CUSTOM_VISION_TRAINER", + "COGNITIVE_SERVICES_DATA_CONTRIBUTOR_PREVIEW", + "COGNITIVE_SERVICES_DATA_READER", + "COGNITIVE_SERVICES_FACE_CONTRIBUTOR", + "COGNITIVE_SERVICES_FACE_RECOGNIZER", + "COGNITIVE_SERVICES_IMMERSIVE_READER_USER", + "COGNITIVE_SERVICES_LANGUAGE_OWNER", + "COGNITIVE_SERVICES_LANGUAGE_READER", + "COGNITIVE_SERVICES_LANGUAGE_WRITER", + "COGNITIVE_SERVICES_LUIS_OWNER", + "COGNITIVE_SERVICES_LUIS_READER", + "COGNITIVE_SERVICES_LUIS_WRITER", + "COGNITIVE_SERVICES_METRICS_ADVISOR_ADMINISTRATOR", + "COGNITIVE_SERVICES_METRICS_ADVISOR_USER", + "COGNITIVE_SERVICES_OPENAI_CONTRIBUTOR", + "COGNITIVE_SERVICES_OPENAI_USER", + "COGNITIVE_SERVICES_QNA_MAKER_EDITOR", + "COGNITIVE_SERVICES_QNA_MAKER_READER", + "COGNITIVE_SERVICES_SPEECH_CONTRIBUTOR", + "COGNITIVE_SERVICES_SPEECH_USER", + "COGNITIVE_SERVICES_USAGES_READER", + "COGNITIVE_SERVICES_USER", + "COLLABORATIVE_DATA_CONTRIBUTOR", + "COLLABORATIVE_RUNTIME_OPERATOR", + "COMMUNICATION_AND_EMAIL_SERVICE_OWNER", + "COMMUNITY_CONTRIBUTOR_ROLE", + "COMMUNITY_OWNER_ROLE", + "COMMUNITY_READER_ROLE", + "COMPUTE_DIAGNOSTICS_ROLE", + "COMPUTE_FLEET_CONTRIBUTOR", + "COMPUTE_GALLERY_ARTIFACTS_PUBLISHER", + "COMPUTE_GALLERY_IMAGE_READER", + "COMPUTE_GALLERY_SHARING_ADMIN", + "COMPUTE_RECOMMENDATIONS_ROLE", + "CONNECTED_CLUSTER_MANAGED_IDENTITY_CHECKACCESS_READER", + "CONNECTOR_READER", + "CONTAINERAPP_READER", + "CONTAINER_APPS_CONNECTEDENVIRONMENTS_CONTRIBUTOR", + 
"CONTAINER_APPS_CONNECTEDENVIRONMENTS_READER", + "CONTAINER_APPS_CONTRIBUTOR", + "CONTAINER_APPS_JOBS_CONTRIBUTOR", + "CONTAINER_APPS_JOBS_OPERATOR", + "CONTAINER_APPS_JOBS_READER", + "CONTAINER_APPS_MANAGEDENVIRONMENTS_CONTRIBUTOR", + "CONTAINER_APPS_MANAGEDENVIRONMENTS_READER", + "CONTAINER_APPS_OPERATOR", + "CONTAINER_APPS_SESSIONPOOLS_CONTRIBUTOR", + "CONTAINER_APPS_SESSIONPOOLS_READER", + "CONTAINER_INSTANCES_CONTRIBUTOR", + "CONTAINER_REGISTRY_CACHE_RULE_ADMINISTRATOR", + "CONTAINER_REGISTRY_CACHE_RULE_READER", + "CONTAINER_REGISTRY_CONFIGURATION_READER_AND_DATA_ACCESS_CONFIGURATION_READER", + "CONTAINER_REGISTRY_CONTRIBUTOR_AND_DATA_ACCESS_CONFIGURATION_ADMINISTRATOR", + "CONTAINER_REGISTRY_CREDENTIAL_SET_ADMINISTRATOR", + "CONTAINER_REGISTRY_CREDENTIAL_SET_READER", + "CONTAINER_REGISTRY_DATA_IMPORTER_AND_DATA_READER", + "CONTAINER_REGISTRY_REPOSITORY_CATALOG_LISTER", + "CONTAINER_REGISTRY_REPOSITORY_CONTRIBUTOR", + "CONTAINER_REGISTRY_REPOSITORY_READER", + "CONTAINER_REGISTRY_REPOSITORY_WRITER", + "CONTAINER_REGISTRY_TASKS_CONTRIBUTOR", + "CONTAINER_REGISTRY_TRANSFER_PIPELINE_CONTRIBUTOR", + "CONTRIBUTOR", + "COSMOSBACKUPOPERATOR", + "COSMOSRESTOREOPERATOR", + "COSMOS_DB_ACCOUNT_READER_ROLE", + "COSMOS_DB_OPERATOR", + "COST_MANAGEMENT_CONTRIBUTOR", + "COST_MANAGEMENT_READER", + "CROSSCONNECTIONMANAGER", + "CROSSCONNECTIONREADER", + "CUSTOM_AUTOMATION_ROLE_ROOT", + "DATA_BOUNDARY_TENANT_ADMINISTRATOR", + "DATA_BOX_CONTRIBUTOR", + "DATA_BOX_READER", + "DATA_FACTORY_CONTRIBUTOR", + "DATA_LABELING_LABELER", + "DATA_LAKE_ANALYTICS_DEVELOPER", + "DATA_OPERATOR_FOR_MANAGED_DISKS", + "DATA_PURGER", + "DEDICATED_HOST_CONTRIBUTOR_ROLE", + "DEFENDER_CSPM_STORAGE_DATA_SCANNER", + "DEFENDER_CSPM_STORAGE_SCANNER_OPERATOR", + "DEFENDER_FOR_STORAGE_DATA_SCANNER", + "DEFENDER_FOR_STORAGE_SCANNER_OPERATOR", + "DEFENDER_KUBERNETES_AGENT_OPERATOR", + "DEID_BATCH_DATA_OWNER", + "DEID_BATCH_DATA_READER", + "DEID_DATA_OWNER", + "DEID_REALTIME_DATA_USER", + 
"DEPLOYMENT_ENVIRONMENTS_READER", + "DEPLOYMENT_ENVIRONMENTS_USER", + "DESKTOP_VIRTUALIZATION_APPLICATION_GROUP_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_APPLICATION_GROUP_READER", + "DESKTOP_VIRTUALIZATION_APP_ATTACH_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_HOST_POOL_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_HOST_POOL_READER", + "DESKTOP_VIRTUALIZATION_POWER_ON_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_POWER_ON_OFF_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_READER", + "DESKTOP_VIRTUALIZATION_SESSION_HOST_OPERATOR", + "DESKTOP_VIRTUALIZATION_USER", + "DESKTOP_VIRTUALIZATION_USER_SESSION_OPERATOR", + "DESKTOP_VIRTUALIZATION_VIRTUAL_MACHINE_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_WORKSPACE_CONTRIBUTOR", + "DESKTOP_VIRTUALIZATION_WORKSPACE_READER", + "DEVCENTER_DEV_BOX_USER", + "DEVCENTER_PROJECT_ADMIN", + "DEVICE_PROVISIONING_SERVICE_DATA_CONTRIBUTOR", + "DEVICE_PROVISIONING_SERVICE_DATA_READER", + "DEVICE_UPDATE_ADMINISTRATOR", + "DEVICE_UPDATE_CONTENT_ADMINISTRATOR", + "DEVICE_UPDATE_CONTENT_READER", + "DEVICE_UPDATE_DEPLOYMENTS_ADMINISTRATOR", + "DEVICE_UPDATE_DEPLOYMENTS_READER", + "DEVICE_UPDATE_READER", + "DEVTEST_LABS_USER", + "DICOM_DATA_OWNER", + "DICOM_DATA_READER", + "DISK_BACKUP_READER", + "DISK_ENCRYPTION_SET_OPERATOR_FOR_MANAGED_DISKS", + "DISK_POOL_OPERATOR", + "DISK_RESTORE_OPERATOR", + "DISK_SNAPSHOT_CONTRIBUTOR", + "DNS_RESOLVER_CONTRIBUTOR", + "DNS_ZONE_CONTRIBUTOR", + "DOCUMENTDB_ACCOUNT_CONTRIBUTOR", + "DOMAIN_SERVICES_CONTRIBUTOR", + "DOMAIN_SERVICES_READER", + "DURABLE_TASK_DATA_CONTRIBUTOR", + "DURABLE_TASK_DATA_READER", + "DURABLE_TASK_WORKER", + "EDGE_MANAGEMENT_COPILOT_USER", + "ELASTIC_SAN_NETWORK_ADMIN", + "ELASTIC_SAN_OWNER", + "ELASTIC_SAN_READER", + "ELASTIC_SAN_SNAPSHOT_EXPORTER", + "ELASTIC_SAN_VOLUME_GROUP_OWNER", + "ELASTIC_SAN_VOLUME_IMPORTER", + "ENCLAVE_APPROVER_ROLE", + "ENCLAVE_CONTRIBUTOR_ROLE", + "ENCLAVE_OWNER_ROLE", + "ENCLAVE_READER_ROLE", + "EVENTGRID_CONTRIBUTOR", + 
"EVENTGRID_DATA_CONTRIBUTOR", + "EVENTGRID_DATA_RECEIVER", + "EVENTGRID_DATA_SENDER", + "EVENTGRID_EVENTSUBSCRIPTION_CONTRIBUTOR", + "EVENTGRID_EVENTSUBSCRIPTION_READER", + "EVENTGRID_TOPICSPACES_PUBLISHER", + "EVENTGRID_TOPICSPACES_SUBSCRIBER", + "EXPERIMENTATION_ADMINISTRATOR", + "EXPERIMENTATION_CONTRIBUTOR", + "EXPERIMENTATION_METRIC_CONTRIBUTOR", + "EXPERIMENTATION_READER", + "FHIR_DATA_CONTRIBUTOR", + "FHIR_DATA_CONVERTER", + "FHIR_DATA_EXPORTER", + "FHIR_DATA_IMPORTER", + "FHIR_DATA_READER", + "FHIR_DATA_WRITER", + "FHIR_SMART_USER", + "FIRMWARE_ANALYSIS_ADMIN", + "FLUX_CONFIGURATIONS_CONTRIBUTOR", + "GEOCATALOG_ADMINISTRATOR", + "GEOCATALOG_READER", + "GITOPS_LZ_LIST_ACTIONS", + "GRAFANA_ADMIN", + "GRAFANA_EDITOR", + "GRAFANA_LIMITED_VIEWER", + "GRAFANA_VIEWER", + "GRAPH_OWNER", + "GROUPQUOTA_READER", + "GROUPQUOTA_REQUEST_OPERATOR", + "GUEST_CONFIGURATION_RESOURCE_CONTRIBUTOR", + "HDINSIGHT_CLUSTER_ADMIN", + "HDINSIGHT_CLUSTER_OPERATOR", + "HDINSIGHT_DOMAIN_SERVICES_CONTRIBUTOR", + "HDINSIGHT_ON_AKS_CLUSTER_ADMIN", + "HDINSIGHT_ON_AKS_CLUSTER_OPERATOR", + "HDINSIGHT_ON_AKS_CLUSTER_POOL_ADMIN", + "HEALTHCARE_AGENT_ADMIN", + "HEALTHCARE_AGENT_EDITOR", + "HEALTHCARE_AGENT_READER", + "HEALTH_SAFEGUARDS_DATA_USER", + "HIERARCHY_SETTINGS_ADMINISTRATOR", + "HYBRIDCOMPUTE_MACHINE_LISTACCESSDETAILS_ACTION_IN_BUILT_ROLE", + "HYBRID_SERVER_ONBOARDING", + "HYBRID_SERVER_RESOURCE_ADMINISTRATOR", + "IMPACT_READER", + "IMPACT_REPORTER", + "INTEGRATION_SERVICE_ENVIRONMENT_CONTRIBUTOR", + "INTEGRATION_SERVICE_ENVIRONMENT_DEVELOPER", + "INTELLIGENT_SYSTEMS_ACCOUNT_CONTRIBUTOR", + "IOT_HUB_DATA_CONTRIBUTOR", + "IOT_HUB_DATA_READER", + "IOT_HUB_REGISTRY_CONTRIBUTOR", + "IOT_HUB_TWIN_CONTRIBUTOR", + "IPAM_POOL_USER", + "ISSUE_CONTRIBUTOR", + "KEY_VAULT_ADMINISTRATOR", + "KEY_VAULT_CERTIFICATES_OFFICER", + "KEY_VAULT_CERTIFICATE_USER", + "KEY_VAULT_CONTRIBUTOR", + "KEY_VAULT_CRYPTO_OFFICER", + "KEY_VAULT_CRYPTO_SERVICE_ENCRYPTION_USER", + 
"KEY_VAULT_CRYPTO_SERVICE_RELEASE_USER", + "KEY_VAULT_CRYPTO_USER", + "KEY_VAULT_DATA_ACCESS_ADMINISTRATOR", + "KEY_VAULT_PURGE_OPERATOR", + "KEY_VAULT_READER", + "KEY_VAULT_SECRETS_OFFICER", + "KEY_VAULT_SECRETS_USER", + "KNOWLEDGE_CONSUMER", + "KOSTNER_DFS_BASE_ROLE", + "KUBERNETESRUNTIME_LOAD_BALANCER_CONTRIBUTOR_ROLE", + "KUBERNETES_AGENTLESS_OPERATOR", + "KUBERNETES_AGENT_OPERATOR", + "KUBERNETES_AGENT_SUBSCRIPTION_LEVEL_OPERATOR", + "KUBERNETES_CLUSTER_AZURE_ARC_ONBOARDING", + "KUBERNETES_EXTENSION_CONTRIBUTOR", + "KUBERNETES_NAMESPACE_USER", + "KUBERNETES_RUNTIME_STORAGE_CLASS_CONTRIBUTOR_ROLE", + "LAB_ASSISTANT", + "LAB_CONTRIBUTOR", + "LAB_CREATOR", + "LAB_OPERATOR", + "LAB_SERVICES_CONTRIBUTOR", + "LAB_SERVICES_READER", + "LANDING_ZONE_ACCOUNT_OWNER", + "LANDING_ZONE_ACCOUNT_READER", + "LANDING_ZONE_MANAGEMENT_OWNER", + "LANDING_ZONE_MANAGEMENT_READER", + "LOAD_TEST_CONTRIBUTOR", + "LOAD_TEST_OWNER", + "LOAD_TEST_READER", + "LOCALNGFIREWALLADMINISTRATOR_ROLE", + "LOCALRULESTACKSADMINISTRATOR_ROLE", + "LOCKS_CONTRIBUTOR", + "LOGIC_APPS_STANDARD_CONTRIBUTOR_PREVIEW", + "LOGIC_APPS_STANDARD_DEVELOPER_PREVIEW", + "LOGIC_APPS_STANDARD_OPERATOR_PREVIEW", + "LOGIC_APPS_STANDARD_READER_PREVIEW", + "LOGIC_APP_CONTRIBUTOR", + "LOGIC_APP_OPERATOR", + "LOG_ANALYTICS_CONTRIBUTOR", + "LOG_ANALYTICS_READER", + "MANAGED_APPLICATION_CONTRIBUTOR_ROLE", + "MANAGED_APPLICATION_OPERATOR_ROLE", + "MANAGED_APPLICATION_PUBLISHER_OPERATOR", + "MANAGED_HSM_CONTRIBUTOR", + "MANAGED_IDENTITY_CONTRIBUTOR", + "MANAGED_IDENTITY_FEDERATED_IDENTITY_CREDENTIAL_CONTRIBUTOR", + "MANAGED_IDENTITY_OPERATOR", + "MANAGED_SERVICES_REGISTRATION_ASSIGNMENT_DELETE_ROLE", + "MANAGEMENT_GROUP_CONTRIBUTOR", + "MANAGEMENT_GROUP_READER", + "MEDIA_SERVICES_ACCOUNT_ADMINISTRATOR", + "MEDIA_SERVICES_LIVE_EVENTS_ADMINISTRATOR", + "MEDIA_SERVICES_MEDIA_OPERATOR", + "MEDIA_SERVICES_POLICY_ADMINISTRATOR", + "MEDIA_SERVICES_STREAMING_ENDPOINTS_ADMINISTRATOR", + 
"MICROSOFT_EDGE_WINFIELDS_FEDERATED_SUBSCRIPTION_READ_ACCESS_ROLE", + "MICROSOFT_KUBERNETES_CONNECTED_CLUSTER_ROLE", + "MICROSOFT_POWERBI_TENANT_OPERATIONS_ROLE", + "MICROSOFT_SENTINEL_AUTOMATION_CONTRIBUTOR", + "MICROSOFT_SENTINEL_BUSINESS_APPLICATIONS_AGENT_OPERATOR", + "MICROSOFT_SENTINEL_CONTRIBUTOR", + "MICROSOFT_SENTINEL_PLAYBOOK_OPERATOR", + "MICROSOFT_SENTINEL_READER", + "MICROSOFT_SENTINEL_RESPONDER", + "MONITORING_CONTRIBUTOR", + "MONITORING_DATA_READER", + "MONITORING_METRICS_PUBLISHER", + "MONITORING_READER", + "MYSQL_BACKUP_AND_EXPORT_OPERATOR", + "NETWORK_CONTRIBUTOR", + "NEW_RELIC_APM_ACCOUNT_CONTRIBUTOR", + "NEXUS_NETWORK_FABRIC_SERVICE_READER", + "NEXUS_NETWORK_FABRIC_SERVICE_WRITER", + "OBJECT_ANCHORS_ACCOUNT_OWNER", + "OBJECT_ANCHORS_ACCOUNT_READER", + "OBJECT_UNDERSTANDING_ACCOUNT_OWNER", + "OBJECT_UNDERSTANDING_ACCOUNT_READER", + "ONLINE_EXPERIMENTATION_CONTRIBUTOR", + "ONLINE_EXPERIMENTATION_DATA_OWNER", + "ONLINE_EXPERIMENTATION_DATA_READER", + "ONLINE_EXPERIMENTATION_READER", + "OPENCOST_RATE_CARD_READER", + "OPERATOR_NEXUS_COMPUTE_CONTRIBUTOR_ROLE_PREVIEW", + "OPERATOR_NEXUS_KEY_VAULT_WRITER_SERVICE_ROLE_PREVIEW", + "OPERATOR_NEXUS_OWNER_PREVIEW", + "ORACLE_DATABASE_AUTONOMOUS_DATABASE_ADMINISTRATOR", + "ORACLE_DATABASE_EXADATA_INFRASTRUCTURE_ADMINISTRATOR_BUILT_IN_ROLE", + "ORACLE_DATABASE_EXASCALE_STORAGE_VAULT_ADMINISTRATOR", + "ORACLE_DATABASE_EXASCALE_VMCLUSTER_ADMINISTRATOR", + "ORACLE_DATABASE_OWNER_BUILT_IN_ROLE", + "ORACLE_DATABASE_READER_BUILT_IN_ROLE", + "ORACLE_DATABASE_VMCLUSTER_ADMINISTRATOR_BUILT_IN_ROLE", + "ORACLE_SUBSCRIPTIONS_MANAGER_BUILT_IN_ROLE", + "OWNER", + "PLAYFAB_CONTRIBUTOR", + "PLAYFAB_READER", + "POLICY_INSIGHTS_DATA_WRITER_PREVIEW", + "PORTAL_DASHBOARD_WRITER_SERVICE_ROLE", + "POSTGRESQL_FLEXIBLE_SERVER_LONG_TERM_RETENTION_BACKUP_ROLE", + "POWER_PLATFORM_ACCOUNT_CONTRIBUTOR", + "POWER_PLATFORM_ENTERPRISE_POLICY_CONTRIBUTOR", + "PRIVATE_DNS_ZONE_CONTRIBUTOR", + "PROCUREMENT_CONTRIBUTOR", + 
"PROJECT_BABYLON_DATA_CURATOR", + "PROJECT_BABYLON_DATA_READER", + "PROJECT_BABYLON_DATA_SOURCE_ADMINISTRATOR", + "PROVIDERHUB_CONTRIBUTOR", + "PROVIDERHUB_READER", + "QUANTUM_WORKSPACE_DATA_CONTRIBUTOR", + "QUOTA_REQUEST_OPERATOR", + "READER", + "READER_AND_DATA_ACCESS", + "REDIS_CACHE_CONTRIBUTOR", + "REMOTE_RENDERING_ADMINISTRATOR", + "REMOTE_RENDERING_CLIENT", + "RESERVATION_PURCHASER", + "RESOURCE_POLICY_CONTRIBUTOR", + "ROLE_BASED_ACCESS_CONTROL_ADMINISTRATOR", + "SAAS_HUB_CONTRIBUTOR", + "SAVINGS_PLAN_PURCHASER", + "SCHEDULED_EVENTS_CONTRIBUTOR", + "SCHEDULED_PATCHING_CONTRIBUTOR", + "SCHEDULER_JOB_COLLECTIONS_CONTRIBUTOR", + "SCHEMA_REGISTRY_CONTRIBUTOR", + "SCHEMA_REGISTRY_READER", + "SEARCH_INDEX_DATA_CONTRIBUTOR", + "SEARCH_INDEX_DATA_READER", + "SEARCH_PARAMETER_MANAGER", + "SEARCH_SERVICE_CONTRIBUTOR", + "SECRETS_STORE_EXTENSION_OWNER", + "SECURE_SCORE_READER", + "SECURITY_ADMIN", + "SECURITY_ASSESSMENT_CONTRIBUTOR", + "SECURITY_DETONATION_CHAMBER_PUBLISHER", + "SECURITY_DETONATION_CHAMBER_READER", + "SECURITY_DETONATION_CHAMBER_SUBMISSION_MANAGER", + "SECURITY_DETONATION_CHAMBER_SUBMITTER", + "SECURITY_MANAGER_LEGACY", + "SECURITY_READER", + "SERVICES_HUB_OPERATOR", + "SERVICE_CONNECTOR_CONTRIBUTOR", + "SERVICE_FABRIC_CLUSTER_CONTRIBUTOR", + "SERVICE_FABRIC_MANAGED_CLUSTER_CONTRIBUTOR", + "SERVICE_GROUP_READER", + "SIGNALR_ACCESSKEY_READER", + "SIGNALR_APP_SERVER", + "SIGNALR_REST_API_OWNER", + "SIGNALR_REST_API_READER", + "SIGNALR_SERVICE_OWNER", + "SIGNALR_WEB_PUBSUB_CONTRIBUTOR", + "SITE_RECOVERY_CONTRIBUTOR", + "SITE_RECOVERY_OPERATOR", + "SITE_RECOVERY_READER", + "SPATIALMAPSACCOUNTS_ACCOUNT_OWNER", + "SPATIAL_ANCHORS_ACCOUNT_CONTRIBUTOR", + "SPATIAL_ANCHORS_ACCOUNT_OWNER", + "SPATIAL_ANCHORS_ACCOUNT_READER", + "SQLDB_MIGRATION_ROLE", + "SQLMI_MIGRATION_ROLE", + "SQLVM_MIGRATION_ROLE", + "SQL_DB_CONTRIBUTOR", + "SQL_MANAGED_INSTANCE_CONTRIBUTOR", + "SQL_SECURITY_MANAGER", + "SQL_SERVER_CONTRIBUTOR", + "SSH_PUBLICKEYS_CONTRIBUTOR_ROLE", + 
"SSH_PUBLICKEYS_READER_ROLE", + "STANDBY_CONTAINER_GROUP_POOL_CONTRIBUTOR", + "STORAGE_ACCOUNT_BACKUP_CONTRIBUTOR", + "STORAGE_ACCOUNT_CONTRIBUTOR", + "STORAGE_ACCOUNT_ENCRYPTION_SCOPE_CONTRIBUTOR_ROLE", + "STORAGE_ACCOUNT_KEY_OPERATOR_SERVICE_ROLE", + "STORAGE_BLOB_DATA_CONTRIBUTOR", + "STORAGE_BLOB_DATA_OWNER", + "STORAGE_BLOB_DATA_READER", + "STORAGE_BLOB_DELEGATOR", + "STORAGE_FILE_DATA_PRIVILEGED_CONTRIBUTOR", + "STORAGE_FILE_DATA_PRIVILEGED_READER", + "STORAGE_FILE_DATA_SMB_SHARE_CONTRIBUTOR", + "STORAGE_FILE_DATA_SMB_SHARE_ELEVATED_CONTRIBUTOR", + "STORAGE_FILE_DATA_SMB_SHARE_READER", + "STORAGE_QUEUE_DATA_CONTRIBUTOR", + "STORAGE_QUEUE_DATA_MESSAGE_PROCESSOR", + "STORAGE_QUEUE_DATA_MESSAGE_SENDER", + "STORAGE_QUEUE_DATA_READER", + "STORAGE_TABLE_DATA_CONTRIBUTOR", + "STORAGE_TABLE_DATA_READER", + "STREAM_ANALYTICS_CONTRIBUTOR", + "STREAM_ANALYTICS_QUERY_TESTER", + "STREAM_ANALYTICS_READER", + "SUBSCRIPTION_CREATOR", + "SUBSCRIPTION_CREATOR_OLD", + "SUPPORT_REQUEST_CONTRIBUTOR", + "TAG_CONTRIBUTOR", + "TAG_READER", + "TEMPLATE_SPEC_CONTRIBUTOR", + "TEMPLATE_SPEC_READER", + "TEST_BASE_READER", + "TOOLCHAINORCHESTRATOR_ADMIN_ROLE", + "TOOLCHAINORCHESTRATOR_VIEWER_ROLE", + "TRAFFIC_MANAGER_CONTRIBUTOR", + "TRANSPARENCY_LOGS_OWNER", + "TRUSTED_SIGNING_CERTIFICATE_PROFILE_SIGNER", + "TRUSTED_SIGNING_IDENTITY_VERIFIER", + "USAGE_BILLING_CONTRIBUTOR", + "USER_ACCESS_ADMINISTRATOR", + "VIDEO_INDEXER_RESTRICTED_VIEWER", + "VIRTUAL_MACHINE_ADMINISTRATOR_LOGIN", + "VIRTUAL_MACHINE_CONTRIBUTOR", + "VIRTUAL_MACHINE_DATA_ACCESS_ADMINISTRATOR_PREVIEW", + "VIRTUAL_MACHINE_LOCAL_USER_LOGIN", + "VIRTUAL_MACHINE_USER_LOGIN", + "VM_RESTORE_OPERATOR", + "VM_SCANNER_OPERATOR", + "WEBSITE_CONTRIBUTOR", + "WEB_PLAN_CONTRIBUTOR", + "WEB_PUBSUB_SERVICE_OWNER", + "WEB_PUBSUB_SERVICE_READER", + "WINDOWS_ADMIN_CENTER_ADMINISTRATOR_LOGIN", + "WORKBOOK_CONTRIBUTOR", + "WORKBOOK_READER", + "WORKLOADBUILDER_MIGRATION_AGENT_ROLE", + "WORKLOAD_ORCHESTRATION_IT_ADMIN", + 
"WORKLOAD_ORCHESTRATION_SOLUTION_EXTERNAL_VALIDATOR"
+]
\ No newline at end of file
diff --git a/ilsp/bicep_lsp/modules.py b/ilsp/bicep_lsp/modules.py
index 43766ef..664b8d6 100644
--- a/ilsp/bicep_lsp/modules.py
+++ b/ilsp/bicep_lsp/modules.py
@@ -18,77 +18,20 @@ from typing import Any
 logger = logging.getLogger(__name__)
 # Known Azure enum values not always captured in the catalog schema
+def _load_azure_roles() -> list[str]:
+ """Load Azure roles from azure_roles.json (generated from bicep/lookup/rbaclookup)."""
+ roles_file = pathlib.Path(__file__).parent / "azure_roles.json"
+ if roles_file.exists():
+ try:
+ return json.loads(roles_file.read_text())
+ except Exception as e:
+ logger.warning("Failed to load azure_roles.json: %s", e)
+ return []
+
 _KNOWN_ENUMS: dict[str, list[str]] = {
 "principalType": ["User", "Group", "ServicePrincipal", "Device", "ForeignGroup"],
- "roles": [
- # Key Vault roles
- "KEY_VAULT_ADMINISTRATOR",
- "KEY_VAULT_CERTIFICATES_OFFICER",
- "KEY_VAULT_CRYPTO_OFFICER",
- "KEY_VAULT_CRYPTO_SERVICE_ENCRYPTION_USER",
- "KEY_VAULT_CRYPTO_USER",
- "KEY_VAULT_READER",
- "KEY_VAULT_SECRETS_OFFICER",
- "KEY_VAULT_SECRETS_USER",
- # Storage roles
- "STORAGE_BLOB_DATA_CONTRIBUTOR",
- "STORAGE_BLOB_DATA_OWNER",
- "STORAGE_BLOB_DATA_READER",
- "STORAGE_QUEUE_DATA_CONTRIBUTOR",
- "STORAGE_QUEUE_DATA_READER",
- "STORAGE_TABLE_DATA_CONTRIBUTOR",
- "STORAGE_TABLE_DATA_READER",
- # Common Azure roles
- "CONTRIBUTOR",
- "OWNER",
- "READER",
- "USER_ACCESS_ADMINISTRATOR",
- # App/Function roles
- "WEBSITE_CONTRIBUTOR",
- # Monitoring roles
- "MONITORING_CONTRIBUTOR",
- "MONITORING_METRICS_PUBLISHER",
- "MONITORING_READER",
- "LOG_ANALYTICS_CONTRIBUTOR",
- "LOG_ANALYTICS_READER",
- # SQL roles
- "SQL_DB_CONTRIBUTOR",
- "SQL_MANAGED_INSTANCE_CONTRIBUTOR",
- "SQL_SECURITY_MANAGER",
- "SQL_SERVER_CONTRIBUTOR",
- ],
- "roleDefinitionIds": [
- # Same list for roleDefinitionIds parameter
- "KEY_VAULT_ADMINISTRATOR",
- "KEY_VAULT_CERTIFICATES_OFFICER",
- "KEY_VAULT_CRYPTO_OFFICER",
- "KEY_VAULT_CRYPTO_SERVICE_ENCRYPTION_USER",
- "KEY_VAULT_CRYPTO_USER",
- "KEY_VAULT_READER",
- "KEY_VAULT_SECRETS_OFFICER",
- "KEY_VAULT_SECRETS_USER",
- "STORAGE_BLOB_DATA_CONTRIBUTOR",
- "STORAGE_BLOB_DATA_OWNER",
- "STORAGE_BLOB_DATA_READER",
- "STORAGE_QUEUE_DATA_CONTRIBUTOR",
- "STORAGE_QUEUE_DATA_READER",
- "STORAGE_TABLE_DATA_CONTRIBUTOR",
- "STORAGE_TABLE_DATA_READER",
- "CONTRIBUTOR",
- "OWNER",
- "READER",
- "USER_ACCESS_ADMINISTRATOR",
- "WEBSITE_CONTRIBUTOR",
- "MONITORING_CONTRIBUTOR",
- "MONITORING_METRICS_PUBLISHER",
- "MONITORING_READER",
- "LOG_ANALYTICS_CONTRIBUTOR",
- "LOG_ANALYTICS_READER",
- "SQL_DB_CONTRIBUTOR",
- "SQL_MANAGED_INSTANCE_CONTRIBUTOR",
- "SQL_SECURITY_MANAGER",
- "SQL_SERVER_CONTRIBUTOR",
- ],
+ "roles": _load_azure_roles(),
+ "roleDefinitionIds": _load_azure_roles(), # alias for roles
 }
 # Catalog is baked into the image root at /bicep_modules_catalog.json
diff --git a/scripts/extract_roles_from_rbaclookup.py b/scripts/extract_roles_from_rbaclookup.py
new file mode 100755
index 0000000..f2690c0
--- /dev/null
+++ b/scripts/extract_roles_from_rbaclookup.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+"""
+Extract all Azure role names from rbacLookup.bicep and generate Python code
+for _KNOWN_ENUMS in modules.py.
+
+Usage:
+ python3 scripts/extract_roles_from_rbaclookup.py /path/to/rbacLookup.bicep
+"""
+
+import re
+import sys
+from pathlib import Path
+
+
+def extract_role_names(bicep_file: Path) -> list[str]:
+ """Extract all role names from the rbacLookup.bicep var roles = {...} block."""
+ content = bicep_file.read_text()
+
+ # Find the "var roles = {" block
+ roles_match = re.search(r'@export\(\)\s*var\s+roles\s*=\s*\{(.+?)\n\}', content, re.DOTALL)
+ if not roles_match:
+ raise ValueError("Could not find 'var roles = {' block in Bicep file")
+
+ roles_block = roles_match.group(1)
+
+ # Extract all role names (keys before the colon)
+ # Pattern: " ROLE_NAME: 'guid'"
+ role_names = re.findall(r'^\s+([A-Z_]+):', roles_block, re.MULTILINE)
+
+ return sorted(role_names)
+
+
+def generate_python_code(role_names: list[str]) -> str:
+ """Generate Python code for _KNOWN_ENUMS["roles"]."""
+ lines = ['_KNOWN_ENUMS = {']
+ lines.append(' "roles": [')
+
+ for role in role_names:
+ lines.append(f' "{role}",')
+
+ lines.append(' ],')
+ lines.append(' "roleDefinitionIds": [ # alias for roles')
+
+ for role in role_names:
+ lines.append(f' "{role}",')
+
+ lines.append(' ],')
+ lines.append('}')
+
+ return '\n'.join(lines)
+
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ print("Usage: extract_roles_from_rbaclookup.py /path/to/rbacLookup.bicep", file=sys.stderr)
+ sys.exit(1)
+
+ bicep_path = Path(sys.argv[1])
+ if not bicep_path.exists():
+ print(f"Error: File not found: {bicep_path}", file=sys.stderr)
+ sys.exit(1)
+
+ try:
+ roles = extract_role_names(bicep_path)
+ print(f"# Extracted {len(roles)} roles from {bicep_path.name}")
+ print(f"# Generated: {Path(__file__).name}\n")
+ print(generate_python_code(roles))
+ except Exception as e:
+ print(f"Error: {e}", file=sys.stderr)
+ sys.exit(1)
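Review bot: The script still emits Python source for `_KNOWN_ENUMS` (`generate_python_code` and the three `print` calls under `__main__`), while the loader this commit adds to modules.py reads `azure_roles.json`, so the update command given in the commit message does not regenerate the file that is actually consumed. Emit JSON instead: add `import json`, send the status line to stderr with `print(f"# Extracted {len(roles)} roles from {bicep_path.name}", file=sys.stderr)`, replace the other two prints with `print(json.dumps(roles, indent=2))`, and redirect stdout into ilsp/bicep_lsp/azure_roles.json; `generate_python_code` and the module docstring's reference to `_KNOWN_ENUMS` can then be dropped. `bicep_file.read_text()` in `extract_role_names` decodes with the locale encoding; pass `encoding="utf-8"` so a non-ASCII comment in the Bicep source cannot make the extraction fail on one machine and succeed on another. The key pattern `[A-Z_]+` silently skips any role key containing a digit; I cannot tell from the diff whether rbacLookup.bicep has such keys, but `[A-Z0-9_]+` costs nothing and a silent drop would otherwise go unnoticed until someone compares counts against the module.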