azure bicep rbac

rbac.ps1

@description('Location of service resource')
param location string

@description('Name of the service resource')
param name string

@description('Current time set by system')
param currentTime string = utcNow()

resource script 'Microsoft.Resources/deploymentScripts@2019-10-01-preview' = {
  name: 'script-${name}'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${resourceId('app-reg-automation', 'Microsoft.ManagedIdentity/userAssignedIdentities', 'AppRegCreator')}': {}
    }
  }
  properties: {
    azPowerShellVersion: '5.0'
    arguments: '-resourceName "${name}"'
    scriptContent: '''
      param([string] $resourceName)            
      $app = (az ad sp create-for-rbac --name $resourceName --output json | convertfrom-json)
      $sp = (az ad sp show --id $app.appId --output json | convertfrom-json).id       
      $DeploymentScriptOutputs = @{
        tenantId = $app.tenant
        clientId = $app.appId
        clientSecret = $app.password
        objectId = $sp.id
      }
    '''
    cleanupPreference: 'OnSuccess'
    retentionInterval: 'P1H'
    forceUpdateTag: currentTime // ensures script will run every time
  }
}

@description('Resource ID of the tenant')
output tenantId string = script.properties.outputs.tenantId

@description('Resource ID of the application')
output clientId string = script.properties.outputs.clientId

@description('Password of the application')
output clientSecret string = script.properties.outputs.clientSecret

@description('Resource ID of the service principal')
output objectId string = script.properties.outputs.objectId