Azure/alz-monitor

Add support for ARM role targeting assigned to groups

johnthebrit opened this issue · 4 comments

For a large-scale deployment of a template in an organization with many subscriptions the recipient will vary based on the subscription. The best way would be to allow specific roles to be selected, for example Owner and/or Contributor. This can easily be changed per the existing, e.g.

"armRoleReceivers": [
    {
        "name": "Email Owner",
        "roleId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "useCommonAlertSchema": true
    },
    {
        "name": "Email Contrib",
        "roleId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "useCommonAlertSchema": true
    }
]

However, this only works with users assigned the role. Our best practice would be to assign users to groups and assign the group the role. Therefore, we also require the Action Group to support emailing a mail-enabled group (or, enumerate the group at alert time and email the individuals within).

This would make the solution truly enterprise ready.

Using a static email and asking each subscription is unlikely to work as it would require actions from each subscription team which is very hard to co-ordinate in most companies.
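The gap described above (armRoleReceivers reaching only principals that hold the role directly, not members of a group that holds it) can be measured before a deployment. The following PowerShell is an added example, not code from the alz-monitor project or the issue author; it assumes the Az.Resources module is installed and a session opened with Connect-AzAccount, and it uses the two role definition IDs quoted in the issue. It lists every Owner or Contributor assignment at subscription scope whose principal is a group, which is exactly the set of recipients an ARM-role receiver would silently miss.

```powershell
# Added example (not from the alz-monitor project). Assumes the Az.Resources
# module and an active Connect-AzAccount session.
# Role definition IDs are the ones quoted in the issue.
$roleIds = @{
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' = 'Owner'
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
}

function Get-GroupRoleAssignments {
    # Returns Owner/Contributor assignments on one subscription whose
    # principal is a group rather than a user or service principal.
    param(
        [Parameter(Mandatory)][string]$SubscriptionId
    )
    $scope = "/subscriptions/$SubscriptionId"
    foreach ($roleId in $roleIds.Keys) {
        # Get-AzRoleAssignment includes assignments inherited from management
        # groups; ObjectType is User, Group or ServicePrincipal.
        Get-AzRoleAssignment -Scope $scope -RoleDefinitionId $roleId |
            Where-Object { $_.ObjectType -eq 'Group' } |
            ForEach-Object {
                [pscustomobject]@{
                    Subscription = $SubscriptionId
                    Role         = $roleIds[$roleId]
                    GroupName    = $_.DisplayName
                    GroupId      = $_.ObjectId
                    AssignedAt   = $_.Scope
                }
            }
    }
}

# Walk every subscription visible to the signed-in account and report the
# group-held roles that an armRoleReceiver will not notify.
Get-AzSubscription | ForEach-Object {
    Get-GroupRoleAssignments -SubscriptionId $_.Id
} | Sort-Object Subscription, Role | Format-Table -AutoSize
```

The output is the list of subscriptions where the role-based receiver alone would reach nobody; for those, the action group needs a separate emailReceiver pointing at the group's mailbox until Action Groups can resolve groups themselves. Note that assignments inherited from a management group scope appear too, so the AssignedAt column distinguishes subscription-level from inherited holders.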

Thanks for sharing this @johnthebrit. As discussed when we met yesterday, I've initiated a conversation with the Action Group PM; once we have direction on support for this capability we'll look to plan this into the AMBA solution.

> This would make the solution truly enterprise ready.

But of course, an enterprise would/should also be using PIM to only elevate their admin accounts into those high value roles/role groups as required? So, they wouldn't generally receive those alerts since they don't hold the role full time?

@SteveBurkettNZ that's a good point and one for consideration, thanks for sharing.

@johnthebrit we're archiving this repo, so if this is still required please could you add an issue on our new repo https://github.com/Azure/azure-monitor-baseline-alerts/issues, as we unfortunately cannot transfer issues between repos and this will allow you to get notifications. @SteveBurkettNZ