From 927c88414553698388cf1f3f038e9a905095ada0 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Fri, 29 Nov 2024 10:16:49 +0100
Subject: [PATCH] deploy token-mgmt-role to subscription
Signed-off-by: Gerd Oberlechner
---
 dev-infrastructure/modules/acr/acr.bicep | 25 +++----------------
 .../modules/acr/token-mgmt-role.bicep | 25 +++++++++++++++++++
 2 files changed, 28 insertions(+), 22 deletions(-)
 create mode 100644 dev-infrastructure/modules/acr/token-mgmt-role.bicep
diff --git a/dev-infrastructure/modules/acr/acr.bicep b/dev-infrastructure/modules/acr/acr.bicep
index 753263eb4..a2659fa09 100644
--- a/dev-infrastructure/modules/acr/acr.bicep
+++ b/dev-infrastructure/modules/acr/acr.bicep
@@ -57,26 +57,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   }
 }
 
-resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
-  name: guid(resourceGroup().id, 'token-creation-role')
-  properties: {
-    roleName: 'ACR Manage Tokens'
-    type: 'customRole'
-    assignableScopes: [
-      subscription().id
-    ]
-    description: 'This role allows the management of tokens in the ACR'
-    permissions: [
-      {
-        actions: [
-          'Microsoft.ContainerRegistry/registries/tokens/read'
-          'Microsoft.ContainerRegistry/registries/tokens/write'
-          'Microsoft.ContainerRegistry/registries/tokens/delete'
-          'Microsoft.ContainerRegistry/registries/generateCredentials/action'
-          'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
-          'Microsoft.ContainerRegistry/registries/scopeMaps/read'
-        ]
-      }
-    ]
-  }
+module tokenMgmtRole 'token-mgmt-role.bicep' = {
+  name: 'acr-token-mgmt-role'
+  scope: subscription()
 }
diff --git a/dev-infrastructure/modules/acr/token-mgmt-role.bicep b/dev-infrastructure/modules/acr/token-mgmt-role.bicep
new file mode 100644
index 000000000..386c427c8
--- /dev/null
+++ b/dev-infrastructure/modules/acr/token-mgmt-role.bicep
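Review bot: `scope: subscription()` on the new `tokenMgmtRole` module moves the role-definition write out of the resource group, so the identity that deploys acr.bicep now needs `Microsoft.Authorization/roleDefinitions/write` at subscription scope (in practice Owner or User Access Administrator on the subscription), and neither the commit message nor the module records that broadened requirement; a comment above the module such as `// deploys a subscription-scoped role definition: deploying principal needs roleDefinitions/write on the subscription` would prevent a confusing authorization failure for the next person. The removed per-resource-group definition (`guid(resourceGroup().id, 'token-creation-role')`) is not deleted by an incremental deployment, so every environment deployed before this change keeps an orphaned 'ACR Manage Tokens' custom role until it is cleaned up manually, and since custom role names are, as far as I know, unique per tenant, the new definition may collide with that leftover. The module also exposes no outputs, so nothing in acr.bicep can reference the new definition's id for an assignment; if the `roleAssignment` resource whose tail forms the hunk's leading context depends on it (its body starts outside the hunk, so I can't tell), an `output roleDefinitionId string` from the module would be needed.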
@@ -0,0 +1,25 @@
+targetScope = 'subscription'
+
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+  name: guid('token-mgmt-role')
+  properties: {
+    roleName: 'ACR Manage Tokens'
+    type: 'customRole'
+    assignableScopes: [
+      subscription().id
+    ]
+    description: 'This role allows the management of tokens in the ACR'
+    permissions: [
+      {
+        actions: [
+          'Microsoft.ContainerRegistry/registries/tokens/read'
+          'Microsoft.ContainerRegistry/registries/tokens/write'
+          'Microsoft.ContainerRegistry/registries/tokens/delete'
+          'Microsoft.ContainerRegistry/registries/generateCredentials/action'
+          'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
+          'Microsoft.ContainerRegistry/registries/scopeMaps/read'
+        ]
+      }
+    ]
+  }
+}
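Review bot: `name: guid('token-mgmt-role')` and `roleName: 'ACR Manage Tokens'` are both constants with no subscription-specific seed, and custom role definitions (both the GUID and the display name) are, as far as I know, unique per tenant rather than per subscription, so deploying this module into a second subscription of the same tenant would likely update the existing definition and replace its `assignableScopes` with only the new subscription, silently breaking assignments in the first. If multi-subscription deployment is intended, seed the name with the subscription, e.g. `name: guid(subscription().id, 'token-mgmt-role')`, and make `roleName` unique per subscription as well, or document that the role is tenant-wide and list every target subscription in `assignableScopes`. Because `generateCredentials/action` issues and regenerates token passwords, the description should state that explicitly, e.g. `description: 'Manage ACR tokens, including generating and regenerating their passwords'`, so reviewers of role assignments understand this is a credential-issuing role. An `output roleDefinitionId string = tokenManagementRole.id` would also let callers assign the role without recomputing the guid.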