Exploring the new Deployer() function in Bicep
Stephen Tulp
January 15, 2025
Introduction
Bicep continues to evolve with new features that simplify and enhance the deployment of resources into Azure. One of the latest additions, in version v0.32.4, is the deployer() function. This function provides information about the identity deploying the resources, which can provide useful metadata for the deployment.
What is the deployer() Function?
The deployer() function in Bicep returns details about the identity that is executing the deployment. At present this includes the object ID and tenant ID as values.
// Outputs
output deployer object = deployer()
The output of the above would be:
{
  "objectId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
  "tenantId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
}
Example - Resource Tagging
Understanding the who, what and when of something created in Azure is valuable and gives context and detail on the deployment. While the approach below isn't foolproof, it is a great way to attach metadata to a deployment.
If we look at the tagging object below, mandatory tag names and their associated values are defined within the object.
@description('Optional. An object of tag key & value pairs.')
param tags type.tagsType = {
  environment: envPrefix
  applicationName: 'Insight Path for AI'
  owner: 'Platform Team'
  criticality: 'Tier3'
  costCenter: '1234'
  contactEmail: 'test@outlook.com'
  dataClassification: 'Internal'
  iac: 'Bicep'
  deployedBy: deployer().objectId // object ID of the identity running the deployment
  lastUpdated: utcNow() // deployment time; utcNow() is only allowed in a parameter default value
}
The deployer().objectId value is used to tag the deployed resource with the objectId of the deploying identity, so we now have the Who as metadata on the resource. To complement this, we can also use the utcNow() function to have the When as a timestamp as well.
If we look at the tags applied to the resource, the ObjectId is the GUID for my Microsoft Entra user identity and the timestamp is the deployment date defined in ISO 8601 format.
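Tags can be changed after deployment by any identity with tag write access, so an audit can check that deployedBy and lastUpdated still look the way the template wrote them. The Python below is an added example, not code from the original post; the allowlist of approved deployer object IDs is an assumption, and the resource records (shaped like `az resource list` JSON output) are constructed.

```python
import uuid
from datetime import datetime, timezone

# Constructed allowlist (assumption): object IDs of identities allowed to deploy.
APPROVED_DEPLOYERS = {"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"}

# Constructed records shaped like `az resource list` output (name and tags only).
SAMPLE_RESOURCES = [
    {"name": "stgood", "tags": {"deployedBy": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
                                "lastUpdated": "20250115T101530Z"}},
    {"name": "stunknown", "tags": {"deployedBy": "cccccccc-3333-4444-5555-dddddddddddd",
                                   "lastUpdated": "20250115T101530Z"}},
    {"name": "stedited", "tags": {"deployedBy": "Platform Team", "lastUpdated": "yesterday"}},
    {"name": "stuntagged", "tags": None},
]

def check_tags(resource, approved=APPROVED_DEPLOYERS, now=None):
    """Return findings for one resource; an empty list means both tags look intact."""
    now = now or datetime.now(timezone.utc)
    tags = resource.get("tags") or {}
    findings = []
    deployed_by = tags.get("deployedBy")
    if deployed_by is None:
        findings.append("deployedBy missing")
    else:
        try:
            object_id = str(uuid.UUID(deployed_by))  # normalises case and braces
        except ValueError:
            findings.append("deployedBy is not a GUID")
        else:
            if object_id not in approved:
                findings.append("deployedBy is not an approved deployer")
    stamp = tags.get("lastUpdated")
    if stamp is None:
        findings.append("lastUpdated missing")
    else:
        try:  # utcNow() with no format argument emits yyyyMMddTHHmmssZ
            when = datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append("lastUpdated is not in utcNow() default format")
        else:
            if when > now:
                findings.append("lastUpdated is in the future")
    return findings

def audit(resources, approved=APPROVED_DEPLOYERS, now=None):
    """Map resource name to findings, listing only resources that have any."""
    results = {r["name"]: check_tags(r, approved, now) for r in resources}
    return {name: found for name, found in results.items() if found}
```

A resource that passes these checks still only carries self-reported metadata; the findings point at resources whose tags are worth comparing against the deployment history.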
Example - Role Assignments
The other use case for the deployer() function is adding the objectId to role assignments. In the code below we are using the objectId to assign Reader permissions at the Subscription scope.
@description('Resource: Reader Role Assignment @ the Subscription Scope')
resource readerRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (deployManagedIdentity) {
  name: guid(subscription().id, 'readerRoleAssignment')
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'acdd72a7-3385-48ef-bd42-f606fba81ae7' // Reader
    )
    principalId: deployer().objectId // the identity running this deployment receives the role
    principalType: 'User' // assumes a user runs the deployment; a pipeline identity is a 'ServicePrincipal'
  }
}
If we look at the IAM section within the portal we can see the assignment at the Subscription scope for my identity.
Conclusion
The deployer() function is a welcome addition to Bicep, offering enhanced capabilities for identity-based customisation, security, and auditing. As Bicep continues to evolve, features like these make it an increasingly robust IaC tool for managing Azure resources.
I would love to see other attributes become available to the deployer() function, including UPN, Display Name, etc., to make the values more readable, so that is something to raise with the product team.