How to check multiple conditions in ARM Template variables/parameters

I need to modify an ARM template in a way that the user will have 3 options to select for a parameter during the deployment, each one for a specific Azure RBAC built-in role (Owner, Contributor or Reader). Then I need to correlate each role to the respective role ID, that are unique in Azure. I want to avoid the user having to select from the roleID´s, as they are obviously not descritive, but the assignment in this case must be done by the roleID, just the name of the role definition is not sufficient to make the assignment directly.

The template below was simplified with just the logic that I need to implement, however it´s checking just one value for the parameter (Contributor). So I need to do same but for the 3 different values. If it was just 2 possible values I could change the "json('null')" to the other RoleID, but with 3 values it gets more complex.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "exampleParameter": {
            "defaultValue": "Contributor",
            "allowedValues": [
                "Contributor",
                "Owner",
                "Reader"
            ],
            "type": "String",
            "metadata": {
                "description": "Test parameter"
            }
        }
    },
    "variables": {
        "exampleVariable": "[if(equals(parameters('exampleParameter'), 'Contributor'), 'ContributorRoleID', json('null'))]"
    },
    "resources": [],
    "outputs": {
        "exampleOutput": {
            "type": "String",
            "value": "[variables('exampleVariable')]"
        }
    }
}

I´ve got some references from this question, but I really didnt´t únderstand the example in the end, as even though it uses the OR condition, I didn´t noticed how to pass the value for true and false evaluation, as in the example above with a single value. Then I have tried different ways to adjust it for my needs, but I really couldn´t find a way of solving that as I couldn´t find any valid sintaxe to use this same logic with multiple values.

I apologize for creating a new topic for that, but I couldn´t make a comment in the original question.

Note: if there any other solution to achieve the same result, please feel free to suggest. My question is about the conditions in variables/parameters because it´s the only way that I could imagine to make this association, but I am not an expert in ARM templates, maybe there is another simple solution for my use case.

I appreciate if someone can help me. Thanks!

>I need to correlate each role to the respective role ID, that are unique in Azure.

• It is not possible to directly assign an (Role-Based Access Control) role to a specific resource in an ARM template. Azure RBAC roles can only be assigned at the management group, subscription, or resource group level, and not directly to individual resources like virtual networks.

• To assign role to a specific resource you need to use Azure Policy, Azure Policy allows you to configure like RBAC role assignments on resources.

Create a resource that shouldn't have any RBAC role assigned directly.

Create an Azure Policy definition to assign the RBAC role assignment based on the selected role name and Role ID.

{
  "properties": {
    "displayName": "Enforce RBAC Role Assignment",
    "description": "Enforce RBAC role assignment based on the selected role name.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleAssignments"
          },
          {
            "field": "Microsoft.Authorization/roleAssignments/principalId",
            "equals": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/roleAssignments",
          "roleDefinitionId": "[variables('selectedRoleID')]",
          "principalId": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]",
          "scope": "[field('Microsoft.Network/virtualNetworks/id')]"
        }
      }
    },
    "parameters": {}
  }
}

Below is the template to handle the correlation between the role names and their respective Role IDs.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "exampleParameter": {
      "defaultValue": "Contributor",
      "allowedValues": ["Contributor", "Owner", "Reader"],
      "type": "String",
      "metadata": {
        "description": "Select the role for the deployment."
      }
    }
  },
  "variables": {
    "roleMappings": {
      "Contributor": "b24988ac-6180-4783-ad44-20f7382dd24c", // Duplicate Contributor Role ID
      "Owner": "8s7hf657-a8ff-443c-a75c-2fe8c4cjve635",       // Duplicate Owner Role ID
      "Reader": "acvg80a7-3385-48ef-bd02-f685gda81ae7"      // Duplicate Reader Role ID
    },
    "selectedRoleID": "[variables('roleMappings')[parameters('exampleParameter')]]"
  },
  "resources": [],
  "outputs": {
    "exampleOutput": {
      "type": "String",
      "value": "[variables('selectedRoleID')]"
    }
  }
}

Parameters as per the requirement.

• During the deployment the user can select the role name (Owner, Contributor, or Reader).

You need to use an Azure Policy definition with Azure Policy's built-in policy rule types, specifically "Role-Based Access Control (RBAC) Role Assignment" policies.