Bug regarding Role Assignment with the scope of RG while deploying new RG to a subscription #6073
Comments
|
I'm in your situation (bicep deployment at scubscription level) and role assignment at resource group scope. I had to use a main file and a module scoped for the resource group. In this module, when creating the roleassignment I set the scope to resourcegroup() //MAIN: param RoleId_ProjectAdmin string
param DevGroupID string
resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
name: 'xyz'
location: deployment_location
}
module rgRoleAdminstration 'General/AAD/rgRoleAdministration.bicep' = {
name: 'rgRoleAdminstration'
scope: rg
params: {
DevGroupID: DevGroupID
resource_group: rg.name
projectAdmin_RoleID: RoleId_ProjectAdmin
}
}//MODULE:
param DevGroupID string
param projectAdmin_RoleID string
param resource_group string
resource projectAdmin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name: guid(DevGroupID, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID))
**scope: resourceGroup()**
properties: {
principalId: DevGroupID
principalType: 'Group'
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID)
}
} |
|
Hi Bancho, |
|
@alex-frankel: Hi Alex, thx for your support. I checked the role assignments of the RG after the deployment was completed and noticed that it hasn't been configured. |
|
Current state of role assignments can be cached for up to 30 minutes. Are you able to share the output of the deployment? That would list all the resources that were created or updated. |
|
Sry for the delay. Six days ago i retried it multiple times and the role assignment was just skipped or better said module executed without role assignment. Until today i was busy, so i tried the deployment again to send you the logs now.. Anyhow. Big Thanks for your support. Solution for someone who is also confused: //MAIN: //MODULE: |
ghost
locked as resolved and limited conversation to collaborators
StephenWeatherford
added
Needs: Author Feedback
Bicep version
Bicep CLI version 0.4.1008
Describe the bug
Bug appears while executing our new deployment framework. We want to initialize a resource group with a predefined and configured set of services to a subscription. Therefore we also want to assign different roles to AD-Groups / MSIs / SPNs. The problem we are facing is, that we are currently not able to assign a role with the scope of the recently deployed resource group within the same IaC-Deployment. We tried to assign the role within the main.bicep and within a module - nothing worked so far. Every other role assignment is executable via bicep (Assignment of roles of MSI/SPNs/AD-Groups to different scopes like ADLS, ADB, AKVs and so on..)
To Reproduce
A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.bicep(BCP139)
The property "scope" expected a value of type "resource | tenant" but the provided value is of type "string".bicep(BCP036)
No error but no execution of the role assignment while deploying the code
A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.bicep(BCP139)
Seems like there is no way to set the scope appropriately within the bicep deployment, so in the meantime we are using a deployment-script module and adjust the roleAssignment with CLI-Commands. But maybe we miss sth?
With Best Regards
The text was updated successfully, but these errors were encountered: