Description
Bicep version
Bicep CLI version 0.4.1008
Describe the bug
The bug appears while executing our new deployment framework. We want to initialize a resource group with a predefined and configured set of services in a subscription. Therefore we also want to assign different roles to AD groups / MSIs / SPNs. The problem we are facing is that we are currently not able to assign a role with the scope of the recently deployed resource group within the same IaC deployment. We tried to assign the role within the main.bicep and within a module; nothing worked so far. Every other role assignment is executable via Bicep (assignment of roles of MSIs/SPNs/AD groups to different scopes like ADLS, ADB, AKVs and so on).
To Reproduce
- Trying to assign the role within the main.bicep:
```bicep
// MAIN:
targetScope = 'subscription' // resource groups can only be created from a subscription-scoped file

param deployment_location string
param RoleId_ProjectAdmin string
param DevGroupID string

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'xyz'
  location: deployment_location
}

resource projectAdmin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(DevGroupID, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', RoleId_ProjectAdmin))
  scope: rg
  properties: {
    principalId: DevGroupID
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', RoleId_ProjectAdmin)
  }
}
```
A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.bicep(BCP139)
- Trying to assign the role within its own module and setting the scope within the module appropriately
```bicep
// MAIN:
targetScope = 'subscription' // resource groups can only be created from a subscription-scoped file

param deployment_location string
param RoleId_ProjectAdmin string
param DevGroupID string

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'xyz'
  location: deployment_location
}

module rgRoleAdminstration 'General/AAD/rgRoleAdministration.bicep' = {
  name: 'rgRoleAdminstration'
  scope: rg
  params: {
    DevGroupID: DevGroupID
    resource_group: rg.name
    projectAdmin_RoleID: RoleId_ProjectAdmin
  }
}
```

```bicep
// MODULE:
param DevGroupID string
param projectAdmin_RoleID string
param resource_group string

resource projectAdmin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(DevGroupID, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID))
  scope: resource_group // a string is not accepted here, see the BCP036 diagnostic below
  properties: {
    principalId: DevGroupID
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID)
  }
}
```
The property "scope" expected a value of type "resource | tenant" but the provided value is of type "string".bicep(BCP036)
- Trying to assign the role within its own module, but only setting the scope in the module declaration in the main, not in the roleAssignment resource itself:
```bicep
// MAIN:
targetScope = 'subscription' // resource groups can only be created from a subscription-scoped file

param deployment_location string
param RoleId_ProjectAdmin string
param DevGroupID string

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'xyz'
  location: deployment_location
}

module rgRoleAdminstration 'General/AAD/rgRoleAdministration.bicep' = {
  name: 'rgRoleAdminstration'
  scope: rg
  params: {
    DevGroupID: DevGroupID
    resource_group: rg.name
    projectAdmin_RoleID: RoleId_ProjectAdmin
  }
}
```

```bicep
// MODULE:
param DevGroupID string
param projectAdmin_RoleID string
param resource_group string

resource projectAdmin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(DevGroupID, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID))
  properties: {
    principalId: DevGroupID
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID)
  }
}
```
No error, but the role assignment is not executed while deploying the code.
- Trying to assign the role within its own module and setting the scope in the module declaration in the main with a reference to an existing resource group:
```bicep
// MAIN:
targetScope = 'subscription' // resource groups can only be created from a subscription-scoped file

param deployment_location string
param RoleId_ProjectAdmin string
param DevGroupID string
param rl_subscriptionId string

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'xyz'
  location: deployment_location
}

module rgRoleAdminstration 'General/AAD/rgRoleAdministration.bicep' = {
  name: 'rgRoleAdminstration'
  scope: rg
  params: {
    DevGroupID: DevGroupID
    resource_group: rg.name
    projectAdmin_RoleID: RoleId_ProjectAdmin
    subscription_id: rl_subscriptionId
  }
}
```

```bicep
// MODULE:
param DevGroupID string
param projectAdmin_RoleID string
param resource_group string
param subscription_id string

resource rg_link 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
  name: resource_group
  scope: subscription(subscription_id)
}

resource projectAdmin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(DevGroupID, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID))
  scope: rg_link
  properties: {
    principalId: DevGroupID
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', projectAdmin_RoleID)
  }
}
```
A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope.bicep(BCP139)
It seems there is no way to set the scope appropriately within the Bicep deployment, so in the meantime we are using a deployment-script module and adjusting the role assignment with CLI commands. But maybe we are missing something?
With Best Regards
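For comparison, the following is an added example (not the issue author's code) of the pattern in which a subscription-scoped main file creates the resource group and a module, deployed with `scope: rg`, declares the role assignment without any `scope` property so that it lands at the module's own deployment scope, the new resource group. The module path `rgRoleAdministration.bicep` and the parameter names `principalId` and `roleDefinitionId` are assumptions for the example; the role definition GUID and the group object id are supplied by the caller.

```bicep
// ---- main.bicep (subscription scope) ----
targetScope = 'subscription'

param deployment_location string
@description('Object id of the AD group that receives the role')
param DevGroupID string
@description('GUID of the role definition to grant (e.g. a built-in role id), supplied by the caller')
param RoleId_ProjectAdmin string

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'xyz'
  location: deployment_location
}

// Deployed at the scope of the resource group created above; referencing rg
// in 'scope' also gives the module an implicit dependency on the resource group.
module rgRoleAdministration 'rgRoleAdministration.bicep' = {
  name: 'rgRoleAdministration'
  scope: rg
  params: {
    principalId: DevGroupID
    roleDefinitionId: RoleId_ProjectAdmin
  }
}

// ---- rgRoleAdministration.bicep (resource-group scope, which is the default) ----
targetScope = 'resourceGroup'

param principalId string
param roleDefinitionId string

var roleDefinitionResourceId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)

// No explicit 'scope': a role assignment without one is created at the module's
// deployment scope, i.e. the new resource group. Seeding guid() with
// resourceGroup().id gives a different assignment name per resource group, so the
// same group/role pair in a second resource group does not reuse an existing name.
resource projectAdmin 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(resourceGroup().id, principalId, roleDefinitionResourceId)
  properties: {
    principalId: principalId
    principalType: 'Group' // lets ARM skip the directory lookup for a freshly created principal
    roleDefinitionId: roleDefinitionResourceId
  }
}
```

The assignment is limited to the single resource group rather than the whole subscription, which is the least-privilege outcome the issue is after. After the deployment finishes, `az role assignment list --resource-group xyz --assignee <group object id>` shows whether the assignment was actually created at that scope, which is the check to run when a deployment reports success but the role does not appear.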