Bug: Failure for role assignment during Deploy-Accelerator

[anwather]

Getting the error below for each role:

module.azure[0].azurerm_role_assignment.alz["apply-alz_subscription_owner-682b6e81-71c4-4e70-b27c-a2ff4f84880e"]: Creating...
module.azure[0].azurerm_role_assignment.alz["apply-alz_subscription_owner-a8731f51-d9fe-45e8-8c2b-cccee4a27190"]: Creating...
module.azure[0].azurerm_role_assignment.alz["apply-alz_subscription_owner-8da8d616-a90e-446a-9098-ad7381ce56a7"]: Creating...
module.azure[0].azurerm_role_assignment.alz["plan-alz_subscription_reader-682b6e81-71c4-4e70-b27c-a2ff4f84880e"]: Creating...
module.azure[0].azurerm_role_assignment.alz["plan-alz_subscription_reader-8da8d616-a90e-446a-9098-ad7381ce56a7"]: Creating...
module.azure[0].azurerm_role_assignment.alz["plan-alz_subscription_reader-a8731f51-d9fe-45e8-8c2b-cccee4a27190"]: Creating...

Error Output:

╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="RoleAssignmentScopeNotAssignableToRoleDefinition" Message="The role Azure Landing Zones Subscription Owner (alz-mgmt) is not available for assignment at the requested scope."
│
│   with module.azure[0].azurerm_role_assignment.alz["apply-alz_subscription_owner-a8731f51-d9fe-45e8-8c2b-cccee4a27190"],
│   on ..\..\modules\azure\role_assignments.tf line 27, in resource "azurerm_role_assignment" "alz":
│   27: resource "azurerm_role_assignment" "alz" {
│
╵

Steps to Reproduce

1. Trying to generate local file system using Bicep

input.yaml

# Basic Inputs
iac: "bicep"
bootstrap: "alz_local"
starter: "complete"

# Shared Interface Inputs
bootstrap_location: "australiaeast"
starter_location: "australiaeast"
root_parent_management_group_id: "contoso"
subscription_id_management: "8da8d616-a90e-446a-9098-ad7381ce56a7"
subscription_id_identity: "a8731f51-d9fe-45e8-8c2b-cccee4a27190"
subscription_id_connectivity: "682b6e81-71c4-4e70-b27c-a2ff4f84880e"

# Bootstrap Inputs
target_directory: ""
create_bootstrap_resources_in_azure: "true"
bootstrap_subscription_id: ""
service_name: "alz"
environment_name: "mgmt"
postfix_number: "1"

# Starter Module Specific Variables
Prefix: "alz"
Location: "australiaeast"
Environment: "live"
networkType: "vwanConnectivity"
SecurityContact: "removed"

[robpitcher]

I had this same issue yesterday. The issue was because my subscriptions were not under the root_parent_management_group_id that I had specified (which is where the custom role is created).

I manually moved the subscriptions to the root_parent_management_group_id, re-ran the pipeline, and then it was successful.

[oZakari]

Thanks for sharing that insight @robpitcher! @anwather, to confirm, are your subscriptions also not in the root?

I will put a note in the doc to make sure they reside there before deploying the accelerator.

[anwather]

Mine definately weren't - haven't tested again but I think the fix above would make sense.

[jaredfholgate]

Its worth noting that the subscription can be placed in an intermediate management group and you can deploy your landing zone under that intermediate management group if you specify the id of the intermediate management group in root_parent_management_group_id.

However, I don't think that was the desired outcome here?

[jaredfholgate]

Closing for now, but can re-open if action is required.