Azure / arm-template-whatif

A repository to track issues related to what-if noise suppression
MIT License

Noise with Storage principalId property #334

Open Philippe85 opened 1 year ago

Philippe85 commented 1 year ago

Describe the noise

The Azure resource is up-to-date, but I always get the same What-If report. The principal Id exists and is good. But the role is indefinitely added to this principal Id.

Resource type (i.e. Microsoft.Storage/storageAccounts): Microsoft.Storage/storageAccounts

apiVersion (i.e. 2019-04-01): Latest: 2022-09-01

Client (PowerShell, Azure CLI, or API): PowerShell

Relevant ARM Template code (we only need the resource object for the above resourceType and apiVersion, but if it's easier you can include the entire template)

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {        
        "location": {
            "type": "string",
            "metadata": { "description": "Resources location" },
            "defaultValue": "francecentral"
        },
        "tags": {
            "type": "object",
            "metadata": { "description": "List of tags to apply to ressources" }
        },
        "storageAccountName": {
            "type": "string",
            "metadata": { "description": "Name of the Storage Account" },            
            "maxLength": 24
        },
        "storageAccountSKU": {
            "type": "string",
            "metadata": { "description": "SKU of the Storage Account" },
            "allowedValues": [
                "Standard_LRS", 
                "Standard_GRS", 
                "Standard_RAGRS", 
                "Standard_ZRS", 
                "Premium_LRS", 
                "Premium_ZRS", 
                "Standard_GZRS", 
                "Standard_RAGZRS"
            ]
        },
        "storageAccountTier": {
            "type": "string",
            "metadata": { "description": "Tier of the Storage Account" },
            "allowedValues": [
                "Standard",
                "Premium"
            ]
        },
        "principalId": {
            "type": "string",
            "metadata": { "description": "A principal Id used to identify the user identity" }
        },
        "rgGuid": {
            "type": "string",
            "metadata": { "description": "A new GUID used to identify the role assignment. this solution to put resource group id is found to skip the problem of managed identity already exist in case of new guid id" },
            "defaultValue": "[guid(resourceGroup().id, variables('storageAccountName'))]"
        }
    },
    "variables": {
        "storageAccountName": "[parameters('storageAccountName')]"
    },
    "resources": [       
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "[parameters('storageAccountName')]",
            "location": "[parameters('location')]",
            "tags": "[parameters('tags')]",
            "sku": {
                "name": "[parameters('storageAccountSKU')]",
                "tier": "[parameters('storageAccountTier')]"
            },
            "kind": "StorageV2",
            "properties": {
                "minimumTlsVersion": "TLS1_2"
            }
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2022-04-01",
            "name":"[parameters('rgGuid')]",
            "scope": "[concat('Microsoft.Storage/storageAccounts', '/', parameters('storageAccountName'))]",
            "dependsOn": [
                "[parameters('storageAccountName')]"
            ],
            "properties": {
                "roleDefinitionId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
                "principalId": "[parameters('principalId')]"
            }
        }   
    ],
    "outputs": {}
}

Expected response (i.e. "I expected no noise since the template has not been modified since the resources were deployed"): Nothing. No changes.

Current (noisy) response (either include a screenshot of the what-if output, or copy/paste the text)

  ~ Microsoft.Storage/storageAccounts/mystorage/providers/Microsoft.Authorization/roleAssignments/b6566b6e-8104-5178-a942-3445b71c66f5 [2022-04-01]
    - properties.principalId: "01234567-zzzz-yyyy-xxxx-000000000000"

Philippe85 commented 1 year ago

Can you deal with this noise?

alex-frankel commented 1 year ago

Hi @Philippe85 - At this time, we are working on redesigning the what-if API to better handle noise issues more generally and are not addressing individual noise issues at this time. Most what-if noise issues are issues with individual Resource Providers not properly modelling their API in their REST API specification, so you are encouraged to open a support ticket with the individual Resource Provider team for anything urgent.
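
Added example, not part of the thread or of the what-if project: until the noise is fixed upstream, a reviewer can sort what-if changes so that the `properties.principalId` deletion reported above is labelled as known noise while every other role-assignment change still reaches a human. The dictionary layout (`changes`, `resourceId`, `changeType`, `delta`, `path`, `propertyChangeType`) is assumed from the what-if JSON result, and `SAMPLE` is constructed from the IDs quoted in the report plus placeholders.

```python
# Triage what-if changes so the principalId noise from this issue does not
# bury real RBAC changes. Field names are assumed from the what-if JSON result;
# SAMPLE is constructed (placeholders in <>), not captured output.
RA = "/providers/Microsoft.Authorization/roleAssignments/"
SA = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
      "Microsoft.Storage/storageAccounts/mystorage")
SAMPLE = {"changes": [
    {"resourceId": SA, "changeType": "NoChange", "delta": []},
    {"resourceId": SA + RA + "b6566b6e-8104-5178-a942-3445b71c66f5",
     "changeType": "Modify",
     "delta": [{"path": "properties.principalId", "propertyChangeType": "Delete",
                "before": "01234567-zzzz-yyyy-xxxx-000000000000", "after": None}]},
    {"resourceId": SA + RA + "<constructed-guid-1>", "changeType": "Modify",
     "delta": [{"path": "properties.roleDefinitionId",
                "propertyChangeType": "Modify",
                "before": "<role-a>", "after": "<role-b>"}]},
    {"resourceId": SA + RA + "<constructed-guid-2>", "changeType": "Create",
     "delta": []},
]}

NOISE_PATHS = {"properties.principalId"}  # the only pattern reported in this issue

def classify(change):
    """Return 'unchanged', 'other', 'known-noise' or 'rbac-review'."""
    if change.get("changeType") in ("NoChange", "Ignore"):
        return "unchanged"
    if RA.lower() not in change.get("resourceId", "").lower():
        return "other"
    delta = change.get("delta") or []
    # Noise only if *every* delta entry is a Delete of a listed path; any other
    # property or change type on a role assignment goes to a human reviewer.
    if change.get("changeType") == "Modify" and delta and all(
            d.get("path") in NOISE_PATHS
            and d.get("propertyChangeType") == "Delete" for d in delta):
        return "known-noise"
    return "rbac-review"

def triage(result):
    """Group short resource names by bucket; nothing is dropped."""
    buckets = {}
    for change in result.get("changes", []):
        name = change["resourceId"].rsplit("/", 1)[-1]
        buckets.setdefault(classify(change), []).append(name)
    return buckets

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {names}")
```

The `known-noise` bucket is still listed in the output, so a reviewer can confirm that the deployed assignment really holds the expected principal before accepting it.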