search

Azure / aztfexport

A tool to bring existing Azure resources under Terraform's management
https://azure.github.io/aztfexport/
Mozilla Public License 2.0
1.63k stars 190 forks source link

--include-role-assignment not working #573

Closed giuliohome closed 2 weeks ago

giuliohome commented 2 weeks ago

I have tried 

aztfexport rg --include-role-assignment my-rg

and I've found no role assignment in the generated main.tf

while they are present and I can see them from az role assignment list --resource-group my-rg and they are directly assigned to the resource group.

giuliohome commented 2 weeks ago

Repro:

Image

$ aztfexport rg --include-role-assignment --output-dir tf_test -n my-rg 
$ cat tf_test/main.tf 
resource "azurerm_resource_group" "res-0" {
  location = "westeurope"
  name     = "my-rg"
}
giuliohome commented 2 weeks ago

Also this command returns all the info about the role assignment

az graph query -q "AuthorizationResources 
    | where type == 'microsoft.authorization/roleassignments' 
    and properties.scope == '/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}'"
giuliohome commented 2 weeks ago

Thank you very much for the prompt support!

giuliohome commented 2 weeks ago

The role assignment is still missing after the fix, if the resource group is empty, in that case the list of resources contains the rg but not the ra.

$ aztfexport rg --append --include-role-assignment --output-dir tf_test
_fix -n my-rg
⣯  Importing resources...
(1/1) Importing /subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourceGroups/my-rg as azurerm_resource_group.res-0

On the other side I confirm the same role assignment is exported when the resource group is not empty, so the root cause has been identified somehow. I think the issue should be reopened, thanks.

giuliohome commented 2 weeks ago

I believe the issue is that, when the resource group is empty, azlist currently needs the --authorization-scope-filter flag (e.g. "AtScopeAboveAndBelow") and --arg-table "AuthorizationResources" to retrieve role assignments. These flags aren’t included when using rg instead of query.

In fact, the following command works:

$ aztfexport query --arg-authorization-scope-filter "AtScopeAboveAndBelow" --include-role-assignment --arg-table "AuthorizationResources" --output-dir tf_test -n "properties.scope == '/subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourcegroups/my-rg'"

The output file tf_test/main.aztfexport.tf contains the expected azurerm_role_assignment resource in that case.

When resources are present, azlist may capture role assignments due to broader enumeration within the resource group. Therefore, instead of programmatically adding the resource group after receiving an empty result (which is too late in the process), a more reliable fix would be to adjust azlist to ensure it includes the resource group scope directly. This would make azlist consistently retrieve role assignments at the group level, regardless of content.

Fundamentally, a resource group belongs to ResourceContainers not to Resources.

$ azlist -s '53695a56-bab1-42e1-b477-56901ef22e79' --extension Microsoft.Authorization/roleAssignments  --table ResourceContainers 'name == "my-rg"'
/subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourceGroups/my-rg
/subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourceGroups/my-rg/providers/Microsoft.Authorization/roleAssignments/7706404e-2d54-48c6-ba34-08ec3b0d5335
magodo commented 2 weeks ago

@giuliohome You're right! I missed the case that an empty resource group case.