Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

Azure.Provisioning.{Resource}.CreateRoleAssignment(Role, ManagedIdentity) creates invalid bicep when managed identity in same deployment #47265

Open davidfowl opened 3 hours ago

davidfowl commented 3 hours ago
// Namespaces and the Infrastructure instance are not in the original snippet; they are assumed here (Azure.Provisioning 1.x).
using Azure.Provisioning;
using Azure.Provisioning.Roles;
using Azure.Provisioning.Storage;

var infra = new Infrastructure();

// User-assigned managed identity declared in the same deployment as the storage account
var identity = new UserAssignedIdentity("managedIdentity");

infra.Add(identity);

var account = new StorageAccount("sa2")
{
    Sku = new() { Name = StorageSkuName.StandardLrs },
    Kind = StorageKind.StorageV2
};

infra.Add(account);

// Role assignment whose generated bicep name is derived from identity.properties.principalId
infra.Add(account.CreateRoleAssignment(StorageBuiltInRole.StorageBlobDataContributor, identity));

This creates invalid bicep:

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: take('managedIdentity-${uniqueString(resourceGroup().id)}', 128)
  location: location
  tags: tags
}

resource sa2 'Microsoft.Storage/storageAccounts@2024-01-01' = {
  name: take('sa2${uniqueString(resourceGroup().id)}', 24)
  kind: 'StorageV2'
  location: location
  sku: {
    name: 'Standard_LRS'
  }
}

resource sa2_managedIdentity_StorageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa2.id, managedIdentity.properties.principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))
  properties: {
    principalId: managedIdentity.properties.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
    principalType: 'ServicePrincipal'
  }
  scope: sa2
}

Which results in the following error:

This expression is being used in an assignment to the "name" property of the "Microsoft.Authorization/roleAssignments" type, which requires a value that can be calculated at the start of the deployment. Properties of managedIdentity which can be calculated at the start include "apiVersion", "id", "name", "type". (BCP120: https://aka.ms/bicep/core-diagnostics#BCP120)
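As an added illustration (not part of the issue and not the SDK's own output), this is the shape of a role assignment that passes BCP120 for the same resources: the `name` seed uses `managedIdentity.id`, which the diagnostic lists as calculable at deployment start, while `principalId` is still read from the deployed identity for the assignment itself. The assumption is that `sa2` and `managedIdentity` are the two resources from the generated bicep above.

```bicep
// Added example: deterministic role assignment name built only from values
// known at the start of the deployment (resource ids and the role definition id).
// Keeping the seed stable also keeps redeploys idempotent: the same guid is
// produced each time, so no duplicate assignments accumulate.
resource sa2_managedIdentity_StorageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa2.id, managedIdentity.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))
  properties: {
    // principalId is only resolved after the identity is created; that is fine here
    // because it is a property value, not part of the resource name.
    principalId: managedIdentity.properties.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
    principalType: 'ServicePrincipal'
  }
  // Scope stays at the storage account so the identity gets no broader access than the role needs.
  scope: sa2
}
```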
github-actions[bot] commented 3 hours ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.