search

Azure / bicep-types-az

Bicep type definitions for ARM resources
MIT License
86 stars 27 forks source link

roleEligibilityScheduleRequest resource is not idempotent, causing deployments to fail #1956

Open mattias-fjellstrom opened 12 months ago

mattias-fjellstrom commented 12 months ago

Bicep version Bicep CLI version 0.23.1 (b02de2da48)

Describe the bug The resource type Microsoft.Authorization/roleEligibilityScheduleRequests is not idempotent. This means if you create this resource with Bicep the first deployment will succeed, but the following deployments will fail with an error similar to A role assignment request with Id: 4e97234e-8d73-55c8-8472-853f6b754ee0 already exists

To Reproduce Create main.bicep with the following content:

targetScope = 'subscription'

param principalId string

var userAccessAdministratorRoleId = '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'

resource access 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: guid(subscription().subscriptionId, principalId, userAccessAdministratorRoleId)
  properties: {
    principalId: principalId 
    requestType: 'AdminAssign'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', userAccessAdministratorRoleId)
    scheduleInfo: {
      expiration: {
        type: 'AfterDuration'
        duration: 'P365D'
      }
    }
  }
}

Deploy the template to a subscription, e.g.:

$ principalId=<valid principal-id of a user/group/etc>
$ subscriptionId=<my subscription id>
$ location=<my azure location>
$
$ az account set -s $subscriptionId
$ az deployment sub create -n bug -f main.bicep -l westeurope --parameters principalId=$principalId

Note that your role management policies might block the deployment, this depends on your settings but my example should be valid for the default settings for any subscription.

Additional context The underlying API (as documented here) has the same non-idempotent behavior. Since this is a PUT endpoint I expect that I should be able to call it again and again with idempotent behavior.

ewaldwijnen commented 12 months ago

Hi, Mattias,

I have got it working in an onacceptabel way like this:

targetScope = 'subscription'

param principalId string

param name string = newGuid()

var userAccessAdministratorRoleId = '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'

resource access 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: name
  properties: {
    principalId: principalId 
    requestType: 'AdminAssign'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', userAccessAdministratorRoleId)
    scheduleInfo: {
      expiration: {
        type: 'AfterDuration'
        duration: 'P365D'
      }
    }
  }
}

Now it will work every time but you will get al lot of requests which is undesirable. We are not using this.

mattias-fjellstrom commented 12 months ago

@ewaldwijnen Thank you for the suggestion, but since as you say new requests are created each time this is undesirable.

aucampia commented 10 months ago

What is the ETA of fixing this?

ErHaWi commented 8 months ago

Requesting a fix for this aswell. We're trying to provision PIM eligibility for our product teams subscriptions.

aucampia commented 8 months ago

Requesting a fix for this aswell. We're trying to provision PIM eligibility for our product teams subscriptions.

I solved this by abandoning Bicep.

microsoft-github-policy-service[bot] commented 8 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft. Please see https://aka.ms/biceptypesinfo for troubleshooting help.

Dylan-Prins commented 4 months ago

is there a follow up?

duanany commented 1 month ago

Fix this please :)

alflig commented 1 month ago

Please fix??