Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases
MIT License
89 stars 7 forks

Second deployment of roleDefinition fails #160

Closed vRune4 closed 2 weeks ago

vRune4 commented 6 months ago

Describe the bug
First deployment works fine, but subsequent deployments fail.

Workaround: Revert to 'az deployment'.

To Reproduce
Steps to reproduce the behavior:

  1. Define a 'Microsoft.Authorization/roleDefinitions@2022-04-01' resource in main.bicep
  2. az stack sub create --name testdeployment --template-file .\main.bicep --location "norway east" --output table --deny-settings-mode none
  3. Repeat step 2!
  4. See error

Expected behavior
Second deploy should work just fine.

Actual behavior

(DeploymentStackDeploymentFailed) One or more resources could not be deployed. Correlation id: 'a1f35cc3-b718-4255-8daf-3deaf35cd090'.
Code: DeploymentStackDeploymentFailed
Message: One or more resources could not be deployed. Correlation id: 'a1f35cc3-b718-4255-8daf-3deaf35cd090'.
Exception Details:      (DeploymentFailed) At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
        Code: DeploymentFailed
        Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
        Target: /subscriptions/d3bf3458-9766-4f50-9a38-898234c72bfe/providers/Microsoft.Resources/deployments/testdeployment-24040513fz7r2
        Exception Details:      (LinkedAuthorizationFailed) The client 'XXXXXXXX-YYYY-YYYY-YYYY-b1ce8853fba3' with object id 'XXXXXXXX-YYYY-YYYY-YYYY-b1ce8853fba3' has permission to perform action 'Microsoft.Authorization/roleDefinitions/write' on scope '/subscriptions/XXXXXXXX-YYYY-YYYY-YYYY-ZZZZZZZZZZZZ/providers/Microsoft.Authorization/roleDefinitions/83d8bcd4-ba85-52f2-9f6c-0b14be9a5fe6'; however, it does not have permission to perform action(s) 'Microsoft.Authorization/roleDefinitions/write' on the linked scope(s) '/subscriptions/XXXXXXXX-YYYY-YYYY-YYYY-ZZZZZZZZZZZZ (respectively) or the linked scope(s) are invalid.
                Code: LinkedAuthorizationFailed
                Message: The client 'XXXXXXXX-YYYY-YYYY-YYYY-b1ce8853fba3' with object id 'XXXXXXXX-YYYY-YYYY-YYYY-b1ce8853fba3' has permission to perform action 'Microsoft.Authorization/roleDefinitions/write' on scope '/subscriptions/XXXXXXXX-YYYY-YYYY-YYYY-ZZZZZZZZZZZZ/providers/Microsoft.Authorization/roleDefinitions/83d8bcd4-ba85-52f2-9f6c-0b14be9a5fe6'; however, it does not have permission to perform action(s) 'Microsoft.Authorization/roleDefinitions/write' on the linked scope(s) '/subscriptions/XXXXXXXX-YYYY-YYYY-YYYY-ZZZZZZZZZZZZ' (respectively) or the linked scope(s) are invalid.

Repro Environment
Host OS: Windows
PowerShell Version: 7.4.1
{
  "azure-cli": "2.59.0",
  "azure-cli-core": "2.59.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "account": "0.2.5",
    "aks-preview": "0.5.161",
    "alb": "0.2.0",
    "azure-devops": "0.26.0"
  }
}

Server Debugging Information
Correlation ID: ed669ed5-9399-4607-aff0-6fa6fbc6129c
Tenant ID:
Timestamp of issue (please include time zone): 2024-04-05 16:09 CEST
Data Center (eg, West Central US, West Europe): norway east

Additional context
Works fine when not using stacks.

main.bicep:

targetScope = 'subscription'

var roleName = 'Custom Role - Deployment Contributor'
resource roleDeploymentContributor 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(roleName)
  properties: {
    description: 'Allows writing to the deployment'
    permissions: [{ actions: ['Microsoft.Resources/deployments/write'] }]
    roleName: roleName
    assignableScopes: [subscription().id]
  }
}
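
A triage helper for the nested error text quoted in the report above, added here as an example and not code from the deployment-stacks project: it parses the Code/Message/Target/Exception Details chain that az prints and, for a LinkedAuthorizationFailed root cause, pulls out the action the caller holds on the role definition resource but lacks on the linked scope (the role's assignableScopes). The sample error and its CLIENT-ID/OBJECT-ID/SUB-ID/ROLE-ID placeholders are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape az prints on a failed `az stack sub create`;
# the client, object, subscription and role GUIDs are placeholders.
LINKED_MSG = (
    "The client 'CLIENT-ID' with object id 'OBJECT-ID' has permission to perform action "
    "'Microsoft.Authorization/roleDefinitions/write' on scope "
    "'/subscriptions/SUB-ID/providers/Microsoft.Authorization/roleDefinitions/ROLE-ID'; "
    "however, it does not have permission to perform action(s) 'Microsoft.Authorization/roleDefinitions/write' "
    "on the linked scope(s) '/subscriptions/SUB-ID' (respectively) or the linked scope(s) are invalid."
)
SAMPLE_ERROR = f"""\
(DeploymentStackDeploymentFailed) One or more resources could not be deployed.
Code: DeploymentStackDeploymentFailed
Exception Details:      (DeploymentFailed) At least one resource deployment operation failed.
        Code: DeploymentFailed
        Target: /subscriptions/SUB-ID/providers/Microsoft.Resources/deployments/testdeployment-0001
        Exception Details:      (LinkedAuthorizationFailed) {LINKED_MSG}
                Code: LinkedAuthorizationFailed
                Message: {LINKED_MSG}
"""

# A "(Code) summary" line, optionally prefixed by "Exception Details:", opens one nested error;
# Code/Message/Target lines belong to the most recently opened one, whatever their indentation.
HEAD_RE = re.compile(r"^(?:Exception Details:\s*)?\((?P<code>[A-Za-z]+)\)\s*(?P<summary>.*)$")
FIELD_RE = re.compile(r"^(?P<key>Code|Message|Target):\s*(?P<value>.*)$")
ACTION_RE = re.compile(r"perform action(?:\(s\))? '(?P<v>[^']+)'")
SCOPE_RE = re.compile(r"on scope '(?P<v>[^']+)'")
LINKED_RE = re.compile(r"linked scope\(s\) '(?P<v>[^']+)'")


def parse_error_chain(text: str) -> List[Dict[str, str]]:
    """Return the errors outermost first, so the last element is the root cause."""
    chain: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if head := HEAD_RE.match(line):
            chain.append({"code": head["code"], "summary": head["summary"]})
        elif (field := FIELD_RE.match(line)) and chain:
            chain[-1][field["key"].lower()] = field["value"]
    return chain


def linked_authorization_gap(text: str) -> Optional[Dict[str, str]]:
    """For a LinkedAuthorizationFailed root cause: the action held on the resource but missing on the linked scope."""
    chain = parse_error_chain(text)
    if not chain or chain[-1]["code"] != "LinkedAuthorizationFailed":
        return None
    msg = chain[-1].get("message") or chain[-1]["summary"]
    parts = (("action", ACTION_RE), ("granted_scope", SCOPE_RE), ("missing_scope", LINKED_RE))
    return {name: (m["v"] if (m := rx.search(msg)) else "") for name, rx in parts}
```

When the missing scope is the subscription named in assignableScopes while the granted scope is the role definition itself, the principal running the stack needs roleDefinitions/write at the subscription, not only on the existing role.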

azcloudfarmer commented 5 months ago

Hello @vRune4 - thanks for the details. We will investigate on our end and get back to you in this thread.

azcloudfarmer commented 1 month ago

Hello @vRune4 - a fix has been merged and deployed for this and we should expect it to reflect in the next week

snarkywolverine commented 1 month ago

Hi @vRune4 - The change has now been released to all regions. Can you please verify?