Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

Add Microsoft.Authorization/roleAssignments/read #497

Closed benjaminpieplow closed 6 months ago

benjaminpieplow commented 6 months ago

Fixes #496, I'm fairly sure I caught all references.

The sc-pac-plan App Registration (Via) does not receive the Microsoft.Authorization/roleAssignments/read role when given the custom EPAC Resource Policy Reader Role (Via), which is required to list role assignments on management groups. This causes the Plan stage to fail enumerating role assignments, leading to a warning during Plan, and always requiring the Deploy Roles stage to run when using a more advanced pipeline.

This role is defined in the documentation at:

https://azure.github.io/enterprise-azure-policy-as-code/ci-cd-app-registrations/#custom-epac-resource-policy-reader-role
https://azure.github.io/enterprise-azure-policy-as-code/create-policy-reader-role/
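The gap this PR closes is a custom role definition that lacks one action. The following is an added example, not code from this PR or from the EPAC project: an offline check that a custom role definition (or the union of several assigned to a principal) actually grants the actions the Plan stage needs, applying Azure RBAC's matching rules (case-insensitive, `*` matches any characters including `/`, `NotActions` subtract from `Actions`). The two role definitions, the `REQUIRED_ACTIONS` list and the management-group name `contoso` are constructed for illustration and do not claim to reproduce the project's documented role verbatim.

```python
"""Offline check that an Azure custom role definition grants the actions the
EPAC Plan stage needs.

Added example, not code from the enterprise-azure-policy-as-code project.
The role definitions and REQUIRED_ACTIONS below are constructed for
illustration; they do not claim to reproduce the project's documented role.
Azure RBAC matching rules applied: an action is granted when it matches at
least one entry in Actions (case-insensitive, '*' matches any characters,
including '/') and matches no entry in NotActions.
"""
import re

# Actions assumed necessary to read policy assignments and role assignments
# at management-group scope (assumption for this illustration).
REQUIRED_ACTIONS = (
    "Microsoft.Authorization/policyAssignments/read",
    "Microsoft.Authorization/roleAssignments/read",
)

# Constructed "before" definition: a reader role without roleAssignments/read.
READER_ROLE_BEFORE = {
    "Name": "EPAC Resource Policy Reader",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Authorization/policyAssignments/read",
        "Microsoft.Authorization/policyDefinitions/read",
        "Microsoft.Authorization/policySetDefinitions/read",
        "Microsoft.Authorization/policyExemptions/read",
        "Microsoft.Management/managementGroups/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/providers/Microsoft.Management/managementGroups/contoso"],
}

# Constructed "after" definition: the same role with the missing action added.
READER_ROLE_AFTER = {
    **READER_ROLE_BEFORE,
    "Actions": READER_ROLE_BEFORE["Actions"]
    + ["Microsoft.Authorization/roleAssignments/read"],
}


def _action_pattern(entry: str) -> re.Pattern:
    # Escape the operation string, then turn each '*' into '.*' so that an
    # entry like 'Microsoft.Authorization/*/read' also covers
    # 'Microsoft.Authorization/roleAssignments/read'.
    return re.compile(
        "^" + ".*".join(map(re.escape, entry.split("*"))) + "$", re.IGNORECASE
    )


def _matches_any(action: str, entries) -> bool:
    return any(_action_pattern(e).match(action) for e in entries)


def role_grants(role_def: dict, action: str) -> bool:
    """True when the role definition grants `action` (Actions minus NotActions)."""
    return _matches_any(action, role_def.get("Actions", [])) and not _matches_any(
        action, role_def.get("NotActions", [])
    )


def missing_actions(role_defs, required=REQUIRED_ACTIONS):
    """Required actions that none of the given role definitions grants.

    A principal's effective permissions are the union of every role assigned
    to it, so pass all of its role definitions together.
    """
    return [a for a in required if not any(role_grants(r, a) for r in role_defs)]


if __name__ == "__main__":
    for label, role in (("before", READER_ROLE_BEFORE), ("after", READER_ROLE_AFTER)):
        print(label, "missing:", missing_actions([role]))
```

Run against the "before" definition the check reports `Microsoft.Authorization/roleAssignments/read` as missing, which is the condition that makes the Plan stage fail to enumerate role assignments; the "after" definition reports nothing missing. Feeding it the JSON exported from `Get-AzRoleDefinition` for the service principal's roles gives the same answer for a real tenant.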

benjaminpieplow commented 6 months ago

@microsoft-github-policy-service agree