Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

EPAC Resource Policy Reader Role requires Microsoft.Resources/subscriptions/resourceGroups/read #545

Closed benjaminpieplow closed 6 months ago

benjaminpieplow commented 7 months ago

Describe the bug The custom role EPAC Resource Policy Reader defined in App Registrations Setup does not define a permission to read resource groups. This causes the plan stage to see zero Resource Groups: [image]

This introduces further downstream issues when planning dynamic notScopes, as they require a list of resource groups to calculate.

To Reproduce This should be reproducible in all greenfield deployments, unless additional permissions were granted to the sc-pac-plan service connections/App Registrations.

Expected behavior Scope tree should include Resource group count >0

Next Steps I think the easiest way to resolve this would be to add the previously mentioned permission to documentation, very similar to #496. I was able to resolve the issue by assigning the Microsoft.Resources/subscriptions/resourceGroups/read permission to the EPAC Resource Policy Reader custom role.

EPAC Version Version of EPAC module you are using.
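The workaround described in this issue, as an added example that is not part of the EPAC project or the reporter's post: check whether a custom role actually grants an RBAC action (Azure evaluates Actions minus NotActions, with `*` wildcards) and add it if missing. It assumes an authenticated Az PowerShell session with rights to modify role definitions; the role name and action come from the issue above.

```powershell
# Added example (not EPAC's own code): verify that a custom role grants a
# given RBAC action and add it when it is absent.
# Assumes Connect-AzAccount has already been run with sufficient rights.
param(
    [string]$RoleName = 'EPAC Resource Policy Reader',
    [string]$Action   = 'Microsoft.Resources/subscriptions/resourceGroups/read'
)

# Azure grants an action when it matches an entry in Actions and no entry in
# NotActions. '*' matches any characters, including '/', and matching is
# case-insensitive; PowerShell's -like operator has the same semantics.
function Test-RoleGrantsAction {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Action)
    $allowed = @($Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) { throw "Role '$RoleName' was not found in the current tenant." }

if (Test-RoleGrantsAction -Actions $role.Actions -NotActions $role.NotActions -Action $Action) {
    Write-Host "'$RoleName' already grants $Action"
}
else {
    Write-Host "'$RoleName' is missing $Action; adding it to the role definition"
    $role.Actions.Add($Action)
    # Set-AzRoleDefinition updates the existing custom role in place.
    Set-AzRoleDefinition -Role $role | Out-Null
}
```

Run it as the identity that administers the custom role, not as the sc-pac-plan service principal, which by design should only hold read permissions.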

techlake commented 7 months ago

Sorry, a regression