
If I use Azure Pipelines to do an 'Incremental' 'Resource Group' scoped deployment of an ARM template containing Role Assignments, it seems I can't rerun/redeploy the pipeline without receiving an error on the Role Assignment resource:

RoleAssignmentUpdateNotPermitted: Tenant ID, application ID, principal ID, and scope are not allowed to be updated.

This looks like an obvious issue that must have a common workaround? Am I expected to break out the Role Assignments into a separate template, and perhaps delete and re-create the role assignments on each deployment?

JohnKoz

1 Answer


Incremental redeployment of an ARM Template with Role Assignments throws an error

Just as you said, this is an obvious issue. For the same scope or resource, you can only assign the same role to a service principal once.

So, there is an existing role assignment with the same name that you are trying to create through this template, and it ends up giving the error "RoleAssignmentUpdateNotPermitted".

To resolve this issue, we need to ensure that each deployment to a different resource group uses a different GUID for the role assignment, but at the same time ensure that the same one is used when deploying to the same resource group.

We could use the guid function! It takes one or more strings that are used to calculate a hash, very much like the uniqueString function; only this one generates a string in GUID format instead:

{
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "[guid(resourceGroup().id, 'monitoringUsers')]"
}

You could refer to the document Defining RBAC Role Assignments in ARM Templates for some more details.

Leo Liu
  • Thank you Leo. Just to clarify, in my case I'm deploying the identical ARM template to the same resource group. The GUID is hard-coded (for testing) so the name is the same, the role is the same, the resource is the same, etc. And I still get the above error. Are you saying I should not? – JohnKoz Feb 15 '21 at 23:33
  • @JohnKoz, Yes, According to the documentation, for the same scope or resource, you can only assign the same role to a service principal once. – Leo Liu Feb 16 '21 at 01:44
  • Thanks Leo. So how would I re-run an existing pipeline without error? The "incremental" deployment mode has ignored ARM Resources if no changes were made. A CI/CD pipeline may run often without change. Should I add a step to my pipeline to delete all role assignments, so that the pipeline can re-create them? If this is the case, the "incremental" nature of a roleAssignment ARM template seems broken? – JohnKoz Feb 16 '21 at 22:56
  • FYI, I've done some additional testing and I'm not getting errors now, suggesting it may be possible. Not sure what to believe now, but I'll continue forward. I'll mark this as an answer for the helpfulness (thank you). – JohnKoz Feb 17 '21 at 12:59
  • I am getting this same error now for Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments. I even use the exact same settings from the ARM template and it still happens. – tank104 Sep 21 '21 at 01:30
  • This doesn't answer the question. The OP is trying to run an incremental update, Bicep/ARM should be idempotent but role assignments apparently aren't in some cases. I think it's a bug. Also I am running into the same problem! – RichyRoo Feb 16 '23 at 10:34