SMB File Share Role Assignment Failing: modules/storage/storage-account/file-service/share #4346

Closed
DanGiffen opened this issue Dec 5, 2023 · 6 comments · Fixed by #4391

@DanGiffen

Describe the bug

Deployment of a new SMB file share to an existing storage account completes successfully. The deployment in the resource group reports succeeded, including the share role assignment operation too; however, no IAM\Role assignment is implemented.


To reproduce

Create a template to deploy a new SMB file share to an existing storage account. Pass role assignment array properties in with a parameter file.

Code snippet

module storageAccount1Share '../../bicep/carml0.11.0/storage/storage-account/file-service/share/main.bicep' = if(deployStorageAccount1Share) {
  scope: resourceGroup(resourceGroupStorageAccount1Name)
  name: '${uniqueString(deployment().name, location)}-deploy-sa1-share'
  params: {
    name: storageAccount1ShareName
    storageAccountName: existingStorageAccount1Name
    fileServicesName: fileServicesName
    accessTier: accessTier
    roleAssignments: storageAccount1ShareRoleAssignments
    enableDefaultTelemetry: enableDefaultTelemetry
  }
}

    "storageAccount1ShareRoleAssignments": {
      "value": [
        {
          "roleDefinitionIdOrName": "Storage File Data SMB Share Contributor",
          "description": "Storage File Data SMB Share Contributor Allows for read, write, and delete access in Azure Storage file shares over SMB",
          "principalId": "123-456-789-abcdef-ghijklmnopqrstuvwxyz"
        },
        {
          "roleDefinitionIdOrName": "Storage File Data SMB Share Contributor",
          "description": "Storage File Data SMB Share Contributor Allows for read, write, and delete access in Azure Storage file shares over SMB",
          "principalId": "123-456-789-abcdef-ghijklmnopqrstuvwxyz"
        }
      ]
    }

Relevant log output

No response

@DanGiffen DanGiffen added the bug Something isn't working label Dec 5, 2023
@github-project-automation github-project-automation bot moved this to Needs triage in Bug board Dec 5, 2023
@AlexanderSehr AlexanderSehr self-assigned this Dec 15, 2023
@AlexanderSehr
Contributor

Hey @DanGiffen,
thanks for raising this and sorry for not coming around sooner. I'll look into this as soon as I can, but likely not before mid next week.

@DanGiffen
Author

No problem and thanks @AlexanderSehr

@AlexanderSehr
Contributor

AlexanderSehr commented Dec 20, 2023

Hey @DanGiffen,

I'm still looking into this but it's a curious case in which this is what the deployment ID is
/subscriptions/.../resourceGroups/alsehr-sa-role-test-rg/providers/Microsoft.Storage/storageAccounts/.../fileServices/default/shares/automatedshare/providers/Microsoft.Authorization/roleAssignments/8245c551-44fc-5777-83b0-f14b16a2e6a9

and this is what the id is when deployed via the portal (fetching the REST payload)
/subscriptions/.../resourceGroups/alsehr-sa-role-test-rg/providers/Microsoft.Storage/storageAccounts/.../fileServices/default/fileshares/automatedshare/providers/Microsoft.Authorization/roleAssignments/20dcf0a3-fc5f-4fae-bd58-951a2b6a693e?api-version=2020-04-01-preview

The most notable difference: In the first case it's

  • fileServices/default/shares while in the second it's
  • fileServices/default/fileShares.

However, a resource provider called 'fileShares' doesn't actually exist (as you can also see here). Not quite sure what to make of it right now, but I'll keep looking.
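
A post-deployment check for the failure described in this thread (an added example, not part of the original comments and not the project's code): it compares the role assignments requested in the parameter file with those actually present at the share scope, treating the `shares` and `fileshares` spellings of the scope as the same resource. The input shape follows `az role assignment list --all -o json`; the subscription, resource group, account and principal values are constructed placeholders, and roles are assumed to be given by name.

```python
import re

# The share segment as the Bicep deployment writes it ("shares") and as the
# portal's REST call writes it ("fileshares"); both forms appear in the thread.
_SHARE_SEGMENT = re.compile(r"/fileservices/default/(?:shares|fileshares)/", re.I)

def normalize_scope(scope):
    """Lower-case a scope and fold both share-segment spellings into one."""
    return _SHARE_SEGMENT.sub("/fileservices/default/fileshares/",
                              scope.rstrip("/").lower())

def missing_assignments(share_id, expected, actual):
    """Return the expected (principalId, role name) pairs that have no role
    assignment at the share's own scope. Assignments inherited from a parent
    scope are deliberately not counted. Assumes roles are given by name."""
    target = normalize_scope(share_id)
    present = {(a["principalId"].lower(), a["roleDefinitionName"].lower())
               for a in actual if normalize_scope(a["scope"]) == target}
    return [(e["principalId"], e["roleDefinitionIdOrName"]) for e in expected
            if (e["principalId"].lower(),
                e["roleDefinitionIdOrName"].lower()) not in present]

# --- constructed sample data (placeholders, not values from the issue) ---
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "example-rg/providers/Microsoft.Storage/storageAccounts/examplesa")
SHARE_ID = ACCOUNT + "/fileServices/default/shares/automatedshare"
ROLE = "Storage File Data SMB Share Contributor"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
EXPECTED = [{"roleDefinitionIdOrName": ROLE, "principalId": PRINCIPAL}]

# State reported in the issue: deployment succeeded, nothing at the share scope.
AFTER_BICEP = [{"principalId": PRINCIPAL, "roleDefinitionName": "Reader",
                "scope": ACCOUNT}]
# State after assigning through the portal: scope uses the "fileshares" form.
AFTER_PORTAL = AFTER_BICEP + [{
    "principalId": PRINCIPAL, "roleDefinitionName": ROLE,
    "scope": ACCOUNT + "/fileServices/default/fileshares/automatedshare"}]

if __name__ == "__main__":
    for label, listing in (("bicep", AFTER_BICEP), ("portal", AFTER_PORTAL)):
        gaps = missing_assignments(SHARE_ID, EXPECTED, listing)
        print(label, "MISSING" if gaps else "ok", gaps)
```

Running such a check after the deployment turns a "succeeded" status with no effective assignment into a visible failure.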

@AlexanderSehr
Contributor

Soo... yeah ... I did some research and found this little nugget of an issue: Azure/bicep-types-az#1532

Turns out, it's a provider bug. There is a workaround suggested that essentially forces a deployment object into the Bicep template, mimicking ARM, but it's not great. I'll go ahead and implement that and try to reach out to the Product Group too.

@AlexanderSehr AlexanderSehr moved this from Needs triage to High priority in Bug board Dec 20, 2023
@AlexanderSehr AlexanderSehr linked a pull request Dec 20, 2023 that will close this issue
4 tasks
@github-project-automation github-project-automation bot moved this from High priority to Closed in Bug board Dec 21, 2023
@DanGiffen
Author

DanGiffen commented Dec 23, 2023 via email

@AlexanderSehr
Contributor

Trying to get a response already 😊
