Support for Role Assignments #446

Closed
steve-twin-tech opened this issue Aug 23, 2023 · 4 comments · Fixed by #468
Labels
enhancement New feature or request

Comments

@steve-twin-tech

steve-twin-tech commented Aug 23, 2023

While reviewing our use case and working through a PoC, I am having trouble with role assignments. I see a note in Microsoft documentation of known limitations regarding the scope of the export which references role assignments. What this isn't clear on is whether there is a way to utilize aztfexport that would support role assignments.

If there's somewhere other than issues for me to submit simple questions like this, please let me know.

@magodo
Collaborator

magodo commented Aug 24, 2023

The role assignment resource should be able to export via aztfexport resource mode, whilst it won't be covered by the other modes like rg or query. Especially for query mode, that is because the role assignment resource is not a tracked resource that is identified by ARG, so it won't be listed.

magodo added the "question (Further information is requested)" label Aug 24, 2023
@steve-twin-tech
Author

Thank you. I tried a couple of different things, but I'm still not getting it.

  1. First, I ran aztfexport resource for a resource group and a resource. The primary TF generated was correct, but did not include role assignments.

  2. Second, I tried to run aztfexport similar to how you retrieve these through the API, but received an error instead.

  • API calls using GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01 are successful.
  • Export ran as aztfexport resource /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/roleAssignments fails with Error: invalid resource id: missing sub-type name.

Update: I may have found it. In the API output there is a guid after roleAssignments in the ID of the assignment. It looks like I'll need to retrieve unique assignments through az cli or similar to get the full IDs. Then I can potentially loop the results and run an aztfexport resource --append for each.
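The loop sketched in the update above, written out as an added shell example (not code from the aztfexport project or from the commenter). It assumes the IDs come from `az role assignment list --scope <scope> --query "[].id" -o tsv` (Azure CLI flags assumed), checks that each ID actually ends in the assignment GUID, which is the "sub-type name" the error above was missing, and only then emits an aztfexport resource --append command for it. The sample IDs are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of aztfexport. Validates full role assignment IDs
# and emits (or, with RUN=1, executes) one `aztfexport resource --append`
# per ID so each assignment ends up in the same .tf/.tfstate.
#
# Typical source of IDs (Azure CLI, flags assumed):
#   az role assignment list --scope "$SCOPE" --query "[].id" -o tsv | emit_append_commands

# Return 0 if $1 carries the assignment GUID after .../roleAssignments/, else 1.
is_role_assignment_id() {
  case "$1" in
    */providers/Microsoft.Authorization/roleAssignments/????????-????-????-????-????????????) return 0 ;;
    *) return 1 ;;
  esac
}

# Read IDs on stdin (one per line); skip collection-style IDs without a GUID,
# since aztfexport rejects those with "missing sub-type name".
emit_append_commands() {
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    if ! is_role_assignment_id "$id"; then
      echo "skip: not a full role assignment id: $id" >&2
      continue
    fi
    if [ "${RUN:-0}" = 1 ]; then
      aztfexport resource --append "$id"
    else
      printf 'aztfexport resource --append %s\n' "$id"
    fi
  done
}

# Constructed sample input: one full assignment ID and one collection ID
# (the shape that produced the error in the thread). Placeholders, not real.
SAMPLE_IDS='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Authorization/roleAssignments/11111111-2222-3333-4444-555555555555
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Authorization/roleAssignments'

# Dry run over the sample: prints the one valid command, warns on the other.
printf '%s\n' "$SAMPLE_IDS" | emit_append_commands
```

Reviewing the emitted commands before setting RUN=1 is the cheap place to catch an assignment you did not intend to bring under Terraform management.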

@DJ4ddi

DJ4ddi commented Oct 25, 2023

Importing the role assignments with aztfexport resource --append isn't really useful. It requires more steps than writing the resource yourself:

  • Querying the assignment ID(s) using Azure CLI.
  • Merging the additional .tf and .tfstate files.
  • Changing the resource name because the command doesn't support name patterns.
  • Adding a role_definition_id and/or role_definition_name, one of which is required to create a valid assignment.
  • Adding a dependency for the principal that it references.
  • Changing the principal ID to reference the service represented by the identity.

I feel like this should be covered by the initial import or at least require less manual work to append later.
