 

Incremental redeployment of an ARM Template with Role Assignments throws an error

If I use Azure Pipelines to do an 'Incremental' 'Resource Group' scoped deployment of an ARM template containing Role Assignments, it seems I can't rerun/redeploy the pipeline without receiving an error on the Role Assignment resource:

RoleAssignmentUpdateNotPermitted: Tenant ID, application ID, principal ID, and scope are not allowed to be updated.

This looks like an obvious issue that must have a common workaround? Am I expected to break out the Role Assignments into a separate template, and perhaps delete and re-create the role assignments on each deployment?

JohnKoz asked Oct 15 '25 08:10


1 Answer


Just as you said, this is an obvious issue. For the same scope or resource, you can only assign the same role to a service principal once.

So, there is an existing role assignment with the same name that you are trying to create through this template, and it ends up giving the error "RoleAssignmentUpdateNotPermitted".

To resolve this issue, we need to ensure that each deployment to a different resource group uses a different GUID for the role assignment, but at the same time, ensure that the same one is used when deploying to the same resource group.

We could use the guid function! It takes one or more strings that are used to calculate a hash, very much like the uniqueString function; only this one generates a string in GUID format instead:

{
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "[guid(resourceGroup().id, 'monitoringUsers')]",
  "properties": {
    "roleDefinitionId": "[parameters('roleDefinitionId')]",
    "principalId": "[parameters('principalId')]"
  }
}

You could refer to the document Defining RBAC Role Assignments in ARM Templates for some more details.

Leo Liu-MSFT answered Oct 19 '25 01:10


