Menu
I am doing an incremental ARM Template update as below and the first time I run it, it works, and every subsequent deployment I get this error:
Updating SQL Role Assignment Scope is not permitted. You may only update the associated Role Definition
I have even changed the ARM Template to use the exact ARM code that is already there and generated from the Azure Portal script and it still throws the same error.
I have seen this ticket: Incremental redeployment of an ARM Template with Role Assignments throws an error, but the answer isn't helpful, so wonder if this is different since it relates to CosmosDB
"variables": {
"cosmosDatabaseRoleDefinitionName": "[format('{0}_{1}_{2}_readwrite', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]",
"cosmosDatabaseRoleDefinitionId": "[guid(variables('cosmosDatabaseRoleDefinitionName'))]",
"cosmosDatabaseRoleAssignmentId": "[guid(variables('cosmosDatabaseRoleDefinitionName'), parameters('appServiceName'))]"
},
// lots of other resources
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "AddAppToComosDb",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
"apiVersion": "2021-06-15",
"name": "[format('{0}/{1}', parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleAssignmentId'))]",
"properties": {
"roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions',parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleDefinitionId'))]",
"principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('appServiceName')), '2019-08-01', 'full').identity.principalId]",
"scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts/dbs/colls', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]"
},
"dependsOn": [
"[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]",
"[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleDefinitionId'))]"
]
}
},
"resourceGroup": "[parameters('sharedResourceGroupName')]"
}
]
}
922
Ok sorted this.
It appears it will create the assignment fine as is, but for updating you have to have the subscription ID specified in roleDefinitionId and principalId.
To me, it seems a bug that one works and the other doesn't
"properties": {
"roleDefinitionId": "[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions',parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleDefinitionId'))]",
"principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('appServiceName')), '2019-08-01', 'full').identity.principalId]",
"scope": "[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/dbs/colls', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]"
},
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With