
--include-role-assignment not working #573

Closed
giuliohome opened this issue Nov 10, 2024 · 6 comments · Fixed by #574 or #576
Labels
bug Something isn't working

Comments

@giuliohome

I have tried

aztfexport rg --include-role-assignment my-rg

and I've found no role assignment in the generated main.tf

while they are present and I can see them from az role assignment list --resource-group my-rg and they are directly assigned to the resource group.

@giuliohome giuliohome changed the title --include-resource-group not working --include-role-assignment not working Nov 10, 2024
@giuliohome
Author

Repro:

  • create my-rg resource group
  • assign the owner as shown in the screenshot, from Access control (IAM) > Role assignments
  • run the command reported below
  • check the main.tf

[screenshot: role assignment in Access control (IAM), not reproduced here]

$ aztfexport rg --include-role-assignment --output-dir tf_test -n my-rg 
$ cat tf_test/main.tf 
resource "azurerm_resource_group" "res-0" {
  location = "westeurope"
  name     = "my-rg"
}

@giuliohome
Author

Also this command returns all the info about the role assignment

az graph query -q "AuthorizationResources 
    | where type == 'microsoft.authorization/roleassignments' 
    and properties.scope == '/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}'"

@giuliohome
Author

Thank you very much for the prompt support!

@giuliohome
Author

The role assignment is still missing after the fix if the resource group is empty: in that case the list of resources contains the rg but not the ra.

$ aztfexport rg --append --include-role-assignment --output-dir tf_test_fix -n my-rg
⣯  Importing resources...
(1/1) Importing /subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourceGroups/my-rg as azurerm_resource_group.res-0

On the other side I confirm the same role assignment is exported when the resource group is not empty, so the root cause has been identified somehow.
I think the issue should be reopened, thanks.

@giuliohome
Author

giuliohome commented Nov 11, 2024

I believe the issue is that, when the resource group is empty, azlist currently needs the --authorization-scope-filter flag (e.g. "AtScopeAboveAndBelow") and --arg-table "AuthorizationResources" to retrieve role assignments. These flags aren’t included when using rg instead of query.

In fact, the following command works:

$ aztfexport query --arg-authorization-scope-filter "AtScopeAboveAndBelow" --include-role-assignment --arg-table "AuthorizationResources" --output-dir tf_test -n "properties.scope == '/subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourcegroups/my-rg'"

The output file tf_test/main.aztfexport.tf contains the expected azurerm_role_assignment resource in that case.

When resources are present, azlist may capture role assignments due to broader enumeration within the resource group. Therefore, instead of programmatically adding the resource group after receiving an empty result (which is too late in the process), a more reliable fix would be to adjust azlist to ensure it includes the resource group scope directly. This would make azlist consistently retrieve role assignments at the group level, regardless of content.

Fundamentally, a resource group belongs to ResourceContainers, not to Resources.

$ azlist -s '53695a56-bab1-42e1-b477-56901ef22e79' --extension Microsoft.Authorization/roleAssignments  --table ResourceContainers 'name == "my-rg"'
/subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourceGroups/my-rg
/subscriptions/53695a56-bab1-42e1-b477-56901ef22e79/resourceGroups/my-rg/providers/Microsoft.Authorization/roleAssignments/7706404e-2d54-48c6-ba34-08ec3b0d5335
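
A post-export check for the gap this thread describes, written as an added example (it is not code from the issue or from the aztfexport/azlist projects): it parses the azurerm_role_assignment blocks of a generated main.tf and diffs them against the role assignments a Resource Graph query on AuthorizationResources returns for the resource-group scope, so a silently dropped assignment on an empty resource group is reported instead of going unnoticed. The subscription id, principal and role-definition GUIDs, and the two main.tf samples are constructed placeholders; the JSON shape mirrors `az graph query` output with properties.scope, properties.principalId and properties.roleDefinitionId.

```python
import json
import re
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
RG_SCOPE = SUB + "/resourcegroups/my-rg"
# Constructed sample: what aztfexport wrote for the empty resource group in this issue.
MAIN_TF_BUGGY = '''
resource "azurerm_resource_group" "res-0" {
  location = "westeurope"
  name     = "my-rg"
}
'''
# Constructed sample: the same export once the role assignment is included (placeholder GUIDs).
MAIN_TF_FIXED = MAIN_TF_BUGGY + '''
resource "azurerm_role_assignment" "res-1" {
  principal_id       = "22222222-2222-2222-2222-222222222222"
  role_definition_id = "%s/providers/Microsoft.Authorization/roleDefinitions/33333333-3333-3333-3333-333333333333"
  scope              = "%s/resourceGroups/my-rg"
}
''' % (SUB, SUB)
# Constructed sample shaped like `az graph query` output for the AuthorizationResources table.
GRAPH_JSON = json.dumps({"data": [{
    "id": RG_SCOPE + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
    "properties": {"scope": RG_SCOPE, "principalId": "22222222-2222-2222-2222-222222222222",
                   "roleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/33333333-3333-3333-3333-333333333333"}}]})

BLOCK_RE = re.compile(r'resource\s+"azurerm_role_assignment"\s+"[^"]+"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def exported_assignments(tf_text):
    """(scope, principal_id, role_definition_id) triples from main.tf. Lower-cased because ARM ids
    differ in case between tools (resourceGroups vs resourcegroups, as seen in this thread)."""
    found = set()
    for m in BLOCK_RE.finditer(tf_text):
        a = dict(ATTR_RE.findall(m.group(1)))
        found.add(tuple(a.get(k, "").lower() for k in ("scope", "principal_id", "role_definition_id")))
    return found

def live_assignments(graph_json, rg_scope):
    """Same triples for Resource Graph rows whose scope is exactly the resource group."""
    keys = set()
    for row in json.loads(graph_json)["data"]:
        p = row["properties"]
        if p["scope"].lower() == rg_scope.lower():
            keys.add((p["scope"].lower(), p["principalId"].lower(), p["roleDefinitionId"].lower()))
    return keys

def missing_assignments(tf_text, graph_json, rg_scope=RG_SCOPE):
    """Role assignments Azure reports at the RG scope that the export does not contain."""
    return sorted(live_assignments(graph_json, rg_scope) - exported_assignments(tf_text))
```

Assignments inherited from above the resource group are excluded by the exact-scope comparison, matching the directly assigned case reported here; `missing_assignments(MAIN_TF_BUGGY, GRAPH_JSON)` returns the dropped Owner-style assignment while the fixed sample returns an empty list.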

@magodo
Collaborator

magodo commented Nov 12, 2024

@giuliohome You're right! I missed the empty resource group case.
