resourceArmRoleAssignment: Allow /providers/Micrososoft.Capacity, /providers/BillingBenefits and / as scope value

[tiwood]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

To allow principals to manage reservation orders, savings plans or global roles at / we have to assign the appropriate roles to global provider scopes like /providers/Micrososoft.Capacity.

This PR adds this string als valid scope in the resource azurerm_role_assignment.

Example:

RoleAssignmentName : 32ff27f5-1b27-46c1-bd2e-16b9f7a23d9e
RoleAssignmentId   : /providers/microsoft.capacity/providers/Microsoft.Authorization/roleAssignments/32ff27f5-1b27-46c1
                     -bd2e-16b9f7a23d9e
Scope              : /providers/microsoft.capacity
DisplayName        : SomeAdmins
SignInName         :
RoleDefinitionName : Reservations Administrator
RoleDefinitionId   : a8889054-8d42-49c9-bc1c-52486c10e7cd
ObjectId           : 00000000-0000-0000-0000-000000000000
ObjectType         : Group
CanDelegate        : False
Description        :
ConditionVersion   :
Condition          :

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_role_assignment - support for using /providers/Micrososoft.Capacity in the scope property [GH-00000]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #0000

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[catriona-m]

Thanks for adding this @tiwood, this looks good but could we add a test to ensure this works as expected? Thanks!

[tiwood]

Hi @catriona-m,
I've added a test.

[catriona-m]

Thanks @tiwood, I ran the tests and it is failing with this error:

------- Stdout: -------
=== RUN   TestAccRoleAssignment_capacityProviderScoped
=== PAUSE TestAccRoleAssignment_capacityProviderScoped
=== CONT  TestAccRoleAssignment_capacityProviderScoped
    testcase.go:113: Step 1/2 error: Error running apply: exit status 1
        Error: loading Role Definition List: unexpected status 404 (404 Not Found) with error: InvalidResourceNamespace: The resource namespace 'Micrososoft.Capacity' is invalid.
          with azurerm_role_assignment.test,
          on terraform_plugin_test.tf line 27, in resource "azurerm_role_assignment" "test":
          27: resource "azurerm_role_assignment" "test" {
--- FAIL: TestAccRoleAssignment_capacityProviderScoped (20.46s)
FAIL

If we can get this fixed up we can take another look at this. Thanks!

[tiwood]

Hi @catriona-m,

thats because the Microsoft.Capacity provider is not registered at tenant/root management group level on your side.
This is a one time action, which currently can't be done with the azurerm provider.

If you ask me, it would be better to exclude this test as the impact/issues trying to get the provider registered outweighs the benefit to verify the regex works.

WDYT?

[stephybun]

@tiwood I checked our subscription and the RP Microsoft.Capacity is registered on it. It looks like the error is being caused by a typo.

[stephybun]

Suggested change

	validation.StringMatch(regexp.MustCompile("/providers/Micrososoft.Capacity"), "Capacity scope is invalid"),
	validation.StringMatch(regexp.MustCompile("/providers/Microsoft.Capacity"), "Capacity scope is invalid"),

[stephybun]

Suggested change

	scope = "/providers/Micrososoft.Capacity"
	scope = "/providers/Microsoft.Capacity"

[tiwood]

@stephybun, you're right, I'm going to fix that. Nevertheless the provider needs to be registered on the global scope (/providers/) not on subscription scope (/subscriptions/.../providers/)

Example:

az rest --method POST --url https://management.azure.com/providers/Microsoft.CostManagementExports/register\?api-version\=2024-03-01

[stephybun]

Thanks @tiwood. We usually try to make sure our tenant/subscription has all the necessary registrations and permissions outside of Terraform to enable thorough testing. Since we lack the permissions to register this on a tenant level the acceptance test probably doesn't make a lot of sense as you say. Could you remove it, this should be good to go then.

[tiwood]

@stephybun , I've removed the tests and also added two additional items to the list of valid scopes (also updated the PR details):

• / for assignments like User Access Administrator
• /providers/Microsoft.BillingBenefits for managing Savings plans

[tiwood]

Hi @stephybun,
can we get this released this week? It would be really helpful for us.

[stephybun]

Posting for transparency, we'll go ahead and merge this without tests since our credentials wouldn't have necessary permissions to run the tests. I'm assuming/hoping you've verified that this works locally for your use case @tiwood.

Thanks @tiwood and LGTM 🦀

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.