Timing issue between Graph Group and RBAC assignment. #15991

Open
DeeNaxic opened this issue Jan 3, 2025 · 1 comment
DeeNaxic commented Jan 3, 2025

Bicep version
Built on an Azure build agent:

  • Task AzureCLI, task version 2.249.8
  • Bicep version 0.31.92

```text
azure-cli                         2.67.0
core                              2.67.0
telemetry                          1.1.0
azure-devops                       1.0.1
msal                              1.31.0
azure-mgmt-resource               23.1.1
```

bicepconfig.json (graph extension)

```json
"extensions": {
    "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
  }
```

Describe the bug
In Bicep, when deploying an Entra group and then immediately assigning RBAC permissions, the group cannot be found. The returned error explains this very issue and suggests a fix. The CLI error when running a deploy:

```text
Principal <guid> does not exist in the directory <guid>. Check that you have the correct principal ID. If you are creating this principal and then immediately assigning a role, this error might be related to a replication delay. In this case, set the role assignment principalType property to a value, such as ServicePrincipal, User, or Group.  See https://aka.ms/docs-principaltype (Code:PrincipalNotFound)
```

This makes sense: the group HAS just been created. However, the suggested change to fix it is already implemented.

..
```bicep
// Role assignment posted in the issue. `target`, `name`, `groupId` and `role`
// are parameters/variables declared elsewhere in the author's template.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope       : target
  name        : guid('rbac-${name}-${groupId}-${role}')
  properties  : {
    principalType     : 'Group'   // already set, as the error message suggests
    principalId       : groupId
    roleDefinitionId  : '/providers/Microsoft.Authorization/roleDefinitions/${role}'
  }
}
```
..

From Googling, it appears that other people who ran into this issue fixed it by setting the principalType, but all of those have been for UAIs and similar; it doesn't work for groups. When running the code again, everything works as expected, presumably since the group is now ready.

To Reproduce
Deploy an Entra group using the Graph Bicep extension, then assign an RBAC role immediately after.
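The pipeline-side workaround for the replication delay described above, as an added example that is not part of the issue or of the Bicep project: a shell wrapper for the AzureCLI task that re-runs the deployment only while the failure is the `PrincipalNotFound` error quoted in the issue, and surfaces any other error unchanged so that a genuine authorization or template problem is not masked by blind retries. The function names, the attempt/delay parameters and the `az deployment group create` invocation in the usage line are assumptions; the error-code string is taken from the message above.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the Bicep project).
# Assumption: the wrapped deploy command prints the Azure error text to stderr,
# as `az deployment group create` does.

is_principal_not_found() {
  # $1: captured stderr text. Returns 0 only for the replication-delay error
  # code quoted in the issue; any other failure must not be retried.
  printf '%s' "$1" | grep -q 'Code:PrincipalNotFound'
}

retry_on_principal_not_found() {
  # Usage: retry_on_principal_not_found MAX_ATTEMPTS DELAY_SECONDS cmd args...
  # Re-runs cmd while it fails with PrincipalNotFound; returns 0 on success,
  # 1 on any other error or when MAX_ATTEMPTS is exhausted.
  local max="$1" delay="$2"; shift 2
  local attempt=1 err
  while :; do
    # Capture stderr only; stdout of the deploy is not needed for the decision.
    if err="$("$@" 2>&1 >/dev/null)"; then
      return 0
    fi
    if ! is_principal_not_found "$err"; then
      printf '%s\n' "$err" >&2        # different error: fail fast, do not mask it
      return 1
    fi
    if [ "$attempt" -ge "$max" ]; then
      printf 'PrincipalNotFound persisted after %d attempts\n' "$attempt" >&2
      return 1
    fi
    attempt=$((attempt + 1))
    sleep "$delay"                    # give directory replication time to catch up
  done
}

# Example usage inside the AzureCLI task (resource group and template are
# assumed names): up to 5 attempts, 30 seconds apart.
#   retry_on_principal_not_found 5 30 \
#     az deployment group create -g "$RESOURCE_GROUP" -f main.bicep
```

The wrapper deliberately keys on the error code rather than on a generic non-zero exit, so an `AuthorizationFailed` or template validation error still stops the pipeline on the first run. The second run of the same template is idempotent because the role assignment `name` is a deterministic `guid(...)`, which is what makes re-running the whole deployment safe here.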

jeskew (Contributor) commented Jan 7, 2025

@DeeNaxic I don't think you're doing anything wrong here; RBAC assignments are known to be "eventually consistent" in some cases (i.e., the resource may not be immediately available for use when provisioning is complete). This is one of our main use cases for #1013

Projects
Status: Todo
Development

No branches or pull requests

2 participants