Tags: azure-resource-manager, azure-bicep

ARM template deployment error for Appinsights roleassignments


We are using the ARM template below for role assignment in Appinsights with ADO pipelines, where the template parameters are replaced from ADO pipeline parameters. This worked for one resource deployment, and when we tried multiple resources, the ARM template deployment failed with the error below.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "RoleDefinitionId": {
            "type": "string"
        },
        "principalId": {
            "type": "string"
        },
        "AppInsightName": {
            "type": "string"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Insights/components/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[concat(parameters('AppInsightName'),'/Microsoft.Authorization/',guid('AppInsightName'))]",
            "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('RoleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}

Parameters.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "RoleDefinitionId": {
            "value": "#{roleDefinitionId}#"
        },
        "principalId": {
            "value": "#{principalId}#"
        },
        "AppInsightName": {
            "value": "#{appInsightName}#"
        }
    }
}

Input to the DevOps pipeline YAML

parameters:
  roleList:
  - rolesname: reader_Appinsight_group1
    environment: development
    principalType: Group     
    principalid: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    roleDefinitionId: acdd72axxxxxxxxxxxxxxxxxxxxx
    appInsightName: myappinsight1
    resourceGroup: myappinsight1-rg

  - rolesname: reader_Appinsight_group2
    environment: development
    principalType: Group     
    principalid: xxxxxxxxxxxxxxxxxxxxxxxxxx
    roleDefinitionId: acdd72axxxxxxxxxxxxxxxxxxxxxxxx
    appInsightName: myappinsight1
    resourceGroup: myappinsight1-rg

ERROR:

 {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n  \"error\": {\r\n    \"code\": \"RoleAssignmentUpdateNotPermitted\",\r\n    \"message\": \"Tenant ID, application ID, principal ID, and scope are not allowed to be updated.\"\r\n  }\r\n}"}]}}

Again I tried multiple options to make the role definition name unique, but got different errors.

e.g.:

    "resources": [
        {
            "type": "Microsoft.Insights/components/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[guid(resourceGroup().id, parameters('RoleDefinitionId'), parameters('principalId'))]",
            "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('RoleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]

Error for the above: The template resource 'xxxxxxxxxxxxxxxxxxxxxxxx' for type 'Microsoft.Insights/components/providers/roleAssignments' at line '18' and column '71' has incorrect segment lengths


Solution

  • The name of a roleAssignment needs to be a function of the principal, role and scope. Once a role exists for a given principal, role & scope under a given name, nothing can be changed on that role assignment.

    In your template your roleAssignment name is just a function of the appInsights resource name, which means you can have exactly one of those roleAssignments. Your guid() function in the name needs to be:

    guid(parameters('RoleDefinitionId'), parameters('principalId'), parameters('AppInsightName'))

    Note that you may have to remove some previously created roleAssignments (for the given principal, role and scope) if they were not created with the same naming algorithm before that template will successfully deploy.
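The question's template with the name fix applied, added here as an illustration (it is not the answerer's code): the guid() now takes role, principal and scope, and it stays inside the three-segment nested name (appInsightName/Microsoft.Authorization/guid) that the provider type requires, which is what the second attempt in the question lost and why it failed with "incorrect segment lengths".

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "RoleDefinitionId": { "type": "string" },
        "principalId": { "type": "string" },
        "AppInsightName": { "type": "string" }
    },
    "resources": [
        {
            "type": "Microsoft.Insights/components/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[concat(parameters('AppInsightName'), '/Microsoft.Authorization/', guid(parameters('RoleDefinitionId'), parameters('principalId'), parameters('AppInsightName')))]",
            "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('RoleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
            }
        }
    ]
}
```

Because a role assignment is immutable once created, deriving the name from all three inputs makes a rerun of the same pipeline entry idempotent, while a second group on the same App Insights resource gets a distinct name instead of an attempted update that Azure rejects with RoleAssignmentUpdateNotPermitted.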