
[Feature Request]: Opt-out creating role assignments #17

Open
2 tasks done
rswrz opened this issue Dec 17, 2024 · 2 comments
Assignees
Labels
enhancement New feature or request

Comments

@rswrz
Member

rswrz commented Dec 17, 2024

Feature Description

In certain scenarios, the user or service principal used to install the launchpad may lack permissions to create role assignments. In such cases, the customer might prefer to manually assign roles to the launchpad’s managed identity. To support this, it is useful to have the option to opt out of automatic role assignment creation.

Use Case

  • The customer might prefer to manually assign roles to the launchpad’s managed identity

Additional Information

No response

@rswrz rswrz added the enhancement New feature or request label Dec 17, 2024
@rswrz rswrz self-assigned this Dec 17, 2024
@rswrz
Member Author

rswrz commented Dec 17, 2024

Currently, a terraform plan attempting to create such role assignments will fail on terraform apply if the Launchpad itself does not have permissions to manage such role assignments on its own resource group.

Plan

Terraform will perform the following actions:

  # module.launchpad.azurerm_role_assignment.resource_specific["key_vault_admin"] will be created
  + resource "azurerm_role_assignment" "resource_specific" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "00000000-0000-0000-0000-000000000000"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Key Vault Administrator"
      + scope                            = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-launchpad-prd-euw"
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.launchpad.azurerm_role_assignment.resource_specific["storage_blob_owner"] will be created
  + resource "azurerm_role_assignment" "resource_specific" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "00000000-0000-0000-0000-000000000000"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Storage Blob Data Owner"
      + scope                            = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-launchpad-prd-euw"
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.launchpad.azurerm_role_assignment.subscription_owner["00000000-0000-0000-0000-000000000000"] will be created
  + resource "azurerm_role_assignment" "subscription_owner" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "00000000-0000-0000-0000-000000000000"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Owner"
      + scope                            = "/subscriptions/00000000-0000-0000-0000-000000000000"
      + skip_service_principal_aad_check = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Apply

╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '00000000-0000-0000-0000-000000000000' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/1c16eb1b-1615-6d2f-61a8-6cdaa160971a' or the scope is invalid. If access was recently granted, please refresh your credentials."
│ 
│   with module.launchpad.azurerm_role_assignment.subscription_owner["00000000-0000-0000-0000-000000000000"],
│   on .terraform/modules/launchpad/r-identity.tf line 29, in resource "azurerm_role_assignment" "subscription_owner":
│   29: resource "azurerm_role_assignment" "subscription_owner" {
│ 
╵
╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '00000000-0000-0000-0000-000000000000' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-launchpad-prd-euw/providers/Microsoft.Authorization/roleAssignments/2b7333c6-aca0-ae9a-2519-584c3e9cfbf3' or the scope is invalid. If access was recently granted, please refresh your credentials."
│ 
│   with module.launchpad.azurerm_role_assignment.resource_specific["storage_blob_owner"],
│   on .terraform/modules/launchpad/r-identity.tf line 37, in resource "azurerm_role_assignment" "resource_specific":
│   37: resource "azurerm_role_assignment" "resource_specific" {
│ 
╵
╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '00000000-0000-0000-0000-000000000000' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-launchpad-prd-euw/providers/Microsoft.Authorization/roleAssignments/38e73ad4-bd21-a0ba-046f-237d671879de' or the scope is invalid. If access was recently granted, please refresh your credentials."
│ 
│   with module.launchpad.azurerm_role_assignment.resource_specific["key_vault_admin"],
│   on .terraform/modules/launchpad/r-identity.tf line 37, in resource "azurerm_role_assignment" "resource_specific":
│   37: resource "azurerm_role_assignment" "resource_specific" {
│ 
╵

@rswrz
Member Author

rswrz commented Dec 17, 2024

The same applies for resource locks if the Launchpad managed identity does not have the required permissions:

Plan

Terraform will perform the following actions:

  # module.launchpad.azurerm_management_lock.storage_account_lock[0] will be created
  + resource "azurerm_management_lock" "storage_account_lock" {
      + id         = (known after apply)
      + lock_level = "CanNotDelete"
      + name       = "storage_account_lock"
      + notes      = "For safety reasons, the Storage Account can not be deleted."
      + scope      = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-launchpad-prd-euw/providers/Microsoft.Storage/storageAccounts/stlaunchpadprdeuw"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Apply

╷
│ Error: creating Scoped Lock (Scope: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-launchpad-prd-euw/providers/Microsoft.Storage/storageAccounts/stlaunchpadprdeuw"
│ Lock Name: "storage_account_lock"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client '00000000-0000-0000-0000-000000000000' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Authorization/locks/write' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-launchpad-prd-euw/providers/Microsoft.Storage/storageAccounts/stlaunchpadprdeuw/providers/Microsoft.Authorization/locks/storage_account_lock' or the scope is invalid. If access was recently granted, please refresh your credentials.
│ 
│   with module.launchpad.azurerm_management_lock.storage_account_lock[0],
│   on .terraform/modules/launchpad/r-storage-account.tf line 7, in resource "azurerm_management_lock" "storage_account_lock":
│    7: resource "azurerm_management_lock" "storage_account_lock" {
│ 
╵
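One way to implement the requested opt-out, covering both the role assignments from the first comment and the resource lock from the second. This is an added example, not the module's own code from r-identity.tf or r-storage-account.tf: a boolean variable gates each resource's for_each or count, and an output lists the assignments an operator must create by hand when opted out, so the launchpad identity is not silently left under-privileged. The variable names, the locals and the placeholder input variables (launchpad_principal_id, subscription_id, resource_group_id, storage_account_id) are assumptions; the resource names, instance keys, role names and lock settings match the plan output above.

```hcl
# Added example, not the module's own code: make role assignment and lock
# creation optional so that an installing principal without
# Microsoft.Authorization/roleAssignments/write (or a launchpad identity
# without Microsoft.Authorization/locks/write) can still apply the module.

variable "create_role_assignments" {
  description = "Create role assignments for the launchpad identity. Set to false when the installing principal cannot write role assignments; the roles listed in output manual_role_assignments must then be assigned by hand."
  type        = bool
  default     = true
}

variable "create_resource_locks" {
  description = "Create the CanNotDelete lock on the storage account. Set to false when the identity cannot write locks."
  type        = bool
  default     = true
}

# Hypothetical inputs standing in for values the real module derives elsewhere.
variable "launchpad_principal_id" { type = string }
variable "subscription_id"        { type = string }
variable "resource_group_id"      { type = string }
variable "storage_account_id"     { type = string }

locals {
  # Keys match the instance keys seen in the plan output.
  resource_specific_roles = {
    key_vault_admin    = "Key Vault Administrator"
    storage_blob_owner = "Storage Blob Data Owner"
  }

  # Everything the identity needs, independent of who creates it.
  required_role_assignments = concat(
    [for key, role in local.resource_specific_roles : {
      key                  = key
      scope                = var.resource_group_id
      role_definition_name = role
    }],
    [{
      key                  = "subscription_owner"
      scope                = "/subscriptions/${var.subscription_id}"
      role_definition_name = "Owner"
    }]
  )
}

resource "azurerm_role_assignment" "resource_specific" {
  # The filter yields an empty map when opted out, so no assignment is planned.
  for_each = { for k, v in local.resource_specific_roles : k => v if var.create_role_assignments }

  scope                = var.resource_group_id
  role_definition_name = each.value
  principal_id         = var.launchpad_principal_id
}

resource "azurerm_role_assignment" "subscription_owner" {
  # Keyed by subscription id, as in the plan output; empty set when opted out.
  for_each = toset([for id in [var.subscription_id] : id if var.create_role_assignments])

  scope                = "/subscriptions/${each.value}"
  role_definition_name = "Owner"
  principal_id         = var.launchpad_principal_id
}

resource "azurerm_management_lock" "storage_account_lock" {
  count = var.create_resource_locks ? 1 : 0

  name       = "storage_account_lock"
  scope      = var.storage_account_id
  lock_level = "CanNotDelete"
  notes      = "For safety reasons, the Storage Account can not be deleted."
}

# With the opt-out set, surface exactly what must be assigned manually, so the
# identity is not silently left without the roles the launchpad depends on.
output "manual_role_assignments" {
  description = "Role assignments to create by hand for launchpad_principal_id when create_role_assignments = false (empty otherwise)."
  value = [
    for ra in local.required_role_assignments :
    merge(ra, { principal_id = var.launchpad_principal_id })
    if !var.create_role_assignments
  ]
}
```

With create_role_assignments = false the plan contains no azurerm_role_assignment resources, so apply no longer hits the 403 shown above; the operator reads manual_role_assignments and creates those three assignments with a principal that does hold Microsoft.Authorization/roleAssignments/write. The same pattern with create_resource_locks = false removes the lock from the plan.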
