[Compute] BREAKING CHANGE: az vm/vmss create: Remove the default value Contributor of parameter --role

[zhoxing-ms]

Description

As mentioned in PR #20924 and #21326, we need to remove the default value Contributor of --role.

Testing Guide

Wait for PR #21369 to fix the problems of existing tests, then add tests and re-record related tests

History Notes

[Component Name 1] BREAKING CHANGE: az command a: Make some customer-facing breaking change
[Component Name 2] az command b: Add some customer-facing feature

---

This checklist is used to make sure that common guidelines for a pull request are followed.

• The PR title and description has followed the guideline in Submitting Pull Requests.

• I adhere to the Command Guidelines.

• I adhere to the Error Handling Guidelines.

[jiasli]

How about we put this in the command help? Otherwise, we have to have this text for both --scope and --role.

[zhoxing-ms]

@jiasli Since az vm create and az vmss create commands have too many other parameters and examples, I think it might be a good idea to add the description to both --scope and --role parameters

[zhoxing-ms]

Or maybe we can not include this information in the help description, because we already have verification logic that will tell users that those two parameters need to be passed in at the same time

[jiasli]

Duplication is bad. ad sp create-for-rbac puts this information in command help:

https://github.com/Azure/azure-cli/blob/b86a4ed33317e9b218c84d4c96498f75235df996/src/azure-cli/azure/cli/command_modules/role/_help.py#L392-L393

But I am open to this topic. 😉

[zhoxing-ms]

The situation of these two commands may be different, az vm create command has nearly 100 parameters and too much help information. 😂
Since the --scope and --role are only one of many usage scenarios, I'm not sure whether it's appropriate to put them in a global position in this case. And the help information printed by this command is too long, so users may not notice the description from the command level every time

In order to avoid duplicated prompts, I personally think maybe I can remove this information in the help description, because we already have the verification to tell users that --scope and --role parameters need to be passed in at the same time. What do you think of this idea?

[yonzhan]

Compute

[jiasli]

Together with L1232, for simplicity, why don't we say:

Usage error: To create role assignments, specify both --role and --scopes.

just like #21323

[zhoxing-ms]

In fact, I wanted to be consistent with the error message that the --scope parameter was not passed in the original code https://github.com/Azure/azure-cli/pull/21474/files#r826612256

[jiasli]

namespace.identity_role will never have is_default now, won't it?

[zhoxing-ms]

When from_set_command is True, it indicates that the command is az vm identity assign. At this time, the --role parameter still has the default value Contributor.
Therefore, when the user does not specify the --role parameter, this judgment getattr(namespace.identity_role, 'is_default', None) will be True, otherwise it will be None.

[jiasli]

At this time, the --role parameter still has the default value Contributor.

This is definitely not secure. 🤔

[zhoxing-ms]

Here is the error message that --scope parameter is not passed in

[jiasli]

I mean, I don't like this message either. It is hard to understand.

[wangzelin007]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[jiasli]

For operator precedence, not > and > or, so parentheses are not necessary.

[zhoxing-ms]

Yes, actually I know this. I put parentheses here just for clearer readability~

[zhoxing-ms]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).