From 229646b4ea8e3075cbdde7a4907de8ebc8eb1f1a Mon Sep 17 00:00:00 2001
From: Jesse Squire
Date: Thu, 9 Dec 2021 10:14:54 -0500
Subject: [PATCH] Ensure ownership grant
The focus of these changes is to ensure that the service principal is explicitly granted the "Owner" role on the active resource group, whether the principal was newly created or a cached instance was used.
---
 .../TestResources/New-TestResources.ps1 | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/eng/common/TestResources/New-TestResources.ps1 b/eng/common/TestResources/New-TestResources.ps1
index d36693ef9a03..914f68d9a98d 100644
--- a/eng/common/TestResources/New-TestResources.ps1
+++ b/eng/common/TestResources/New-TestResources.ps1
@@ -580,14 +580,18 @@ try {
 $PSBoundParameters['TestApplicationOid'] = $TestApplicationOid
 $PSBoundParameters['TestApplicationSecret'] = $TestApplicationSecret
 
- # Grant the test service principal ownership over the resource group. This may fail if the provisioner is a
- # service principal without permissions to grant RBAC roles to other service principals. That should not be
- # considered a critical failure, as the test application may have subscription-level permissions and not require
- # the explicit grant.
- #
- # Ignore this check if $AzureTestPrincipal is specified as role assignment will already have been attempted on a
- # previous run, and these error messages can be misleading for local runs.
- if (!$resourceGroupRoleAssigned -and !$AzureTestPrincipal) {
+ # If the role hasn't been explicitly assigned to the resource group and a cached service principal is in use,
+ # query to see if the grant is needed.
+ if (!$resourceGroupRoleAssigned -and $AzureTestPrincipal) {
+ $roleAssignment = Get-AzRoleAssignment -ObjectId $AzureTestPrincipal.Id -RoleDefinitionName 'Owner' -ResourceGroupName "$ResourceGroupName" -ErrorAction SilentlyContinue
+ $resourceGroupRoleAssigned = ($roleAssignment.RoleDefinitionName -eq 'Owner')
+ }
+
+ # If needed, grant the test service principal ownership over the resource group. This may fail if the provisioner
+ # is a service principal without permissions to grant RBAC roles to other service principals. That should not be
+ # considered a critical failure, as the test application may have subscription-level permissions and not require
+ # the explicit grant.
+ if (!$resourceGroupRoleAssigned) {
 Log "Attempting to assigning the 'Owner' role for '$ResourceGroupName' to the Test Application '$TestApplicationId'"
 $principalOwnerAssignment = New-AzRoleAssignment -RoleDefinitionName "Owner" -ApplicationId "$TestApplicationId" -ResourceGroupName "$ResourceGroupName" -ErrorAction SilentlyContinue
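Review bot: `$resourceGroupRoleAssigned = ($roleAssignment.RoleDefinitionName -eq 'Owner')` in the new cached-principal branch is not guaranteed to be a `[bool]`: when `Get-AzRoleAssignment` returns more than one assignment (I believe it also returns assignments inherited from the subscription, so a direct RG-scope grant plus an inherited one is plausible), `-eq` acts as an array filter and the variable becomes an array of matching strings rather than `$true`. It happens to work under `if (!$resourceGroupRoleAssigned)` only through truthiness; a cast makes the intent explicit, e.g. `$resourceGroupRoleAssigned = [bool]($roleAssignment | Where-Object { $_.RoleDefinitionName -eq 'Owner' })`. Because the lookup runs with `-ErrorAction SilentlyContinue`, a provisioner that lacks `Microsoft.Authorization/roleAssignments/read` gets `$null` back and the script falls through to a `New-AzRoleAssignment` attempt, which is acceptable given the grant is already best-effort but deserves a line of comment, e.g. `# A failed lookup (e.g. no roleAssignments/read permission) reads as "not assigned" and falls through to the grant attempt below.` Note also that the check queries by `-ObjectId` while the grant below uses `-ApplicationId`; using `$TestApplicationOid` for both would keep the two paths targeting the same identity. The enclosing `try` block starts and ends outside this hunk.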