From a74a3af3863c11b4a5ad0e57369c8fba1cdc5a74 Mon Sep 17 00:00:00 2001
From: David Fowler <davidfowl@gmail.com>
Date: Wed, 4 Jun 2025 22:56:00 -0700
Subject: [PATCH] Skip role assignment handling for emulators

- Updated `BuildRoleAssignmentAnnotations` to skip processing for container emulators.
- Added a new test `DoesNotApplyRoleAssignmentsInRunModeForEmulators` to verify that role assignments are not applied to emulator resources.
---
 .../AzureResourcePreparer.cs                  |  6 +++++
 .../AzureResourcePreparerTests.cs             | 26 +++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/Aspire.Hosting.Azure/AzureResourcePreparer.cs b/src/Aspire.Hosting.Azure/AzureResourcePreparer.cs
index e6887de2f65..a67efa8371d 100644
--- a/src/Aspire.Hosting.Azure/AzureResourcePreparer.cs
+++ b/src/Aspire.Hosting.Azure/AzureResourcePreparer.cs
@@ -148,6 +148,12 @@ private async Task BuildRoleAssignmentAnnotations(DistributedApplicationModel ap
                         .ToLookup(a => a.Target);
                 foreach (var azureReference in azureReferences.OfType<AzureProvisioningResource>())
                 {
+                    if (azureReference.IsContainer())
+                    {
+                        // Skip emulators
+                        continue;
+                    }
+
                     var roleAssignments = azureReferencesWithRoleAssignments[azureReference];
                     if (roleAssignments.Any())
                     {
diff --git a/tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs b/tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs
index 7ed2543b53e..eb6f0e50c24 100644
--- a/tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs
+++ b/tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs
@@ -71,7 +71,7 @@ public async Task AppliesDefaultRoleAssignmentsInRunModeIfReferenced(bool addCon
 
             var storageRolesManifest = await GetManifestWithBicep(storageRoles, skipPreparer: true);
             await Verify(storageRolesManifest.BicepText, extension: "bicep");
-            
+
         }
         else
         {
@@ -115,7 +115,7 @@ public async Task AppliesRoleAssignmentsInRunMode(DistributedApplicationOperatio
 
             var storageRolesManifest = await GetManifestWithBicep(storageRoles, skipPreparer: true);
             await Verify(storageRolesManifest.BicepText, extension: "bicep");
-            
+
         }
         else
         {
@@ -133,6 +133,28 @@ public async Task AppliesRoleAssignmentsInRunMode(DistributedApplicationOperatio
         }
     }
 
+    [Fact]
+    public async Task DoesNotApplyRoleAssignmentsInRunModeForEmulators()
+    {
+        using var builder = TestDistributedApplicationBuilder.Create(DistributedApplicationOperation.Run);
+        builder.AddAzureContainerAppEnvironment("env");
+
+        builder.AddBicepTemplateString("foo", "");
+
+        var dbsrv = builder.AddAzureSqlServer("dbsrv").RunAsContainer();
+        var db = dbsrv.AddDatabase("db");
+
+        var api = builder.AddProject<Project>("api", launchProfileName: null)
+            .WithReference(db);
+
+        using var app = builder.Build();
+        var model = app.Services.GetRequiredService<DistributedApplicationModel>();
+        await ExecuteBeforeStartHooksAsync(app, default);
+
+        // in RunMode, we skip applying the role assignments to a new 'dbsrv-roles' resource, since the storage is running as emulator.
+        Assert.DoesNotContain(model.Resources.OfType<AzureProvisioningResource>(), r => r.Name == "dbsrv-roles");
+    }
+
     [Fact]
     public async Task FindsAzureReferencesFromArguments()
     {