[Bug Report]: Management Group Deployment not working #1342

Closed
AlexanderSehr opened this issue Apr 27, 2022 · 7 comments
@AlexanderSehr
Contributor

Describe the bug

The current module implementation does not work as the RBAC deployment assumes that the (to be created) management group already exists when you start the deployment. This already happens with the Test-AzManagementGroupDeployment command.

The error is: ManagementGroupNotFound - The management group 'testMG' cannot be found.

The testMG is the one that is to be deployed as per the parameter file.

The code snippet that produces the error:

module managementGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
  name: '${uniqueString(deployment().name)}-ManagementGroup-Rbac-${index}'
  params: {
    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
    principalIds: roleAssignment.principalIds
    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
    resourceId: managementGroup.id
  }
  scope: managementGroup
}]

The nested_rbac.bicep implementation seems fine and matches 1:1 the Microsoft.Authorization/roleAssignments/managementGroup (working) example.

Note: It seems that there might be a Bicep bug in that the language does not understand how to deal with a management group if you set it as the scope. I already tried different solutions like changing the scopes inside & outside the Bicep template, using an extra level of nesting to do the same - all to no avail.

To reproduce

Run a Test-AzManagementGroupDeployment

Code snippet

Execute

> Test-AzManagementGroupDeployment -TemplateParameterFile '.\Microsoft.Management\managementGroups\.parameters\parameters.json' -TemplateFile '.\Microsoft.Management\managementGroups\deploy.bicep' -Verbose -ManagementGroupId '<<managementGroupId>>' -Location 'WestEurope'

using the standard parameter file.

Relevant log output

No response

@AlexanderSehr AlexanderSehr added the bug Something isn't working label Apr 27, 2022
@MattLeach25

Investigated this morning and came to the same conclusion as Alexander. I believe it's an issue with the implicit dependency and the RBAC is trying to deploy before the management group has been created, therefore not being able to find it. If you use a management group that already exists, everything works nicely. Bug raised on the Azure / Bicep Repo - Azure/bicep#6832

@MariusStorhaug
Contributor

Is this a duplicate of #1320?

@eriqua
Contributor

eriqua commented Jun 16, 2022

Is this issue on the Bicep team? Should we put it as blocked?
Alternatively, if the issue is on the RBAC, should we discuss removing the RBAC property for now to have at least the MG module working?

@MattLeach25

> Is this issue on the Bicep team? Should we put it as blocked? Alternatively, if the issue is on the RBAC, should we discuss removing the RBAC property for now to have at least the MG module working?

Yeah maybe we should comment out the RBAC bit for now until we get a response back from the Bicep team. @MrMCake are you happy with this approach?

@eriqua
Contributor

eriqua commented Jul 9, 2022

RBAC has been removed from the module implementation, which now deploys fine. I'd suggest closing this bug and opening a feature request issue to add the RBAC option back in the module once the Azure/bicep#6832 bug is fixed.

@AlexanderSehr
Contributor Author

@eriqua, agreed.

@eriqua
Contributor

eriqua commented Jul 18, 2022

The feature request to add RBAC back is already open. Refer to #1543. Closing.

@eriqua eriqua closed this as completed Jul 18, 2022
@eriqua eriqua closed this as not planned Jul 18, 2022
@rahalan rahalan moved this to Closed in Bug board Dec 11, 2022