azure_rm_roleassignment fails idempotency test

[redhatstuart]

SUMMARY

When executing azure_rm_roleassignment, if a role assignment already exists, the module throws a fatal error and aborts playbook operation.

ISSUE TYPE

• Bug Report

COMPONENT NAME

azure_rm_roleassignment

ANSIBLE VERSION

ansible 2.9.11
  config file = None
  configured module search path = ['/home/stkirk/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.8.5 (default, Aug 12 2020, 00:00:00) [GCC 10.2.1 20200723 (Red Hat 10.2.1-1)]

CONFIGURATION

None

OS / ENVIRONMENT

[stkirk@stkirk-fedora ansible-aro]$ pip list |egrep '(azure|ansible)'
ansible 2.9.11
azure-ai-formrecognizer 1.0.0b4
azure-ai-nspkg 1.0.0
azure-ai-textanalytics 1.0.0
azure-appconfiguration 1.0.0
azure-applicationinsights 0.1.0
azure-batch 9.0.0
azure-cli-command-modules-nspkg 2.0.3
azure-cli-core 2.0.35
azure-cli-nspkg 3.0.2
azure-cli-telemetry 1.0.4
azure-cognitiveservices-anomalydetector 0.2.0
azure-cognitiveservices-formrecognizer 0.1.0
azure-cognitiveservices-inkrecognizer 1.0.0b1
azure-cognitiveservices-knowledge-nspkg 3.0.0
azure-cognitiveservices-knowledge-qnamaker 0.2.0
azure-cognitiveservices-language-luis 0.7.0
azure-cognitiveservices-language-nspkg 3.0.1
azure-cognitiveservices-language-spellcheck 2.0.0
azure-cognitiveservices-language-textanalytics 0.2.0
azure-cognitiveservices-nspkg 3.0.1
azure-cognitiveservices-personalizer 0.1.0
azure-cognitiveservices-search-autosuggest 0.2.0
azure-cognitiveservices-search-customimagesearch 0.2.0
azure-cognitiveservices-search-customsearch 0.3.0
azure-cognitiveservices-search-entitysearch 2.0.0
azure-cognitiveservices-search-imagesearch 2.0.0
azure-cognitiveservices-search-newssearch 2.0.0
azure-cognitiveservices-search-nspkg 3.0.1
azure-cognitiveservices-search-videosearch 2.0.0
azure-cognitiveservices-search-visualsearch 0.2.0
azure-cognitiveservices-search-websearch 2.0.0
azure-cognitiveservices-vision-computervision 0.6.0
azure-cognitiveservices-vision-contentmoderator 1.0.0
azure-cognitiveservices-vision-customvision 3.0.0
azure-cognitiveservices-vision-face 0.4.1
azure-cognitiveservices-vision-nspkg 3.0.1
azure-common 1.1.11
azure-core 1.7.0
azure-core-tracing-opencensus 1.0.0b6
azure-core-tracing-opentelemetry 1.0.0b6
azure-cosmos 4.0.0
azure-datalake-store 0.0.48
azure-devtools 1.1.1
azure-eventgrid 1.3.0
azure-eventhub 5.1.0
azure-eventhub-checkpointstoreblob 1.1.0
azure-eventhub-checkpointstoreblob-aio 1.1.0
azure-functions-devops-build 0.0.22
azure-graphrbac 0.61.1
azure-identity 1.3.1
azure-keyvault 1.0.0a1
azure-keyvault-certificates 4.1.0
azure-keyvault-keys 4.1.0
azure-keyvault-nspkg 1.0.0
azure-keyvault-secrets 4.1.0
azure-loganalytics 0.1.0
azure-mgmt-advisor 4.0.0
azure-mgmt-alertsmanagement 0.1.0
azure-mgmt-apimanagement 0.2.0
azure-mgmt-appconfiguration 0.5.0
azure-mgmt-applicationinsights 0.3.0
azure-mgmt-appplatform 0.1.0
azure-mgmt-attestation 0.1.0
azure-mgmt-authorization 0.51.1
azure-mgmt-automation 0.1.1
azure-mgmt-avs 0.1.0
azure-mgmt-azurestack 0.1.0
azure-mgmt-batch 5.0.1
azure-mgmt-batchai 2.0.0
azure-mgmt-billing 0.2.0
azure-mgmt-botservice 0.2.0
azure-mgmt-cdn 3.0.0
azure-mgmt-cognitiveservices 6.2.0
azure-mgmt-commerce 1.0.1
azure-mgmt-common 0.20.0
azure-mgmt-compute 10.0.0
azure-mgmt-consumption 3.0.0
azure-mgmt-containerinstance 1.4.0
azure-mgmt-containerregistry 2.0.0
azure-mgmt-containerservice 9.1.0
azure-mgmt-core 1.2.0
azure-mgmt-cosmosdb 0.5.2
azure-mgmt-costmanagement 0.2.0
azure-mgmt-customproviders 0.1.0
azure-mgmt-databox 0.2.0
azure-mgmt-databoxedge 0.1.0
azure-mgmt-databricks 0.1.0
azure-mgmt-datafactory 0.11.0
azure-mgmt-datalake-analytics 0.6.0
azure-mgmt-datalake-nspkg 3.0.1
azure-mgmt-datalake-store 0.5.0
azure-mgmt-datamigration 4.0.0
azure-mgmt-datashare 0.2.0
azure-mgmt-deploymentmanager 0.2.0
azure-mgmt-devspaces 0.2.0
azure-mgmt-devtestlabs 3.0.0
azure-mgmt-digitaltwins 0.1.0
azure-mgmt-dns 2.1.0
azure-mgmt-documentdb 0.1.3
azure-mgmt-edgegateway 0.1.0
azure-mgmt-eventgrid 2.2.0
azure-mgmt-eventhub 4.0.0
azure-mgmt-frontdoor 0.3.0
azure-mgmt-hanaonazure 0.14.0
azure-mgmt-hdinsight 0.1.0
azure-mgmt-healthcareapis 0.1.0
azure-mgmt-hybridcompute 0.1.1
azure-mgmt-hybridkubernetes 0.1.0
azure-mgmt-imagebuilder 0.4.0
azure-mgmt-iotcentral 3.1.0
azure-mgmt-iothub 0.7.0
azure-mgmt-iothubprovisioningservices 0.2.0
azure-mgmt-keyvault 1.1.0
azure-mgmt-kubernetesconfiguration 0.2.0
azure-mgmt-kusto 0.9.0
azure-mgmt-labservices 0.1.1
azure-mgmt-loganalytics 0.2.0
azure-mgmt-logic 3.0.0
azure-mgmt-machinelearningcompute 0.4.1
azure-mgmt-machinelearningservices 0.1.0
azure-mgmt-managedservices 1.0.0
azure-mgmt-managementgroups 0.2.0
azure-mgmt-maps 0.1.0
azure-mgmt-marketplaceordering 0.1.0
azure-mgmt-media 2.2.0
azure-mgmt-monitor 0.5.2
azure-mgmt-msi 0.2.0
azure-mgmt-netapp 0.8.0
azure-mgmt-network 10.2.0
azure-mgmt-nspkg 2.0.0
azure-mgmt-policyinsights 0.5.0
azure-mgmt-privatedns 0.1.0
azure-mgmt-rdbms 1.4.1
azure-mgmt-recoveryservices 0.4.0
azure-mgmt-recoveryservicesbackup 0.6.0
azure-mgmt-redhatopenshift 0.1.0
azure-mgmt-redis 5.0.0
azure-mgmt-relay 0.1.0
azure-mgmt-reservations 0.6.0
azure-mgmt-resource 2.1.0
azure-mgmt-search 2.1.0
azure-mgmt-security 0.4.1
azure-mgmt-servicebus 0.5.3
azure-mgmt-servicefabric 0.4.0
azure-mgmt-signalr 0.4.0
azure-mgmt-sql 0.10.0
azure-mgmt-sqlvirtualmachine 0.5.0
azure-mgmt-storage 11.1.0
azure-mgmt-trafficmanager 0.50.0
azure-mgmt-web 0.41.0
azure-multiapi-storage 0.3.5
azure-nspkg 2.0.0
azure-storage 0.35.1
azure-storage-common 1.4.2
msrestazure 0.6.2
opencensus-ext-azure 1.0.4

[stkirk@stkirk-fedora ansible-aro]$ uname -a
Linux stkirk-fedora 5.7.11-200.fc32.x86_64 #1 SMP Wed Jul 29 17:15:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

STEPS TO REPRODUCE

  - name: Granting the ARO Resource Provider access to the ARO virtual network
    azure.azcollection.azure_rm_roleassignment:
      scope: "/subscriptions/{{ lookup('env', 'AZURE_SUBSCRIPTION_ID') }}/resourceGroups/{{ resource_group }}/providers/Microsoft.Network/virtualNetworks/{{ aro_vnet }}"
      assignee_object_id: "X"
      role_definition_id: "{{ oid }}"
      state: present

EXPECTED RESULTS

Ansible should detect that the role assignment already exists and is set correctly and thus ignore the task.

ACTUAL RESULTS

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error creating role assignment: Azure Error: RoleAssignmentExists\nMessage: The role assignment already exists."}

[haiyuazhang]

@stuartatmicrosoft the role assignment module use "name", which is actually a GUID, of the role assignment to look up a role assignment. So if you want to keep the property of idempotency , add the name parameter to your playbook.

[paultaiton]

Is anyone actively working on this? I just submitted a PR for improving the roleassignment_info module, and the roleassignment module is next in my sights. I was planning on adding the ability to check for existing assignments matching the role, scope, and assignee, and if they match then consider it existing / no change, this will also make it idempotent if name is omitted and a random guid is created.

[Fred-sun]

Fixed by #296

[paultaiton]

@Fred-sun

Can we please keep this issue open through the weekend? I have a different method for solving this issue that I think will work out better than what #296 implemented, and will be a more compatible fix for #145 . I will try and push a new PR before Monday to review and consider.

[atykhyy]

@haiyuazhang Indeed, for idempotency one must generate the role assigment's name based on input parameters. I do it like this:

vars:
  args:
    scope: ...
    role_definition_id: ...
    assignee_object_id: ...
azure_rm_roleassignment:
  name: "{{args|to_yaml|to_uuid(namespace='aadad312-b179-4ffd-ba9d-10b48708830f')}}"
args: "{{args}}"

However there are more idempotency problems with azure_rm_roleassignment: on creation, if the role assignment already exists, the module does not actually check whether its parameters are the same: if there is a different role assignment with the same name, the task will succeed. And if I set state=absent and the role assignment with the given name does not exist in the given scope, the task fails with

fatal: [xxxxxxxx]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "assignee_object_id": null,
            "auth_source": "auto",
            "cert_validation_mode": null,
            "client_id": null,
            "cloud_environment": "AzureCloud",
            "name": "aadad312-b179-4ffd-ba9d-10b48708830f",
            "password": null,
            "profile": null,
            "role_definition_id": null,
            "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxx/providers/Microsoft.Compute/virtualMachines/xxxxxxxxx",
            "secret": null,
            "state": "absent",
            "subscription_id": null,
            "tenant": null
        }
    },
    "msg": "role assignment aadad312-b179-4ffd-ba9d-10b48708830f not exists."
}

This is very annoying.

[paultaiton]

I have just submitted what I believe should fix most existing problems with this module.

@atykhyy ,
If my PR is merged, name is no longer a property that must be supplied for idempotency (and I actually consider it better to not have to manually manage the assignment and tracking of a property that is basically random ).

The three traits that make an assignment unique in Azure are assignee, scope, and role_definition_id . If those three attributes are supplied and match an existing assignment, then the state: present will be considered satisfied, or likewise the assignment will be deleted if state: absent.

I've also fixed and added integration tests for the different methods of identifying a unique assignment so that if state: absent and it doesn't exist, then the task will not fail, since that's the desired state.

[atykhyy]

The three traits that make an assignment unique in Azure are assignee, scope, and role_definition_id.

Yes, I have noticed that if there is an assigment with a different name but the same triplet, then creation fails. But it also fails when an assignment already exists with the same name but a different triplet. So your approach

If those three attributes are supplied and match an existing assignment, then the state: present will be considered satisfied, or likewise the assignment will be deleted if state: absent.

sounds better than the generated-name approach because it can handle existing assignments with names generated in other ways than e.g. what I used above. I hope your PR gets merged soon.

[redhatstuart]

I verified that adding in the "name:" parameter with a bogus UUID will allow the task execution to become idempotent. It sounds like there are other contributions here by @atykhyy and @paultaiton so I do not want to close this issue @haiyuazhang and @Fred-sun however for now my situation is remediated.

[haiyuazhang]

@atykhyy @paultaiton @stuartatmicrosoft Fred and I will review #301, seems that it's a better solution to address this issue. thanks for all your contribution.