@ChrisSidebotham, thanks for submitting this issue for the avm/ptn/lz/sub-vending module!

Hey @ChrisSidebotham thanks for the issue. Its an interesting one and one that im wondering will actually fail pre-flight checks. Have you been able to test a customized version of this module with a customer?

In a way yes, we currently do 2 calls of the sub vending module in the same main.bicep, first call configure the new subscription, move and resources etc. The second utilises the existingSubscriptionId input with an output from the first call, but the second call is only used to configure RBAC for the custom roles

Cool, that would work and pass a pre-flight. Have you been able to test it as one module call as you proposed in the issue?

#RR

Yes, initally we had a customRoleAssignments block, which was being called separately to roleAssignments like how pimRoleAssignments are configured. However as we are not 'inner sourcing' patterns we couldn't continue with this approach

So it did work in a single module call just with the ordering set in the module correctly?

Are you willing to put a PR in for this?

#RR

@jtracey93 / @sebassem - I am working on the PR for this, we have two options and I would like to run it past you, As this is only effected for Subscription level custom role assignments, we either:

Option 1: Add additional parameter for customRoleAssignments which only runs at subscription level (all other levels can be handled if needed but this would duplicate the behaviour of the roleAssignments param. The new param would inherit the roleAssignmentType

Option 2: add a boolean value to the current type for roleAssignmentType to declare if it is a custom role or not, if it is then another filter and resource deployment would be added to deploy the role assignment after the subscription move takes place.

If we can decide this today I can get it in and working by the evening.

@jtracey93 / @sebassem - I am working on the PR for this, we have two options and I would like to run it past you, As this is only effected for Subscription level custom role assignments, we either:

Option 1: Add additional parameter for customRoleAssignments which only runs at subscription level (all other levels can be handled if needed but this would duplicate the behaviour of the roleAssignments param. The new param would inherit the roleAssignmentType

Option 2: add a boolean value to the current type for roleAssignmentType to declare if it is a custom role or not, if it is then another filter and resource deployment would be added to deploy the role assignment after the subscription move takes place.

If we can decide this today I can get it in and working by the evening.

I'm leaning towards option 2 , but we need to make it clear in the description on what that does and maybe add a test to show an example

im happy with option 2 also @ChrisSidebotham

Cool Option 2 is in the PR - I am just having some issues with the creation of a custom role :D