Role assignments are not deleted when using targetScope = 'resourceGroup' and --mode Complete #10460

Closed
aucampia opened this issue Apr 17, 2023 · 4 comments
Labels
Needs: Author Feedback Awaiting feedback from the author of the issue


@aucampia

Bicep version

$ az bicep version
Bicep CLI version 0.16.2 (de7fdd2b33)

Describe the bug
When I remove a 'Microsoft.Authorization/roleAssignments@2022-04-01' from my Bicep template with targetScope = 'resourceGroup' and deploy using az deployment group create ... --mode Complete, the role assignment is not removed.

To Reproduce
Steps to reproduce the behaviour:

  • Add a 'Microsoft.Authorization/roleAssignments@2022-04-01' resource to a Bicep template and deploy it using az deployment group create ... --mode Complete.
  • Remove the role assignment from the Bicep template and deploy it using az deployment group create ... --mode Complete.
  • Check role assignments using Azure CLI or Azure portal.
  • Notice that the role assignment was not removed.

Additional context

This fails without even as much as a warning; this should probably be classified as a security vulnerability.
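
One way to detect the leftover assignments this report describes, added here as an example (it is not code from the issue author or the Bicep project): compare JSON shaped like the output of `az role assignment list --output json` against the assignments the template is supposed to declare. The sample JSON, the principal and subscription IDs, the `rg-demo` and `stdemo` names, and the `DECLARED` triple format are constructed assumptions.

```python
import json

# All IDs below are constructed placeholders except the two built-in role GUIDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_SCOPE = SUB + "/resourceGroups/rg-demo"
ROLE_PREFIX = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"       # built-in Reader
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor
P1 = "11111111-1111-1111-1111-111111111111"
P2 = "22222222-2222-2222-2222-222222222222"
STORAGE = RG_SCOPE + "/providers/Microsoft.Storage/storageAccounts/stdemo"

# Constructed sample shaped like `az role assignment list --output json`,
# trimmed to the fields used here.
ACTUAL_JSON = json.dumps([
    {"name": "a1", "principalId": P1, "roleDefinitionId": ROLE_PREFIX + READER,
     "scope": RG_SCOPE.replace("resourceGroups", "resourcegroups")},
    {"name": "a2", "principalId": P2, "roleDefinitionId": ROLE_PREFIX + CONTRIBUTOR,
     "scope": RG_SCOPE},   # removed from the template, still present in Azure
    {"name": "a3", "principalId": P2, "roleDefinitionId": ROLE_PREFIX + READER,
     "scope": SUB},        # inherited from the subscription
    {"name": "a4", "principalId": P2, "roleDefinitionId": ROLE_PREFIX + READER,
     "scope": STORAGE},    # assigned on a resource inside the group
])

# Assumption: the desired state is kept as (scope, principalId, role GUID) triples.
DECLARED = {(RG_SCOPE, P1, READER), (STORAGE, P2, READER)}

def _key(scope, principal_id, role):
    """Normalise a triple; Azure resource IDs and GUIDs compare case-insensitively."""
    role_guid = role.rstrip("/").rsplit("/", 1)[-1]
    return (scope.rstrip("/").lower(), principal_id.lower(), role_guid.lower())

def find_undeclared(actual, declared, rg_scope):
    """Return assignments at or below rg_scope that the desired state does not list."""
    wanted = {_key(*d) for d in declared}
    rg = rg_scope.rstrip("/").lower()
    leftovers = []
    for a in actual:
        scope = a["scope"].rstrip("/").lower()
        if scope != rg and not scope.startswith(rg + "/"):
            continue  # inherited from a parent scope, not owned by this deployment
        if _key(a["scope"], a["principalId"], a["roleDefinitionId"]) not in wanted:
            leftovers.append(a)
    return leftovers

if __name__ == "__main__":
    for a in find_undeclared(json.loads(ACTUAL_JSON), DECLARED, RG_SCOPE):
        print("undeclared:", a["name"], a["principalId"], a["scope"])
```

Run after each deployment, a non-empty result flags assignments that outlived their removal from the template and need explicit cleanup.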

@alex-frankel
Collaborator

Complete mode is, to be frank, an imperfect solution and this is a known issue.

We are very close to releasing Deployment Stacks (can think of this like complete mode v2) in public preview, which should not have this problem. If you are interested, we can add you to the deployment stacks private preview so you can test out the new functionality.

@aucampia
Author

aucampia commented May 7, 2023

@alex-frankel enabling deployment stacks can be pursued separately. I have asked internally at my employer, but there has been some controversy since it is not GA and there is a policy against using preview features.

If this is to be handled by deployment stacks, you can close this as a duplicate of #2690.

@aucampia
Author

aucampia commented May 7, 2023

@alex-frankel
Collaborator

Thanks @aucampia - we definitely are excited to GA Stacks ASAP :) I will close this as a duplicate per your suggestion.

@Azure Azure locked as resolved and limited conversation to collaborators Jun 8, 2023
@StephenWeatherford StephenWeatherford added Needs: Author Feedback Awaiting feedback from the author of the issue and removed awaiting response labels Oct 13, 2023