Description
Bicep version
Bicep CLI version 0.39.26 (1e90b06)
Describe the bug
I am not sure if this is a bug or intended behavior. Service Groups are a tenant-scope resource, but you can deploy them when doing, for example, a subscription-scope deployment. However, if you try to add a role assignment (which is an extension resource) to the deployment of the Service Group, you will get an error like:
Status Message: The role Service Group Administrator is not available for assignment at the requested scope. (Code:RoleAssignmentScopeNotAssignableToRoleDefinition)
So it seems you cannot do this scenario via one template. You could have another module that is at tenant scope and deploy the role assignment there, but then it defeats the purpose of not having to use deployments at tenant scope and of not giving wider tenant-scope permissions to the account you are using for the deployment. So my ask is: is this some kind of bug that can be fixed, or is it a limit in the current architecture that is not solvable?
To Reproduce
Can be reproduced with the template below when deployed at subscription scope:

```bicep
targetScope = 'subscription'

resource sg1 'Microsoft.Management/serviceGroups@2024-02-01-preview' = {
  name: 'Group0001'
  scope: tenant()
  properties: {
    displayName: 'Group0001n'
    parent: {
      resourceId: tenantResourceId('Microsoft.Management/serviceGroups', subscription().tenantId)
    }
  }
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sg1.id, '4e50c84c-c78e-4e37-b47e-e60ffea0a775')
  scope: sg1
  properties: {
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', '4e50c84c-c78e-4e37-b47e-e60ffea0a775')
    principalId: '<principal id>'
    principalType: 'User'
  }
}
```
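The two-template workaround the report mentions (a separate module that targets tenant scope for the role assignment) looks like the following. This is an added illustration, not code from the issue or from the Bicep project; the file name `sgRoleAssignment.bicep`, the parameter names and the module name are assumptions. It keeps the Service Group creation at subscription scope and moves only the role assignment into a tenant-scope module, which is exactly the trade-off the report objects to: the identity running the deployment now needs permission to deploy at tenant scope, a broader grant than the subscription-scope deployment alone requires.

```bicep
// ---- sgRoleAssignment.bicep (assumed file name) ----
// Tenant-scope module: resolves the existing Service Group and assigns the role there.
targetScope = 'tenant'

param serviceGroupName string
param principalId string
param roleDefinitionId string = '4e50c84c-c78e-4e37-b47e-e60ffea0a775' // role GUID taken from the report

resource sg 'Microsoft.Management/serviceGroups@2024-02-01-preview' existing = {
  name: serviceGroupName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sg.id, roleDefinitionId, principalId)
  scope: sg
  properties: {
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: principalId
    principalType: 'User'
  }
}

// ---- main.bicep (subscription-scope deployment, assumed file name) ----
// targetScope = 'subscription'
//
// resource sg1 'Microsoft.Management/serviceGroups@2024-02-01-preview' = {
//   name: 'Group0001'
//   scope: tenant()
//   properties: {
//     displayName: 'Group0001n'
//     parent: {
//       resourceId: tenantResourceId('Microsoft.Management/serviceGroups', subscription().tenantId)
//     }
//   }
// }
//
// // Module scoped to tenant(); the deploying identity needs tenant-level deployment rights.
// module sgRole 'sgRoleAssignment.bicep' = {
//   name: 'sgRoleAssignment'
//   scope: tenant()
//   params: {
//     serviceGroupName: sg1.name
//     principalId: '<principal id>'
//   }
// }
```

The main template section is shown as comments so the block is a single valid Bicep file; copy it into its own file to deploy. Before adopting this, confirm in the subscription's activity log which identity performed the tenant-scope deployment and scope that identity's tenant-level permissions as narrowly as the environment allows.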