Add public AzureRoleAssignmentResource type #16888
Introduce a public AzureRoleAssignmentResource type so callers can inspect role assignments via pipeline steps. Exposes:
- TargetAzureResource: the Azure resource roles are assigned on
- OwnerResource: the Aspire resource that called WithRoleAssignments (null for global)
- IdentityResource: the user-assigned managed identity bearing the principal (null for global)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16888
Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16888"
Pull request overview
This PR introduces a new public AzureRoleAssignmentResource type in Aspire.Hosting.Azure so role-assignment provisioning resources can be identified and inspected in the distributed application model (including from pipeline steps), instead of appearing as generic AzureProvisioningResource instances.
Changes:
- Add AzureRoleAssignmentResource (public) to represent role-assignment resources with explicit TargetAzureResource, OwnerResource, and IdentityResource metadata.
- Update AzureResourcePreparer to create AzureRoleAssignmentResource instances for both targeted and global role-assignment resources.
- Update/extend Azure hosting tests and snapshots to assert and validate the new typed role-assignment resources (including pipeline-step inspection after WellKnownPipelineSteps.BeforeStart).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureDeployerTests.DeployAsync_WithRedisAccessKeyAuthentication_CreatesCorrectDependencies.verified.txt | Snapshot update to reflect role-assignment steps now referencing AzureRoleAssignmentResource. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureDeployerTests.DeployAsync_WithPrivateEndpoints_CreatesCorrectDependencies.verified.txt | Snapshot update to reflect role-assignment resources being typed as AzureRoleAssignmentResource. |
| tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureDeployerTests.DeployAsync_WithAzureResourceDependencies_DoesNotHang_step=diagnostics.verified.txt | Snapshot update to reflect role-assignment resources being typed as AzureRoleAssignmentResource. |
| tests/Aspire.Hosting.Azure.Tests/RoleAssignmentTests.cs | Update assertions to find AzureRoleAssignmentResource and verify TargetAzureResource/OwnerResource wiring. |
| tests/Aspire.Hosting.Azure.Tests/AzureUserAssignedIdentityTests.cs | Update role-assignment resource assertions to the new type and validate target/owner relationships. |
| tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs | Add a regression test demonstrating pipeline-step inspection of role assignments by target resource; update existing assertions to the new type. |
| src/Aspire.Hosting.Azure/RoleAssignmentResourceAnnotation.cs | Tighten annotation type to point to AzureRoleAssignmentResource instead of AzureProvisioningResource. |
| src/Aspire.Hosting.Azure/AzureRoleAssignmentResource.cs | Add the new public resource type and expose target/owner/identity metadata for inspection. |
| src/Aspire.Hosting.Azure/AzureResourcePreparer.cs | Switch role-assignment resource creation to AzureRoleAssignmentResource for both targeted and global role assignments. |
| public sealed class AzureRoleAssignmentResource( | ||
| string name, | ||
| AzureProvisioningResource targetAzureResource, | ||
| IResource? ownerResource, | ||
| AzureUserAssignedIdentityResource? identityResource, | ||
| Action<AzureResourceInfrastructure> configureInfrastructure) |
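Review bot: the constructor signature declares IResource? ownerResource and AzureUserAssignedIdentityResource? identityResource as independently nullable, so a caller of this public type can pass one as null and the other as non-null, which matches neither the global case (both null) nor the targeted case (both set) described for this PR. Anyone inspecting role assignments from a pipeline step would then see an assignment whose owner and principal disagree. Suggest rejecting the mixed combinations in the constructor with an ArgumentException, adding a test for each invalid combination, and stating the null semantics in the XML docs of both properties.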
Good catch. Added a constructor check that throws ArgumentException when OwnerResource and IdentityResource are not consistently both null (global) or both non-null (targeted), plus a unit test covering both invalid combinations.
Re-running the failed jobs in the CI workflow for this pull request because 2 jobs were identified as retry-safe transient failures in the CI run attempt.
Address PR review feedback: enforce that OwnerResource and IdentityResource must both be null (global) or both be non-null (targeted). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🎬 CLI E2E Test Recordings — 77 recordings uploaded (commit View all recordings
📹 Recordings uploaded automatically from CI run #25581232608
…gnment inspection

Add a new section to the Azure role assignments guide documenting the AzureRoleAssignmentResource type introduced in microsoft/aspire#16888. The new section explains:
- The three properties exposed by AzureRoleAssignmentResource (TargetAzureResource, OwnerResource, and IdentityResource)
- How to enumerate role assignment resources from a pipeline step
- The null semantics for global vs. targeted role assignments

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request created: #896
📝 Documentation has been drafted in microsoft/aspire.dev#896 targeting
Added a new "Inspect role assignments programmatically" section to the Manage Azure role assignments guide, documenting the new
Note: This draft PR needs human review before merging.
…signments guide (#896)

* docs: document AzureRoleAssignmentResource for programmatic role assignment inspection

Add a new section to the Azure role assignments guide documenting the AzureRoleAssignmentResource type introduced in microsoft/aspire#16888. The new section explains:
- The three properties exposed by AzureRoleAssignmentResource (TargetAzureResource, OwnerResource, and IdentityResource)
- How to enumerate role assignment resources from a pipeline step
- The null semantics for global vs. targeted role assignments

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* PR feedback

---------

Co-authored-by: aspire-repo-bot[bot] <268009190+aspire-repo-bot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Eric Erhardt <eric.erhardt@microsoft.com>
Description
Introduces a new public AzureRoleAssignmentResource type so callers can inspect role-assignment resources in the application model (e.g. from a pipeline step) and reason about what role assignments target which Azure resource.

Previously, role-assignment resources added by AzureResourcePreparer were plain AzureProvisioningResource instances, which made it impossible to identify them as role assignments or discover their target/owner without inspecting internal annotations.

The new type exposes:
- TargetAzureResource — the Azure resource that the roles are assigned on (the scope, e.g. a KeyVault, Storage, etc.).
- OwnerResource — the Aspire resource that owns this set of role assignments (the resource on which WithRoleAssignments(...) was called). null for global role assignments granted to the deployment principal.
- IdentityResource — the user-assigned managed identity (AzureUserAssignedIdentityResource) whose principal receives the role assignments. null for global role assignments granted to the deployment principal.

RoleAssignmentResourceAnnotation is also tightened to hold the new typed resource. A regression test is added that uses a pipeline step running after WellKnownPipelineSteps.BeforeStart to enumerate all AzureRoleAssignmentResources targeting a single Azure resource (a Key Vault).

Fixes # (issue)
Checklist
<remarks /> and <code /> elements on your triple slash comments?