onlyIfNotExists roleAssignment deployment fails despite existing
Bicep version 0.38.33
Describe the bug
When using onlyIfNotExists() with roleAssignments, the expected behavior is that the deployment should succeed when the roleAssignment resource already exists and no write action would be necessary.
'User Access Administrator' or 'Owner' etc. should only be required when a write action occurs.
To Reproduce
```bicep
param acrName string
param identityName string
param readerRoleDefinitionId string = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' // built-in 'Reader' role ID; default added for completeness, not in the original report
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: acrName
}
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: identityName
}
@onlyIfNotExists()
resource acrReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, identity.id, readerRoleDefinitionId)
  scope: acr
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleDefinitionId)
    principalId: identity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
```
Authorization failed for template resource '<guid>' of type 'Microsoft.Authorization/roleAssignments'. The client '<user>' with object id '<guid>' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '<roleAssignmentExtensionResource>'
Additional context
This would greatly simplify CI/CD in an environment where additional approvals are needed to gain User Access Administrator by skipping the creation of role assignments which already exist.
When I heard about this preview feature, this was the exact use case I had in mind. I was disappointed when I tested it out and it didn’t work as expected. Existing role assignments from old ARM templates cause a lot of headaches currently. Having this feature or something similar to skip an existing role assignment with the same properties but a different GUID would be great.
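The workaround a pipeline can use today, as an added example that is not part of the issue or of the Bicep project: before running the deployment, list the role assignments that already exist at the target scope and drop every desired assignment that is already covered. Azure enforces uniqueness on the triple (scope, principalId, roleDefinitionId), so an assignment created by an old ARM template under a different GUID still counts as present. The sample JSON below is constructed to resemble trimmed `az role assignment list` output; the subscription and principal IDs are placeholders.

```python
"""Pre-deployment check: which role assignments still need a write action?

Added example (not from the issue or the Bicep project). Azure role assignments are
unique on (scope, principalId, roleDefinitionId); the assignment name/GUID is only a
label. A CI job without 'User Access Administrator' can therefore skip every desired
assignment whose triple already exists, whatever GUID the old template gave it.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"            # placeholder
ACR = SUB + "/resourceGroups/rg-app/providers/Microsoft.ContainerRegistry/registries/acrapp"
READER = SUB + "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
PUSH_ROLE = SUB + "/providers/Microsoft.Authorization/roleDefinitions/constructed-role-id"  # constructed

# Constructed sample resembling trimmed `az role assignment list --scope <acr> -o json` output.
EXISTING_ASSIGNMENTS_JSON = json.dumps([
    {   # created long ago by an ARM template, so its GUID differs from what guid() would yield
        "name": "11111111-1111-1111-1111-111111111111",
        "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
        "roleDefinitionId": READER.upper(),   # ARM returns IDs in varying case
        "scope": ACR,
    },
    {   # same principal, but assigned at the resource-group scope only
        "name": "22222222-2222-2222-2222-222222222222",
        "principalId": "aaaaaaaa-0000-0000-0000-000000000003",
        "roleDefinitionId": PUSH_ROLE,
        "scope": SUB + "/resourceGroups/rg-app",
    },
])

# What the Bicep template wants to exist (names are what guid() would produce; constructed).
DESIRED_ASSIGNMENTS = [
    {"name": "desired-1", "principalId": "AAAAAAAA-0000-0000-0000-000000000001",
     "roleDefinitionId": READER, "scope": ACR},
    {"name": "desired-2", "principalId": "aaaaaaaa-0000-0000-0000-000000000003",
     "roleDefinitionId": PUSH_ROLE, "scope": ACR},
]


def load_existing(json_text: str) -> list[dict]:
    """Parse the CLI output; only the three identifying fields plus name are used."""
    return [
        {k: a[k] for k in ("name", "principalId", "roleDefinitionId", "scope")}
        for a in json.loads(json_text)
    ]


def _key(assignment: dict) -> tuple[str, str, str]:
    # Resource IDs and GUIDs are compared case-insensitively by ARM, so normalise.
    return (
        assignment["scope"].lower(),
        assignment["principalId"].lower(),
        assignment["roleDefinitionId"].lower(),
    )


def assignments_to_create(existing: list[dict], desired: list[dict]) -> list[dict]:
    """Return the subset of `desired` with no equivalent assignment at the same scope.

    An assignment at a parent scope (resource group, subscription) is deliberately not
    treated as equivalent: ARM would still create the resource-scoped one, so the
    roleAssignments/write action, and the elevated role it needs, would still be required.
    """
    have = {_key(a) for a in existing}
    return [d for d in desired if _key(d) not in have]


def needs_role_assignment_write(existing: list[dict], desired: list[dict]) -> bool:
    """True when the deployment would have to perform a roleAssignments/write."""
    return bool(assignments_to_create(existing, desired))


if __name__ == "__main__":
    current = load_existing(EXISTING_ASSIGNMENTS_JSON)
    for d in DESIRED_ASSIGNMENTS:
        state = "create" if d in assignments_to_create(current, [d]) else "skip (exists)"
        print(f"{d['name']}: {state}")
    print("elevated role needed:", needs_role_assignment_write(current, DESIRED_ASSIGNMENTS))
```

In a pipeline the `existing` list would come from `az role assignment list` run with read-only rights, and only the assignments returned by `assignments_to_create` would be passed to a deployment stage that runs under the approved elevated identity.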
> something similar to skip an existing role assignment with the same properties but a different GUID would be great.

Agree this would be useful but please create a different issue to track.