
azure_rm_roleassignment fails on additional runs #460

Closed
tlourey opened this issue Mar 17, 2021 · 19 comments · Fixed by #464
Labels
has_pr PR fixes have been made medium_priority Medium priority

Comments

@tlourey

tlourey commented Mar 17, 2021

SUMMARY

When using azure_rm_roleassignment in a playbook, if the role assignment already exists it returns an error and stops, instead of just continuing like all other modules.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure_rm_roleassignment

ANSIBLE VERSION
ansible 2.10.2
  config file = None
  configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/ansible/lib/python3.7/site-packages/ansible
  executable location = /opt/ansible/bin/ansible
  python version = 3.7.3 (default, Jul 25 2020, 13:03:44) [GCC 8.3.0]
CONFIGURATION
No output
OS / ENVIRONMENT

Azure Cloud Shell
user@Azure:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Cbld
Description: Common Base Linux Delridge (quinault)
Release: 10
Codename: quinault

STEPS TO REPRODUCE

Create playbook that uses azure_rm_roleassignment
Run playbook
Run playbook again

  - name: Create a role assignment
    azure_rm_roleassignment:
        scope: "{{ var.ansible_facts.azure_vm.id }}"
        assignee_object_id: 12345678-abcd-efgh-1234-1234567890ab
        role_definition_id: "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52"
EXPECTED RESULTS

Doesn't error on additional runs

ACTUAL RESULTS

Errors saying role assignment already exists


@Fred-sun
Collaborator

@tlourey Thank you for raising this question. As the module does not support updating and idempotency, we will investigate again. Thank you very much!

@Fred-sun Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors labels Mar 18, 2021
@paultaiton
Contributor

@tlourey
Are you using the most recent version of azcollection? I updated this module to support idempotent operations with these exact parameters, but it was only made available in version 1.3.0 (current is 1.4.0).

@tlourey
Author

tlourey commented Mar 19, 2021

I was using Azure Cloud Shell but have only been trying to use that module since February. I didn't install the azure collection, but everything ran except this. The only way I could get it to run when re-running the playbook was to remove the IAM assignment first, each time.

@paultaiton
Contributor

paultaiton commented Mar 19, 2021

> I was using Azure Cloud Shell but have only been trying to use that module since February. I didn't install the azure collection, but everything ran except this. The only way I could get it to run when re-running the playbook was to remove the IAM assignment first, each time.

@tlourey

I know very little about how the cloud shell operates or what version it's using. Or how you would determine that. Hopefully @Fred-sun has a bit more knowledge of that and can comment.

However, what you're describing matches up with issues #145 and #266, which were fixed by PR #301. I highly suspect that your issue will be fixed by a version update.

@tlourey
Author

tlourey commented Mar 19, 2021

Updated azcollection in Cloud shell to 1.4.0

tim@Azure:~$ ansible-galaxy collection list

# /home/tim/.ansible/collections/ansible_collections
Collection         Version
------------------ -------
ansible.windows    1.4.0  
azure.azcollection 1.4.0
community.windows  1.3.0

Still getting:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error creating role assignment: Azure Error: RoleAssignmentExists\nMessage: The role assignment already exists."}

@paultaiton
Contributor

Does the problem persist if you change to

  - name: Create a role assignment
    azure.azcollection.azure_rm_roleassignment:

??? It may be trying to use an older built-in version instead of the fully qualified collection module.

@tlourey
Author

tlourey commented Mar 19, 2021

> I know very little about how the cloud shell operates or what version it's using. Or how you would determine that. Hopefully @Fred-sun has a bit more knowledge of that and can comment.

If it helps:

tim@Azure:~$ cat /etc/os-release
PRETTY_NAME="Common Base Linux Delridge (quinault)"
NAME="Common Base Linux Delridge"
VERSION_ID="10"
VERSION="10 (quinault)"
VERSION_CODENAME=quinault
ID=cbld
ID_LIKE=debian
HOME_URL="https://aka.ms/cbld"
SUPPORT_URL="https://aka.ms/cbld"
BUG_REPORT_URL="https://aka.ms/cbld"
tim@Azure:~$ uname -r
4.15.0-1109-azure
tim@Azure:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Cbld
Description:    Common Base Linux Delridge (quinault)
Release:        10
Codename:       quinault

@tlourey
Author

tlourey commented Mar 19, 2021

> Does the problem persist if you change to
>
>   - name: Create a role assignment
>     azure.azcollection.azure_rm_roleassignment:
>
> ??? It may be trying to use an older built-in version instead of the fully qualified collection module.

Just tried with this:

  - name: Create a role assignment
    azure.azcollection.azure_rm_roleassignment:

Same result:

TASK [Create a role assignment] *******************************************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error creating role assignment: Azure Error: RoleAssignmentExists\nMessage: The role assignment already exists."}

@paultaiton
Contributor

Alright, I'll have to play around and see if I can replicate. Past my bed time so it'll have to wait till I can take a rigorous look. By your code I'm guessing you're assigning to a VM scope?

@tlourey
Author

tlourey commented Mar 19, 2021

Many thanks. Correct, a VM.

I am also fairly sure it's happening outside of Azure Cloud Shell. I tried another new box using the Microsoft Ansible Quick Start Guide:

NAME="CentOS Linux"
VERSION="7 (Core)"
[azureuser@quickstartansible-vm ~]$ ansible --version
ansible 2.10.7
  config file = /home/azureuser/.ansible.cfg
  configured module search path = ['/home/azureuser/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
[azureuser@quickstartansible-vm ~]$
# /home/azureuser/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
ansible.windows       1.4.0
chocolatey.chocolatey 1.0.2
community.windows     1.3.0
# /usr/local/lib/python3.6/site-packages/ansible_collections
Collection                    Version
azure.azcollection            1.4.0

Let me know if there is anything else you need.

@paultaiton
Contributor

Could you please provide me your whole playbook (or as much as you can provide while keeping out personal details) ? It will help me replicate the issue.

@Fred-sun
Collaborator

@tlourey Do you want to recreate or update your role? Thank you very much!

@tlourey
Author

tlourey commented Mar 22, 2021

@Fred-sun it's trying to create the role assignment. But when it runs a second time it sees that it already exists and errors, instead of just skipping.

@tlourey
Author

tlourey commented Mar 22, 2021

@paultaiton https://gist.github.com/tlourey/049ab639f018307301bd7809ac9de5c3. I think I've stripped it out safely.

@paultaiton
Contributor

Thanks. I'll take a look first chance I get.

@paultaiton
Contributor

paultaiton commented Mar 22, 2021

@tlourey
When the role_definition_id is returned by the Azure API, it is the fully qualified resource ID. This differs from what you're passing by the '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/' prefix. At the time I wrote the code to handle idempotency, I wasn't aware that you could even pass in a definition ID without that prefix, so I did not add any logic to detect that condition.
I'm working on a fix to account for this different usage, which according to the Azure API is still valid, but in the meantime you can add that prefix, and everything should work.
Example:

  - name: Create a role assignment
    azure_rm_roleassignment:
        scope: "{{ var.ansible_facts.azure_vm.id }}"
        assignee_object_id: 12345678-abcd-efgh-1234-1234567890ab
        role_definition_id: "/subscriptions/cd082cc0-a6b8-abcd-1234-feedc0ffee00/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52"
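The mismatch paultaiton describes, as an added Python example (not code from the azure.azcollection module): it compares the role assignment the API reports against the one the playbook requests, first as plain strings and then after expanding a short role_definition_id with the subscription taken from the assignment scope. The subscription, resource-group and VM names are constructed placeholders, the management-group scope case is deliberately not handled, and the case-insensitive comparison of resource IDs is an assumption of this example rather than something the issue states.

```python
"""Added example (not code from azure.azcollection): why an existing role
assignment is not recognised when role_definition_id is passed in its short
form, and how normalising the ID before comparison restores idempotency.
All IDs below are constructed placeholders."""
import re

# Constructed sample values; the GUIDs are placeholders, not real resources.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
VM_SCOPE = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-demo"
    "/providers/Microsoft.Compute/virtualMachines/vm-demo"
)
ROLE_GUID = "fb879df8-f326-4884-b1cf-06f3ad86be52"  # role GUID used in the issue's playbook
ASSIGNEE_OBJECT_ID = "12345678-abcd-efgh-1234-1234567890ab"  # placeholder from the issue

ROLE_DEF_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
_SUBSCRIPTION_RE = re.compile(r"^/subscriptions/([^/]+)", re.IGNORECASE)


def subscription_from_scope(scope: str) -> str:
    """Return the subscription ID that a scope belongs to.

    Assumption of this example: scopes are subscription-level or below;
    management-group scopes are not handled.
    """
    match = _SUBSCRIPTION_RE.match(scope.strip())
    if match is None:
        raise ValueError(f"scope has no /subscriptions/ prefix: {scope}")
    return match.group(1)


def normalize_role_definition_id(role_definition_id: str, scope: str) -> str:
    """Expand a short role definition ID to the fully qualified form.

    Azure accepts both
      /providers/Microsoft.Authorization/roleDefinitions/<guid>
    and
      /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>
    but the API returns only the latter, so a string comparison against the
    API's value fails unless the short form is expanded first.
    """
    rid = role_definition_id.strip()
    if rid.lower().startswith("/subscriptions/"):
        return rid
    if rid.lower().startswith(ROLE_DEF_PREFIX.lower()):
        return f"/subscriptions/{subscription_from_scope(scope)}{rid}"
    raise ValueError(f"unrecognised role_definition_id: {rid}")


def assignment_matches(existing: dict, desired: dict, normalize: bool) -> bool:
    """Decide whether 'desired' is already satisfied by 'existing'.

    Both dicts carry scope, assignee_object_id and role_definition_id.
    With normalize=False this is the naive comparison that misses the
    short-form ID; with normalize=True the IDs are expanded first.
    Assumption: resource IDs are compared case-insensitively here.
    """
    def key(assignment: dict) -> tuple:
        rid = assignment["role_definition_id"]
        if normalize:
            rid = normalize_role_definition_id(rid, assignment["scope"])
        return (
            assignment["scope"].lower(),
            assignment["assignee_object_id"].lower(),
            rid.lower(),
        )
    return key(existing) == key(desired)


def demo() -> tuple:
    """Return (naive_result, normalized_result) for the issue's scenario."""
    # What the API (or azure_rm_roleassignment_info) reports after the first run.
    existing = {
        "scope": VM_SCOPE,
        "assignee_object_id": ASSIGNEE_OBJECT_ID,
        "role_definition_id": f"/subscriptions/{SUBSCRIPTION_ID}{ROLE_DEF_PREFIX}{ROLE_GUID}",
    }
    # What the playbook passes on the second run: the short form.
    desired = {
        "scope": VM_SCOPE,
        "assignee_object_id": ASSIGNEE_OBJECT_ID,
        "role_definition_id": f"{ROLE_DEF_PREFIX}{ROLE_GUID}",
    }
    naive = assignment_matches(existing, desired, normalize=False)
    fixed = assignment_matches(existing, desired, normalize=True)
    return naive, fixed


if __name__ == "__main__":
    naive, fixed = demo()
    # False: the module would try to create and get RoleAssignmentExists.
    print(f"naive comparison sees the existing assignment: {naive}")
    # True: the assignment is recognised and the task is a no-op.
    print(f"normalised comparison sees the existing assignment: {fixed}")
```

The naive path is what produces the "RoleAssignmentExists" failure in this thread: the existence check never matches, so the module proceeds to create, and the API rejects the duplicate. Expanding the short form with the subscription from the scope, or passing the fully qualified ID as paultaiton suggests, makes the two strings compare equal.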

@tlourey
Author

tlourey commented Mar 22, 2021

@paultaiton you are correct. That did resolve the issue. I'm testing a third time to be safe, but it seems to continue normally now.

@Fred-sun Fred-sun added has_pr PR fixes have been made and removed work in In trying to solve, or in working with contributors labels Mar 22, 2021
@Mohammad-Atif-Khan

Mohammad-Atif-Khan commented Apr 3, 2023

@paultaiton this still seems to happen?

- name: "[CRU_] [IAM] Update IAM of given RG"
  azure.azcollection.azure_rm_roleassignment:
    role_definition_id: "{{ role_definition.roledefinitions[0].id }}"
    scope: "{{ rg_info.id }}"
    assignee_object_id: "{{ adgroup_object_id }}"

where role_definition is the output of the azure_rm_roledefinition_info module, containing fully qualified definition ID:

invocation:
  module_args:
      ad_user:
      adfs_authority_url: null 
      api_profile: latest 
      assignee_object_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 
      auth_source: auto 
      cert_validation_mode: null 
      client_id: null 
      cloud_environment: AzureCloud 
      id: null 
      log_mode: null 
      log_path: null 
      name: null 
      password: null 
      profile: null 
      role_definition_id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG-Ansible-Resources 
      secret: null 
      state: present 
      subscription_id: null 
      tenant: null 
      thumbprint: null 
      x509_certificate_path: null 
  msg: |- 
    Error creating role assignment: (RoleAssignmentExists) The role assignment already exists.
    Code: RoleAssignmentExists 
    Message: The role assignment already exists.

I'm running v1.14.0 of the collection

Appreciate any guidance

@paultaiton
Contributor

paultaiton commented Apr 3, 2023

> @paultaiton this still seems to happen?
>
> - name: "[CRU_] [IAM] Update IAM of given RG"
>   azure.azcollection.azure_rm_roleassignment:
>     role_definition_id: "{{ role_definition.roledefinitions[0].id }}"
>     scope: "{{ rg_info.id }}"
>     assignee_object_id: "{{ adgroup_object_id }}"
>
> where role_definition is the output of the azure_rm_roledefinition_info module, containing fully qualified definition ID:
>
> invocation:
>   module_args:
>       ad_user:
>       adfs_authority_url: null
>       api_profile: latest
>       assignee_object_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
>       auth_source: auto
>       cert_validation_mode: null
>       client_id: null
>       cloud_environment: AzureCloud
>       id: null
>       log_mode: null
>       log_path: null
>       name: null
>       password: null
>       profile: null
>       role_definition_id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
>       scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/RG-Ansible-Resources
>       secret: null
>       state: present
>       subscription_id: null
>       tenant: null
>       thumbprint: null
>       x509_certificate_path: null
>   msg: |-
>     Error creating role assignment: (RoleAssignmentExists) The role assignment already exists.
>     Code: RoleAssignmentExists
>     Message: The role assignment already exists.
>
> I'm running v1.14.0 of the collection
>
> Appreciate any guidance

@Mohammad-Atif-Khan
Can you please get me the output from an azure_rm_roleassignment_info for the target that you're trying to assign to?
It's been a couple years since I worked on this module, so it'll take me a bit to get my bearings in the code again.

Based on what I remember, and what you've copied, this shouldn't be possible, but we'll see.

Also, I would highly recommend you open a new "issue" for this, and tag me in it so I can see. There have been 10 minor releases between when tlourey reported the original issue and the version you're using, so they're pretty far disconnected, even if the error message is similar.
