[release/9.2] Don't fail for Azure role assignments in run mode (#8807)

github-actions[bot] · eerhardt · web-flow · commit 8de8d4bf3019 · 2025-04-18T10:57:45.000-07:00
* Don't fail for Azure role assignments in run mode We are throwing too early. When users only want to dotnet run their app and use role assignments, we shouldn't be blocking them on using role assignments. Only when you go to publish, should we throw saying that your infrastructure doesn't support targeted role assignments. Fix #8778 * Fix run mode for Azure resources that aren't referenced by compute resources. In those cases we still want the default role assignments to apply. --------- Co-authored-by: Eric Erhardt <eric.erhardt@microsoft.com>
diff --git a/src/Aspire.Hosting.Azure/AzureResourcePreparer.cs b/src/Aspire.Hosting.Azure/AzureResourcePreparer.cs
@@ -30,7 +30,7 @@ public async Task BeforeStartAsync(DistributedApplicationModel appModel, Cancell
         }
 
         var options = provisioningOptions.Value;
-        if (!options.SupportsTargetedRoleAssignments)
+        if (!EnvironmentSupportsTargetedRoleAssignments(options))
         {
             // If the app infrastructure does not support targeted role assignments, then we need to ensure that
             // there are no role assignment annotations in the app model because they won't be honored otherwise.
@@ -79,6 +79,13 @@ public async Task BeforeStartAsync(DistributedApplicationModel appModel, Cancell
         return azureResources;
     }
 
+    private bool EnvironmentSupportsTargetedRoleAssignments(AzureProvisioningOptions options)
+    {
+        // run mode always supports targeted role assignments
+        // publish mode only supports targeted role assignments if the environment supports it
+        return executionContext.IsRunMode || options.SupportsTargetedRoleAssignments;
+    }
+
     private static void EnsureNoRoleAssignmentAnnotations(DistributedApplicationModel appModel)
     {
         foreach (var resource in appModel.Resources)
@@ -94,7 +101,7 @@ private async Task BuildRoleAssignmentAnnotations(DistributedApplicationModel ap
     {
         var globalRoleAssignments = new Dictionary<AzureProvisioningResource, HashSet<RoleDefinition>>();
 
-        if (!options.SupportsTargetedRoleAssignments)
+        if (!EnvironmentSupportsTargetedRoleAssignments(options))
         {
             // when the app infrastructure doesn't support targeted role assignments, just copy all the default role assignments to applied role assignments
             foreach (var resource in azureResources.Select(r => r.AzureResource).OfType<AzureProvisioningResource>())
@@ -183,6 +190,19 @@ private async Task BuildRoleAssignmentAnnotations(DistributedApplicationModel ap
                     }
                 }
             }
+
+            if (executionContext.IsRunMode)
+            {
+                // in RunMode, any Azure resources that are not referenced by a compute resource should have their default role assignments applied
+                foreach (var azureResource in azureResources.Select(r => r.AzureResource).OfType<AzureProvisioningResource>())
+                {
+                    if (!globalRoleAssignments.TryGetValue(azureResource, out _) &&
+                        azureResource.TryGetLastAnnotation<DefaultRoleAssignmentsAnnotation>(out var defaultRoleAssignments))
+                    {
+                        AppendGlobalRoleAssignments(globalRoleAssignments, azureResource, defaultRoleAssignments.Roles);
+                    }
+                }
+            }
         }
 
         if (globalRoleAssignments.Count > 0)
diff --git a/tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs b/tests/Aspire.Hosting.Azure.Tests/AzureResourcePreparerTests.cs
@@ -13,10 +13,12 @@ namespace Aspire.Hosting.Azure.Tests;
 
 public class AzureResourcePreparerTests(ITestOutputHelper output)
 {
-    [Fact]
-    public void ThrowsExceptionsIfRoleAssignmentUnsupported()
+    [Theory]
+    [InlineData(DistributedApplicationOperation.Publish)]
+    [InlineData(DistributedApplicationOperation.Run)]
+    public async Task ThrowsExceptionsIfRoleAssignmentUnsupported(DistributedApplicationOperation operation)
     {
-        using var builder = TestDistributedApplicationBuilder.Create();
+        using var builder = TestDistributedApplicationBuilder.Create(operation);
 
         var storage = builder.AddAzureStorage("storage");
 
@@ -25,8 +27,16 @@ public void ThrowsExceptionsIfRoleAssignmentUnsupported()
 
         var app = builder.Build();
 
-        var ex = Assert.Throws<InvalidOperationException>(app.Start);
-        Assert.Contains("role assignments", ex.Message);
+        if (operation == DistributedApplicationOperation.Publish)
+        {
+            var ex = Assert.Throws<InvalidOperationException>(app.Start);
+            Assert.Contains("role assignments", ex.Message);
+        }
+        else
+        {
+            await app.StartAsync();
+            // no exception is thrown in Run mode
+        }
     }
 
     [Theory]

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ public async Task BeforeStartAsync(DistributedApplicationModel appModel, Cancell`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`var options = provisioningOptions.Value;`
`33`		`- if (!options.SupportsTargetedRoleAssignments)`
	`33`	`+ if (!EnvironmentSupportsTargetedRoleAssignments(options))`
`34`	`34`	`{`
`35`	`35`	`// If the app infrastructure does not support targeted role assignments, then we need to ensure that`
`36`	`36`	`// there are no role assignment annotations in the app model because they won't be honored otherwise.`
`@@ -79,6 +79,13 @@ public async Task BeforeStartAsync(DistributedApplicationModel appModel, Cancell`
`79`	`79`	`return azureResources;`
`80`	`80`	`}`
`81`	`81`
	`82`	`+ private bool EnvironmentSupportsTargetedRoleAssignments(AzureProvisioningOptions options)`
	`83`	`+ {`
	`84`	`+ // run mode always supports targeted role assignments`
	`85`	`+ // publish mode only supports targeted role assignments if the environment supports it`
	`86`	`+ return executionContext.IsRunMode \|\| options.SupportsTargetedRoleAssignments;`
	`87`	`+ }`
	`88`	`+`
`82`	`89`	`private static void EnsureNoRoleAssignmentAnnotations(DistributedApplicationModel appModel)`
`83`	`90`	`{`
`84`	`91`	`foreach (var resource in appModel.Resources)`
`@@ -94,7 +101,7 @@ private async Task BuildRoleAssignmentAnnotations(DistributedApplicationModel ap`
`94`	`101`	`{`
`95`	`102`	`var globalRoleAssignments = new Dictionary<AzureProvisioningResource, HashSet<RoleDefinition>>();`
`96`	`103`
`97`		`- if (!options.SupportsTargetedRoleAssignments)`
	`104`	`+ if (!EnvironmentSupportsTargetedRoleAssignments(options))`
`98`	`105`	`{`
`99`	`106`	`// when the app infrastructure doesn't support targeted role assignments, just copy all the default role assignments to applied role assignments`
`100`	`107`	`foreach (var resource in azureResources.Select(r => r.AzureResource).OfType<AzureProvisioningResource>())`
`@@ -183,6 +190,19 @@ private async Task BuildRoleAssignmentAnnotations(DistributedApplicationModel ap`
`183`	`190`	`}`
`184`	`191`	`}`
`185`	`192`	`}`
	`193`	`+`
	`194`	`+ if (executionContext.IsRunMode)`
	`195`	`+ {`
	`196`	`+ // in RunMode, any Azure resources that are not referenced by a compute resource should have their default role assignments applied`
	`197`	`+ foreach (var azureResource in azureResources.Select(r => r.AzureResource).OfType<AzureProvisioningResource>())`
	`198`	`+ {`
	`199`	`+ if (!globalRoleAssignments.TryGetValue(azureResource, out _) &&`
	`200`	`+ azureResource.TryGetLastAnnotation<DefaultRoleAssignmentsAnnotation>(out var defaultRoleAssignments))`
	`201`	`+ {`
	`202`	`+ AppendGlobalRoleAssignments(globalRoleAssignments, azureResource, defaultRoleAssignments.Roles);`
	`203`	`+ }`
	`204`	`+ }`
	`205`	`+ }`
`186`	`206`	`}`
`187`	`207`
`188`	`208`	`if (globalRoleAssignments.Count > 0)`