[AVM Module Issue]: event-grid/system-topic externalResourceRoleAssignments fails for cross-resource-group destinations (ResourceNotFound) #7177

Description

@Mirabis

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

Bug

Module Name

avm/res/event-grid/system-topic

(Optional) Module Version

0.6.5

Description

When externalResourceRoleAssignments targets a resource in a different resource group than the system topic, deployment fails with ResourceNotFound.

The generated inner role-assignment deployment (*-EventGrid-SysTopic-ExtRoleAssign-**-ResourceRoleAssignment) runs in the system topic's resource group and does not derive/set the target resource group from the supplied resourceId. ARM then resolves the extension-scope resource in the wrong RG.

Repro

// deployed into RG "rg-topic"; destination SA lives in "rg-dest"
module systemTopic 'br/public:avm/res/event-grid/system-topic:0.6.5' = {
  name: 'st'
  params: {
    name: 'st-demo'
    source: '<source SA resourceId in rg-topic>'
    topicType: 'Microsoft.Storage.StorageAccounts'
    managedIdentities: { systemAssigned: true }
    externalResourceRoleAssignments: [
      {
        resourceId: '/subscriptions/<sub>/resourceGroups/rg-dest/providers/Microsoft.Storage/storageAccounts/<destSa>'
        roleDefinitionId: 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a' // Storage Queue Data Message Sender
        roleName: 'Storage Queue Data Message Sender'
      }
    ]
  }
}

Observed (deployment operation on inner *-ResourceRoleAssignment)

code:    ResourceNotFound
target:  .../resourceGroups/rg-dest/providers/Microsoft.Storage/storageAccounts/<destSa>/providers/Microsoft.Authorization/roleAssignments/<guid>
message: "The Resource 'Microsoft.Storage/storageAccounts/<destSa>' under resource group 'rg-topic' was not found."

The role-assignment id correctly points at rg-dest, but ARM looks for the destination under rg-topic (the deployment's RG).

Note: az deployment group validate and what-if both report success — neither catches the cross-RG write rejection; it only surfaces at actual deploy.

Expected

externalResourceRoleAssignments should support destinations in any RG/subscription by deriving resourceGroup/subscriptionId from the provided resourceId and setting them on the nested role-assignment deployment (as avm/ptn/authorization/resource-role-assignment already supports when called directly with an explicit scope).

Workaround

Call avm/ptn/authorization/resource-role-assignment as a separate module with explicit scope: resourceGroup(<destRg>), and set externalResourceRoleAssignments: [].

(Optional) Correlation Id

69c25a0c-f98a-440a-b638-21d88c9df767
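The workaround described in the issue, written out as an added example that is not the reporter's or the AVM project's own code: the pattern module's parameter names (resourceId, principalId, principalType, roleDefinitionId, roleName), the system-topic output systemAssignedMIPrincipalId, and the values in angle brackets are assumptions.

```bicep
// Added example (not from the issue or the AVM modules): deploy the system topic with
// externalResourceRoleAssignments left empty and grant the destination role through the
// pattern module scoped explicitly to the destination's own resource group.
// Assumed: parameter names of avm/ptn/authorization/resource-role-assignment, the
// system-topic output systemAssignedMIPrincipalId, and the <version>/<...> placeholders.
targetScope = 'resourceGroup' // this template is deployed into rg-topic

param sourceStorageAccountResourceId string // source SA that lives in rg-topic
param destStorageAccountResourceId string   // '/subscriptions/<sub>/resourceGroups/rg-dest/providers/Microsoft.Storage/storageAccounts/<destSa>'

// Derive the destination scope from the resourceId instead of inheriting the deployment's RG.
// Segments of an ARM id: '' / subscriptions / <sub> / resourceGroups / <rg> / providers / ...
var destSubscriptionId = split(destStorageAccountResourceId, '/')[2]
var destResourceGroupName = split(destStorageAccountResourceId, '/')[4]

module systemTopic 'br/public:avm/res/event-grid/system-topic:0.6.5' = {
  name: 'st'
  params: {
    name: 'st-demo'
    source: sourceStorageAccountResourceId
    topicType: 'Microsoft.Storage.StorageAccounts'
    managedIdentities: { systemAssigned: true }
    externalResourceRoleAssignments: [] // skip the inner deployment that fails cross-RG
  }
}

// The nested deployment now runs in rg-dest, so ARM resolves the extension-scope
// resource there. The assignment stays scoped to the single storage account, not the RG.
module destQueueSender 'br/public:avm/ptn/authorization/resource-role-assignment:<version>' = {
  name: 'st-demo-dest-queue-sender'
  scope: resourceGroup(destSubscriptionId, destResourceGroupName)
  params: {
    resourceId: destStorageAccountResourceId
    principalId: systemTopic.outputs.systemAssignedMIPrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a' // Storage Queue Data Message Sender
    roleName: 'Storage Queue Data Message Sender'
  }
}
```

Because validate and what-if do not catch the cross-RG rejection, confirm after deployment that the role assignment exists at the destination storage account scope rather than relying on the pre-flight result.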
