tank104

ARM Template Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments Updating SQL Role Assignment Scope is not permitted

I am doing an incremental ARM Template update as below. The first time I run it, it works, and on every subsequent deployment I get this error:

Updating SQL Role Assignment Scope is not permitted. You may only update the associated Role Definition

I have even changed the ARM Template to use the exact ARM code that is already there and generated from the Azure Portal script and it still throws the same error.

I have seen this ticket: Incremental redeployment of an ARM Template with Role Assignments throws an error, but the answer isn't helpful, so I wonder if this is different since it relates to CosmosDB.


"variables": {
    "cosmosDatabaseRoleDefinitionName": "[format('{0}_{1}_{2}_readwrite', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]",
    "cosmosDatabaseRoleDefinitionId": "[guid(variables('cosmosDatabaseRoleDefinitionName'))]",
    "cosmosDatabaseRoleAssignmentId": "[guid(variables('cosmosDatabaseRoleDefinitionName'), parameters('appServiceName'))]"
  },
  // lots of other resources
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "AddAppToComosDb",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
              "apiVersion": "2021-06-15",
              "name": "[format('{0}/{1}', parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleAssignmentId'))]",
              "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions',parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleDefinitionId'))]",
                "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('appServiceName')), '2019-08-01', 'full').identity.principalId]",
                "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts/dbs/colls', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]"
              },
              "dependsOn": [
                "[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]",
                "[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleDefinitionId'))]"
              ]
            }
          ]
        }
      },
      "resourceGroup": "[parameters('sharedResourceGroupName')]"
    }
  ]
}

Upvotes: 2

Views: 2207

Answers (1)

tank104

Ok, sorted this.
It appears it will create the assignment fine as-is, but for updating you have to have the subscription ID specified in roleDefinitionId and principalId. To me, it seems a bug that one works and the other doesn't.

"properties": {
    "roleDefinitionId": "[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions',parameters('cosmosDatabaseAccountName'), variables('cosmosDatabaseRoleDefinitionId'))]",
    "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('appServiceName')), '2019-08-01', 'full').identity.principalId]",
    "scope": "[resourceId(parameters('sharedResourceGroupName'), 'Microsoft.DocumentDB/databaseAccounts/dbs/colls', parameters('cosmosDatabaseAccountName'), parameters('cosmosDatabaseId'), parameters('cosmosDatabaseContainerId'))]"
},

Upvotes: 1
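As an added example (not code from the question or the answer), the following Python models how ARM's resourceId() resolves the assignment's scope with and without the resource-group argument, and applies the rule stated in the error message (only the role definition may change on an existing assignment) as a pre-deployment check. The subscription, resource-group, account, database and container names are constructed placeholders.

```python
# Added example, not code from the question or the answer: a small model of
# how ARM's resourceId() resolves the Cosmos DB role-assignment scope with
# and without the resource-group argument, plus a pre-deployment check that
# mirrors the "Updating SQL Role Assignment Scope is not permitted" rule.
# Subscription, resource-group, account and container names are constructed.

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder GUID

def resource_id(deployment_rg, resource_type, *names, resource_group=None):
    """Mirror ARM resourceId(): optional resource group, type, name segments.
    Without an explicit group the id lands in the deployment's own group."""
    provider, _, rest = resource_type.partition("/")
    type_parts = rest.split("/")
    if len(type_parts) != len(names):
        raise ValueError(f"{resource_type} needs {len(type_parts)} name segments")
    rg = resource_group or deployment_rg
    tail = "".join(f"/{t}/{n}" for t, n in zip(type_parts, names))
    return f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{rg}/providers/{provider}{tail}"

def desired_assignment(deployment_rg, account, db, coll, principal, role_def, shared_rg=None):
    """Properties the template would submit; shared_rg is the answer's fix."""
    return {
        "scope": resource_id(deployment_rg, "Microsoft.DocumentDB/databaseAccounts/dbs/colls",
                             account, db, coll, resource_group=shared_rg),
        "principalId": principal,
        "roleDefinitionId": resource_id(deployment_rg,
                                        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
                                        account, role_def, resource_group=shared_rg),
    }

def redeploy_allowed(existing, desired):
    """Return (ok, reason). Per the error text, only roleDefinitionId may change
    on an existing assignment; a different scope or principalId is rejected."""
    if existing is None:
        return True, "create"
    if existing["scope"] != desired["scope"]:
        return False, f"scope differs: {existing['scope']} != {desired['scope']}"
    if existing["principalId"] != desired["principalId"]:
        return False, "principalId differs"
    if existing["roleDefinitionId"] != desired["roleDefinitionId"]:
        return True, "update roleDefinitionId"
    return True, "no change"

if __name__ == "__main__":
    # Existing assignment (constructed) lives under the shared resource group,
    # while the outer deployment runs in the app's own resource group.
    existing = desired_assignment("shared-rg", "cosmos1", "db1", "coll1", "pid", "rd", shared_rg="shared-rg")
    print(redeploy_allowed(existing, desired_assignment("app-rg", "cosmos1", "db1", "coll1", "pid", "rd")))
    print(redeploy_allowed(existing, desired_assignment("app-rg", "cosmos1", "db1", "coll1", "pid", "rd", shared_rg="shared-rg")))
```

Running it shows the first redeploy blocked because the scope resolved under app-rg, and the second (with the resource group passed to resourceId) accepted as a no-op.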
