
feat: Subscription Vending PTN - UMI Role Assignments absolute scopes #6929

Draft
nsftwr wants to merge 1 commit into Azure:main from nsftwr:feature/sub-vending-absolute-roles

Conversation

@nsftwr
Contributor

@nsftwr nsftwr commented Apr 20, 2026

Description

The ability to assign roles to UMIs outside the scope of the provisioned subscription. It is incredibly useful if you're vending a subscription with a user managed identity, and the provisioned UMI needs to have a role in a different sub, like Private DNS Zone Contributor in the Connectivity Subscription.

Pipeline Reference

Pipeline

Type of Change

  • Azure Verified Module updates:
    • Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in version.json:
    • Feature update backwards compatible feature updates, and I have bumped the MINOR version in version.json.
    • Breaking changes and I have bumped the MAJOR version in version.json.
    • Update to documentation
  • Update to CI Environment or utilities (Non-module affecting changes)

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • I have run Set-AVMModule locally to generate the supporting module files.
  • My corresponding pipelines / checks run clean and green without any errors or warnings
  • I have updated the module's CHANGELOG.md file with an entry for the next version

@microsoft-github-policy-service microsoft-github-policy-service Bot added the Needs: Triage 🔍 Maintainers need to triage still label Apr 20, 2026
@microsoft-github-policy-service

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

@microsoft-github-policy-service microsoft-github-policy-service Bot added the Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue label Apr 20, 2026
@microsoft-github-policy-service

Important

If this is a module-related PR, being submitted by the sole owner of the module, the AVM core team must review and approve it (as module owners can't approve their own PRs).

To indicate this PR needs the core team's attention, apply the "Needs: Core Team 🧞" label!

The core team will only review and approve PRs that have this label applied!

@nsftwr
Contributor Author

nsftwr commented Apr 20, 2026

@sebassem what are your thoughts on this? Happy to also get on a call if need be to explain the thought, but essentially the idea is that a UMI can be provisioned together with the vended sub, but have the role assigned in a different sub or management group like connectivity sub, having the Private DNS Zone Contributor role.

The current implementation adds an absoluteScope property next to relativeScope. I've done that so it's not classified as a breaking change, but I am also happy to make it so the property changes from relativeScope -> scope, and have the functionality as

  • If scope: '' then the role assignment is on the vended subscription
  • If scope: '/resourceGroups/rg-aabbcc' then the role assignment is on the vended sub, scoped to the rg
  • If scope: '/subscriptions/00000000-0000-0000-0000-000000000000' then the role assignment is on another sub
  • If scope: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aabbcc' then the role assignment is on the resource group in another sub
  • If scope: '/managementGroups/mg_corp' then the role assignment is on the management group

Let me know what your thoughts are.

I haven't done any of the AVM-specific bits, nor tests, as I wanted to get feedback first.
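The five scope rules proposed in the comment above, implemented as a standalone resolver. This is an added example, not code from the PR or the AVM module: `resolve_scope`, `ResolvedScope`, `check_allowed` and the vended subscription id are all constructed here, and the management-group case assumes the full ARM form `/providers/Microsoft.Management/managementGroups/<name>`. The `check_allowed` guard is a hypothetical policy hook showing where a vending pipeline would restrict cross-subscription targets to an explicit allowlist.

```python
import re
from dataclasses import dataclass

# Constructed vended-subscription id for the example; not a real subscription.
VENDED_SUB = "11111111-1111-1111-1111-111111111111"

_SUB_RE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})(?:/resourceGroups/([^/]+))?$")
_RG_RE = re.compile(r"^/resourceGroups/([^/]+)$")
_MG_RE = re.compile(r"^/managementGroups/([^/]+)$")


@dataclass(frozen=True)
class ResolvedScope:
    kind: str                 # "subscription", "resourceGroup" or "managementGroup"
    scope: str                # absolute ARM scope the role assignment would land on
    cross_subscription: bool  # True when the target lies outside the vended subscription


def resolve_scope(vended_sub: str, scope: str) -> ResolvedScope:
    """Map a proposed `scope` value onto the absolute ARM scope it denotes."""
    if scope == "":
        return ResolvedScope("subscription", f"/subscriptions/{vended_sub}", False)
    if _RG_RE.match(scope):
        # Relative resource-group path: anchored to the vended subscription.
        return ResolvedScope("resourceGroup", f"/subscriptions/{vended_sub}{scope}", False)
    m = _SUB_RE.match(scope)
    if m:
        sub_id, rg = m.group(1), m.group(2)
        cross = sub_id.lower() != vended_sub.lower()
        return ResolvedScope("resourceGroup" if rg else "subscription", scope, cross)
    if _MG_RE.match(scope):
        # Assumption: management-group scopes are emitted in their full ARM form.
        return ResolvedScope("managementGroup", f"/providers/Microsoft.Management{scope}", True)
    raise ValueError(f"unrecognised scope: {scope!r}")


def check_allowed(resolved: ResolvedScope, allowed_cross: frozenset) -> bool:
    """Hypothetical guard: in-subscription targets always pass; anything outside
    the vended subscription must match an explicit allowlist of absolute scopes."""
    if not resolved.cross_subscription:
        return True
    return resolved.scope in allowed_cross


if __name__ == "__main__":
    allow = frozenset({"/subscriptions/00000000-0000-0000-0000-000000000000"})
    for s in ["", "/resourceGroups/rg-aabbcc",
              "/subscriptions/00000000-0000-0000-0000-000000000000",
              "/managementGroups/mg_corp"]:
        r = resolve_scope(VENDED_SUB, s)
        print(f"{s!r:60} -> {r.scope} allowed={check_allowed(r, allow)}")
```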
