# azure
p
Third topic is about the same module. In the Terraform-based provider, it was possible to create a role assignment specifying the name of the role, like so:
var configRoleAssignment = new Assignment(
	$"orgflow-download-{stackName}-configRoleAssignment",
	new AssignmentArgs()
	{
		PrincipalId = app.Identity.Apply(x => x.PrincipalId),
		RoleDefinitionName = "App Configuration Data Reader", // Use textual name of role
		Scope = configService.Resources.Single().Id,
		SkipServicePrincipalAadCheck = true
	});
I cannot find any way to accomplish the same using AzureNextGen; it seems like we can only resolve role definitions using their GUID IDs and some awkward string concatenation:
var configRoleAssignment = new RoleAssignment(
	$"orgflow-download-{stackName}-configRoleAssignment",
	new RoleAssignmentArgs()
	{
		RoleAssignmentName = "200DA71F-80F9-4D5F-90AB-FCE5CE72FA97",
		PrincipalId = app.Identity.Apply(x => x!.PrincipalId),
		// TODO: Resolve subscription ID, and if possible also role definition ID
		RoleDefinitionId = "/subscriptions/1788357e-d506-4118-9f88-092c1dcddc16/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", //configDataReaderRole.Id,
		Scope = configStore.Id,
	});
Even doing a GetRoleDefinition.InvokeAsync() does not help, as that one also takes this ID as its only possible input. Does anyone know how to avoid hard-coding the role ID, and instead resolve it from the role name as was possible with the old provider?
s
This is a known issue. We have a ticket tracking this: https://github.com/pulumi/pulumi-azure-nextgen/issues/112
p
OK 👍