No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

```Do you want to perform this update? yes
Updating (LightstreamStudio/core-msi-stage):

     Type                               Name                                       Status                  Info
     pulumi:pulumi:Stack                core-msi-core-msi-stage
 +   ├─ azure:msi:UserAssignedIdentity  93bfe621-3-wus-uai                         created
 +   ├─ azure:msi:UserAssignedIdentity  93bfe621-3-weu-uai                         created
 +   ├─ azure:msi:UserAssignedIdentity  93bfe621-3-scus-uai                        created
 +   ├─ azure:msi:UserAssignedIdentity  93bfe621-3-uks-uai                         created
 +   ├─ azure:msi:UserAssignedIdentity  93bfe621-3-eus2-uai                        created
 ~   └─ azure:role:Definition           Reader And Blob Data Access - Lightstream  **updating failed**     [diff: ~assignableScopes]; 1 error

Diagnostics:
  azure:role:Definition (Reader And Blob Data Access - Lightstream):
    error: Plan apply failed: 1 error occurred:

    * updating urn:pulumi:core-msi-stage::core-msi::azure:role/definition:Definition::Reader And Blob Data Access: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Cod
e="RoleDefinitionWithSameNameExists" Message="A role definition cannot be updated with a name that already exists."

Resources:
    5 changes
    + 5 created
    21 unchanged```

Are you sure that’s not saying that you already have a role with the desired name?

(slack threads make terminal output basically impossible to follow lol)

``` [diff: ~assignableScopes]; 1 error```

```Original Error: autorest/azure: Service returned an error. Status=409 Co$
e="RoleDefinitionWithSameNameExists" Message="A role definition cannot be updated with a name that already exists."
```

Hmm, that actually looks like an error from the upstream API

I’ll take a look at the actual code in a few minutes and see what I can find

Looks like this is the same issue reported at <https://github.com/terraform-providers/terraform-provider-azurerm/issues/2069>.

It is either a bug in the TF provider that `assignable_scopes` should be marked as `ForceNew`, or it is a bug in Azure itself.