Hi, Wondering if anyone has come across Pulumi reporting it deleted a role assignment but it still exists in azure? We made a change to a role assignment which then required a replacement. We modified the resource to delete before replace and can see from log below that is how it is behaving:

@ Updating.....

-- azure-native:authorization:RoleAssignment AcrPull deleting original (0s)

azure-native:authorization:RoleAssignment Reader

azure-native:authorization:RoleAssignment Contributor

azure-native:containerservice:MaintenanceConfiguration usc-sai-idem-japaneast-aks-maintenance

@ Updating....

-- azure-native:authorization:RoleAssignment AcrPull deleted original (1s)

@ Updating....

+- azure-native:authorization:RoleAssignment AcrPull replacing (0s) [diff: ~scope]

+- azure-native:authorization:RoleAssignment AcrPull replaced (0.00s) [diff: ~scope]

++ azure-native:authorization:RoleAssignment AcrPull creating replacement (0s) [diff: ~scope]

@ Updating.........

++ azure-native:authorization:RoleAssignment AcrPull creating replacement (6s) [diff: ~scope]; error: autorest/azure: Service returned an error. Status=<nil> Code="RoleAssignmentExists" Message="The role assignment already exists."

++ azure-native:authorization:RoleAssignment AcrPull **creating failed** [diff: ~scope]; error: autorest/azure: Service returned an error. Status=<nil> Code="RoleAssignmentExists" Message="The role assignment already exists."

Hi SamO, let me test this on my end: Do which Identity you are adding the role?

We assign the ACR Pull role to the managed identity of the AKS cluster.