Is there an existing issue for this?
Infrastructure as Code Type? (Required)
terraform
PowerShell Module Version (Optional)
No response
Bootstrap Module Version (Optional)
4.3.5
Starter Module? (Required)
terraform - platform_landing_zone
Starter Module Version (Optional)
5.5.2
Input arguments of the ALZ-PowerShell-Module (Optional)
No response
Debug Output/Panic Output (Optional)
Expected Behaviour (Required)
The apply user managed identity created by bootstrap should be able to deploy policies to the root management group via DevOps pipelines with the custom role also created by the bootstrap.
Actual Behaviour (Required)
The deployment pipeline just hangs, providing no feedback to DevOps of a failure (simply times out). Running apply locally with an account/identity with owner rights to root management group completes deployment.
Policies are unable to be created by the apply UMI due to missing the policy write authorisation actions. Providing the additional permissions to the custom role solves the problem.
The BICEP custom role does seem to have the required policy write actions assigned to it for some reason.
Steps to Reproduce (Optional)
Run pipeline created by bootstrap to deploy accelerator. Pipeline seems to hang when performing the create/assign policies step and eventually times out.
Important Factoids (Optional)
We are targeting a management group a couple of layers below the tenant root for this deployment; however, the account/service principal provided by the customer has full owner rights to the target root group when running the bootstrap process.
References (Optional)
No response
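
An added example, not part of the original report and not the ALZ bootstrap's own code: a check that a custom role definition actually grants the policy write actions the report says the apply identity was missing. The three action names, the role JSON shape (as emitted by `az role definition list`) and the sample roles are assumptions, since the report does not list them.

```python
import re

# Assumption: the report does not name the missing actions. These are the Azure RBAC
# write operations for policy definitions, initiatives and assignments.
REQUIRED_POLICY_ACTIONS = (
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policySetDefinitions/write",
    "Microsoft.Authorization/policyAssignments/write",
)

def _matches(pattern, action):
    """RBAC action patterns are case-insensitive and may contain '*' wildcards."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _granted(permission, action):
    """Within one permission block, effective rights are actions minus notActions."""
    allowed = any(_matches(p, action) for p in permission.get("actions", []))
    denied = any(_matches(p, action) for p in permission.get("notActions", []))
    return allowed and not denied

def missing_policy_actions(role_definition, required=REQUIRED_POLICY_ACTIONS):
    """Return the required actions that no permission block in the role grants."""
    permissions = role_definition.get("permissions", [])
    return [a for a in required if not any(_granted(p, a) for p in permissions)]

# Constructed sample roles (hypothetical names, not the bootstrap's real role).
ROLE_WITHOUT_POLICY_WRITE = {
    "roleName": "example-apply-role",
    "permissions": [{"actions": ["Microsoft.Resources/deployments/*",
                                 "Microsoft.Authorization/*/read"],
                     "notActions": []}],
}
ROLE_WITH_POLICY_WRITE = {
    "roleName": "example-apply-role-fixed",
    "permissions": [{"actions": ["Microsoft.Resources/deployments/*",
                                 "microsoft.authorization/policydefinitions/write",
                                 "Microsoft.Authorization/policySetDefinitions/write",
                                 "Microsoft.Authorization/policyAssignments/write"],
                     "notActions": []}],
}
ROLE_WITH_EXCLUSION = {
    "roleName": "example-apply-role-excluded",
    "permissions": [{"actions": ["Microsoft.Authorization/*/write"],
                     "notActions": ["Microsoft.Authorization/policyAssignments/write"]}],
}

if __name__ == "__main__":
    for role in (ROLE_WITHOUT_POLICY_WRITE, ROLE_WITH_POLICY_WRITE, ROLE_WITH_EXCLUSION):
        print(role["roleName"], "missing:", missing_policy_actions(role))
```

Running a check like this against the exported role before the pipeline's apply stage surfaces the permission gap as an explicit failure rather than a timeout.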