Assign VM Contributor role on workspace rg (not subscription)#2398
Conversation

/test

🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/2787271098 (with refid) (in response to this comment from @tamirkamara)
7478b13 to 60e8166
/test-extended

🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/2789069895 (with refid) (in response to this comment from @tamirkamara)
/test-extended

🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/2794621543 (with refid) (in response to this comment from @tamirkamara)

/test-extended

🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/2795029597 (with refid) (in response to this comment from @tamirkamara)

/test-extended

🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/2795136336 (with refid) (in response to this comment from @tamirkamara)

/test-extended

🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/2796214587 (with refid) (in response to this comment from @tamirkamara)

/test-extended

🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/2798019539 (with refid) (in response to this comment from @tamirkamara)
@tamirkamara this causes a larger issue for existing workspaces. Once the subscription-level role assignment is removed, users cannot list VM user resources, as they rely on this role assignment to query the power state. This means that as soon as they try to list any resources they get 500 errors. Can we make sure this is covered in breaking changes, and maybe we need a script that adds the role to workspaces, or a way to update workspaces...
What is being addressed

We currently grant the API identity this role at subscription scope, which is too broad both in the permissions it carries and in the scope it covers.

This is a partial solution to #2389.
How is this addressed

Migration Steps (breaking change)

You will lose the ability to stop/start VMs in existing workspaces versioned 0.3.20 or lower. To address this, assign the `Virtual Machine Contributor` role to the `id-api-<TRE_ID>` identity on each pre-existing workspace resource group.
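The migration step above, and the script the reviewer asks for, as an added example (this is not code from the PR or from the AzureTRE project). It grants `Virtual Machine Contributor` to the `id-api-<TRE_ID>` identity on every existing workspace resource group, and refuses any scope broader than a resource group so the subscription-level grant this PR removes cannot be reintroduced by a typo. It assumes a logged-in Azure CLI, that the identity lives in a core resource group named `rg-<TRE_ID>`, and that workspace resource groups follow the naming pattern `rg-<TRE_ID>-ws-*`; those two naming conventions are assumptions, so adjust them to your deployment.

```shell
#!/usr/bin/env bash
# Added example, not part of the AzureTRE PR. Assigns the "Virtual Machine Contributor"
# role to the TRE API managed identity at resource-group scope on every pre-existing
# workspace resource group. Requires Azure CLI, already logged in to the right subscription.
# Assumed naming (adjust to your deployment): identity id-api-<TRE_ID> in core RG rg-<TRE_ID>,
# workspace RGs named rg-<TRE_ID>-ws-*.
set -eu

ROLE_NAME="Virtual Machine Contributor"

# Build the ARM scope string for a resource group.
rg_scope() {
  subscription_id="$1"
  rg_name="$2"
  printf '/subscriptions/%s/resourceGroups/%s' "$subscription_id" "$rg_name"
}

# Accept only resource-group scopes: reject subscription scope (too broad, the problem this
# migration fixes) and resource scopes (too narrow for listing VMs in the workspace).
scope_is_resource_group() {
  case "$1" in
    /subscriptions/*/resourceGroups/*)
      remainder="${1#/subscriptions/*/resourceGroups/}"
      case "$remainder" in
        "" | */*) return 1 ;;   # empty name, or descends into a resource
        *) return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Idempotently ensure the role assignment exists for the identity at the given scope.
ensure_role_assignment() {
  principal_id="$1"
  scope="$2"
  scope_is_resource_group "$scope" || { echo "refusing non-resource-group scope: $scope" >&2; return 1; }
  existing=$(az role assignment list --assignee "$principal_id" --role "$ROLE_NAME" \
               --scope "$scope" --query 'length(@)' -o tsv)
  if [ "$existing" -gt 0 ]; then
    echo "exists:  $ROLE_NAME on $scope"
  else
    az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" --scope "$scope" -o none
    echo "created: $ROLE_NAME on $scope"
  fi
}

main() {
  tre_id="${TRE_ID:?set TRE_ID to your TRE identifier}"
  sub_id=$(az account show --query id -o tsv)
  # Object id of the API identity (assumed location: core resource group rg-<TRE_ID>).
  principal_id=$(az identity show --name "id-api-${tre_id}" --resource-group "rg-${tre_id}" \
                   --query principalId -o tsv)
  # Enumerate existing workspace resource groups (assumed naming convention).
  az group list --query "[?starts_with(name, 'rg-${tre_id}-ws-')].name" -o tsv | while read -r rg; do
    ensure_role_assignment "$principal_id" "$(rg_scope "$sub_id" "$rg")"
  done
}

# Only perform the migration on explicit opt-in, so sourcing the file has no side effects.
if [ "${RUN_MIGRATION:-0}" = "1" ]; then
  main
fi
```

Run it with `TRE_ID=<your tre id> RUN_MIGRATION=1 ./assign-vm-contributor.sh`. Re-running is safe: existing assignments are reported and skipped rather than duplicated, and the scope check turns an accidental subscription-wide grant into a hard failure instead of a silent regression.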