Increase delay in role assignment creation (#9279)

* update delay

* add polling

* remove redundant logs

* update api version

Author: MuhammadAliFleet

src/fleet/HISTORY.rst

@@ -160,3 +160,8 @@ Release History
 ++++++
 * Upgrade SDK version to 2025-08-01-preview
 * Add Fleet Managed Namespace support
+
+
+1.8.1
+++++++
+* Ensure role assignment is created for private fleets before fleet creation.

src/fleet/azext_fleet/_client_factory.py

@@ -5,6 +5,7 @@
 
 from azure.cli.core.commands.client_factory import get_mgmt_service_client
 from azure.mgmt.msi import ManagedServiceIdentityClient
+from azure.mgmt.authorization import AuthorizationManagementClient
 from azure.cli.core.profiles import (
     CustomResourceType,
     ResourceType
@@ -60,5 +61,9 @@ def get_provider_client(cli_ctx):
         cli_ctx, ResourceType.MGMT_RESOURCE_RESOURCES)
 
 
+def get_role_assignments_client(cli_ctx):
+    return get_mgmt_service_client(cli_ctx, AuthorizationManagementClient).role_assignments
+
+
 def get_msi_client(cli_ctx, subscription_id=None):
     return get_mgmt_service_client(cli_ctx, ManagedServiceIdentityClient, subscription_id=subscription_id)

src/fleet/azext_fleet/_helpers.py

@@ -9,16 +9,18 @@
 import stat
 import tempfile
 import yaml
+import time
 
 from knack.log import get_logger
 from knack.prompting import NoTTYException, prompt_y_n
 from knack.util import CLIError
 from azure.cli.command_modules.acs._roleassignments import add_role_assignment
 from azure.mgmt.core.tools import parse_resource_id
-
+from azext_fleet.constants import NETWORK_CONTRIBUTOR_ROLE_ID
 
 from azext_fleet._client_factory import get_provider_client
 from azext_fleet._client_factory import get_msi_client
+from azext_fleet._client_factory import get_role_assignments_client
 
 logger = get_logger(__name__)
 
@@ -158,12 +160,35 @@ def _load_kubernetes_configuration(filename):
 
 def assign_network_contributor_role_to_subnet(cmd, object_id, subnet_id):
     if not add_role_assignment(cmd, 'Network Contributor', object_id, scope=subnet_id):
-        logger.warning("Failed to create Network Contributor role assignment on the subnet %s.\n"
-                       "This role assignment is required for the managed identity to access the subnet.\n"
-                       "Please ensure you have sufficient permissions, or ask an administrator to run:\n"
-                       "az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id %s "
-                       "--role 'Network Contributor' --scope %s",
-                       subnet_id, object_id, subnet_id)
+        logger.warning(
+            "Failed to create Network Contributor role assignment on the subnet %s.\n"
+            "This role assignment is required for the managed identity to access the subnet.\n"
+            "Please ensure you have sufficient permissions, or ask an administrator to run:\n"
+            "az role assignment create --assignee-principal-type ServicePrincipal --assignee-object-id %s "
+            "--role 'Network Contributor' --scope %s",
+            subnet_id, object_id, subnet_id)
+        return
+
+    auth_client = get_role_assignments_client(cmd.cli_ctx)
+    max_attempts = 3
+    interval = 3
+    for _ in range(max_attempts):
+        if _is_assignment_present(auth_client, subnet_id, object_id):
+            return
+        time.sleep(interval)
+    logger.warning(
+        "Role assignment for Network Contributor on subnet %s was not detected after %s seconds. "
+        "There may be a delay in propagation.",
+        subnet_id, max_attempts * interval)
+
+
+def _is_assignment_present(auth_client, subnet_id, object_id):
+    filter_query = f"assignedTo('{object_id}') and atScope()"
+    for assignment in auth_client.list_for_scope(subnet_id, filter=filter_query):
+        if assignment.role_definition_id.lower().endswith(NETWORK_CONTRIBUTOR_ROLE_ID) and \
+           assignment.scope.lower() == subnet_id.lower():
+            return True
+    return False
 
 
 def get_msi_object_id(cmd, msi_resource_id):

src/fleet/azext_fleet/constants.py

@@ -7,6 +7,7 @@
 UPGRADE_TYPE_FULL = "Full"
 UPGRADE_TYPE_NODEIMAGEONLY = "NodeImageOnly"
 FLEET_1P_APP_ID = "609d2f62-527f-4451-bfd2-ac2c7850822c"
+NETWORK_CONTRIBUTOR_ROLE_ID = "4d97b98b-1d4f-4787-a291-c67834d212e7"
 
 SUPPORTED_GATE_STATES_FILTERS = ["Pending", "Skipped", "Completed"]
 SUPPORTED_GATE_STATES_PATCH = ["Completed"]

src/fleet/azext_fleet/custom.py

@@ -14,6 +14,7 @@
 from azure.cli.core.util import sdk_no_wait, get_file_json, shell_safe_json_parse
 from azure.cli.core import get_default_cli
 from azure.mgmt.core.tools import parse_resource_id
+from azure.cli.command_modules.acs._graph import resolve_object_id
 
 from azext_fleet._client_factory import CUSTOM_MGMT_FLEET, cf_fleet_members, cf_fleets
 from azext_fleet._helpers import is_rp_registered, print_or_merge_credentials
@@ -134,7 +135,8 @@ def create_fleet(cmd,
         if not is_rp_registered(cmd):
             raise CLIError("The Microsoft.ContainerService resource provider is not registered."
                            "Run `az provider register -n Microsoft.ContainerService --wait`.")
-        assign_network_contributor_role_to_subnet(cmd, FLEET_1P_APP_ID, agent_subnet_id)
+        object_id = resolve_object_id(cmd.cli_ctx, FLEET_1P_APP_ID)
+        assign_network_contributor_role_to_subnet(cmd, object_id, agent_subnet_id)
 
     if enable_vnet_integration and assign_identity is not None:
         object_id = get_msi_object_id(cmd, assign_identity)

src/fleet/azext_fleet/tests/latest/recordings/test_fleet_hubful.yaml

@@ -16,7 +16,7 @@
 
 # TODO: Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
-VERSION = '1.8.0'
+VERSION = '1.8.1'
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers