[Role] BREAKING CHANGE: az role assignment delete: Stop deleting all role assignments by default (#30470)

Author: jiasli

src/azure-cli/azure/cli/command_modules/role/_help.py

@@ -772,11 +772,15 @@
 helps['role assignment delete'] = """
 type: command
 short-summary: Delete role assignments.
+long-summary: >-
+    This command deletes all role assignments that satisfy the provided query condition. Before running this
+    command, it is highly recommended to run `az role assignment list` first with the same arguments to see which
+    role assignments will be deleted.
 examples:
-  - name: Delete role assignments. (autogenerated)
-    text: |
-        az role assignment delete --assignee 00000000-0000-0000-0000-000000000000 --role "Storage Account Key Operator Service Role"
-    crafted: true
+  - name: Delete all role assignments with "Reader" role at the subscription scope.
+    text: az role assignment delete --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000
+  - name: Delete all role assignments of an assignee at the subscription scope.
+    text: az role assignment delete --assignee 00000000-0000-0000-0000-000000000000 --scope /subscriptions/00000000-0000-0000-0000-000000000000
 """
 
 helps['role assignment list'] = """
@@ -791,6 +795,11 @@
     After August 31, 2024, all classic administrators risk losing access to the subscription.
     Delete classic administrators who no longer need access or assign an Azure RBAC role for fine-grained access
     control. Learn more: https://go.microsoft.com/fwlink/?linkid=2238474
+examples:
+  - name: List all role assignments with "Reader" role at the subscription scope.
+    text: az role assignment list --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000
+  - name: List all role assignments of an assignee at the subscription scope.
+    text: az role assignment list --assignee 00000000-0000-0000-0000-000000000000 --scope /subscriptions/00000000-0000-0000-0000-000000000000
 """
 
 helps['role assignment list-changelogs'] = """

src/azure-cli/azure/cli/command_modules/role/_params.py

@@ -366,7 +366,7 @@ class PrincipalType(str, Enum):
                         'JSON description.')
 
     with self.argument_context('role assignment delete') as c:
-        c.argument('yes', options_list=['--yes', '-y'], action='store_true', help='Continue to delete all assignments under the subscription')
+        c.argument('yes', options_list=['--yes', '-y'], action='store_true', help='Currently no-op.')
 
     with self.argument_context('role definition') as c:
         c.argument('role_definition_id', options_list=['--name', '-n'], help='the role definition name')

src/azure-cli/azure/cli/command_modules/role/custom.py

@@ -27,6 +27,8 @@
 
 from azure.cli.core.profiles import ResourceType
 from azure.cli.core.util import get_file_json, shell_safe_json_parse, is_guid
+from azure.cli.core.azclierror import ArgumentUsageError
+
 from ._client_factory import _auth_client_factory, _graph_client_factory
 from ._multi_api_adaptor import MultiAPIAdaptor
 from ._msgrpah import GraphError, set_object_properties
@@ -501,7 +503,13 @@ def _get_displayable_name(graph_object):
 
 
 def delete_role_assignments(cmd, ids=None, assignee=None, role=None, resource_group_name=None,
-                            scope=None, include_inherited=False, yes=None):
+                            scope=None, include_inherited=False,
+                            yes=None):  # pylint: disable=unused-argument
+    # yes is currently a no-op
+    if not any((ids, assignee, role, resource_group_name, scope)):
+        raise ArgumentUsageError('Please provide at least one of these arguments: '
+                                 '--ids, --assignee, --role, --resource-group, --scope')
+
     factory = _auth_client_factory(cmd.cli_ctx, scope)
     assignments_client = factory.role_assignments
     definitions_client = factory.role_definitions
@@ -528,11 +536,6 @@ def delete_role_assignments(cmd, ids=None, assignee=None, role=None, resource_gr
         for i in ids:
             assignments_client.delete_by_id(i)
         return
-    if not any([ids, assignee, role, resource_group_name, scope, assignee, yes]):
-        from knack.prompting import prompt_y_n
-        msg = 'This will delete all role assignments under the subscription. Are you sure?'
-        if not prompt_y_n(msg, default="n"):
-            return
 
     scope = _build_role_scope(resource_group_name, scope,
                               assignments_client._config.subscription_id)
@@ -905,7 +908,6 @@ def add_permission(client, identifier, api, api_permissions):
         try:
             access_id, access_type = e.split('=')
         except ValueError as ex:
-            from azure.cli.core.azclierror import ArgumentUsageError
             raise ArgumentUsageError('Usage error: Please provide both permission id and type, such as '
                                      '`--api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope`') from ex
         resource_access = {
@@ -1184,7 +1186,6 @@ def create_service_principal_for_rbac(
     import time
 
     if role and not scopes or not role and scopes:
-        from azure.cli.core.azclierror import ArgumentUsageError
         raise ArgumentUsageError("Usage error: To create role assignments, specify both --role and --scopes.")
 
     graph_client = _graph_client_factory(cmd.cli_ctx)

src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role_commands_thru_mock.py

@@ -383,14 +383,12 @@ def test_list_sp_owner(self, graph_client_mock):
         assert len(result) == 1
         assert result[0]['id'] == MOCKED_USER_ID
 
-    @mock.patch('azure.cli.command_modules.role.custom._auth_client_factory', autospec=True)
-    @mock.patch('knack.prompting.prompt_y_n', autospec=True)
-    def test_role_assignment_delete_prompt(self, prompt_mock, client_mock):
-        prompt_mock.return_value = False
-        # action
-        delete_role_assignments(mock.MagicMock())
-        # assert
-        prompt_mock.assert_called_once_with(mock.ANY, 'n')
+    def test_role_assignment_delete_no_args_raise_error(self):
+        from azure.cli.core.azclierror import ArgumentUsageError
+        with self.assertRaises(ArgumentUsageError):
+            delete_role_assignments(mock.MagicMock())
+        with self.assertRaises(ArgumentUsageError):
+            delete_role_assignments(mock.MagicMock(), yes=True)
 
     @mock.patch('azure.cli.command_modules.role.custom._graph_client_factory', autospec=True)
     def test_role_list_app_owner(self, graph_client_mock):