revert variables

Author: jaredfholgate

.github/tests/cleanup-scripts/cleanup_resouce_groups.ps1

@@ -23,6 +23,8 @@ $subscriptions = @(
     "0aeefd1c-62c7-4071-91ad-925899603976"
 )
 
+$roleDefinitionsFilter = "Azure Landing Zones"
+
 $managementGroups | ForEach-Object -Parallel {
     $managementGroupFilter = $using:managementGroupFilter
     $managementGroup = $_
@@ -40,6 +42,37 @@ $managementGroups | ForEach-Object -Parallel {
         Write-Host "Deleting management group: $($childManagementGroup.name) under parent: $managementGroup"
         az account management-group delete --name $childManagementGroup.name
     } -ThrottleLimit 10
+
+    $roleDefinitionsFilter = $using:roleDefinitionsFilter
+    $roleDefinitions = az role definition list --management-group $managementGroup | ConvertFrom-Json | Where-Object { $_.name -like "*$roleDefinitionsFilter*" -and $_.assignableScopes -contains "/providers/Microsoft.Management/managementGroups/$managementGroup" }
+    $roleDefinitions | ForEach-Object -Parallel {
+        $managementGroup = $using:managementGroup
+        $roleDefinition = $_
+
+        $roleAssignments = az role assignment list --role $roleDefinition.name --management-group $managementGroup | ConvertFrom-Json
+        $roleAssignments | ForEach-Object -Parallel {
+            $managementGroup = $using:managementGroup
+            $roleDefinition = $using:roleDefinition
+            $roleAssignment = $_
+            Write-Host "Deleting role assignment: $($roleAssignment.name) for role definition: $($roleDefinition.name) in management group: $managementGroup"
+            az role assignment delete --ids $roleAssignment.id
+        } -ThrottleLimit 10
+
+        foreach ( $subscription in $using:subscriptions ) {
+            $subscriptionRoleAssignments = az role assignment list --role $roleDefinition.name --subscription $subscription | ConvertFrom-Json
+            $subscriptionRoleAssignments | ForEach-Object -Parallel {
+                $roleDefinition = $using:roleDefinition
+                $subscription = $using:subscription
+                $roleAssignment = $_
+                Write-Host "Deleting role assignment: $($roleAssignment.name) for role definition: $($roleDefinition.name) in subscription: $subscription"
+                az role assignment delete --ids $roleAssignment.id
+            } -ThrottleLimit 10
+        }
+        if($roleDefinition.isCustom -eq $true) {
+            Write-Host "Deleting custom role definition: $($roleDefinition.name) in management group: $managementGroup"
+            az role definition delete --name $roleDefinition.name --management-group $managementGroup
+        }
+    } -ThrottleLimit 10
 } -ThrottleLimit 10
 
 $subscriptions | ForEach-Object -Parallel {

alz/azuredevops/variables.tf

@@ -785,20 +785,11 @@ variable "custom_role_definitions_bicep" {
       description = "This is a custom role created by the Azure Landing Zones Accelerator for running Bicep What If for the Management Group hierarchy and its associated governance resources such as policy, RBAC etc... You must use the `--validation-level providerNoRbac` (Az CLI 2.75.0 or later) or `-ValidationLevel providerNoRbac` (Az PowerShell 13.4.0 or later (Az.Resources 7.10.0 or later)) flag when running Bicep What If with this role."
       permissions = {
         actions = [
-          "Microsoft.Management/managementGroups/read",
-          "Microsoft.Management/managementGroups/subscriptions/read",
-          "Microsoft.Management/managementGroups/settings/read",
-          "Microsoft.Authorization/*/read",
-          "Microsoft.Authorization/policyDefinitions/write",
-          "Microsoft.Authorization/policySetDefinitions/write",
-          "Microsoft.Authorization/roleDefinitions/write",
-          "Microsoft.Authorization/policyAssignments/write",
-          "Microsoft.Insights/diagnosticSettings/write",
-          "Microsoft.Insights/diagnosticSettings/read",
+          "*/read",
           "Microsoft.Resources/deployments/whatIf/action",
-          "Microsoft.Resources/deployments/write",
-          "Microsoft.Resources/deploymentStacks/read",
-          "Microsoft.Resources/deploymentStacks/validate/action"
+          "Microsoft.Resources/deployments/validate/action",
+          "Microsoft.Resources/subscriptions/operationResults/read",
+          "Microsoft.Management/operationResults/*/read"
         ]
         not_actions = []
       }