{Role} az role assignment create: Show warning if --scope argument is not specified (#24755)

jiasli · web-flow · commit 00fe3e551fbc · 2023-02-24T11:40:01.000+08:00
diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py
@@ -685,22 +685,23 @@
 helps['role assignment create'] = """
 type: command
 short-summary: Create a new role assignment for a user, group, or service principal.
+long-summary: >-
+    --scope argument will become required for creating a role assignment in the breaking change release of the fall
+    of 2023. Please explicitly specify --scope.
 examples:
-  - name: Create role assignment for an assignee.
-    text: az role assignment create --assignee sp_name --role a_role
+  - name: Create role assignment to grant the specified assignee the Reader role on an Azure virtual machine.
+    text: az role assignment create --assignee sp_name --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVm
   - name: Create role assignment for an assignee with description and condition.
     text: >-
-        az role assignment create --role "Owner" --assignee "John.Doe@Contoso.com"
+        az role assignment create --role Owner
+        --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/MyStorageAccount
+        --assignee "John.Doe@Contoso.com"
         --description "Role assignment foo to check on bar"
         --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'"
         --condition-version "2.0"
     supported-profiles: latest
-  - name: Create a new role assignment for a user, group, or service principal. (autogenerated)
-    text: |
-        az role assignment create --assignee 00000000-0000-0000-0000-000000000000 --role "Storage Account Key Operator Service Role" --scope $id
-    crafted: true
   - name: Create role assignment with your own assignment name.
-    text: az role assignment create --assignee-object-id 00000000-0000-0000-0000-000000000000 --assignee-principal-type ServicePrincipal --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000 --name 00000000-0000-0000-0000-000000000000
+    text: az role assignment create --assignee-object-id 00000000-0000-0000-0000-000000000000 --assignee-principal-type ServicePrincipal --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup --name 00000000-0000-0000-0000-000000000000
 """
 
 
diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py
@@ -50,6 +50,10 @@
     "The output includes credentials that you must protect. Be sure that you do not include these credentials in "
     "your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli")
 
+SCOPE_WARNING = (
+    "--scope argument will become required for creating a role assignment in the breaking change release of the fall "
+    "of 2023. Please explicitly specify --scope.")
+
 logger = get_logger(__name__)
 
 # pylint: disable=too-many-lines, protected-access
@@ -148,6 +152,9 @@ def create_role_assignment(cmd, role, assignee=None, assignee_object_id=None, re
                            scope=None, assignee_principal_type=None, description=None,
                            condition=None, condition_version=None, assignment_name=None):
     """Check parameters are provided correctly, then call _create_role_assignment."""
+    if not scope:
+        logger.warning(SCOPE_WARNING)
+
     if bool(assignee) == bool(assignee_object_id):
         raise CLIError('usage error: --assignee STRING | --assignee-object-id GUID')
 
