Azure SQL DB/MI role scoped at RG level is empty and triggers changes on every plan/apply

[joeharlan]

Expected Behavior

The Azure SQL DB and MI required permissions are only taken at the Subscription scope; not at the RG scope. The RG-scoped role pulled from the RSC API takes no permissions of any kind and is needless. The expectation would be that the empty RG-scoped role is never retrieved in the first place. Whether a role is pulled from the RSC API or not should be based on its legitimate need in the deployment of the role and its purpose. The Provider should never apply an empty role without permissions.

Current Behavior

An empty role is applied on first run, and each subsequent time the 'tf plan' and 'tf apply' operations are executed for other changes, TF reports changes are needed on the SQL DB/MI RG-scoped role with empty permissions lists for 'actions' and 'not_actions' sections.

Failure Information (for bugs)

See above screenshot for example.

• Use verbose outputs to capture any debug information.

Paste into a code block.

Steps to Reproduce

1. Execute a plan to onboard one or more Subscriptions with the "AZURE_SQL_DB_PROTECTION" and/or "AZURE_SQL_MI_PROTECTION" roles.
2. Immediately after the successful 'apply', run another 'plan' with no modifications to the plan files and the error pictured above will show.
3. You can also make any other unrelated change and run the 'plan' and 'apply' and you will see the same required changes.

Context

Polaris Provider 0.9.0-beta.8 was used for testing.

Failure Logs

See above screenshot for necessary details.

• Use verbose outputs to capture any debug information.

<TBD>