Describe the solution you'd like
PIM Eligibility assignments for a specific resource or scope are stored as Role Eligibility Schedules. Adding/removing/updating a Role Eligibility Schedule requires a RoleEligibilityScheduleRequest, which is also used for activating an eligible role assignment.
The function Get-AzOpsRoleEligibilityScheduleRequest starts by getting all RoleEligibilitySchedules for the specified scope and for each RoleEligibilitySchedule it then tries to get the RoleEligibilityScheduleRequest that was used to add the RoleEligibilitySchedule in order to create the RoleEligibilityScheduleRequest ARM template that is needed to deploy the RoleEligibilitySchedule. So basically the RoleEligibilityScheduleRequest deployment template JSON file is created instead of RoleEligibilitySchedule JSON files since the resource type "Microsoft.Authorization/RoleEligibilitySchedules" doesn't have a Create API operation.
We noticed that PIM eligible assignments that are older than 30~40 days were ignored when doing Invoke-AzOpsPull because the RoleEligibilityScheduleRequest no longer exists. Recently deployed PIM eligible assignments were pulled but not older ones. Since RoleEligibilityScheduleRequests are created every time a role is Activated/Added/Removed/Updated, the most logical thing is that Microsoft removes the RoleEligibilityScheduleRequest after a specific time from creation.
In order to be able to update the Role Eligibility Schedule through AzOps, we need to have RoleEligibilityScheduleRequest templates in the state repository even if the RoleEligibilityScheduleRequest resource does not exist in Azure anymore.
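To see how many eligible assignments at a scope would be skipped by a request-based pull, the following script (an added example, not AzOps project code) lists every RoleEligibilitySchedule via the ARM REST API and checks whether the RoleEligibilityScheduleRequest recorded in its `roleEligibilityScheduleRequestId` property still exists. It assumes an authenticated Az.Accounts session and the 2020-10-01 API version of Microsoft.Authorization; the `Get-ArmJson` helper and the `$Scope` parameter are this example's own.

```powershell
# Added example: report PIM eligibility schedules whose originating request has been
# purged, i.e. the assignments a pull based on RoleEligibilityScheduleRequests would miss.
# Assumes Connect-AzAccount has been run and the 2020-10-01 ARM API version.
param(
    [Parameter(Mandatory)] [string] $Scope   # e.g. /providers/Microsoft.Management/managementGroups/<name>
)
$apiVersion = '2020-10-01'

# Small helper (example code): GET an ARM path and return status plus parsed JSON body.
function Get-ArmJson {
    param([string] $Path)
    $response = Invoke-AzRestMethod -Path "${Path}?api-version=$apiVersion" -Method GET
    [pscustomobject]@{
        StatusCode = $response.StatusCode
        Body       = if ($response.Content) { $response.Content | ConvertFrom-Json } else { $null }
    }
}

# 1. All role eligibility schedules returned for the scope (the schedule exists even
#    when the request that created it is gone).
$schedules = Get-ArmJson -Path "$Scope/providers/Microsoft.Authorization/roleEligibilitySchedules"
if ($schedules.StatusCode -ne 200) {
    throw "Listing roleEligibilitySchedules failed with HTTP $($schedules.StatusCode)"
}

$report = foreach ($schedule in $schedules.Body.value) {
    # 2. Each schedule records the full resource id of the request that created it;
    #    a 404 on that id means the request has been cleaned up by the service.
    $request = Get-ArmJson -Path $schedule.properties.roleEligibilityScheduleRequestId
    [pscustomobject]@{
        ScheduleName   = $schedule.name
        PrincipalId    = $schedule.properties.principalId
        RoleDefinition = ($schedule.properties.roleDefinitionId -split '/')[-1]
        Scope          = $schedule.properties.scope
        CreatedOn      = $schedule.properties.createdOn
        RequestExists  = ($request.StatusCode -eq 200)
    }
}

# 3. Schedules without a surviving request are the ones absent from the pulled state.
$missing = @($report | Where-Object { -not $_.RequestExists })
"$($missing.Count) of $(@($report).Count) eligible assignments have no surviving request:"
$missing | Format-Table ScheduleName, PrincipalId, RoleDefinition, Scope, CreatedOn -AutoSize
```

Running it before and after a pull gives a concrete list of eligible assignments that exist in Azure but have no RoleEligibilityScheduleRequest template in the repository, which is the drift this issue describes.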