Add ConsentToRecurringPAYG support and role assignment retry logic

claestom · claestom · commit 56a70bb59184 · 2026-04-07T23:39:47.000+02:00
Sync changes from claestom/sql-arc-policy-license-config into the
sql-server-samples fork.

azurepolicy.json:
- Add ConsentToRecurringPAYG compliance checks in existenceCondition:
  when target is PAYG, resources must also have the consent property
  to be considered compliant (handles both new transitions and
  backward compatibility for pre-consent PAYG extensions)
- Add ConsentToRecurringPAYG to the deployment template: when target
  is PAYG, the remediation sets Consented=true with a UTC timestamp;
  non-PAYG targets use the base LicenseType-only settings
- Add consentTimestamp template parameter (auto-generated via utcNow)

deployment.ps1:
- Add retry loop (5 attempts, 10s delay) for managed identity role
  assignments to handle replication delays after policy assignment
  creation; also handles Conflict responses gracefully

README.md:
- Add Recurring Billing Consent (PAYG) section documenting the
  consent behavior, compliance evaluation, and immutability note
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
@@ -151,6 +151,14 @@ $TargetLicenseType    = "PAYG"                                      # Must match
 
 > **Note:** Use `-GrantMissingPermissions` to automatically check and assign any missing required roles before remediation starts.
 
+## Recurring Billing Consent (PAYG)
+
+When `TargetLicenseType` is set to `PAYG`, the policy automatically includes `ConsentToRecurringPAYG` in the extension settings with `Consented: true` and a UTC timestamp. This is required for recurring pay-as-you-go billing as described in the [Microsoft documentation](https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/manage-pay-as-you-go-transition?view=sql-server-ver17#recurring-billing-consent).
+
+The policy also checks for `ConsentToRecurringPAYG` in its compliance evaluation — resources with `LicenseType: PAYG` but missing the consent property are flagged as non-compliant and remediated. This applies both when transitioning to PAYG and for existing PAYG extensions that predate the consent requirement (backward compatibility).
+
+> **Note:** Once `ConsentToRecurringPAYG` is set on an extension, it cannot be removed — this is enforced by the Azure resource provider. When transitioning away from PAYG, the policy changes `LicenseType` but leaves the consent property in place.
+
 ## Managed Identity And Roles
 
 The policy assignment is created with `-IdentityType SystemAssigned`. Azure creates a managed identity on the assignment and uses it to apply DeployIfNotExists changes during enforcement and remediation.
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json
@@ -112,6 +112,26 @@
                 {
                   "value": "[length(intersection(field('Microsoft.HybridCompute/machines/extensions/settings'), createObject('LicenseType', parameters('targetLicenseType'))))]",
                   "equals": 1
+                },
+                {
+                  "anyOf": [
+                    {
+                      "value": "[parameters('targetLicenseType')]",
+                      "notEquals": "PAYG"
+                    },
+                    {
+                      "allOf": [
+                        {
+                          "value": "[parameters('targetLicenseType')]",
+                          "equals": "PAYG"
+                        },
+                        {
+                          "field": "Microsoft.HybridCompute/machines/extensions/settings",
+                          "ContainsKey": "ConsentToRecurringPAYG"
+                        }
+                      ]
+                    }
+                  ]
                 }
               ]
             },
@@ -156,6 +176,10 @@
                 {
                   "value": "[contains(parameters('licenseTypesToOverwrite'), 'PAYG')]",
                   "equals": false
+                },
+                {
+                  "field": "Microsoft.HybridCompute/machines/extensions/settings",
+                  "ContainsKey": "ConsentToRecurringPAYG"
                 }
               ]
             },
@@ -214,14 +238,29 @@
                   "metadata": {
                     "description": "LicenseType value to set on the extension."
                   }
+                },
+                "consentTimestamp": {
+                  "type": "string",
+                  "defaultValue": "[utcNow('yyyy-MM-ddTHH:mm:ssZ')]",
+                  "metadata": {
+                    "description": "UTC timestamp for recurring PAYG consent. Auto-generated at deployment time."
+                  }
                 }
               },
               "functions": [],
               "variables": {
                 "vmExtensionPublisher": "Microsoft.AzureData",
-                "licenseSettings": {
+                "baseSettings": {
                   "LicenseType": "[parameters('targetLicenseType')]"
-                }
+                },
+                "paygConsentSettings": {
+                  "LicenseType": "[parameters('targetLicenseType')]",
+                  "ConsentToRecurringPAYG": {
+                    "Consented": true,
+                    "ConsentTimestamp": "[parameters('consentTimestamp')]"
+                  }
+                },
+                "licenseSettings": "[if(equals(parameters('targetLicenseType'), 'PAYG'), variables('paygConsentSettings'), variables('baseSettings'))]"
               },
               "resources": [
                 {
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1 b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
@@ -109,13 +109,29 @@ if (-not $SkipManagedIdentityRoleAssignment) {
       -ErrorAction SilentlyContinue
 
     if (-not $existingRole) {
-      New-AzRoleAssignment `
-        -ObjectId $principalId `
-        -RoleDefinitionName $requiredRoleName `
-        -Scope $AssignmentScope `
-        -ErrorAction Stop | Out-Null
-
-      Write-Output "Assigned '$requiredRoleName' to policy assignment identity ($principalId) at scope $AssignmentScope."
+      $maxRetries = 5
+      $retryDelay = 10
+      for ($i = 1; $i -le $maxRetries; $i++) {
+        try {
+          New-AzRoleAssignment `
+            -ObjectId $principalId `
+            -RoleDefinitionName $requiredRoleName `
+            -Scope $AssignmentScope `
+            -ErrorAction Stop | Out-Null
+
+          Write-Output "Assigned '$requiredRoleName' to policy assignment identity ($principalId) at scope $AssignmentScope."
+          break
+        }
+        catch {
+          if ($_.Exception.Message -match 'Conflict') {
+            Write-Output "Assigned '$requiredRoleName' to policy assignment identity ($principalId) at scope $AssignmentScope (confirmed after retry)."
+            break
+          }
+          if ($i -eq $maxRetries) { throw }
+          Write-Output "Waiting ${retryDelay}s for identity replication before assigning '$requiredRoleName' ($i/$maxRetries)..."
+          Start-Sleep -Seconds $retryDelay
+        }
+      }
     }
     else {
       Write-Output "Policy assignment identity already has '$requiredRoleName' at scope $AssignmentScope."
