fix: add missing dry-run option for assign-role command

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "azure-acme-provisioner",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "azure-acme-provisioner",
-      "version": "0.4.0",
+      "version": "0.4.1",
       "license": "MIT",
       "dependencies": {
         "@azure/arm-authorization": "^9.0.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "azure-acme-provisioner",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "author": {
     "name": "Sławomir Koszewski",
     "url": "https://github.com/skoszewski"

src/cli.ts

@@ -134,6 +134,7 @@ sharedOptions(
     .command('assign-role <domain>')
     .description('Assign Key Vault Certificate User and Secrets User roles to a principal for a domain certificate')
     .requiredOption('--principal-id <id>', 'Azure principal ID to assign roles to')
+    .option('--dry-run', 'Show what would be assigned without making changes')
 ).action(async (domain: string, options: Record<string, unknown>) => {
   applyOverrides(options);
   const config = loadConfig();
@@ -155,11 +156,16 @@ sharedOptions(
     { role: 'Key Vault Secrets User'     as const, scope: `${vaultBase}/secrets/${certName}` },
   ];
 
+  const dryRun = Boolean(options['dryRun']);
   for (const { role, scope } of assignments) {
+    if (dryRun) {
+      console.log(`[dry-run] Would assign '${role}' to ${principalId} on ${scope}`);
+    } else {
       const roleDefinitionId = `/subscriptions/${sub}/providers/Microsoft.Authorization/roleDefinitions/${ROLE_IDS[role]}`;
       await authClient.roleAssignments.create(scope, randomUUID(), { roleDefinitionId, principalId });
       console.log(`Assigned '${role}' to ${principalId} on ${scope}`);
     }
+  }
 });
 
 sharedOptions(