Assign RBAC role scoped to Data Collection Rule in separate resource group created by Metrics Workspace

[vanzod]

In my resource group I am deploying a VM to which I have to assign MonitoingMetricsPublisher role with Data Collection Rule resource as scope. The DCR is created automatically in a separate resource group when deploying an Azure Monitor Workspace in the same resource group as the VM. For this reason, the name of the DCR resource group is not known at the start of the deployment.
I need help understanding how to correctly set the scope for the assignment.

In my main bicep file I call a module that deploys both the Azure Monitor Workspace and the VM:

targetScope = 'subscription'
[...]
module telemetry 'modules/telemetry.bicep' = {
  name: 'telemetry'
  params: {
    region: region
    rgName: rgName
    config: prometheusConfig
    roleDefinitionIds: roleDefinitionIds
    principalObjId: deployingUserObjId
    subnetIds: clusterNetwork.outputs.subnetIds
  }
  dependsOn: [
    resourceGroup
    clusterNetwork
  ]
}

Here is the telemetry.bicep file. The prometheusScraper module creates the VM while workspaceGrafana creates the Monitor Workspace.

targetScope = 'subscription'

param region string
param rgName string
param config object
param principalObjId string
param roleDefinitionIds object
param subnetIds object

resource resourceGroup 'Microsoft.Resources/resourceGroups@2023-07-01' existing = {
  name: rgName
}

module workspaceGrafana 'managed_prometheus_grafana.bicep' = {
  name: 'workspaceGrafana'
  scope: resourceGroup
  params: {
    region: region
    principalObjId: principalObjId
    roleDefinitionIds: roleDefinitionIds
  }
}

module prometheusScraper 'prometheus_scraper.bicep' = {
  name: 'prometheusScraper'
  scope: resourceGroup
  params: {
    region: region
    config: config
    subnetIds: subnetIds
  }
}

module metricsPublisherAssignment 'assign_role.bicep' = {
  name: 'metricsPublisherAssignment'
  params: {
    principalId: prometheusScraper.outputs.id
    roleDefinitionIds : roleDefinitionIds
    dcrResourceId: workspaceGrafana.outputs.dataCollectionRuleResourceId
  }
  dependsOn: [
    prometheusScraper
    workspaceGrafana
  ]
}

The assign_role.bicep file takes care of creating the assignment by using the DCR resource ID to reference the existing DCR resource created in workspaceGrafana module:

targetScope = 'subscription'

param principalId string
param roleDefinitionIds object
param dcrResourceId string

var dcrName = split(dcrResourceId, '/')[8]
var dcrRg = split(dcrResourceId, '/')[4]

resource dataCollectionRule 'Microsoft.Insights/dataCollectionRules@2022-06-01' existing = {
  name: dcrName
  scope: resourceGroup(dcrRg)
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(principalId, roleDefinitionIds.MonitoringMetricsPublisher, dataCollectionRule.id)
  scope: dataCollectionRule
  properties: {
    roleDefinitionId: roleDefinitionIds.MonitoringMetricsPublisher
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

In this configuration bicep fails as the scope of roleAssignment should match the scope of the bicep file.
If I then try to change the scope of assign_role.bicep to the DCR resource group by modifying the telemetry.bicep file as follows, it also fails as the module's scope requires a value that can be calculated at the start of the deployment.

var dcrRgName = split(workspaceGrafana.outputs.dataCollectionRuleResourceId, '/')[4]

resource dcrRg 'Microsoft.Resources/resourceGroups@2023-07-01' existing = {
  name: dcrRgName
}

module metricsPublisherAssignment 'assign_role.bicep' = {
  name: 'metricsPublisherAssignment'
  scope: dcrRg
  params: {
    principalId: prometheusScraper.outputs.id
    roleDefinitionIds : roleDefinitionIds
    dcrResourceId: workspaceGrafana.outputs.dataCollectionRuleResourceId
  }
  dependsOn: [
    prometheusScraper
    workspaceGrafana
  ]
}