feat(bicep): add all 682 Azure roles from rbaclookup module

Replaces hardcoded 38 roles with complete list extracted from
bicep/lookup/rbaclookup:2.x module.

Changes:
- Add scripts/extract_roles_from_rbaclookup.py to parse rbacLookup.bicep
- Generate ilsp/bicep_lsp/azure_roles.json with 682 role names
- Load roles dynamically in modules.py from JSON file
- Now supports ALL Azure built-in roles for autocomplete

Benefits:
- Complete Azure RBAC coverage (682 vs 38 roles)
- Easy to update when new roles are added to rbaclookup module
- Cleaner code (no giant hardcoded list in modules.py)

Usage to update roles:
  python3 scripts/extract_roles_from_rbaclookup.py /path/to/rbacLookup.bicep

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

ilsp/bicep_lsp/modules.py

@@ -18,77 +18,20 @@ from typing import Any
 logger = logging.getLogger(__name__)
 
 # Known Azure enum values not always captured in the catalog schema
+def _load_azure_roles() -> list[str]:
+    """Load Azure roles from azure_roles.json (generated from bicep/lookup/rbaclookup)."""
+    roles_file = pathlib.Path(__file__).parent / "azure_roles.json"
+    if roles_file.exists():
+        try:
+            return json.loads(roles_file.read_text())
+        except Exception as e:
+            logger.warning("Failed to load azure_roles.json: %s", e)
+    return []
+
 _KNOWN_ENUMS: dict[str, list[str]] = {
     "principalType": ["User", "Group", "ServicePrincipal", "Device", "ForeignGroup"],
-    "roles": [
-        # Key Vault roles
-        "KEY_VAULT_ADMINISTRATOR",
-        "KEY_VAULT_CERTIFICATES_OFFICER",
-        "KEY_VAULT_CRYPTO_OFFICER",
-        "KEY_VAULT_CRYPTO_SERVICE_ENCRYPTION_USER",
-        "KEY_VAULT_CRYPTO_USER",
-        "KEY_VAULT_READER",
-        "KEY_VAULT_SECRETS_OFFICER",
-        "KEY_VAULT_SECRETS_USER",
-        # Storage roles
-        "STORAGE_BLOB_DATA_CONTRIBUTOR",
-        "STORAGE_BLOB_DATA_OWNER",
-        "STORAGE_BLOB_DATA_READER",
-        "STORAGE_QUEUE_DATA_CONTRIBUTOR",
-        "STORAGE_QUEUE_DATA_READER",
-        "STORAGE_TABLE_DATA_CONTRIBUTOR",
-        "STORAGE_TABLE_DATA_READER",
-        # Common Azure roles
-        "CONTRIBUTOR",
-        "OWNER",
-        "READER",
-        "USER_ACCESS_ADMINISTRATOR",
-        # App/Function roles
-        "WEBSITE_CONTRIBUTOR",
-        # Monitoring roles
-        "MONITORING_CONTRIBUTOR",
-        "MONITORING_METRICS_PUBLISHER",
-        "MONITORING_READER",
-        "LOG_ANALYTICS_CONTRIBUTOR",
-        "LOG_ANALYTICS_READER",
-        # SQL roles
-        "SQL_DB_CONTRIBUTOR",
-        "SQL_MANAGED_INSTANCE_CONTRIBUTOR",
-        "SQL_SECURITY_MANAGER",
-        "SQL_SERVER_CONTRIBUTOR",
-    ],
-    "roleDefinitionIds": [
-        # Same list for roleDefinitionIds parameter
-        "KEY_VAULT_ADMINISTRATOR",
-        "KEY_VAULT_CERTIFICATES_OFFICER",
-        "KEY_VAULT_CRYPTO_OFFICER",
-        "KEY_VAULT_CRYPTO_SERVICE_ENCRYPTION_USER",
-        "KEY_VAULT_CRYPTO_USER",
-        "KEY_VAULT_READER",
-        "KEY_VAULT_SECRETS_OFFICER",
-        "KEY_VAULT_SECRETS_USER",
-        "STORAGE_BLOB_DATA_CONTRIBUTOR",
-        "STORAGE_BLOB_DATA_OWNER",
-        "STORAGE_BLOB_DATA_READER",
-        "STORAGE_QUEUE_DATA_CONTRIBUTOR",
-        "STORAGE_QUEUE_DATA_READER",
-        "STORAGE_TABLE_DATA_CONTRIBUTOR",
-        "STORAGE_TABLE_DATA_READER",
-        "CONTRIBUTOR",
-        "OWNER",
-        "READER",
-        "USER_ACCESS_ADMINISTRATOR",
-        "WEBSITE_CONTRIBUTOR",
-        "MONITORING_CONTRIBUTOR",
-        "MONITORING_METRICS_PUBLISHER",
-        "MONITORING_READER",
-        "LOG_ANALYTICS_CONTRIBUTOR",
-        "LOG_ANALYTICS_READER",
-        "SQL_DB_CONTRIBUTOR",
-        "SQL_MANAGED_INSTANCE_CONTRIBUTOR",
-        "SQL_SECURITY_MANAGER",
-        "SQL_SERVER_CONTRIBUTOR",
-    ],
+    "roles": _load_azure_roles(),
+    "roleDefinitionIds": _load_azure_roles(),  # alias for roles
 }
 
 # Catalog is baked into the image root at /bicep_modules_catalog.json