gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page:https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


Specifying a role assignment scope doesn't allow the deployment to be created if it is elsewhere

AlexcFrench opened this issue · comments

Issue Template

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Context

  • Module Version: today!
  • Terraform Version: 1.5.0
  • AzureRM Provider Version: latest

Expected Behavior

Private DNS zone 'privatelink.blob.core.windows.net' for private endpoint DNS. The private DNS zone is in a separate subscription to the storage account and private endpoint. A managed system identity is being used to create / delete DNS records in that zone, so the 'Private DNS Zone Contributor' role is being used.
The role_assignment_scope has to be set to the private DNS zone itself (or above) so that it has the 'action' to create / delete records.

The def_assignment module performs all this perfectly but the deployment fails

This is a DINE policy

Current Behavior

As above, but Azure attempts to create the actual deployment in the policy-scoped location and doesn't have permissions there, because the role_assignment_scope is set to the private DNS zone in another subscription.

Possible Solution

role_assignment_scope could be a list ???

Failure Information (for bugs)

Steps to Reproduce

  1. Create a private DNS zone in another subscription / resource group
  2. Scope the policy to the DNS zone itself using Private DNS Zone Contributor (which does have deployment/* permissions)
  3. Wait :-)

Failure Logs

Hi @AlexcFrench, you can create any extra role assignments using the native resource or make it a member of an AAD Group, using the identity_id output.

Hope this helps
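One way to apply the suggestion above, as an added example that is not code from the issue, the maintainer or the module's own docs: keep role_assignment_scope on the DNS zone so the identity can write records there, and add a second, native azurerm_role_assignment at the subscription where the storage accounts and private endpoints live, which is where the DINE deployment is actually created. The module source path, the `definition` and `assignment_scope` input names, the definition module name and the subscription/zone IDs are assumptions; `role_assignment_scope` and the `identity_id` output are taken from the thread.

```hcl
# Constructed example (not the issue author's or the module's own code):
# DINE policy that links private endpoints to a private DNS zone held in
# a different subscription, with least-privilege rights at both scopes.

locals {
  # Assumed placeholder IDs; replace with your own.
  workload_subscription_id = "00000000-0000-0000-0000-000000000001" # storage + private endpoints
  dns_zone_id              = "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net"
}

module "dine_blob_private_dns" {
  source = "gettek/policy-as-code/azurerm//modules/def_assignment" # assumed registry path

  definition       = module.blob_private_dns_definition.definition # assumed: your DINE definition module
  assignment_scope = "/subscriptions/${local.workload_subscription_id}"

  # Module-managed role assignment stays on the zone itself, so the managed
  # identity can create / delete A records there (Private DNS Zone Contributor).
  role_assignment_scope = local.dns_zone_id
}

# Second, native role assignment at the scope where the DINE deployment runs
# (the workload subscription), using the module's identity_id output.
# Network Contributor is enough for Microsoft.Resources/deployments/* and the
# privateEndpoints/privateDnsZoneGroups write; do not hand out Contributor/Owner.
resource "azurerm_role_assignment" "dine_deploy_scope" {
  scope                = "/subscriptions/${local.workload_subscription_id}"
  role_definition_name = "Network Contributor"
  principal_id         = module.dine_blob_private_dns.identity_id
}
```

If you prefer group-based access, the same `identity_id` can be added to an Entra ID group with azuread_group_member instead of a direct assignment; either way the zone-scoped and deployment-scoped grants stay separate and narrowly scoped.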

This issue is stale because it has been open for 30 days with no activity.

This issue was closed because it has been inactive for 14 days since being marked as stale.