Specifying a role assignment scope doesn't allow the deployment to be created if it is elsewhere
AlexcFrench opened this issue · comments
Issue Template
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Context
- Module Version: today!
- Terraform Version: 1.5.0
- AzureRM Provider Version: latest
# add code here
Expected Behavior
Private DNS zone 'privatelink.blob.core.windows.net' for private endpoint dns. Private DNS zone is in a separate subscription to storage account and private endpoint. Managed System Identity being used to create / delete DNS records in that zone so the 'Private DNS Zone Contributor' role is being used.
The role_assignment_scope has to be set to the private DNS zone itself (or above) so that it has the 'action' to create / delete records.
The def_assignment module performs all this perfectly, but the deployment fails.
This is a DINE policy.
Current Behavior
As above but Azure attempts to create the actual deployment in the policy scoped location and doesn't have permissions because the role_assignment_scope is set to the private DNS Zone in another subscription.
Possible Solution
role_assignment_scope could be a list ???
Failure Information (for bugs)
Steps to Reproduce
- Create a private DNS zone in another subscription / resource group
- Scope the policy to the DNS zone itself using Private DNS Zone Contributor (which does have deployment/* permissions)
- Wait :-)
Failure Logs
Hi @AlexcFrench, you can create any extra role assignments using the native resource or make it a member of an AAD Group, using the identity_id output.
Hope this helps
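The layout the reply above is pointing at, written out as an added example (it is not code from the issue or from the module's own documentation): the module-managed role assignment stays at the policy assignment scope, because that is where the deployIfNotExists deployment is created and where the identity therefore needs a role carrying Microsoft.Resources/deployments/* and the privateDnsZoneGroups write; the permission on the zone in the other subscription is a separate, hand-written azurerm_role_assignment fed from the module's identity_id output. Only role_assignment_scope and the identity_id output are named in the thread; the module source path, the assignment_scope input name, the variable names and the resource IDs are assumptions for illustration, and the azuread_group_member block shows the AAD group alternative the reply mentions.

```terraform
# Added example, not the module's own code. Assumed: the def_assignment module
# lives at the path below and exposes an input called assignment_scope; the
# issue only confirms the role_assignment_scope input and the identity_id output.

variable "policy_assignment_scope" {
  description = "Scope the DINE policy is assigned to, e.g. the subscription that holds the storage accounts and private endpoints (constructed input)."
  type        = string
}

variable "private_dns_zone_id" {
  description = "Resource ID of privatelink.blob.core.windows.net in the other subscription (constructed input)."
  type        = string
}

variable "dns_operators_group_object_id" {
  description = "Object ID of an AAD group that already holds Private DNS Zone Contributor on the zone; only used for the group-membership alternative (constructed input)."
  type        = string
  default     = null
}

module "dine_private_dns" {
  source = "./modules/def_assignment" # assumed path

  assignment_scope = var.policy_assignment_scope # assumed input name

  # Keep the module-managed assignment at the policy scope. The deployment for a
  # deployIfNotExists effect is created in the assignment scope, so the identity
  # needs its deployment/* and privateDnsZoneGroups permissions here, not on the
  # zone. Pointing role_assignment_scope at the zone in the other subscription
  # is what leaves the deployment without permissions.
  role_assignment_scope = var.policy_assignment_scope

  # Remaining inputs (policy definition, identity type, ...) unchanged from the
  # existing configuration.
}

# Extra, hand-written role assignment on the zone in the other subscription,
# using the identity the module created. Record writes in the zone happen with
# this grant; the deployment itself still runs under the grant above.
resource "azurerm_role_assignment" "private_dns_zone_contributor" {
  scope                = var.private_dns_zone_id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = module.dine_private_dns.identity_id
}

# Alternative from the reply: put the identity into an AAD group that already
# carries the zone role, instead of assigning the role per identity.
resource "azuread_group_member" "dns_operators" {
  count = var.dns_operators_group_object_id == null ? 0 : 1

  group_object_id  = var.dns_operators_group_object_id
  member_object_id = module.dine_private_dns.identity_id
}
```

Two things to check before relying on this: the principal running terraform needs Owner or User Access Administrator on the zone scope in the other subscription to write that role assignment, and newly created role assignments take a few minutes to propagate, so a remediation task started immediately after apply can still fail once with the same permission error.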
This issue is stale because it has been open for 30 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.