azurerm_role_assignment must be replaced

Question

azurerm_role_assignment must be replaced

rjfmachado opened this issue 5 years ago · comments

Ricardo Machado commented 5 years ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.13

provider.azuread v0.6.0
provider.azurerm v1.36.1

Affected Resource(s)

azurerm_role_assignment

Terraform Configuration Files

terraform {
  required_version = ">= 0.12"
}

provider "azurerm" {
  version = "~> 1.36.0"
}

provider "azuread" {
  version = "~> 0.6.0"
}

data "azurerm_client_config" "current" {
}

# Get the tenant root Management Group
data "azurerm_management_group" "mgTenantRoot" {
  group_id = data.azurerm_client_config.current.tenant_id
}

# Create a Management Group as a child to the tenant root
resource "azurerm_management_group" "test239857" {
  display_name               = "test239857"
  parent_management_group_id = data.azurerm_management_group.mgTenantRoot.id
  group_id                   = "test239857"
  subscription_ids = [
    data.azurerm_client_config.current.subscription_id //move the subscription under the role definition scope
  ]
}

# Create a custom role scoped to a management group
resource "azurerm_role_definition" "test239857" {
  name        = "test239857"
  scope       = azurerm_management_group.test239857.id
  description = "Role scoped to a management group"

  permissions {
    actions = [
      "Microsoft.DeploymentManager/*/read"
    ]
    not_actions = []
  }

  assignable_scopes = [
    azurerm_management_group.test239857.id
  ]
}

# create a target for the role assignment
resource "azuread_group" "test239857" {
  name = "test239857"
}

# Get the current subscription
data "azurerm_subscription" "currentSubscription" {
}

# Assignment of a Management Group scoped role to a subscription
resource "azurerm_role_assignment" "test239857" {
  scope              = data.azurerm_subscription.currentSubscription.id
  role_definition_id = azurerm_role_definition.test239857.id
  principal_id       = azuread_group.test239857.id
}

Debug Output

https://gist.github.com/rjfmachado/b8dd89e4e89fd88391e26e27ab0ff3f2

Expected Behavior

Terraform plan should have no changes after apply

Actual Behavior

Terraform wants to recreate the Role Assignment

Steps to Reproduce

Terraform apply
Terraform plan

Important Factoids

User should have global tenant admin role on Azure AD and Owner on the subscription

References

#3450 Also hitting this when destroying

Derek Burdick · Answer 1 · Tue Dec 10 2019 14:31:46 GMT+0800 (China Standard Time)

Hi, I get the same behavior for built in roles, using azurerm_builtin_role_definition or azurerm_role_definition.

data azurerm_builtin_role_definition contributor {
name = "Contributor"
}

OR

data azurerm_role_definition contributor {
name = "Contributor"
}

Here is the output from plan/apply

module.service.azurerm_role_assignment.app-role must be replaced

-/+ resource "azurerm_role_assignment" "app-role" {
~ id = "/subscriptions/1234/resourceGroups/service-nexus-test1-westus2-dev/providers/Microsoft.Authorization/roleAssignments/6fea8cf5-5113-299f-aa9e-5e4be190fc2f" -> (known after apply)
~ name = "6fea8cf5-5113-299f-aa9e-5e4be190fc2f" -> (known after apply)
principal_id = "7f16a9bb-a75d-4953-8c50-61b7ae694bb4"
~ principal_type = "ServicePrincipal" -> (known after apply)
~ role_definition_id = "/subscriptions/1234/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" -> "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" # forces replacement
~ role_definition_name = "Contributor" -> (known after apply)
scope = "/subscriptions/1234/resourceGroups/service-test1-westus2-dev"
+ skip_service_principal_aad_check = (known after apply)
}

Darren Johnson · Answer 2 · Fri Jan 24 2020 03:49:03 GMT+0800 (China Standard Time)

Still having the same issue today 23/01/2020. It looks like it keeps wanting to switch between:

/subscriptions/GUID/providers/Microsoft.Authorization/roleDefinitions/GUID" -> "/providers/Microsoft.Authorization/roleDefinitions/GUID"

Every time it is also creating a new role_definition_id GUID.

Darren Johnson · Answer 3 · Thu Feb 27 2020 16:01:35 GMT+0800 (China Standard Time)

Hi I can confirm this issue still happens with terraform 0.12.21 and AzureRM 2.0

Brandon Saunders · Answer 4 · Sat Mar 14 2020 04:51:31 GMT+0800 (China Standard Time)

Same issue with Terraform v0.12.23

provider.azurerm v2.1.0

Ken Sykora · Answer 5 · Sat Mar 21 2020 02:47:05 GMT+0800 (China Standard Time)

I am having a similar issue that has to deal with multiple subscriptions in the same tenant. Here is my scenario:

resource "azurerm_role_definition" "resource-provider-registration" {
  name        = "Register Azure Resource Providers"
  scope       = "/subscriptions/${local.subscriptions.prod}"
  description = "Can register Azure resource providers"
  permissions {
    actions = ["*/register/action"]
  }
  assignable_scopes = [
    "/subscriptions/${local.subscriptions.prod}",
    "/subscriptions/${local.subscriptions.uat}",
    "/subscriptions/${local.subscriptions.dev}"
  ]

  provider = azurerm.prod
}

resource "azurerm_role_assignment" "ado-service-principal-provider-registration-prod" {
  scope              = "/subscriptions/${local.subscriptions.prod}"
  role_definition_id = azurerm_role_definition.resource-provider-registration.id
  principal_id       = local.azure_dev_ops_service_principals.prod.object_id

  provider = azurerm.prod
}

resource "azurerm_role_assignment" "ado-service-principal-provider-registration-uat" {
  scope              = "/subscriptions/${local.subscriptions.uat}"
  role_definition_id = azurerm_role_definition.resource-provider-registration.id
  principal_id       = local.azure_dev_ops_service_principals.uat.object_id

  provider = azurerm.uat
}

resource "azurerm_role_assignment" "ado-service-principal-provider-registration-dev" {
  scope              = "/subscriptions/${local.subscriptions.dev}"
  role_definition_id = azurerm_role_definition.resource-provider-registration.id
  principal_id       = local.azure_dev_ops_service_principals.dev.object_id

  provider = azurerm.dev
}

Subsequent runs of this produces the following terraform plans (wants to replace them due to the ID changing, when it hasn't changed.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurerm_role_assignment.ado-service-principal-provider-registration-dev must be replaced
-/+ resource "azurerm_role_assignment" "ado-service-principal-provider-registration-dev" {
      ~ id                               = "/subscriptions/{Dev Subscription ID}/providers/Microsoft.Authorization/roleAssignments/2c2691ea-877f-cfe2-326e-6133d1ec73b9" -> (known after apply)
      ~ name                             = "2c2691ea-877f-cfe2-326e-6133d1ec73b9" -> (known after apply)
        principal_id                     = "2da99d69-b8a3-419f-a885-f6e1e5314524"
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/{Dev Subscription ID}/providers/Microsoft.Authorization/roleDefinitions/75262d2f-6665-aada-da4e-2bcafd5b2bc5" -> "/subscriptions/{Production Subscription ID}/providers/Microsoft.Authorization/roleDefinitions/75262d2f-6665-aada-da4e-2bcafd5b2bc5" # forces replacement
      ~ role_definition_name             = "Register Azure Resource Providers" -> (known after apply)
        scope                            = "/subscriptions/{Dev Subscription ID}"
      + skip_service_principal_aad_check = (known after apply)
    }

  # azurerm_role_assignment.ado-service-principal-provider-registration-uat must be replaced
-/+ resource "azurerm_role_assignment" "ado-service-principal-provider-registration-uat" {
      ~ id                               = "/subscriptions/{UAT Subscription ID}/providers/Microsoft.Authorization/roleAssignments/faf86950-c49d-061d-fd5e-142132c44441" -> (known after apply)
      ~ name                             = "faf86950-c49d-061d-fd5e-142132c44441" -> (known after apply)
        principal_id                     = "3defe365-2eb3-41c7-a025-55649d591ede"
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/{UAT Subscription ID}/providers/Microsoft.Authorization/roleDefinitions/75262d2f-6665-aada-da4e-2bcafd5b2bc5" -> "/subscriptions/{Production Subscription ID}/providers/Microsoft.Authorization/roleDefinitions/75262d2f-6665-aada-da4e-2bcafd5b2bc5" # forces replacement
      ~ role_definition_name             = "Register Azure Resource Providers" -> (known after apply)
        scope                            = "/subscriptions/{UAT Subscription ID}"
      + skip_service_principal_aad_check = (known after apply)
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Amandeep Sahni · Answer 6 · Thu Apr 16 2020 14:11:30 GMT+0800 (China Standard Time)

Facing exactly the issue. Was anybody able to resolve?

Darren Johnson · Answer 7 · Thu Apr 16 2020 14:13:51 GMT+0800 (China Standard Time)

Yes I did literally yesterday! If you add a lifecycle ignore-changes block it stops happening.

I hope this helps.

  lifecycle {
    ignore_changes = [
      role_definition_id,
    ]
  }

Amandeep Sahni · Answer 8 · Fri Apr 17 2020 07:00:38 GMT+0800 (China Standard Time)

@darren-johnson : Thank you that helped.

Juanjo · Answer 9 · Fri Jun 05 2020 22:44:07 GMT+0800 (China Standard Time)

Same situation here, "ignore_changes" is a patch that works but this should be investigated and solved. In my case this happens only with custom roles, once we assign them it works but It wants to modify the resource each time we re-apply:

~ role_definition_id = "/subscriptions/SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/d7e9b9d6-a3d1-9518-0e6b-ff17d47c9078" -> "/providers/Microsoft.Authorization/roleDefinitions/d7e9b9d6-a3d1-9518-0e6b-ff17d47c9078" # forces replacement

jibonilla03 · Answer 10 · Mon Jul 06 2020 12:50:53 GMT+0800 (China Standard Time)

I have same problem for a custom role, it always try to replace the role definition even when I add the ignore changes, can anyone assist ?

Terraform v0.12.28

provider.azurerm v2.17.0

locals {
  role_definition_id = uuid()
}

resource "azurerm_role_definition" "custom" {
  role_definition_id = local.role_definition_id
  name               = var.role_definition_name
  scope              = data.azurerm_management_group.gbs_cloud.id
  description        = var.role_definition_description

  permissions {
    actions     = var.role_actions
    not_actions = var.role_not_actions
  }

  assignable_scopes = [
    data.azurerm_management_group.gbs_cloud.id, 
  ]

   lifecycle {
    ignore_changes = [
      role_definition_id,
    ]
  }
}

Terraform will perform the following actions:
-/+ resource "azurerm_role_definition" "custom" {
        assignable_scopes  = [
            "/providers/Microsoft.Management/managementGroups/GBSCloud",
        ]
        description        = "This is a custom role created via Terraform"
      ~ id                 = "/providers/Microsoft.Authorization/roleDefinitions/709c011c-46c1-c5bd-5431-f5b12058399b" -> (known after apply)
        name               = "Custom Log Analytics"
      ~ role_definition_id = "709c011c-46c1-c5bd-5431-f5b12058399b" -> (known after apply)
      + scope              = "/providers/Microsoft.Management/managementGroups/GBSCloud" # forces replacement

      ~ permissions {
            actions          = [
                "*/read",
                "Microsoft.OperationalInsights/workspaces/analytics/query/action",
                "Microsoft.OperationalInsights/workspaces/search/action",
                "Microsoft.Insights/AlertRules/Throttled/Action",
                "Microsoft.Insights/AlertRules/Resolved/Action",
                "Microsoft.Insights/AlertRules/Activated/Action",
                "Microsoft.Insights/AlertRules/Read",
                "Microsoft.Insights/AlertRules/Delete",
                "Microsoft.Insights/AlertRules/Write",
            ]
          - data_actions     = [] -> null
            not_actions      = [
                "Microsoft.OperationalInsights/workspaces/sharedKeys/read",
            ]
          - not_data_actions = [] -> null
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Juanjo · Answer 11 · Mon Jul 06 2020 14:49:07 GMT+0800 (China Standard Time)

I have same problem for a custom role, it always try to replace the role definition even when I add the ignore changes, can anyone assist ?

Terraform v0.12.28

provider.azurerm v2.17.0

locals {
  role_definition_id = uuid()
}

resource "azurerm_role_definition" "custom" {
  role_definition_id = local.role_definition_id
  name               = var.role_definition_name
  scope              = data.azurerm_management_group.gbs_cloud.id
  description        = var.role_definition_description

  permissions {
    actions     = var.role_actions
    not_actions = var.role_not_actions
  }

  assignable_scopes = [
    data.azurerm_management_group.gbs_cloud.id, 
  ]

   lifecycle {
    ignore_changes = [
      role_definition_id,
    ]
  }
}

Terraform will perform the following actions:
-/+ resource "azurerm_role_definition" "custom" {
        assignable_scopes  = [
            "/providers/Microsoft.Management/managementGroups/GBSCloud",
        ]
        description        = "This is a custom role created via Terraform"
      ~ id                 = "/providers/Microsoft.Authorization/roleDefinitions/709c011c-46c1-c5bd-5431-f5b12058399b" -> (known after apply)
        name               = "Custom Log Analytics"
      ~ role_definition_id = "709c011c-46c1-c5bd-5431-f5b12058399b" -> (known after apply)
      + scope              = "/providers/Microsoft.Management/managementGroups/GBSCloud" # forces replacement

      ~ permissions {
            actions          = [
                "*/read",
                "Microsoft.OperationalInsights/workspaces/analytics/query/action",
                "Microsoft.OperationalInsights/workspaces/search/action",
                "Microsoft.Insights/AlertRules/Throttled/Action",
                "Microsoft.Insights/AlertRules/Resolved/Action",
                "Microsoft.Insights/AlertRules/Activated/Action",
                "Microsoft.Insights/AlertRules/Read",
                "Microsoft.Insights/AlertRules/Delete",
                "Microsoft.Insights/AlertRules/Write",
            ]
          - data_actions     = [] -> null
            not_actions      = [
                "Microsoft.OperationalInsights/workspaces/sharedKeys/read",
            ]
          - not_data_actions = [] -> null
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Your problem is related to an issue in azurerm_role_definition that was introduced in version 2.16, downgrade to version 2.15 and it will work as expected. Please don't forget to post in issue #7549 to let the developers know that there is more people affected.

jibonilla03 · Answer 12 · Tue Jul 07 2020 22:15:30 GMT+0800 (China Standard Time)

@juanjojulian Thanks downgrade to 2.15 works for me

bernardmaltais · Answer 13 · Fri Aug 21 2020 19:44:14 GMT+0800 (China Standard Time)

@juanjojulian 2.15 still gives the error in my case ;-(

Manuel Boillod · Answer 14 · Tue Sep 01 2020 23:53:36 GMT+0800 (China Standard Time)

Hi,
I found a workaround for role_definition_id that should be applied in some situations only:

Built-in role: role_definition_name is used
Custom role:
- applied at management group level: use role_definition_id = azurerm_role_definition.example.id as in terraform example
- applied at subscription level: use the workaround by prefixing the role definition id with the subscription id role_definition_id = "${data.azurerm_subscription.primary.id}${ azurerm_role_definition.example.id}"

Manuel

Juanjo · Answer 15 · Tue Dec 01 2020 18:07:45 GMT+0800 (China Standard Time)

Thanks for the tip @boillodmanuel , in my case it doesn't work, there must be some kind of mess in azurerm_role_assignment resource in my version combination:

Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/azuread v1.1.1
+ provider registry.terraform.io/hashicorp/azurerm v2.38.0

For instance, if I write:

role_definition_id = azurerm_role_definition.customRole.id

Terraform wants to set role_definition_id to:

"/providers/Microsoft.Authorization/roleDefinitions/1b7485d0-f713-e168-5a5b-0816ba0b0646|/providers/Microsoft.Management/managementGroups/myManagementGroupName"

Which according to Documentation should be the output for "role_definition_id" not for "id"

But then if I make use of role_definition_resource_id

role_definition_id = azurerm_role_definition.customRole.role_definition_resource_id

Terraform wants to set role_definition_id to:

"/providers/Microsoft.Authorization/roleDefinitions/1b7485d0-f713-e168-5a5b-0816ba0b0646"

Which initially works but in subsequent applies Terraform will want to change it again and again:

 "/subscriptions/6hsbdka-d4cf-98e6-ff0c-3114fjkds8dbhnb43/providers/Microsoft.Authorization/roleDefinitions/1b7485d0-f713-e168-5a5b-0816ba0b0646" -> "/providers/Microsoft.Authorization/roleDefinitions/1b7485d0-f713-e168-5a5b-0816ba0b0646"

So the (ugly) workaround that works for me its:

role_definition_id = "${data.azurerm_subscription.mySubscription.id}/providers/Microsoft.Authorization/roleDefinitions/${ azurerm_role_definition.customRole.role_definition_id}"

I really cannot understand what's going on with this resource in azurerm, this issue has been open for one year now.

Carlos Sardo · Answer 16 · Wed Dec 16 2020 19:16:27 GMT+0800 (China Standard Time)

Facing the same issue, when using Terraform v0.14.2 and azurerm provider v2.36.0

Matt Garner · Answer 17 · Tue Mar 02 2021 03:41:09 GMT+0800 (China Standard Time)

This is still happening

Darren Johnson · Answer 18 · Wed Mar 17 2021 00:17:03 GMT+0800 (China Standard Time)

Quick update. I have just tested this with @thedevopscat using Terraform v0.14.8 & azurerm v2.51.0

Using the role_definition_name instead of role_definition_id does not cause the issue to occur, however you cannot use a custom role_definition_name as a datasource just by specifying the name.

It would be great if this can be fixed.

Nikolai Fauskrud · Answer 19 · Tue Apr 06 2021 19:57:42 GMT+0800 (China Standard Time)

My understanding suggests that a role definition object is created within each scope specified within the azurerm_role_definition resource. The object referred to in azurerm_role_assignment -> role_definition_id should be the one created for the scope set in azurerm_role_assignment -> role_definition_id.

The provider tries to use the object existing in its own subscription (the one specified in the provider configuration).

The (ugly) workaround suggested by @juanjojulian worked for me.

To avoid confusion between azurerm_role_definition and azurerm_role_assignment the input should be named role_definition_resource_id, not role_definition_id.

Torben Dury · Answer 20 · Fri Jan 21 2022 20:06:40 GMT+0800 (China Standard Time)

How is this more than 2 yrs old and still not fixed?

Christian Schmid · Answer 21 · Sun Feb 27 2022 19:02:58 GMT+0800 (China Standard Time)

We face the same problem with TF 1.0.9 and AzureRM 2.71.0.

Anders · Answer 22 · Mon Mar 07 2022 17:49:21 GMT+0800 (China Standard Time)

I ended up setting role_definition_name instead of the role_definition_id when assigning custom roles. Since custom role definition names are unique across a tenant this will work.

ASir · Answer 23 · Sat May 28 2022 18:39:38 GMT+0800 (China Standard Time)

@darren-johnson is right there is no role definition name in the data source - which I find very inconsistent. I would have this problem would have lead to a name reference being created...

Julien · Answer 24 · Mon Nov 06 2023 23:08:14 GMT+0800 (China Standard Time)

I noticed that if my data source is missing the scope it would be missing the /sub.../XXX prefix for the role_definition_id

data "azurerm_role_definition" "this" {
  name  = "ABC"
  # scope = var.role_subscription_id
}

resource "azurerm_role_assignment" "this" {
  scope              = azurerm_storage_account.this.id
...
  role_definition_id = data.azurerm_role_definition.this.id
}

PLAN:
-/+ resource "azurerm_role_assignment" "this" {
...
      ~ role_definition_id               = "/subscriptions/XXX/providers/Microsoft.Authorization/roleDefinitions/YYY" -> "/providers/Microsoft.Authorization/roleDefinitions/YYY" # forces replacement

david.carvalho · Answer 25 · Mon Jan 29 2024 23:51:23 GMT+0800 (China Standard Time)

Issue still occurs with
source = "hashicorp/azurerm" version "3.89.0" and terraform 1.7

data "azurerm_role_definition" "builtin_owner" {
  name = "Owner"
}

resource "azurerm_pim_eligible_role_assignment" "mg_finops_owner" {
  scope              = azurerm_management_group.xxxxx.id
  role_definition_id = data.azurerm_role_definition.builtin_owner.id
  principal_id       = azuread_group.xxxxx.object_id
}

Each terraform plan leads to:

Terraform will perform the following actions:

  # azurerm_pim_eligible_role_assignment.mg_finops_owner must be replaced
-/+ resource "azurerm_pim_eligible_role_assignment" "xxxxxxx" {
      ~ id                 = "/providers/Microsoft.Management/managementGroups/xxxxx|/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635|xxxxx" -> (known after apply)
      ~ principal_type     = "Group" -> (known after apply)
        # (3 unchanged attributes hidden)

      - schedule { # forces replacement
          - start_date_time = "2024-01-29T15:46:49.0788364+00:00" -> null

          - expiration {
              - duration_days  = 0 -> null
              - duration_hours = 0 -> null
            }
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Fixed by adding:

lifecycle {
    ignore_changes = [
      schedule,
    ]
  }

The resource was originally created without any schedule as it's optional.