
Should be able to assign a role at scope of "/" (root) #24536

taliesins opened this issue Jan 17, 2024 · 0 comments

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.5

AzureRM Provider Version

3.87.0

Affected Resource(s)/Data Source(s)

azurerm_role_assignment

Terraform Configuration Files

None

Debug Output/Panic Output

None

Expected Behaviour

When bootstrapping a new Azure tenant we want to create a service principal for the governance pipeline that can do everything. This leads to us wanting to apply roles at a scope of "/".

Root management group does not equal root scope:

Ideally we would be able to run something like this:

resource "azurerm_role_assignment" "owner_in_all_accounts" {
  scope                = "/"
  role_definition_name = "owner"
  principal_id         = azuread_group.test239857.id
}

If we do this with Azure CLI it would be:

az role assignment create --role 'Owner' --assignee ${principal_id} --scope "/"

Actual Behaviour

We are unable to select a scope of "/" as validation blocks it. So this forces us to use a null resource provider or https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/azapi_resource to create the role at the right scope.

There is validation that stops us from setting a scope of "/" at https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/authorization/role_assignment_resource.go#L63

Steps to Reproduce

terraform apply

Important Factoids

In the short term you can work around the problem using another provider: azapi

resource "random_uuid" "role-assignment-guid" {
}

data "azurerm_role_definition" "builtin" {
  name  = "Owner"
  scope = local.terraform_role_scope
}

# The following resource creates a role assignment at root scope ("/") for the service principal created by this module.
# It is required to use the azapi provider, because the azurerm_role_assignment resource of the azurerm provider does not support "/" as a valid scope.
# Field descriptions:
# - name contains the GUID of the newly created resource (randomly generated)
# - parent_id contains the desired scope
# - type defines the API resource for the role assignment
# - in body,
#   - roleDefinitionId contains the GUID for the Owner role definition at root scope
#   - principalId is the ID of the resource to assign the role to
#   - principalType defines that the principalId is a Service Principal
resource "azapi_resource" "role-assignment" {
  name                      = random_uuid.role-assignment-guid.id
  parent_id                 = "/"
  type                      = "Microsoft.Authorization/roleAssignments@2022-04-01"
  body                      = <<EOF
{
  "properties": {
    "roleDefinitionId": "${data.azurerm_role_definition.builtin.id}",
    "principalId": "${azuread_service_principal.terraform.id}",
    "principalType": "ServicePrincipal"
  }
}
EOF
  schema_validation_enabled = true
}

References

#4847
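As an added illustration (not the provider's code, and not the rule at the linked line), a Go scope validator of the shape this issue asks for: it accepts the tenant root "/" alongside management-group, subscription, resource-group and resource scopes, and rejects malformed values. The pattern list and the GUID format are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// guid is the hex GUID form used for Azure subscription IDs.
const guid = `[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`

// scopePatterns are the resource-ID shaped scopes a role assignment may target
// (assumed list for this example). Root ("/") is not a resource ID, so it is
// handled explicitly in ValidateRoleAssignmentScope.
var scopePatterns = []*regexp.Regexp{
	regexp.MustCompile(`^/subscriptions/` + guid + `$`),
	regexp.MustCompile(`^/subscriptions/` + guid + `/resourceGroups/[^/]+$`),
	regexp.MustCompile(`^/subscriptions/` + guid + `/resourceGroups/[^/]+/providers/[^/]+(/[^/]+)+$`),
	regexp.MustCompile(`^/providers/Microsoft\.Management/managementGroups/[^/]+$`),
}

// IsRootScope reports whether scope is the tenant root, the widest possible
// scope: an Owner assignment here grants control of every subscription and
// management group in the tenant, so callers may want to log or gate it.
func IsRootScope(scope string) bool { return scope == "/" }

// ValidateRoleAssignmentScope returns nil for "/" or a recognised scope ID,
// and a descriptive error otherwise.
func ValidateRoleAssignmentScope(scope string) error {
	if IsRootScope(scope) {
		return nil
	}
	if !strings.HasPrefix(scope, "/") || strings.HasSuffix(scope, "/") {
		return fmt.Errorf("scope %q must start with '/' and must not end with '/'", scope)
	}
	for _, p := range scopePatterns {
		if p.MatchString(scope) {
			return nil
		}
	}
	return fmt.Errorf("scope %q is not a recognised role assignment scope", scope)
}

func main() {
	for _, s := range []string{"/", "/providers/Microsoft.Management/managementGroups/mg-root", "/subscriptions/not-a-guid"} {
		fmt.Printf("%-60s -> root=%v err=%v\n", s, IsRootScope(s), ValidateRoleAssignmentScope(s))
	}
}
```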
