azurerm_role_assignment must be replaced #4847
Comments
|
Hi, I get the same behavior for built in roles, using azurerm_builtin_role_definition or azurerm_role_definition. data azurerm_builtin_role_definition contributor { OR data azurerm_role_definition contributor { Here is the output from plan/apply module.service.azurerm_role_assignment.app-role must be replaced-/+ resource "azurerm_role_assignment" "app-role" { |
|
Still having the same issue today 23/01/2020. It looks like it keeps wanting to switch between: /subscriptions/GUID/providers/Microsoft.Authorization/roleDefinitions/GUID" -> "/providers/Microsoft.Authorization/roleDefinitions/GUID" Every time it is also creating a new role_definition_id GUID. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
I am having a similar issue that has to deal with multiple subscriptions in the same tenant. Here is my scenario: resource "azurerm_role_definition" "resource-provider-registration" {
name = "Register Azure Resource Providers"
scope = "/subscriptions/${local.subscriptions.prod}"
description = "Can register Azure resource providers"
permissions {
actions = ["*/register/action"]
}
assignable_scopes = [
"/subscriptions/${local.subscriptions.prod}",
"/subscriptions/${local.subscriptions.uat}",
"/subscriptions/${local.subscriptions.dev}"
]
provider = azurerm.prod
}
resource "azurerm_role_assignment" "ado-service-principal-provider-registration-prod" {
scope = "/subscriptions/${local.subscriptions.prod}"
role_definition_id = azurerm_role_definition.resource-provider-registration.id
principal_id = local.azure_dev_ops_service_principals.prod.object_id
provider = azurerm.prod
}
resource "azurerm_role_assignment" "ado-service-principal-provider-registration-uat" {
scope = "/subscriptions/${local.subscriptions.uat}"
role_definition_id = azurerm_role_definition.resource-provider-registration.id
principal_id = local.azure_dev_ops_service_principals.uat.object_id
provider = azurerm.uat
}
resource "azurerm_role_assignment" "ado-service-principal-provider-registration-dev" {
scope = "/subscriptions/${local.subscriptions.dev}"
role_definition_id = azurerm_role_definition.resource-provider-registration.id
principal_id = local.azure_dev_ops_service_principals.dev.object_id
provider = azurerm.dev
}
Subsequent runs of this produces the following terraform plans (wants to replace them due to the ID changing, when it hasn't changed. |
|
Facing exactly the issue. Was anybody able to resolve? |
|
Yes I did literally yesterday! If you add a lifecycle ignore-changes block it stops happening. I hope this helps. lifecycle {
ignore_changes = [
role_definition_id,
]
} |
|
@darren-johnson : Thank you that helped. |
|
Same situation here, "ignore_changes" is a patch that works but this should be investigated and solved. In my case this happens only with custom roles, once we assign them it works but It wants to modify the resource each time we re-apply:
|
|
I have same problem for a custom role, it always try to replace the role definition even when I add the ignore changes, can anyone assist ? Terraform v0.12.28
locals {
role_definition_id = uuid()
}resource "azurerm_role_definition" "custom" {
role_definition_id = local.role_definition_id
name = var.role_definition_name
scope = data.azurerm_management_group.gbs_cloud.id
description = var.role_definition_description
permissions {
actions = var.role_actions
not_actions = var.role_not_actions
}
assignable_scopes = [
data.azurerm_management_group.gbs_cloud.id,
]
lifecycle {
ignore_changes = [
role_definition_id,
]
}
}Terraform will perform the following actions:
-/+ resource "azurerm_role_definition" "custom" {
assignable_scopes = [
"/providers/Microsoft.Management/managementGroups/GBSCloud",
]
description = "This is a custom role created via Terraform"
~ id = "/providers/Microsoft.Authorization/roleDefinitions/709c011c-46c1-c5bd-5431-f5b12058399b" -> (known after apply)
name = "Custom Log Analytics"
~ role_definition_id = "709c011c-46c1-c5bd-5431-f5b12058399b" -> (known after apply)
+ scope = "/providers/Microsoft.Management/managementGroups/GBSCloud" # forces replacement
~ permissions {
actions = [
"*/read",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Write",
]
- data_actions = [] -> null
not_actions = [
"Microsoft.OperationalInsights/workspaces/sharedKeys/read",
]
- not_data_actions = [] -> null
}
}
Plan: 1 to add, 0 to change, 1 to destroy. |
Your problem is related to an issue in azurerm_role_definition that was introduced in version 2.16, downgrade to version 2.15 and it will work as expected. Please don't forget to post in issue #7549 to let the developers know that there is more people affected. |
|
@juanjojulian Thanks downgrade to 2.15 works for me |
|
@juanjojulian 2.15 still gives the error in my case ;-( |
|
Hi,
Manuel |
|
Thanks for the tip @boillodmanuel , in my case it doesn't work, there must be some kind of mess in azurerm_role_assignment resource in my version combination: For instance, if I write: Terraform wants to set role_definition_id to: Which according to Documentation should be the output for "role_definition_id" not for "id" But then if I make use of role_definition_resource_id Terraform wants to set role_definition_id to: Which initially works but in subsequent applies Terraform will want to change it again and again: So the (ugly) workaround that works for me its: I really cannot understand what's going on with this resource in azurerm, this issue has been open for one year now. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Quick update. I have just tested this with @thedevopscat using Terraform v0.14.8 & azurerm v2.51.0 Using the role_definition_name instead of role_definition_id does not cause the issue to occur, however you cannot use a custom role_definition_name as a datasource just by specifying the name. It would be great if this can be fixed. |
|
My understanding suggests that a role definition object is created within each scope specified within the azurerm_role_definition resource. The object referred to in azurerm_role_assignment -> role_definition_id should be the one created for the scope set in azurerm_role_assignment -> role_definition_id. The provider tries to use the object existing in its own subscription (the one specified in the provider configuration). The (ugly) workaround suggested by @juanjojulian worked for me. To avoid confusion between azurerm_role_definition and azurerm_role_assignment the input should be named role_definition_resource_id, not role_definition_id. |
|
How is this more than 2 yrs old and still not fixed? |
|
We face the same problem with TF 1.0.9 and AzureRM 2.71.0. |
|
I ended up setting |
|
@darren-johnson is right there is no role definition name in the data source - which I find very inconsistent. I would have this problem would have lead to a name reference being created... |
|
I noticed that if my data source is missing the scope it would be missing the /sub.../XXX prefix for the role_definition_id |
|
Issue still occurs with Each terraform plan leads to: Fixed by adding: The resource was originally created without any schedule as it's optional. |
|
I just hit this issue again - I think there's multiple duplicate issues logged in this repo:
The root of the problem is that custom role definitions with multiple assignable scopes appear to have multiple valid resource ids - one for each assignable scope. When you create an assignment you have to use the resource id of the definition that aligns with the scope of the assignment, otherwise the Azure API will silently "correct" the value on write, which means the next time you run a "terraform plan" the value retrieved from the Azure API doesn't match the expected value in the terraform state and you end up with eternal drift. See my comment here for a hacky workaround that dynamically calculates the "correct" resource id based on the assignment scope and uses that in the resource assignment properties. It's truly awful and I'm not proud of it, but it stops the endless drift detection... |
|
We have the same problem. When using custom role assignments, Terraform wants to recreate the assignment since the (this is the existing proper role definition id) (now Terraform want to change it to this, and after the apply it is back to correct one since Azure "fixes" the id. So Azure and Terraform are never in sync.) Forces replacement I did also a bit of investigation and when assigning Azure custom roles to different scopes: Management Group level assignment: Subscription level assignment: Resource level assignment: |
|
This has been broken for a long time now. We've been manually adding the correct prefix to stop the churn. |
|
Any updates on this topic? We recently started experiencing the same issue |
and others
Community Note
Terraform (and AzureRM Provider) Version
Terraform v0.12.13
Affected Resource(s)
azurerm_role_assignment
Terraform Configuration Files
Debug Output
https://gist.github.com/rjfmachado/b8dd89e4e89fd88391e26e27ab0ff3f2
Expected Behavior
Terraform plan should have no changes after apply
Actual Behavior
Terraform wants to recreate the Role Assignment
Steps to Reproduce
Important Factoids
User should have global tenant admin role on Azure AD and Owner on the subscription
References
#3450 Also hitting this when destroying
The text was updated successfully, but these errors were encountered: