azurerm_role_definition resource id attribute is not valid #8426
Comments
Note that I was able to work around this with the following:

resource "azurerm_role_assignment" "custom" {
  role_definition_id = trimsuffix(azurerm_role_definition.custom.id, "|${azurerm_role_definition.custom.scope}")
  scope              = "/subscriptions/${var.subscription}"
  principal_id       = azuread_service_principal.custom.id
}

We are seeing this same issue as of this morning (when 2.27 was released). 2.26 of the provider does not have this problem.

When using it as a reference in azurerm_role_assignment, it errors out as well. Trying to import an existing role gives this error: Falling back to 2.26.0 solves the issue.

Except that it does not when you already tried to apply with 2.27 (and other changes were successful).
🙄

This is killing my deployment pipelines everywhere. How quickly can we fix this?!

I had to run the following for each resource to use the earlier provider.

terraform state rm ...
terraform import ... ...

Can we get this marked as a bug/defect? The resource ID attribute can no longer be used as reference in other objects. This breaks quite a bit of code and is not easy to work around.

In my case, this broke

# broken in 2.27 because role definition ID is invalid
resource "azurerm_role_assignment" "foo" {
  ...
  role_definition_id = azurerm_role_definition.foo.id
}

# workaround
resource "azurerm_role_assignment" "foo" {
  ...
  role_definition_name = azurerm_role_definition.foo.name
}

I can confirm this works, using the older version for both commands. Also

This also broke our deployment. The id now seems to be a tuple of some sort. I was able to recover from this by using the Before:

Terraform (and AzureRM Provider) Version
Affected Resource(s)
azurerm_role_definition
azurerm_role_assignment
Terraform Configuration Files
Expected Behavior
No error. Role definition can be found by the provider.
Actual Behavior
It appears as though the id attribute was changed in version 2.27.0 to include the scope as fmt.Sprintf("%s|%s", *existing.ID, scope) (see https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/azurerm/internal/services/authorization/role_definition_resource.go#L156). As a result the azurerm_role_assignment is not able to correctly read the role_definition_id that is passed in.
Steps to Reproduce
terraform apply
References
This appears to be related to #6107 introduced in 2.27.0 yesterday.
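
The id format described in this issue, as an added example that is not part of the original thread or the provider's own code: a Go parser that accepts both the plain resource ID and the "<resource id>|<scope>" form and returns the part that role_definition_id expects. The type and function names are hypothetical, and the sample GUIDs are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// roleDefSegment is the ARM path segment a role definition resource ID contains.
const roleDefSegment = "/providers/microsoft.authorization/roledefinitions/"

// RoleDefinitionID (hypothetical type) holds the two parts of the id attribute.
type RoleDefinitionID struct {
	ResourceID string // value azurerm_role_assignment.role_definition_id expects
	Scope      string // empty when the id is in the plain (2.26-style) form
}

// ParseRoleDefinitionID accepts the plain resource ID or the "<id>|<scope>"
// form produced by fmt.Sprintf("%s|%s", *existing.ID, scope).
func ParseRoleDefinitionID(id string) (RoleDefinitionID, error) {
	var out RoleDefinitionID
	parts := strings.Split(id, "|")
	switch len(parts) {
	case 1:
		out.ResourceID = parts[0]
	case 2:
		out.ResourceID, out.Scope = parts[0], parts[1]
		if out.Scope == "" {
			return out, errors.New("composite id has an empty scope")
		}
	default:
		return out, fmt.Errorf("expected at most one '|' separator, got %d", len(parts)-1)
	}
	// Reject values that are not role definition IDs (e.g. a bare scope).
	lower := strings.ToLower(out.ResourceID)
	idx := strings.LastIndex(lower, roleDefSegment)
	if idx < 0 || idx+len(roleDefSegment) == len(lower) {
		return out, fmt.Errorf("%q is not a role definition resource ID", out.ResourceID)
	}
	return out, nil
}

func main() {
	// Constructed sample values; the GUIDs are placeholders.
	sub := "/subscriptions/00000000-0000-0000-0000-000000000000"
	plain := sub + "/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
	for _, id := range []string{plain, plain + "|" + sub, sub} {
		parsed, err := ParseRoleDefinitionID(id)
		fmt.Printf("%+v err=%v\n", parsed, err)
	}
}
```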