fix hashicorp#8577

magodo · Sep 25, 2020 · b4a9e03 · b4a9e03
1 parent be9a83d
commit b4a9e03
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 9 deletions.
diff --git a/azurerm/internal/services/authorization/role_definition_resource.go b/azurerm/internal/services/authorization/role_definition_resource.go
@@ -292,15 +292,8 @@ func expandRoleDefinitionPermissions(d *schema.ResourceData) []authorization.Per
 func expandRoleDefinitionAssignableScopes(d *schema.ResourceData) []string {
 	scopes := make([]string, 0)
 
-	// The first scope in the list must be the target scope as it it not returned in any API call
-	assignedScope := d.Get("scope").(string)
-	scopes = append(scopes, assignedScope)
-	assignableScopes := d.Get("assignable_scopes").([]interface{})
-	for _, scope := range assignableScopes {
-		// Ensure the assigned scope is not duplicated in the list if also specified in `assignable_scopes`
-		if scope != assignedScope {
-			scopes = append(scopes, scope.(string))
-		}
+	for _, scope := range d.Get("assignable_scopes").([]interface{}) {
+		scopes = append(scopes, scope.(string))
 	}
 
 	return scopes

diff --git a/azurerm/internal/services/authorization/tests/role_definition_resource_test.go b/azurerm/internal/services/authorization/tests/role_definition_resource_test.go
@@ -164,6 +164,25 @@ func TestAccAzureRMRoleDefinition_managementGroup(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMRoleDefinition_assignToSmallerScope(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_role_definition", "test")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { acceptance.PreCheck(t) },
+		Providers:    acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMRoleDefinitionDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMRoleDefinition_assignToSmallerScope(uuid.New().String(), data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMRoleDefinitionExists(data.ResourceName),
+				),
+			},
+			data.ImportStep(),
+		},
+	})
+}
+
 func testCheckAzureRMRoleDefinitionExists(resourceName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client := acceptance.AzureProvider.Meta().(*clients.Client).Authorization.RoleDefinitionsClient
@@ -394,3 +413,34 @@ resource "azurerm_role_definition" "test" {
 }
 `, id, data.RandomInteger)
 }
+
+func testAccAzureRMRoleDefinition_assignToSmallerScope(id string, data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_subscription" "primary" {
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestrg-%d"
+  location = "%s"
+}
+
+resource "azurerm_role_definition" "test" {
+  role_definition_id = "%s"
+  name               = "acctestrd-%d"
+  scope              = data.azurerm_subscription.primary.id
+
+  permissions {
+    actions     = ["*"]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    azurerm_resource_group.test.id
+  ]
+}
+`, data.RandomInteger, data.Locations.Primary, id, data.RandomInteger)
+}