From b4a9e03d77618ffa2a4c1463e44a77ebf83f1239 Mon Sep 17 00:00:00 2001
From: magodo
Date: Fri, 25 Sep 2020 14:30:58 +0800
Subject: [PATCH] fix #8577

---
 .../authorization/role_definition_resource.go | 11 +---
 .../tests/role_definition_resource_test.go | 50 +++++++++++++++++++
 2 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/azurerm/internal/services/authorization/role_definition_resource.go b/azurerm/internal/services/authorization/role_definition_resource.go
index 030d73c0e255..da847f5647b5 100644
--- a/azurerm/internal/services/authorization/role_definition_resource.go
+++ b/azurerm/internal/services/authorization/role_definition_resource.go
@@ -292,15 +292,8 @@ func expandRoleDefinitionPermissions(d *schema.ResourceData) []authorization.Per
 func expandRoleDefinitionAssignableScopes(d *schema.ResourceData) []string {
 	scopes := make([]string, 0)
 
-	// The first scope in the list must be the target scope as it it not returned in any API call
-	assignedScope := d.Get("scope").(string)
-	scopes = append(scopes, assignedScope)
-	assignableScopes := d.Get("assignable_scopes").([]interface{})
-	for _, scope := range assignableScopes {
-		// Ensure the assigned scope is not duplicated in the list if also specified in `assignable_scopes`
-		if scope != assignedScope {
-			scopes = append(scopes, scope.(string))
-		}
+	for _, scope := range d.Get("assignable_scopes").([]interface{}) {
+		scopes = append(scopes, scope.(string))
 	}
 
 	return scopes
diff --git a/azurerm/internal/services/authorization/tests/role_definition_resource_test.go b/azurerm/internal/services/authorization/tests/role_definition_resource_test.go
index fa7198181dd9..1e7ee56a69cc 100644
--- a/azurerm/internal/services/authorization/tests/role_definition_resource_test.go
+++ b/azurerm/internal/services/authorization/tests/role_definition_resource_test.go
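Review bot: After this change `expandRoleDefinitionAssignableScopes` returns an empty slice whenever `assignable_scopes` is unset, whereas the old code always seeded the list with `scope`; whether the schema marks `assignable_scopes` as Required, and whether the API accepts an empty assignable-scope list, is not visible in this hunk and should be confirmed, and if the attribute is Computed, existing state that carries the implicitly added scope may show a diff on the next plan. The removed comment was the only record of why the definition's own scope used to be added, so the new loop deserves a one-line note: `// assignable_scopes is sent exactly as configured; the definition's own scope is no longer added implicitly, so a role can be restricted to scopes narrower than the one it is created at (#8577)`. The function's closing brace lies outside the hunk.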
@@ -164,6 +164,25 @@ func TestAccAzureRMRoleDefinition_managementGroup(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMRoleDefinition_assignToSmallerScope(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_role_definition", "test")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() { acceptance.PreCheck(t) },
+		Providers: acceptance.SupportedProviders,
+		CheckDestroy: testCheckAzureRMRoleDefinitionDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAzureRMRoleDefinition_assignToSmallerScope(uuid.New().String(), data),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMRoleDefinitionExists(data.ResourceName),
+				),
+			},
+			data.ImportStep(),
+		},
+	})
+}
+
 func testCheckAzureRMRoleDefinitionExists(resourceName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		client := acceptance.AzureProvider.Meta().(*clients.Client).Authorization.RoleDefinitionsClient
@@ -394,3 +413,34 @@ resource "azurerm_role_definition" "test" {
 }
 `, id, data.RandomInteger)
 }
+
+func testAccAzureRMRoleDefinition_assignToSmallerScope(id string, data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_subscription" "primary" {
+}
+
+resource "azurerm_resource_group" "test" {
+  name = "acctestrg-%d"
+  location = "%s"
+}
+
+resource "azurerm_role_definition" "test" {
+  role_definition_id = "%s"
+  name = "acctestrd-%d"
+  scope = data.azurerm_subscription.primary.id
+
+  permissions {
+    actions = ["*"]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    azurerm_resource_group.test.id
+  ]
+}
+`, data.RandomInteger, data.Locations.Primary, id, data.RandomInteger)
+}
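Review bot: The new acceptance test in the first hunk only asserts that the role definition exists, so it would pass even if the definition's own scope were still being added to `assignable_scopes`, which is the behaviour this commit is meant to change. Pinning the list length in the `Check` makes a regression visible: add `resource.TestCheckResourceAttr(data.ResourceName, "assignable_scopes.#", "1"),` next to `testCheckAzureRMRoleDefinitionExists(data.ResourceName),`. The config in the second hunk already matches that expectation, since it lists only the resource group as an assignable scope. The count assertion relies on the read path flattening only what the API returns, which is outside this diff and worth confirming.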