Terraform-provider-azurerm: Unable to update existing azurerm_role_definition - error 409

Created on 12 Oct 2018 · 9 Comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7
+ provider.azurerm v1.12.0

Affected Resource(s)

  • azurerm_role_definition

Terraform Configuration Files

Original code:

resource "azurerm_role_definition" "register-resource-providers" {
  name        = "Register Resource Providers"
  scope       = "${data.azurerm_subscription.current.id}"
  description = "This is a custom role created via Terraform to allow users to register resource providers"

  permissions {
    actions = ["*/register/action"]
  }

  assignable_scopes = [
    "/subscriptions/00000000-0000-0000-0000-000000000001"
  ]
}

Update I'm trying to make (see additional assignable_scopes):

resource "azurerm_role_definition" "register-resource-providers" {
  name        = "Register Resource Providers"
  scope       = "${data.azurerm_subscription.current.id}"
  description = "This is a custom role created via Terraform to allow users to register resource providers"

  permissions {
    actions = ["*/register/action"]
  }

  assignable_scopes = [
    "/subscriptions/00000000-0000-0000-0000-000000000001",
    "/subscriptions/00000000-0000-0000-0000-000000000002",
    "/subscriptions/00000000-0000-0000-0000-000000000003",
  ]
}

Debug Output

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ azurerm_role_definition.register-resource-providers
      assignable_scopes.#: "1" => "3"
      assignable_scopes.0: "/subscriptions/00000000-0000-0000-0000-000000000001" => "/subscriptions/00000000-0000-0000-0000-000000000001"
      assignable_scopes.1: "" => "/subscriptions/00000000-0000-0000-0000-000000000002"
      assignable_scopes.2: "" => "/subscriptions/00000000-0000-0000-0000-000000000003"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_role_definition.register-resource-providers: Modifying... (ID: /subscriptions/00000000-0000-0000-0000-...s/01408bce-1618-f81b-bb34-0d60a3c5d0b3)
  assignable_scopes.#: "1" => "3"
  assignable_scopes.0: "/subscriptions/00000000-0000-0000-0000-000000000001" => "/subscriptions/00000000-0000-0000-0000-000000000002"
  assignable_scopes.1: "" => "/subscriptions/00000000-0000-0000-0000-000000000001"
  assignable_scopes.2: "" => "/subscriptions/00000000-0000-0000-0000-000000000003"
Releasing state lock. This may take a few moments...

Error: Error applying plan:

1 error(s) occurred:

* azurerm_role_definition.register-resource-providers: 1 error(s) occurred:

* azurerm_role_definition.register-resource-providers: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleDefinitionWithSameNameExists" Message="A role definition cannot be updated with a name that already exists."

Expected Behavior

Since I was able to successfully update the assignableScopes via the Azure CLI, I would have expected Terraform to do the same and not get the error code 409 as shown above.

Via the Azure CLI I successfully updated the role definition with this command:

az role definition update --role-definition custom_role.json --subscription 00000000-0000-0000-0000-000000000001

In the custom_role.json file I simply added the additional subscription IDs to assignableScopes.

Actual Behavior

Terraform tried to update the existing role definition and got this error:

1 error(s) occurred:

* azurerm_role_definition.register-resource-providers: 1 error(s) occurred:

* azurerm_role_definition.register-resource-providers: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleDefinitionWithSameNameExists" Message="A role definition cannot be updated with a name that already exists."

Steps to Reproduce

  1. Create a custom role definition via Terraform.
  2. Add additional assignableScopes to the custom role definition.
  3. terraform apply

Important Factoids

Running in Azure West US.

References

  • #0000

All 9 comments

Hit this today too!

At first glance, this looks like an issue with the Azure SDK for Go.

@tombuildsstuff @JunyiYi, what is the preferred approach in this scenario? Do we wait for the issue to be resolved up-stream, or try to find a workaround?

If you delete the role, give the role a role_definition_id of a random guid, apply, and then do the update and apply, it seems to succeed. The lesson is: do not omit role_definition_id.

@alastairtree, could you post your workaround here?
Is it some sort of script (az cli) or an update via Terraform code?

You need to delete the role from Azure/Terraform state, and then recreate it using Terraform, but be sure to specify a role_definition_id as a random and static guid.
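The workaround described in the comments above, written out as an added example configuration (it is not code from the issue or from the provider project): the original resource from the report with an explicit, static role_definition_id so that later changes to assignable_scopes are applied as an in-place update to the same role instead of a CreateOrUpdate that collides on the name. The GUID is a constructed placeholder; generate one once and keep it fixed in the configuration, since a value generated at plan time (for example with uuid()) would change on every run and force a replacement. The data "azurerm_subscription" "current" block is assumed to exist as in the original configuration.

```hcl
# Added example, not from the original issue: the workaround with a static
# role_definition_id. The GUID below is a constructed placeholder; pick your own
# once and never change it afterwards (changing it forces a new resource).
data "azurerm_subscription" "current" {}

resource "azurerm_role_definition" "register-resource-providers" {
  role_definition_id = "3f5c2b1e-9a7d-4c6e-8b2f-1d0e5a4c7b93" # constructed placeholder, keep static
  name               = "Register Resource Providers"
  scope              = "${data.azurerm_subscription.current.id}"
  description        = "This is a custom role created via Terraform to allow users to register resource providers"

  permissions {
    actions = ["*/register/action"]
  }

  # Adding or removing entries here is the update that previously failed with 409.
  assignable_scopes = [
    "/subscriptions/00000000-0000-0000-0000-000000000001",
    "/subscriptions/00000000-0000-0000-0000-000000000002",
    "/subscriptions/00000000-0000-0000-0000-000000000003",
  ]
}
```

As the comment says, a role that was created without role_definition_id has to be removed from Azure and from Terraform state and recreated with this attribute set; role assignments that reference the old definition will need to be recreated against the new one as well, so plan that step for roles that are already in use.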

This is getting long in the tooth, and I'd love to see it fixed sooner than later.

In my case I now have multiple user groups associated with the custom role I have created, and Terraform wants to delete and re-create it, which is no longer permitted due to the dependencies. It should be possible to suggest that a resource is left alone and carry on! You can add things like lifecycle deletion prevention, but all that does is fail your running script when it gets to the resource with the lifecycle property in place.

Like @qmarc, I have "global" roles that I have to update now and then. To get around this issue I apply the change via PowerShell:

$RoleDef = Get-AzureRmRoleDefinition -Name <Def_Name>
$RoleDef.AssignableScopes = $SubscriptionsId
$RoleDef.Actions = $RoleDef.Actions + "Microsoft.Resources/deployments/write"
$RoleDef | Set-AzureRmRoleDefinition

Re-running terraform now says "No changes. Infrastructure is up-to-date."

Hit this issue today with the latest plugin version.

Are there any plans to address it?
