Terraform-provider-azurerm: Role assignments that reference built-in roles are always recreated.

Created on 7 May 2019  ·  4 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.11.13
+ provider.azurerm v1.27.1

Affected Resource(s)

  • azurerm_role_assignment
  • azurerm_role_definition

Terraform Configuration Files

resource "random_uuid" "acrpull_id" {
  keepers = {
    acr_id = "${azurerm_container_registry.acr.id}"
    sp_id  = "${var.aks_sp_id}"
    role   = "AcrPull"
  }
}

data "azurerm_role_definition" "acrpull" {
  name = "AcrPull"
}

# Grant the AKS Service principal ACRPull on the ACR
resource "azurerm_role_assignment" "aks_acrpull" {
  name               = "${random_uuid.acrpull_id.result}"
  scope              = "${azurerm_container_registry.acr.id}"
  role_definition_id = "${data.azurerm_role_definition.acrpull.id}"
  principal_id       = "${var.aks_sp_id}"
}

Expected Behavior

The random GUID, used for the role assignment name, should stay the same the second time it is run, so if nothing else changes the assignment should be untouched. The role definition references the built-in role AcrPull.

Actual Behavior

The provider sees the resource id change to <computed>, so the resource gets deleted and re-created every time. Also, the format of the role_definition_id changes.

Terraform will perform the following actions:

-/+ module.RESOURCE_GROUP.azurerm_role_assignment.aks_acrpull (new resource required)
      id:                   "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.ContainerRegistry/registries/ACR_NAME/providers/Microsoft.Authorization/roleAssignments/1be2ce41-b24f-87aa-5486-ca9624ebae5e" => <computed> (forces new resource)
      name:                 "1be2ce41-b24f-87aa-5486-ca9624ebae5e" => "1be2ce41-b24f-87aa-5486-ca9624ebae5e"
      principal_id:         "***" => "***"
      role_definition_id:   "/subscriptions/SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d" => "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d" (forces new resource)
      role_definition_name: "AcrPull" => <computed>
      scope:                "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.ContainerRegistry/registries/ACR_NAME" => "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.ContainerRegistry/registries/ACR_NAME"

Steps to Reproduce

Run the same configuration twice without changing anything.

  1. terraform apply
  2. terraform plan
  3. terraform apply

Important Factoids

References

bug servicroles
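The plan excerpt above shows the only real change on the role assignment is the prefix of role_definition_id: the state holds the subscription-scoped form (/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/GUID) while the data source now returns the tenant-level form (/providers/Microsoft.Authorization/roleDefinitions/GUID), and because both halves name the same built-in definition, replacing the assignment achieves nothing except a window in which the principal briefly loses the role. The following Go program is an added example, not code from the azurerm provider or from anyone in this thread. It parses a constructed plan excerpt modelled on the one above (SUBSCRIPTION_ID is the page's placeholder, the role GUIDs are the ones quoted in the issue), extracts the role definition GUID from either ID form, and flags "forces new resource" rows whose old and new values still refer to the same definition. The same comparison is what a provider-side DiffSuppressFunc would use to stop the prefix-only change from forcing replacement; the function and type names (RoleDefinitionGUID, SameRoleDefinition, ParsePlan, SpuriousReplacements, PlanDiff) are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// roleDefRe matches an Azure role definition ID in either form seen in the plan:
//   /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>
//   /providers/Microsoft.Authorization/roleDefinitions/<guid>
// The subscription prefix is optional; the trailing GUID is what identifies the role.
var roleDefRe = regexp.MustCompile(`(?i)^(?:/subscriptions/[^/]+)?/providers/Microsoft\.Authorization/roleDefinitions/([0-9a-f-]{36})$`)

// RoleDefinitionGUID extracts the role definition GUID (lower-cased) from either
// ID form. ok is false for anything that is not a role definition ID.
func RoleDefinitionGUID(id string) (guid string, ok bool) {
	m := roleDefRe.FindStringSubmatch(strings.TrimSpace(id))
	if m == nil {
		return "", false
	}
	return strings.ToLower(m[1]), true
}

// SameRoleDefinition reports whether two IDs name the same role definition,
// ignoring the optional subscription prefix and GUID casing. This is the
// comparison a DiffSuppressFunc would apply to role_definition_id.
func SameRoleDefinition(oldID, newID string) bool {
	a, okA := RoleDefinitionGUID(oldID)
	b, okB := RoleDefinitionGUID(newID)
	return okA && okB && a == b
}

// PlanDiff is one attribute row of a Terraform 0.11 plan, for example
//   role_definition_id: "old" => "new" (forces new resource)
type PlanDiff struct {
	Attr      string
	Old, New  string
	ForcesNew bool
}

// planRowRe captures attr, quoted old value, and either a quoted new value or
// the literal <computed> marker.
var planRowRe = regexp.MustCompile(`^\s*(\w+):\s+"([^"]*)"\s*=>\s*(?:"([^"]*)"|(<computed>))`)

// ParsePlan parses the attribute rows of a plan excerpt. Header lines such as
// "-/+ module..." and any row that does not fit the pattern are skipped.
func ParsePlan(plan string) []PlanDiff {
	var diffs []PlanDiff
	for _, line := range strings.Split(plan, "\n") {
		m := planRowRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		newVal := m[3]
		if m[4] != "" {
			newVal = m[4] // "<computed>"
		}
		diffs = append(diffs, PlanDiff{
			Attr:      m[1],
			Old:       m[2],
			New:       newVal,
			ForcesNew: strings.Contains(line, "(forces new resource)"),
		})
	}
	return diffs
}

// SpuriousReplacements returns the attributes that the plan says force a new
// resource even though old and new still name the same role definition.
func SpuriousReplacements(plan string) []string {
	var out []string
	for _, d := range ParsePlan(plan) {
		if d.ForcesNew && d.Attr == "role_definition_id" && SameRoleDefinition(d.Old, d.New) {
			out = append(out, d.Attr)
		}
	}
	return out
}

// samplePlan is a constructed excerpt modelled on the plan in the issue;
// SUBSCRIPTION_ID and RESOURCE_GROUP are placeholders, not real values.
const samplePlan = `
-/+ module.RESOURCE_GROUP.azurerm_role_assignment.aks_acrpull (new resource required)
      id:                   "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.Authorization/roleAssignments/1be2ce41-b24f-87aa-5486-ca9624ebae5e" => <computed> (forces new resource)
      name:                 "1be2ce41-b24f-87aa-5486-ca9624ebae5e" => "1be2ce41-b24f-87aa-5486-ca9624ebae5e"
      role_definition_id:   "/subscriptions/SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d" => "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d" (forces new resource)
      role_definition_name: "AcrPull" => <computed>
`

func main() {
	for _, d := range ParsePlan(samplePlan) {
		spurious := d.Attr == "role_definition_id" && SameRoleDefinition(d.Old, d.New)
		fmt.Printf("%-22s forcesNew=%-5v spurious=%v\n", d.Attr, d.ForcesNew, spurious)
	}
	fmt.Println("spurious replacements:", SpuriousReplacements(samplePlan))
}
```

Run against the sample, only the role_definition_id row is reported as spurious; the id row is genuinely <computed> because it is derived from the assignment name, which is why the workaround in the comments (let the provider manage name, or use role_definition_name for built-in roles) removes the churn without any ID comparison.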

All 4 comments

If you don't specify the name with your random GUID, it will be assigned and managed automatically. So removing the name in your instance should fix it.

Seeing exactly the same behaviour: role assignments are tagged as "new resource required" on every plan, and our names are auto-generated.

Terraform v0.11.14
+ provider.azuread v0.4.0
+ provider.azurerm v1.31.0

resource "azurerm_role_assignment" "hih_developer" {
  scope              = "${azurerm_cosmosdb_account.db.id}"
  role_definition_id = "${data.azurerm_role_definition.cosmosdb_contributor.id}"
  principal_id       = "${data.azuread_group.rbac_developers.id}"
}

-/+ module.hih-service-module.azurerm_role_assignment.hih_developer (new resource required)
      id:                 "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GRP/providers/Microsoft.DocumentDB/databaseAccounts/COSMOSDB_ACCT/providers/Microsoft.Authorization/roleAssignments/c854ebce-6520-e326-8f4b-323fc4b1be69" => <computed> (forces new resource)
      name:               "c854ebce-6520-e326-8f4b-323fc4b1be69" => <computed>
      principal_id:       "****" => "****"
      role_definition_id: "/subscriptions/SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450" => "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450" (forces new resource)
      scope:              "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GRP/providers/Microsoft.DocumentDB/databaseAccounts/COSMOSDB_ACCT" => "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GRP/providers/Microsoft.DocumentDB/databaseAccounts/COSMOSDB_ACCT"

me too

According to the docs, you should not use role_definition_id with a built-in role but role_definition_name.

=> https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html#example-usage-using-a-built-in-role-

resource "azurerm_role_assignment" "example" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Reader"
  principal_id         = data.azurerm_client_config.example.object_id
}