Terraform-provider-azurerm: Illegal character being added to azurerm_role_definition creation

Created on 24 Sep 2020 · 5 comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.13.2
Terraform v0.13.3

  • provider registry.terraform.io/hashicorp/azurerm v2.27.0
  • provider registry.terraform.io/hashicorp/azurerm v2.28.0

Affected Resource(s)

  • azurerm_role_definition

Terraform Configuration Files

provider "azurerm" {
  version = "=2.27.0"
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "test"
  location = "eastus"
}

resource "azurerm_role_definition" "cert_manager" {
  name        = "test"
  scope       = azurerm_resource_group.test.id

  permissions {
    actions     = ["Microsoft.Network/dnszones/TXT/read"]
    not_actions = []
  }

  assignable_scopes = [azurerm_resource_group.test.id]
}

Expected Behavior

Valid role definition id created.

Actual Behavior

azurerm_role_definition.cert_manager: Refreshing state... [id=/subscriptions/............/providers/Microsoft.Authorization/roleDefinitions/dbd0d95c-0073-a8e2-8878-5abce457e11c|/subscriptions/............../resourceGroups/test]

It seems like the role definition id has a trailing '|' (pipe).

...roleDefinitions/dbd0d95c-0073-a8e2-8878-5abce457e11c|/subscriptions...

Steps to Reproduce

  1. terraform apply

All 5 comments

Experiencing the same issue. And to add a detail: by itself, this looks innocuous, but try passing the ID of this role definition to a role assignment for example, like so:

resource "azurerm_role_definition" "example" {
  name        = "..."
  description = "..."
  scope       = data.azurerm_subscription.main.id

  permissions {
    actions     = ["..."]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.main.id]
}

resource "azurerm_role_assignment" "example" {
  scope              = ...
  role_definition_id = azurerm_role_definition.example.id
  principal_id       = azurerm_user_assigned_identity.example.principal_id
}

You'll get an error on the azurerm_role_assignment resource because azurerm_role_definition.example.id includes that undesirable |:

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidRoleDefinitionId" Message="The role definition ID 'e96e4e4e-d920-60a8-7580-7e8e8a4064b0|' is not valid."

(note the pipe near the end of the line)

Having the same issue with Terraform 0.13.3 and Azurerm 2.29.0

Looks similar to https://github.com/terraform-providers/terraform-provider-azurerm/issues/8547, it is claimed to be fixed in 2.29, but I'm still getting the error.

Hi all, due to a breaking change in backend service behaviour, we have to change the id format for the resource "azurerm_role_definition". Sorry for this breaking change.

If you want to use the Azure id to do a role assignment, please refer to this doc https://www.terraform.io/docs/providers/azurerm/r/role_assignment.html and use role_definition_resource_id. For example:

resource "azurerm_role_assignment" "example" {
  scope              = ...
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.example.principal_id
}
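To make the two id shapes in this thread concrete, here is an added Go example (not provider code) that splits the composite "<resourceId>|<scope>" id into the value role_definition_resource_id exposes and the scope, and applies the check the service applied in the 400 above, so the composite id is rejected and the bare resource id passes. The composite format and the service-side check are inferred from the ids and error quoted in this thread; the subscription id is a zero placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const rdMarker = "/providers/Microsoft.Authorization/roleDefinitions/"

var guidRe = regexp.MustCompile(`(?i)^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

// RoleDefinitionID is the composite "<resourceId>|<scope>" id split into halves (format assumed from this thread).
type RoleDefinitionID struct {
	ResourceID string // what role_definition_resource_id exposes
	Scope      string // scope the definition was created at
}

// ParseCompositeID splits the composite id and validates both halves.
func ParseCompositeID(id string) (RoleDefinitionID, error) {
	parts := strings.Split(id, "|")
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "/subscriptions/") || !strings.HasPrefix(parts[1], "/subscriptions/") {
		return RoleDefinitionID{}, fmt.Errorf("expected \"<arm id>|<arm scope>\", got %q", id)
	}
	if err := CheckAssignmentRoleDefinitionID(parts[0]); err != nil {
		return RoleDefinitionID{}, err
	}
	return RoleDefinitionID{ResourceID: parts[0], Scope: parts[1]}, nil
}

// CheckAssignmentRoleDefinitionID mirrors the service check behind the 400 above: the segment after
// roleDefinitions/ must be a bare GUID, so the composite id fails because its segment ends in '|'.
func CheckAssignmentRoleDefinitionID(roleDefinitionID string) error {
	i := strings.Index(roleDefinitionID, rdMarker)
	if i < 0 {
		return fmt.Errorf("%q is not a roleDefinitions id", roleDefinitionID)
	}
	name := strings.SplitN(roleDefinitionID[i+len(rdMarker):], "/", 2)[0]
	if !guidRe.MatchString(name) {
		return fmt.Errorf("InvalidRoleDefinitionId: role definition ID %q is not valid", name)
	}
	return nil
}

func main() {
	sub := "/subscriptions/00000000-0000-0000-0000-000000000000" // constructed placeholder subscription
	composite := sub + rdMarker + "dbd0d95c-0073-a8e2-8878-5abce457e11c|" + sub + "/resourceGroups/test" // GUID from the issue
	parsed, err := ParseCompositeID(composite)
	fmt.Println(err, CheckAssignmentRoleDefinitionID(composite), CheckAssignmentRoleDefinitionID(parsed.ResourceID)) // <nil> InvalidRoleDefinitionId:... <nil>
}
```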

@njuCZ thanks, that helps!
