
azuread_directory_role_eligibility_schedule_request returning RoleNotFound on creation

Open Fodsuk opened this issue 10 months ago • 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

  • azuread_directory_role_eligibility_schedule_request

Terraform Configuration Files

resource "azuread_custom_directory_role" "iam" {

  display_name = "My Directory Role"
  description  = "My Directory Role"
  enabled      = true
  version      = "1.0"

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/standard/read",
    ]
  }

}

resource "azuread_directory_role_eligibility_schedule_request" "iam" {
  role_definition_id = azuread_custom_directory_role.iam.object_id
  # principal id (you would need to source one in your own Entra)
  principal_id       = "3ed50089-5811-4504-a7c3-d04d64047eb7"
  directory_scope_id = "/"
  justification      = "create eligibility schedule request"
}

Debug Output

Panic Output

Expected Behavior

The eligibility role assignment is created

Actual Behavior

The custom role isn't found and the apply fails with the following error:

Error: Eligibility schedule request for role "1d13bcc2-3044-42df-ac26-0ef2b1b762de" to principal "3ed50089-5811-4504-a7c3-d04d64047eb7", received 404 with error: RoleEligibilityScheduleRequestClient.BaseClient.Post(): unexpected status 404 with OData error: RoleNotFound: The role is not found.
│
│   with azuread_directory_role_eligibility_schedule_request.iam,
│   on directory_role_assignment.tf line 18, in resource "azuread_directory_role_eligibility_schedule_request" "iam":
│   18: resource "azuread_directory_role_eligibility_schedule_request" "iam" {
│
│ RoleEligibilityScheduleRequestClient.BaseClient.Post(): unexpected status 404 with OData error: RoleNotFound: The role is not found.

Steps to Reproduce

  1. terraform apply

Important Factoids

I have tried adding a wait provisioner to the custom directory role creation

resource "azuread_custom_directory_role" "iam" {

  display_name = "My Directory Role"
  description  = "My Directory Role"
  enabled      = true
  version      = "1.0"

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/standard/read",
    ]
  }

  # wait 10 minutes for role to be ready
  provisioner "local-exec" {
    command     = "Start-Sleep 600"
    interpreter = ["pwsh", "-Command"]
  }

}

References

  • #0000

Fodsuk avatar Apr 17 '24 14:04 Fodsuk
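A bounded poll in place of the fixed 600-second sleep, as an added example that is not part of the issue or of the provider: it keeps looking the role definition up with exponential backoff until it resolves, then reports whether the configured role_definition_id is the definition's id (object_id) or its templateId (template_id). `lookup` is assumed to wrap a Microsoft Graph GET of /roleManagement/directory/roleDefinitions/{id} returning None on 404 (the real HTTP call is not shown); the sample definition is constructed, reusing the ids from the error above, and its templateId is a placeholder.

```python
import time
from typing import Callable, Optional

# Stand-in type for a lookup against Microsoft Graph
# (GET /roleManagement/directory/roleDefinitions/{id}); the caller supplies it.
RoleLookup = Callable[[str], Optional[dict]]

# Constructed sample mirroring the ids in the error above; templateId is a placeholder.
SAMPLE_DEFINITIONS = [
    {"id": "1d13bcc2-3044-42df-ac26-0ef2b1b762de",
     "templateId": "aaaaaaaa-0000-4000-8000-000000000001",
     "displayName": "My Directory Role", "isBuiltIn": False},
]

def make_propagating_lookup(definitions: list, visible_after: int) -> RoleLookup:
    """Fake Graph: the role is not visible for the first `visible_after` calls."""
    calls = {"n": 0}
    def lookup(role_id: str) -> Optional[dict]:
        calls["n"] += 1
        if calls["n"] <= visible_after:
            return None  # simulates RoleNotFound right after the role was created
        for d in definitions:
            if role_id in (d.get("id"), d.get("templateId")):
                return d
        return None
    return lookup

def classify(role_definition_id: str, definition: dict) -> str:
    """Which attribute of the resolved definition the configured id matches."""
    if definition.get("id") == role_definition_id:
        return "object_id"
    if definition.get("templateId") == role_definition_id:
        return "template_id"
    return "unrelated"

def wait_for_role(role_definition_id: str, lookup: RoleLookup, sleep=time.sleep,
                  timeout_s: float = 600.0, initial_s: float = 5.0, max_s: float = 60.0):
    """Poll with exponential backoff until the role resolves; returns (definition, attempts)."""
    delay, waited, attempts = initial_s, 0.0, 0
    while True:
        attempts += 1
        definition = lookup(role_definition_id)
        if definition is not None:
            return definition, attempts
        if waited >= timeout_s:
            raise TimeoutError(f"role {role_definition_id} still not found after {attempts} attempts")
        sleep(delay)
        waited += delay
        delay = min(delay * 2, max_s)
```

Wired into a local-exec provisioner or run before `terraform apply`, this turns a blind wait into a check that also tells you which id form the request is about to send.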

Does the same thing happen if you only include the custom role in the initial apply, then add in the azuread_directory_role_eligibility_schedule_request afterwards?

nbaju1 avatar Apr 19 '24 11:04 nbaju1

I am now getting a few other issues with the same configuration on every single apply (so initial and adding afterwards):

  • azuread_directory_role_eligibility_schedule_request using an azuread_custom_directory_role will always force replace the current eligibility assignment. Looks like the role_definition_id keeps changing when using template_id or object_id.
  • azuread_directory_role_assignment using an azuread_directory_role is always wanting to create a new resource even if it has been imported. When running apply it will error stating a resource already exists.

Working:

  • azuread_directory_role_assignment using an azuread_custom_directory_role - working as expected and using template_id.
  • azuread_directory_role_eligibility_schedule_request using an azuread_directory_role - working as expected.

azurerm has some similar issues as well.

  • azurerm_pim_eligible_role_assignment using an azurerm_role_definition against an azurerm_subscriptions is always wanting to create a new resource even if it has been imported. When running apply it will error stating a resource already exists.
  • azurerm_pim_eligible_role_assignment using an azurerm_role_definition against an azurerm_management_group

I have imported with the same resource names, no change.

Gaarindor avatar May 03 '24 01:05 Gaarindor