azuread_access_package_catalog_role not supporting AccessPackage assignment manager as display_name #1319

Open
sklakegg opened this issue Feb 28, 2024 · 4 comments


@sklakegg
Contributor

sklakegg commented Feb 28, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

hashicorp/azuread v2.47.0

Affected Resource(s)

azuread_access_package_catalog_role

Terraform Configuration Files

data "azuread_access_package_catalog_role" "example" {
  display_name = "AccessPackage assignment manager"
}

Debug Output

Error: No role found matching specified filter (displayName eq 'AccessPackage assignment manager')

Expected Behavior

Role is found, see docs: https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roledefinitions?view=graph-rest-1.0&tabs=http

Actual Behavior

Role is not found. It works however to use object_id:

data "azuread_access_package_catalog_role" "access_package_assignment_manager" {
  object_id = "e2182095-804a-4656-ae11-64734e9b7ae5"
}

Steps to Reproduce

Create an azuread_access_package_catalog_role data source with either "Access package manager" or "Access package assignment manager"

@nbaju1

nbaju1 commented Mar 5, 2024

The correct syntax for the display names for these roles is AccessPackages manager and AccessPackage assignment manager.

Can be checked with GET on "/roleManagement/entitlementManagement/roleDefinitions" (https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roledefinitions?view=graph-rest-1.0&tabs=http)

@sklakegg
Contributor Author

sklakegg commented Mar 20, 2024

> The correct syntax for the display names for these roles is AccessPackages manager and AccessPackage assignment manager.
>
> Can be checked with GET on "/roleManagement/entitlementManagement/roleDefinitions" (https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roledefinitions?view=graph-rest-1.0&tabs=http)

Thanks for the reply.
I tried using the correct display names.

data "azuread_access_package_catalog_role" "access_package_manager" {
  display_name = "AccessPackages manager"
}

data "azuread_access_package_catalog_role" "access_package_assignment_manager" {
  display_name = "AccessPackage assignment manager"
}

It works for "AccessPackages manager" but "AccessPackage assignment manager" throws:
Error: No role found matching specified filter (displayName eq 'AccessPackage assignment manager')

It works however with using the object id of the role:

data "azuread_access_package_catalog_role" "access_package_assignment_manager" {
  object_id = "e2182095-804a-4656-ae11-64734e9b7ae5"
}

I will update the issue

@sklakegg sklakegg changed the title from "azuread_access_package_catalog_role not supporting Access package manager or Access package assignment manager" to "azuread_access_package_catalog_role not supporting AccessPackage assignment manager as display_name" Mar 20, 2024
@nbaju1

nbaju1 commented Apr 3, 2024

I tested the filter directly with the Graph API and it returned an empty list.
"/roleManagement/entitlementManagement/roleDefinitions?$filter=displayName eq 'AccessPackage assignment manager'"

Filtering on AccessPackages manager works and returns the expected role definition.

So seems like the issue is with the Graph API, not the provider. Perhaps there should be a note in the documentation warning about this, suggesting to use your workaround using the object ID directly (which is the same in all tenants, it seems).

@manicminer
Member

Thanks for reporting this @sklakegg, it does look like this is an API issue as we rely on query filters to do the heavy lifting here.
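
The object ID workaround from this thread, with a guard on the looked-up role, as an added example that is not part of the original issue or the provider's documentation. It assumes Terraform 1.2 or later (for `postcondition`) and that the data source exports `display_name` when looked up by `object_id`; the two variables are hypothetical inputs.

```hcl
# Hypothetical inputs: the catalog to delegate and the principal receiving the role.
variable "catalog_id" {
  type        = string
  description = "ID of the access package catalog the role is scoped to"
}

variable "principal_object_id" {
  type        = string
  description = "Object ID of the user, group or service principal receiving the role"
}

# Look the role up by the object ID reported in this issue, because the
# displayName filter returns no match for this particular role.
data "azuread_access_package_catalog_role" "access_package_assignment_manager" {
  object_id = "e2182095-804a-4656-ae11-64734e9b7ae5"

  lifecycle {
    # The thread only observes that the ID "seems" to be the same in all
    # tenants. Fail the plan if the ID resolves to a different role, so a
    # hard-coded GUID can never silently grant an unintended role.
    postcondition {
      condition     = self.display_name == "AccessPackage assignment manager"
      error_message = "Pinned object_id does not resolve to 'AccessPackage assignment manager' in this tenant."
    }
  }
}

# Scope the delegation to a single catalog and a single principal.
resource "azuread_access_package_catalog_role_assignment" "assignment_manager" {
  role_id             = data.azuread_access_package_catalog_role.access_package_assignment_manager.object_id
  principal_object_id = var.principal_object_id
  catalog_id          = var.catalog_id
}
```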
