
azuread_directory_role_eligibility_schedule_request returning RoleNotFound on creation #1356

Open
Fodsuk opened this issue Apr 17, 2024 · 2 comments

Comments

@Fodsuk

Fodsuk commented Apr 17, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

  • azuread_directory_role_eligibility_schedule_request

Terraform Configuration Files

resource "azuread_custom_directory_role" "iam" {

  display_name = "My Directory Role"
  description  = "My Directory Role"
  enabled      = true
  version      = "1.0"

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/standard/read",
    ]
  }

}

resource "azuread_directory_role_eligibility_schedule_request" "iam" {
  role_definition_id = azuread_custom_directory_role.iam.object_id
  # principal id (you would need to source one in your own Entra)
  principal_id       = "3ed50089-5811-4504-a7c3-d04d64047eb7"
  directory_scope_id = "/"
  justification      = "create eligibility schedule request"
}

Debug Output

Panic Output

Expected Behavior

The eligibility role assignment is created

Actual Behavior

The custom role isn't found and the apply fails with the following error

Error: Eligibility schedule request for role "1d13bcc2-3044-42df-ac26-0ef2b1b762de" to principal "3ed50089-5811-4504-a7c3-d04d64047eb7", received 404 with error: RoleEligibilityScheduleRequestClient.BaseClient.Post(): unexpected status 404 with OData error: RoleNotFound: The role is not found.
│
│   with azuread_directory_role_eligibility_schedule_request.iam,
│   on directory_role_assignment.tf line 18, in resource "azuread_directory_role_eligibility_schedule_request" "iam":
│   18: resource "azuread_directory_role_eligibility_schedule_request" "iam" {
│
│ RoleEligibilityScheduleRequestClient.BaseClient.Post(): unexpected status 404 with OData error: RoleNotFound: The role is not found.

Steps to Reproduce

  1. terraform apply

Important Factoids

I have tried adding a wait provisioner to the custom directory role creation

resource "azuread_custom_directory_role" "iam" {

  display_name = "My Directory Role"
  description  = "My Directory Role"
  enabled      = true
  version      = "1.0"

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/standard/read",
    ]
  }

  # wait 10 minutes for role to be ready
  provisioner "local-exec" {
    command     = "Start-Sleep 600"
    interpreter = ["pwsh", "-Command"]
  }

}

References

  • #0000
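Added example (not the issue author's configuration and not code from the azuread provider project): the same custom role and eligibility request, with the wait expressed as a `time_sleep` resource from the hashicorp/time provider instead of a `local-exec` provisioner that shells out to pwsh, and with the ordering made explicit through `depends_on`. It keeps the least-privilege custom role and the eligibility (just-in-time) request rather than a permanent assignment. The role name, the placeholder principal id variable and the 10 minute duration are my assumptions; `role_definition_id` uses `object_id` exactly as the issue does, and this issue does not establish whether a delay alone avoids the `RoleNotFound` response.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    time    = { source = "hashicorp/time" }
  }
}

# Object id of the user or group to make eligible. The default is an obvious
# placeholder; supply a real id from your own tenant.
variable "principal_id" {
  description = "Object id of the principal to make eligible for the role"
  type        = string
  default     = "00000000-0000-0000-0000-000000000000"
}

# Least-privilege custom role: only the application permissions that are needed.
resource "azuread_custom_directory_role" "iam" {
  display_name = "My Directory Role"
  description  = "Application registration maintainer (least privilege)"
  enabled      = true
  version      = "1.0"

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/standard/read",
    ]
  }
}

# Give the directory time to propagate the new role definition before it is
# referenced. time_sleep is portable (no pwsh dependency) and runs only once,
# on creation. The 10 minute figure is an assumption, not a documented
# propagation window.
resource "time_sleep" "role_propagation" {
  depends_on      = [azuread_custom_directory_role.iam]
  create_duration = "10m"
}

# Eligibility (PIM) request: the principal must activate the role when it is
# needed instead of holding it permanently.
resource "azuread_directory_role_eligibility_schedule_request" "iam" {
  role_definition_id = azuread_custom_directory_role.iam.object_id
  principal_id       = var.principal_id
  directory_scope_id = "/"
  justification      = "Eligible assignment for application maintainers"

  depends_on = [time_sleep.role_propagation]
}
```

Run `terraform init` to pull both providers, then `terraform apply`. If the request still returns `RoleNotFound` after the sleep, the id shown in the error message is the value the provider sent as `role_definition_id`; comparing it with `terraform state show azuread_custom_directory_role.iam` tells you whether it is the role's object id or template id, which is the distinction the later comment on this issue points at.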
@nbaju1

nbaju1 commented Apr 19, 2024

Does the same thing happen if you only include the custom role in the initial apply, then add in the azuread_directory_role_eligibility_schedule_request afterwards?

@Gaarindor

I am now getting a few other issues with the same configuration on every single apply (so initial and adding afterwards):

  • azuread_directory_role_eligibility_schedule_request using an azuread_custom_directory_role will always force replace the current eligibility assignment. Looks like the role_definition_id keeps changing when using template_id or object_id.
  • azuread_directory_role_assignment using an azuread_directory_role is always wanting to create a new resource even if it has been imported. When running apply it will error stating a resource already exists.

Working:

  • azuread_directory_role_assignment using an azuread_custom_directory_role - working as expected and using template_id.
  • azuread_directory_role_eligibility_schedule_request using an azuread_directory_role - working as expected.

azurerm has some similar issues as well.

  • azurerm_pim_eligible_role_assignment using an azurerm_role_definition against an azurerm_subscriptions is always wanting to create a new resource even if it has been imported. When running apply it will error stating a resource already exists.
  • azurerm_pim_eligible_role_assignment using an azurerm_role_definition against an azurerm_management_group

I have imported with the same resource names, no change.
