
azuread_directory_role_assignment fails in v2.26.0 when directory_scope_id is not set #839

Closed
sjovang opened this issue Jul 10, 2022 · 5 comments · Fixed by #840

Comments

sjovang commented Jul 10, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.2.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.26.0

Affected Resource(s)

  • azuread_directory_role_assignment

Terraform Configuration Files

data "azuread_domains" "initial" {
  only_initial = true
}

data "azurerm_client_config" "core" {}

data "azurerm_management_group" "root" {
  name = data.azurerm_client_config.core.tenant_id
}

resource "random_password" "emergency_user_password" {
  length = 64
}

locals {
  password = var.emergency_access_account_password == "" ? random_password.emergency_user_password.result : var.emergency_access_account_password
}

resource "azuread_user" "emergency_access_account" {
  user_principal_name         = "${var.emergency_access_account_username}@${data.azuread_domains.initial.domains.0.domain_name}"
  display_name                = var.emergency_access_account_display_name
  disable_password_expiration = true
  password                    = local.password
}

# Global Administrator directory role (template id as given in this issue).
# No directory_scope_id is set here; this is the configuration that fails on v2.26.0.
resource "azuread_directory_role_assignment" "global_administrator" {
  role_id             = "62e90394-69f5-4237-9190-012177145e10"
  principal_object_id = resource.azuread_user.emergency_access_account.object_id
}

resource "azurerm_role_assignment" "owner" {
  scope                = data.azurerm_management_group.root.id
  role_definition_name = "Owner"
  principal_id         = resource.azuread_user.emergency_access_account.object_id
}

Debug Output

https://gist.github.com/sjovang/1c91c65e1b42c38483a435b50a49f92f

Expected Behavior

Global Administrator role assigned to the user. When rolling back to v2.25.0, the configuration assigns the role as expected.

Actual Behavior

Apply returns the following error:

│ Error: Assigning directory role "62e90394-69f5-4237-9190-012177145e10" to directory principal "5d03249e-3f08-4546-9b28-95dcf530e40c", received 400 with error: RoleAssignmentsClient.BaseClient.Post(): unexpected status 400 with OData error: Request_BadRequest: Must specify valid property scope of entity RoleAssignment.
│ 
│   with module.emergency_access.azuread_directory_role_assignment.global_administrator,
│   on ../../main.tf line 43, in resource "azuread_directory_role_assignment" "global_administrator":
│   43: resource "azuread_directory_role_assignment" "global_administrator" {
│ 
│ RoleAssignmentsClient.BaseClient.Post(): unexpected status 400 with OData error: Request_BadRequest: Must specify valid property scope of entity
│ RoleAssignment.

Steps to Reproduce

  1. terraform apply
sjovang commented Jul 10, 2022

I did a bit more testing, and setting directory_scope_id = "/" is a workaround for the error.

@sjovang sjovang changed the title azuread_directory_role_assignment fails in v2.26.0 azuread_directory_role_assignment fails in v2.26.0 when directory_scope_id is not set Jul 10, 2022
manicminer commented Jul 11, 2022

Hi @sjovang, thanks for reporting this. You have found the correct resolution in specifying directory_scope_id = "/". It looks like this change wasn't documented correctly, which we'll fix as soon as possible; sorry about that.

In 2.25.0 the provider defaulted this value; however, this was causing issues with some combinations of directory_scope_id and app_scope_id, and so the default value was removed in 2.26.0. This isn't the sort of change we'd usually make without advance notice, but unfortunately it was necessary to resolve a wider issue.

@manicminer

@sjovang Actually, please disregard my previous reply! I have realized that it's possible to retain the default value and given that this was a breaking change, I think the best course is for us to issue a patch release restoring the previous behavior (making directory_scope_id optional).

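The two resolutions discussed in this thread (the explicit scope workaround and the patched provider) combined into one configuration, as an added example rather than the reporter's own config; it assumes the azuread_user resource from the original report exists in the same module:

```hcl
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
      # v2.26.1 restores the implicit default scope, so pinning at or above it
      # avoids the 2.26.0 "Must specify valid property scope" failure.
      version = ">= 2.26.1"
    }
  }
}

# Global Administrator directory role, template id as used in the issue.
resource "azuread_directory_role_assignment" "global_administrator" {
  role_id             = "62e90394-69f5-4237-9190-012177145e10"
  principal_object_id = azuread_user.emergency_access_account.object_id

  # Tenant-wide scope stated explicitly. This is the workaround that makes the
  # assignment succeed on v2.26.0 and stays valid on earlier and later releases,
  # so the break-glass assignment does not depend on a provider default.
  directory_scope_id = "/"
}
```

Setting the scope explicitly also documents in the configuration that this emergency-access assignment is intentionally tenant-wide, which is the kind of detail a reviewer of privileged-role grants wants to see stated rather than implied.
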
@github-actions

This functionality has been released in v2.26.1 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 11, 2022