
azurerm_pim_eligible_role_assignment creates assignment but fails with couldn't find resource #23366

Closed
1 task done
alexwilcox9 opened this issue Sep 23, 2023 · 7 comments · Fixed by #24524

Comments

@alexwilcox9
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.7

AzureRM Provider Version

3.74.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

# referencing an existing resource group where Monitoring Contributor is allowed to be eligible indefinitely 
data "azurerm_resource_group" "example" {
  name = "log-analytics-rg"
}

resource "azuread_group" "example" {
  display_name       = "PIM Issue Test"
  security_enabled   = true
  assignable_to_role = true
}

data "azurerm_role_definition" "iam-lookup" {
  name = "Monitoring Contributor"
}

resource "azurerm_pim_eligible_role_assignment" "example" {
  scope              = data.azurerm_resource_group.example.id
  role_definition_id = data.azurerm_role_definition.iam-lookup.id
  principal_id       = azuread_group.example.object_id
}

Debug Output/Panic Output

https://gist.github.com/alexwilcox9/b0c7f241b12a966ce9fd424cc4b2c828

Expected Behaviour

The PIM assignment should be created and Terraform should complete successfully.

Actual Behaviour

The PIM assignment is created, but Terraform fails to detect this and errors after about seven minutes.

If you run a second apply, it errors because the assignment already exists.

│ Error: waiting for Role Management Policy: (Principal Id "4561ddd0-xxxx-xxxx-xxxx-xxxxxxxxxxxx" / Scope "/subscriptions/fafb7faf-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/log-analytics-rg" / Role Definition Id "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa") to become ready: couldn't find resource (21 retries)
│ 
│   with azurerm_pim_eligible_role_assignment.example,
│   on main.tf line 29, in resource "azurerm_pim_eligible_role_assignment" "example":
│   29: resource "azurerm_pim_eligible_role_assignment" "example" {
│ 
│ waiting for Role Management Policy: (Principal Id "4561ddd0-xxxx-xxxx-xxxx-xxxxxxxxxxxx" / Scope "/subscriptions/fafb7faf-95c8-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/log-analytics-rg" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa") to become ready: couldn't find resource (21 retries)
╵

Steps to Reproduce

  1. Adjust the assignment policy for a role at the resource group scope to allow indefinite assignment
  2. terraform apply

Important Factoids

No response

References

No response

@alexwilcox9
Contributor Author

I think I've found the cause of the issue: basically, it's the scope of the role definition.

In the example above I don't specify the scope of the role when I look it up, which gives me the following ID:
/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa
Even though this works for setting the assignment, the API returns the role definition at the scope of the assignment:
/subscriptions/fafb7faf-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa

Because of this, this search never matches:
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/authorization/pim_eligible_role_assignment_resource.go#L631

		for _, item := range items.Items {
			if *item.Properties.RoleDefinitionId == roleDefinitionId &&
				*item.Properties.MemberType == roleeligibilityscheduleinstances.MemberTypeDirect {
				state = "Found"
				result = item
			}
		}

Adding 'scope' to my role lookup resolves the issue. The for loop above could also be adjusted to only check the role ID's GUID, as it's already searching at the correct scope.
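As an added example (not the provider's code), the GUID-only comparison suggested above, written in Go against a constructed stand-in for the SDK item type; the eligibleInstance type, its field names and the all-zero subscription ID are assumptions, and the role GUID is the one from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// eligibleInstance is an assumed, minimal stand-in for the SDK item the
// provider loops over; only the two fields the loop inspects are modelled.
type eligibleInstance struct {
	RoleDefinitionID string
	MemberType       string
}

// roleDefinitionGUID returns the GUID after the last "roleDefinitions/" segment,
// so the unscoped and the subscription-scoped forms of the same role reduce to
// the same value. Returns "" when the segment is absent.
func roleDefinitionGUID(id string) string {
	const marker = "/roledefinitions/"
	lower := strings.ToLower(id)
	i := strings.LastIndex(lower, marker)
	if i < 0 {
		return ""
	}
	return strings.Trim(lower[i+len(marker):], "/")
}

// roleDefinitionIDsMatch compares two role definition IDs by GUID only, ignoring the scope prefix.
func roleDefinitionIDsMatch(want, got string) bool {
	w := roleDefinitionGUID(want)
	return w != "" && w == roleDefinitionGUID(got)
}

// findDirectEligible mirrors the provider's search loop but matches on the GUID, not the full ID.
func findDirectEligible(items []eligibleInstance, roleDefinitionID string) (eligibleInstance, bool) {
	for _, item := range items {
		if roleDefinitionIDsMatch(roleDefinitionID, item.RoleDefinitionID) && item.MemberType == "Direct" {
			return item, true
		}
	}
	return eligibleInstance{}, false
}

func main() {
	// Constructed sample: the config supplied the unscoped ID, the API returned a scoped one.
	want := "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
	items := []eligibleInstance{{RoleDefinitionID: "/subscriptions/00000000-0000-0000-0000-000000000000" + want, MemberType: "Direct"}}
	_, found := findDirectEligible(items, want)
	fmt.Printf("exact match: %v, GUID match: %v\n", want == items[0].RoleDefinitionID, found)
}
```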

@manicminer
Contributor

@alexwilcox9 Thanks for digging into that, that's super helpful 👍

@davidng1996

@manicminer can we get a fix for this? I've been having the same issues since Aug (#22909).

@ztdietmaier

I see the same behaviour with azurerm_pim_active_role_assignment resources (azurerm provider 3.75.0)

@TeamDman

I had this problem with a scope at the resource group level.
Following the example usage for subscriptions resolved the problem for me.

resource "azurerm_pim_eligible_role_assignment" "project_owner" {
  scope              = azurerm_resource_group.main.id
  role_definition_id = "${data.azurerm_subscription.primary.id}${data.azurerm_role_definition.owner.id}"
  # these don't work
  # role_definition_id = data.azurerm_role_definition.owner.role_definition_id
  # role_definition_id = "${azurerm_resource_group.main.id}${data.azurerm_role_definition.owner.id}"
}

@xuzhang3
Contributor

xuzhang3 commented Jan 17, 2024

This is a bug. A role assignment in pending status will never be retrieved, as the right API is not used. There are two APIs, schedule and instance; the API currently used by AzureRM can only get activated role assignments.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 21, 2024