datasource azurerm_role_definition no longer includes scope definition since v3.86

[KoenR3]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.6

AzureRM Provider Version

3.86.0

Affected Data Source

azurerm_role_definition

Terraform Configuration Files

data "azurerm_role_definition" "default-builtin-ai-developer" {
  name  = "Azure AI Developer"
  scope = data.azurerm_subscription.SUB.id
}

resource "azurerm_resource_group" "RG-AI-002" {
  name     = "rg-ai"
  location = "East US"
}

resource "azurerm_role_assignment" "RA-RG-AI-DEVELOPER" {
  principal_id       = data.azuread_group.ADG-DEV.object_id
  scope              = azurerm_resource_group.RG-AI-002.id
  #role_definition_name = "Azure AI Developer"
  role_definition_id = data.azurerm_role_definition.default-builtin-ai-developer.role_definition_id
}

Debug Output/Panic Output

{"properties":{"roleDefinitionId":"b24988ac-6180-42a0-ab88-20f7382dd24c","principalId":"---","description":""}}: timestamp="2024-01-05T10:37:45.685+0100"
2024-01-05T10:37:45.687+0100 [DEBUG] provider.terraform-provider-azurerm_v3.86.0_x5: AzureRM Response for --- version=2020-04-01-preview: 
HTTP/2.0 404 Not Found
Content-Length: 128
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Fri, 05 Jan 2024 09:37:45 GMT
Expires: -1
Pragma: no-cache
Set-Cookie: x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 5410145f-abbb-070e-3f41-15c946c1b3ee
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11996
X-Ms-Request-Id: bf7da5dd-1afe-4fa8-bdba-dc74ce8c135b
X-Ms-Routing-Request-Id: FRANCESOUTH:20240105T093745Z:7e325489-82a8-4ca3-9ea9-d8cbd87a5aec

{"error":{"code":"RoleAssignmentNotFound","message":"The role assignment '4784b805-289d-ab96-6f2a-78bb93a15c4b' is not found."}}: timestamp="2024-01-05T10:37:45.687+0100"
2024-01-05T10:37:45.687+0100 [DEBUG] provider.terraform-provider-azurerm_v3.86.0_x5: Waiting for state to become: [success]: timestamp="2024-01-05T10:37:45.687+0100"
2024-01-05T10:37:45.687+0100 [DEBUG] provider.terraform-provider-azurerm_v3.86.0_x5: AzureRM Request: 
PUT //subscriptions/---/resourceGroups/---/providers/Microsoft.Authorization/roleAssignments/4784b805-289d-ab96-6f2a-78bb93a15c4b?api-version=2020-04-01-preview HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.21.3 (arm64-darwin) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 authorization/2020-04-01-preview HashiCorp Terraform/1.6.3 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.86.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 144
Content-Type: application/json; charset=utf-8
X-Ms-Correlation-Request-Id: 5410145f-abbb-070e-3f41-15c946c1b3ee
Accept-Encoding: gzip

{"properties":{"roleDefinitionId":"64702f94-c441-49e6-a78b-ef80e0188fee","principalId":"---","description":""}}: timestamp="2024-01-05T10:37:45.687+0100"
2024-01-05T10:37:49.735+0100 [DEBUG] provider.terraform-provider-azurerm_v3.86.0_x5: AzureRM Response for https://management.azure.com//subscriptions/---/resourceGroups/---/providers/Microsoft.Authorization/roleAssignments/4784b805-289d-ab96-6f2a-78bb93a15c4b?api-version=2020-04-01-preview: 
HTTP/2.0 400 Bad Request
Content-Length: 88
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Fri, 05 Jan 2024 09:37:45 GMT
Expires: -1
Pragma: no-cache
Set-Cookie: x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 5410145f-abbb-070e-3f41-15c946c1b3ee
X-Ms-Ratelimit-Remaining-Subscription-Writes: 1198
X-Ms-Request-Id: 449a55fe-cd84-42b2-9681-3137171e9633
X-Ms-Routing-Request-Id: FRANCESOUTH:20240105T093746Z:2d60aebc-57c9-4b16-acb8-5a54a188a0d8

{"error":{"code":"BadRequestFormat","message":"The request was incorrectly formatted."}}: timestamp="2024-01-05T10:37:49.734+0100"
2024-01-05T10:37:49.735+0100 [ERROR] provider.terraform-provider-azurerm_v3.86.0_x5: Response contains error diagnostic: diagnostic_summary="authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code=\"BadRequestFormat\" Message=\"The request was incorrectly formatted.\"" tf_resource_type=azurerm_role_assignment tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" tf_provider_addr=provider @module=sdk.proto tf_proto_version=5.4 tf_req_id=e0e6647f-e6e4-ccd5-480c-fa58c1afbe2e diagnostic_severity=ERROR timestamp="2024-01-05T10:37:49.735+0100"
2024-01-05T10:37:49.737+0100 [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-01-05T10:37:49.737+0100 [ERROR] vertex "azurerm_role_assignment.RA-RG-AI-DEVELOPER" error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequestFormat" Message="The request was incorrectly formatted."
2024-01-05T10:37:49.775+0100 [DEBUG] provider.terraform-provider-azurerm_v3.86.0_x5: AzureRM Response for https://management.azure.com//subscriptions/---/resourceGroups/rg-openai-cnv-demo-dev-002/providers/Microsoft.Authorization/roleAssignments/f5ef47de-1d53-3121-782d-01cac63d784f?api-version=2020-04-01-preview: 
HTTP/2.0 400 Bad Request
Content-Length: 88
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Fri, 05 Jan 2024 09:37:45 GMT
Expires: -1
Pragma: no-cache
Set-Cookie: x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 5410145f-abbb-070e-3f41-15c946c1b3ee
X-Ms-Ratelimit-Remaining-Subscription-Writes: 1198
X-Ms-Request-Id: 4be2437b-6400-4892-b218-0341aab02b4b
X-Ms-Routing-Request-Id: FRANCESOUTH:20240105T093746Z:eb5400d5-8505-44ba-aa47-8c02aa089806

Expected Behaviour

When adding the scope argument in the datasource the scope should be added to the role_definition_id. The role is created with the correct scope.

Actual Behaviour

╷
│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequestFormat" Message="The request was incorrectly formatted."
│
│ with azurerm_role_assignment.RA-RG-CONTRIBUTOR,
│ on role-assignment.tf line 1, in resource "azurerm_role_assignment" "RA-RG-CONTRIBUTOR":
│ 1: resource "azurerm_role_assignment" "RA-RG-CONTRIBUTOR" {
│
╵
╷

Steps to Reproduce

1. terraform apply

Reverting to 3.85.0 solves the issue as the datasource now includes the scope

Important Factoids

No response

References

No response

[magodo]

This seems to be a regression from #24320. @ziyeqf would you mind take a look at this?

[ziyeqf]

Hi @KoenR3, thanks for reporting.

I just submitted a PR (#24418) for this, you can subscribe it to keep track.

For any further question please leave comments.
Thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.