azurerm_builtin_role_definition Incorrectly destroys and creates a role assignment (forces new resource) instead of noop. #1726
Comments
Hello, I had faced a similar issue. Instead of using role_definition_id, I used role_definition_name and it did work fine. Please try that solution. Thanks.
@reddyed > Yes, I am aware of the workaround. I opened the bug as my customer has a lot of code with role_definition_id in them. Not a biggie but opened the bug in case others are affected by it too.
To clarify this bug, When you fetch the this passed to which generates a plan like
You can work around this, less than ideally, like

```hcl
data "azurerm_client_config" "current" {}

locals {
  subscription_id = "${data.azurerm_client_config.current.subscription_id}"
}

resource "azurerm_role_assignment" "aks-Owner" {
  scope = "${azurerm_resource_group.aks-kubedev-shared-rg.id}"

  # NOTE: No slash '/' between the two vars as the one returned by azurerm_builtin_role_definition has a leading slash
  role_definition_id = "/subscriptions/${local.subscription_id}${data.azurerm_builtin_role_definition.ManiOwner.id}"
  principal_id       = "a9eae191-1c79-4341-a5bc-321a4c124db6"
}
```

This is similar to the issue reported in #1972
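An added example, not part of the comment above or of the provider's code: a Python check that scans plan text for `role_definition_id` diffs that force a new resource and reports those where the old and new values name the same role definition and differ only by the `/subscriptions/<id>` prefix that the workaround adds by hand. The plan lines, their assumed shape, the all-zero subscription ID, the resource name `other` and the function names are constructed for illustration.

```python
import re

# Role definition ID, with or without the leading subscription scope.
ROLE_DEF_RE = re.compile(
    r"^(?:/subscriptions/(?P<sub>[0-9a-f-]{36}))?"
    r"/providers/Microsoft\.Authorization/roleDefinitions/(?P<role>[0-9a-f-]{36})$",
    re.IGNORECASE,
)
# Assumed plan line shape: role_definition_id: "old" => "new" (forces new resource)
DIFF_RE = re.compile(
    r'^\s*role_definition_id:\s+"(?P<old>[^"]*)"\s+=>\s+"(?P<new>[^"]*)"'
    r"(?P<force>\s+\(forces new resource\))?"
)

def same_role(old, new):
    """True if both IDs name one role definition and their scopes do not conflict."""
    a, b = ROLE_DEF_RE.match(old), ROLE_DEF_RE.match(new)
    if not a or not b or a["role"].lower() != b["role"].lower():
        return False
    subs = {m["sub"].lower() for m in (a, b) if m["sub"]}
    return len(subs) <= 1  # a missing prefix is compatible with any one subscription

def spurious_replacements(plan_text):
    """Return (old, new) pairs where a forced replacement only changes the ID's form."""
    hits = []
    for line in plan_text.splitlines():
        m = DIFF_RE.match(line)
        if m and m["force"] and same_role(m["old"], m["new"]):
            hits.append((m["old"], m["new"]))
    return hits

# Constructed sample input: placeholder subscription, built-in Owner and Contributor GUIDs.
SUB = "00000000-0000-0000-0000-000000000000"
ROLES = "/providers/Microsoft.Authorization/roleDefinitions/"
OWNER = ROLES + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR = ROLES + "b24988ac-6180-42a0-ab88-20f7382dd24c"
SAMPLE_PLAN = f'''
-/+ azurerm_role_assignment.aks-Owner (new resource required)
      role_definition_id: "/subscriptions/{SUB}{OWNER}" => "{OWNER}" (forces new resource)
-/+ azurerm_role_assignment.other (new resource required)
      role_definition_id: "/subscriptions/{SUB}{OWNER}" => "/subscriptions/{SUB}{CONTRIBUTOR}" (forces new resource)
'''

if __name__ == "__main__":
    for old, new in spurious_replacements(SAMPLE_PLAN):
        print("no-op replacement:", old, "=>", new)
```

Only the first constructed assignment is reported; the second changes the role itself and is a real replacement that needs review.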
I suggest the same workaround here: #4847 (comment)
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform Version
v.0.11.7
Affected Resource(s)
Terraform Configuration Files
main.tf
Debug Output
Panic Output
Expected Behavior
terraform plan should do a noop right after a terraform apply (i.e. config == state == reality)
Actual Behavior
terraform plan does a (forces new resource) with:
Plan: 1 to add, 0 to change and 1 to destroy.
The issue occurs only while using role_definition_id i.e.
terraform apply destroys the role assignment and then adds it again.
Steps to Reproduce
terraform plan
terraform apply
terraform plan
Important Factoids
uncomment the line
role_definition_name = "Owner"
and comment out the line with: role_definition_id = "${data.azurerm_builtin_role_definition.ManiOwner.id}"
and the issue does not affect if one uses role_definition_name
References
azurerm_builtin_role_definition