
azurerm_pim_eligible_role_assignment throws an invalid ARM resource scope error when assigning to resource group #22608

Open
MohnJadden opened this issue Jul 19, 2023 · 5 comments

Comments

@MohnJadden

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.3

AzureRM Provider Version

3.65.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

variable "teams" {
  type = map(object({
    team_name            = string
    location             = string
    Owner                = string
    TechnicalContact     = string
    SecurityGroup        = string
    DepartmentName       = string
    City                 = string
    ApplicationGroupType = string
    ApplicationType      = string
    LoadBalancerType     = string
    VDIType              = string
    MaximumSessions      = number
  }))
}

resource "azurerm_resource_group" "test-vdi-rg" {
  for_each = var.teams
  name     = "${each.value.team_name}-VDI"
  location = coalesce(each.value.location, each.key)
  tags = {
    Owner            = coalesce(each.value.Owner, each.key)
    TechnicalContact = coalesce(each.value.TechnicalContact, each.key)
    Location         = coalesce(each.value.City, each.key)
    DepartmentName   = coalesce(each.value.DepartmentName, each.key)
  }
}
resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim" {
  for_each           = var.teams
  scope              = "/subscriptions/mySubscriptionGUID/resourceGroups/${azurerm_resource_group.test-vdi-rg[each.key].name}"
  role_definition_id = "Virtual Machine Administrator Login"
  principal_id       = coalesce(each.value.SecurityGroup, each.key)
}

Debug Output/Panic Output

Debug output is at https://gist.github.com/MohnJadden/6860f1fce6dc7b0223900d4f798ba961

Expected Behaviour

An Azure AD PIM eligible role should be created at the resource group level so that the securityGroup from the tfvars is assigned VM Admin Login permissions only at that resource group level.

Actual Behaviour

I receive the following error:

│ Error: listing role assignments on scope Role Management Policy: (Principal Id "a2b70160-0238-40f6-bf10-cd222ef2e743" / Scope "/subscriptions/mySubscriptionGUID/resourceGroups/resourceGroup-VDI/" / Role Definition Id "Virtual Machine Administrator Login"): loading results: unexpected status 400 with error: InvalidARMRequest: Invalid ARM resource scope

│ with azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team9"],
│ on testVDI.tf line 44, in resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim":
│ 44: resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim" {

Steps to Reproduce

  1. Run terraform apply
  2. Say yes and let the apply run
  3. The error is thrown, all other resources apply successfully

Important Factoids

No response

References

Seems very similar to #22513

@davidng1996

davidng1996 commented Jul 20, 2023

I believe you are supposed to use the resource id of the role definition. It should be in this format: "/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionID>"

You can get the resource id by using:

data "azurerm_subscription" "primary" {}

# Needed for the object_id referenced below
data "azurerm_client_config" "example" {}

data "azurerm_role_definition" "example" {
  name = "Virtual Machine Administrator Login"
}

resource "azurerm_pim_eligible_role_assignment" "example" {
  # <resourceGroupID> is the resource group name segment of the scope
  scope              = "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupID>"
  role_definition_id = "${data.azurerm_subscription.primary.id}${data.azurerm_role_definition.example.id}"
  principal_id       = data.azurerm_client_config.example.object_id
}

@MohnJadden
Author

MohnJadden commented Jul 20, 2023

I'm not sure if the scope argument = the originating scope of the role definition resource ID makes sense.

The scope in anything else dealing with IAM is the level at which the permission should apply. In this use case, we only want users in certain resource groups to have rights to log on as admins to VMs within their resource group. If we can only scope this at the subscription level, then we'd be granting users the rights to log on as admins to an entire Azure subscription - that's a pretty huge security issue.

That said, the azurerm_pim_active_role_assignment documentation doesn't specify what the scope means. The way I read it is that the role definition ID is either the name or resource ID of the role that we want to assign. Since PIM can apply to both Azure AD roles (which have no real tie-in to Azure resources) and Azure resource roles (which have no real tie-in to Azure AD) it seems like we should be able to specify the scope by AAD tenant ID, subscription ID, resource group ID, or even individual resource IDs.

@davidng1996

@MohnJadden yea you are right regarding the scope argument. That's a copy-and-paste error from my side. I have updated my previous comment.

For role_definition_id, have you tried the resource ID method? I am able to assign the scope to subscription, rg, and individual resource level.

@MohnJadden
Author

I did, and the original nil error still persists. Even if I comment out the offending team in the tfvars file, the error persists - it's like something in the state is hung up somewhere or something like that.

@EricManseau

EricManseau commented Jan 8, 2024

I was running into the same issue with PowerShell using New-AzRoleEligibilityScheduleRequest. Finally, I had to provide the following value for the Role Definition Id, reusing the previous example with the subscription as the target scope for the role eligibility schedule:

$scopeId/providers/Microsoft.Authorization/roleDefinitions/$roleDefId

where:

  • $scopeId is the resource group id, "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupID>"
  • $roleDefId is the role definition id, the role definition GUID retrieved from the role definition for Reader, in my case using Get-AzRoleDefinition
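Putting the two suggestions above together for the reporter's resource-group case, here is a corrected version of the original configuration, added as an illustration rather than code from the issue or the provider docs. It assumes the `var.teams` and `azurerm_resource_group.test-vdi-rg` declarations from the original post, and the `justification`, `schedule` and `lifecycle.precondition` arguments are assumed from Terraform 1.5 and the azurerm provider's documented schema.

```hcl
# Added example (not code from the issue or the provider docs): the
# reporter's resource-group assignment with role_definition_id built as
# "<scope>/providers/Microsoft.Authorization/roleDefinitions/<guid>",
# the format the later comments describe. Assumes var.teams and
# azurerm_resource_group.test-vdi-rg from the original configuration.

data "azurerm_role_definition" "vm_admin_login" {
  # Built-in role; with no scope set, the data source id is
  # "/providers/Microsoft.Authorization/roleDefinitions/<guid>"
  name = "Virtual Machine Administrator Login"
}

resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim" {
  for_each = var.teams

  # The scope is the resource group resource id itself, so the eligible
  # assignment never extends beyond that team's resource group.
  scope = azurerm_resource_group.test-vdi-rg[each.key].id

  # Full ARM id of the role definition, rooted at the assignment scope,
  # in place of the bare role name that produced "Invalid ARM resource scope".
  role_definition_id = "${azurerm_resource_group.test-vdi-rg[each.key].id}${data.azurerm_role_definition.vm_admin_login.id}"

  principal_id  = coalesce(each.value.SecurityGroup, each.key)
  justification = "VM admin login eligibility for ${each.value.team_name}"

  # Time-bound eligibility; activation still has to be requested through PIM.
  schedule {
    expiration {
      duration_days = 365
    }
  }

  lifecycle {
    # Guard against a scope that is not exactly one resource group (for
    # example the subscription, or an id carrying a trailing slash as in
    # the error text), which would widen or break the assignment.
    precondition {
      condition     = can(regex("^/subscriptions/[^/]+/resourceGroups/[^/]+$", azurerm_resource_group.test-vdi-rg[each.key].id))
      error_message = "PIM scope must be a single resource group id without a trailing slash."
    }
  }
}
```

`terraform plan` fails the precondition before any API call if a scope does not match, which is the check to run before trusting an apply that reports success for every team.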
