Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_pim_eligible_role_assignment does not get destroyed when removed #23672

Open
1 task done
MohnJadden opened this issue Oct 24, 2023 · 1 comment
Open
1 task done

azurerm_pim_eligible_role_assignment does not get destroyed when removed #23672

MohnJadden opened this issue Oct 24, 2023 · 1 comment
Labels
service/authorization v/3.x

Comments

@MohnJadden
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.3

AzureRM Provider Version

3.77.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

resource "azurerm_resource_group" "vdi-rg" {
  for_each = var.teams
  name     = "${each.value.teamName}-VDI"
  location = coalesce(each.value.location, each.key)
}

resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim" {
    for_each             = var.teams
  scope                = "/subscriptions/3f51eae4-8db3-468d-a09d-cb67d67630b4/resourceGroups/${azurerm_resource_group.vdi-rg[each.key].name}"
  role_definition_id = "/subscriptions/3f51eae4-8db3-468d-a09d-cb67d67630b4/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4"
  principal_id       = coalesce(each.value.securityGroup, each.key)
justification = "initial PIM config"

  schedule {
    start_date_time = "2023-10-19T17:00:00Z"
    expiration {
      end_date_time = "2024-10-02T17:22:00Z"
    }
  }
}

The auto.tfvars file has one map key commented out, which is targeted for destruction, while others are uncommented and thus remain as normal:


Team11 = {
    "maximumSessions": "999999",
    "applicationGroupType": "Desktop",
    "departmentName": "IT - Support",
    "city": "NY",
    "loadBalancerType": "Persistent",
    "securityGroup": "AnotherGUID",
    "applicationType": "Desktop",
    "teamName": "SmallerTeam",
    "location": "eastus",
    "technicalContact": "ContactX,",
    "owner": "OwnerY,",
    "vdiType": "Personal",
    "autoShutdownEnable":"false"
}

#   Team13 = {
#     "teamName": "BigTeam-Pooled",
#     "departmentName": "Data",
#     "city": "NY",
#     "location": "eastus",
#     "technicalContact": "personX,",
#     "owner": "personY,",
#     "securityGroup": "GUIDHere",
#     "applicationGroupType": "Desktop",
#     "vdiType": "Pooled",
#     "applicationType": "Desktop",
#     "maximumSessions": 2,
#    "loadBalancerType": "DepthFirst", 
#    "autoShutdownEnable":"true",
#    autoShutdown={
#    "businessHoursStart":"08:00:00",
#    "businessHoursEnd":"20:00:00"}
#  }

Debug Output/Panic Output

There's no debug or panic - if I comment out the index key and its properties in auto.tfvars, we see no azurerm_pim_eligible_role_assignment get checked by the state, but we see it for the other index key mentioned above (along with all other index keys where the eligible role assignment was successfully created by Terraform):

azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team11"]: Refreshing state... [id=/subscriptions/ourSubscriptionGUID/resourceGroups/EandY-VDI|/subscriptions/ourSubscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4|AnotherGUID]

Expected Behaviour

Terraform should have removed the PIM role assignment. If we uncomment the index key and run terraform plan or apply, it should create the role assignment.

Actual Behaviour

Terraform does not do anything regarding the role assignment. If I uncomment the Team13 index key and run terraform plan or apply it throws an error that the resource already exists and should be imported, but importing is broken - see #23657 and #23366 for details.

Steps to Reproduce

  1. Run terraform apply with the index key commented out
  2. Uncomment the index key
  3. Run terraform apply

Important Factoids

No response

References

I have to manually remove the PIM eligible role assignment to re-create it and allow it to be destroyed normally.
@MohnJadden MohnJadden mentioned this issue Oct 24, 2023
Closed
1 task
@MohnJadden MohnJadden mentioned this issue Dec 5, 2023
Closed
1 task
@TeamDman
Copy link

This seems like expected behaviour - because the resource hasn't been imported, terraform doesn't know to destroy it when it's commented out and it suggests to create it (but fails because it exists) when uncommented.

The import problem is being more actively discussed in #23111

This would be a duplicate I imagine

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
service/authorization v/3.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TeamDman @MohnJadden