Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Data source azurerm_role_definition doesn't export role_definition_id property anymore #24200

Closed
1 task done
frederic-peraud opened this issue Dec 12, 2023 · 2 comments · Fixed by #24211
Closed
1 task done

Comments

@frederic-peraud
Copy link

frederic-peraud commented Dec 12, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.4

AzureRM Provider Version

3.84

Affected Resource(s)/Data Source(s)

datasource azurerm_role_definition

Terraform Configuration Files

provider "azurerm" {

  subscription_id            = "sub_id"
  skip_provider_registration = true
  features {}
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 3.84"
    }
  }
  required_version = "~> 1.4"
  experiments      = [module_variable_optional_attrs]
}

locals {
  rbacs = {
    "sp_lcz_custom_privatelink_contributor" = {
      object_id = data.azuread_service_principal.sp.object_id
      role_id   = data.azurerm_role_definition.custom-role.id
    }
  }

  role_definition_id = {
    for k, v in data.azurerm_role_definition.role :
    k => length(split("/", v.id)) == 1 ? format("%s/providers/Microsoft.Authorization  /roleDefinitions/%s", data.azurerm_subscription.current.id, v.id) : v.id
  }
}

data "azurerm_role_definition" "custom-role" {
  name  = "Custom_PrivateLink_Contributor"
  scope = data.azurerm_subscription.current.id
}

# https://github.com/hashicorp/terraform-provider-azurerm/issues/11172
data "azurerm_role_definition" "role" {
  for_each = local.rbac

  role_definition_id = each.value.role_id != null ? length(split("/", each.value.role_id)) > 1 ? split("/", each.value.role_id)[length(split("/", each.value.role_id)) - 1] : each.value.role_id : null


  scope = data.azurerm_subscription.current.id
}

resource "azurerm_role_assignment" "rbac_on_rg" {
  for_each = local.rbac

  scope = azurerm_resource_group.rg.id

  role_definition_id = local.role_definition_id[each.key]
  principal_id       = each.value.object_id
}

Debug Output/Panic Output

╷
│ Error: expected "role_definition_id" to be a valid UUID, got
│
│   with module.rg_ic.data.azurerm_role_definition.role["sp_lcz_custom_privatelink_contributor"],
│   on ../data.tf line 9, in data "azurerm_role_definition" "role":
│    9:   role_definition_id = each.value.role_id != null ? length(split("/", each.value.role_id)) > 1 ? split("/", each.value.role_id)[length(split("/", each.value.role_id)) - 1] : each.value.role_id : null
│
╵

Expected Behaviour

The role_definition_id property from datasource azurerm_role_definition should be readable.

# module.rg_ic.azurerm_role_assignment.rbac_on_rg["sp_lcz_custom_privatelink_contributor"] will be created
  + resource "azurerm_role_assignment" "rbac_on_rg" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "3dbe2475-5e45-448e-883f-efe110df69a5"
      + principal_type                   = (known after apply)
      + role_definition_id               = "/subscriptions/9783655a-7251-425b-997b-aa9bddf14084/providers/Microsoft.Authorization/roleDefinitions/a4020c90-1a6f-43c4-b17e-d42692729202"
      + role_definition_name             = (known after apply)
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

Actual Behaviour

The datasource azurerm_role_definition has been rework last week but it doesn't appear in the CHANGELOG.

7c1a305

It sounds like the role_definition_id property is not exported since and cannot be used.

Steps to Reproduce

terraform init

terraform plan

terraform apply

Important Factoids

No response

References

No response

@frederic-peraud frederic-peraud changed the title Data source azurerm_role_definition doesn't export role_deinition_id property anymore Data source azurerm_role_definition doesn't export role_definition_id property anymore Dec 12, 2023
@sinbai
Copy link
Contributor

sinbai commented Dec 13, 2023

Hi @frederic-peraud thanks for opening this issue. PR has been submitted to fix this issue. Could you please follow if for more updates?

@github-actions github-actions bot added this to the v3.85.0 milestone Dec 13, 2023
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
2 participants