role_definition has a permadiff when referencing a resource group in scope #8251

Open
chrisst opened this issue Aug 25, 2020 · 3 comments
Labels
service/roles upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR v/2.x (legacy)

Comments

@chrisst

chrisst commented Aug 25, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.29
provider.azurerm v2.24.0

Affected Resource(s)

  • azurerm_role_definition

Terraform Configuration Files

provider "azurerm" {
  version = "=2.24.0"
  features {}
}

resource "azurerm_resource_group" "main" {
  name     = "chrisst-resources"
  location = "centralus"
}

resource "azurerm_role_definition" "actuator" {
  name = "chrisst-role"
  # Setting to the resource group will result in a permanent diff.
  scope       = azurerm_resource_group.main.id
  description = "Permissions for the cluster-actuator to stand up a cluster"

  permissions {
    actions = [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Network/networkInterfaces/*",
      "Microsoft.Compute/virtualMachines/*",
      "Microsoft.Compute/disks/*",
    ]
    not_actions = []
  }

  assignable_scopes = [
    azurerm_resource_group.main.id,
  ]
}

Debug Output

output from the role_definition create
https://gist.github.com/chrisst/bb60c47e1bc53e4522caaa1da610ad29

Expected Behavior

I would expect that the resource group scope would apply and not cause a diff immediately after the apply.

Actual Behavior

The resource group doesn't get recorded in the scope variable; instead it just records the subscription id without the resource group appended. This then creates a diff, and Terraform tries to reapply that scope, recreating the resource.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurerm_role_definition.actuator must be replaced
-/+ resource "azurerm_role_definition" "actuator" {
        assignable_scopes  = [
            "/subscriptions/<guid1>/resourceGroups/chrisst-resources",
        ]
        description        = "Permissions for the cluster-actuator to stand up a cluster"
      ~ id                 = "/subscriptions/<guid1>/providers/Microsoft.Authorization/roleDefinitions/<guid2>" -> (known after apply)
        name               = "chrisst-role"
      ~ role_definition_id = "<guid2>" -> (known after apply)
      ~ scope              = "/subscriptions/<guid1>" -> "/subscriptions/<guid1>/resourceGroups/chrisst-resources" # forces replacement

      ~ permissions {
            actions          = [
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
                "Microsoft.Network/networkInterfaces/*",
                "Microsoft.Compute/virtualMachines/*",
                "Microsoft.Compute/disks/*",
            ]
          - data_actions     = [] -> null
            not_actions      = []
          - not_data_actions = [] -> null
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
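Added here as a plan-gating check, not code from the issue or the provider: it reads `terraform show -json` plan output and flags any azurerm_role_definition scheduled for destroy/create only because the read-back scope gained a narrower suffix, the pattern in the plan above. A destroy/create of a role definition is worth catching before apply, since the definition briefly disappears for anything assigned to it. The embedded plan document is a constructed, trimmed sample with placeholder GUIDs.

```python
import json

# Constructed sample: a trimmed `terraform show -json tfplan` document mirroring
# the plan in this issue. GUIDs are placeholders, not real identifiers.
SAMPLE_PLAN_JSON = """
{
  "format_version": "0.1",
  "resource_changes": [
    {
      "address": "azurerm_role_definition.actuator",
      "type": "azurerm_role_definition",
      "change": {
        "actions": ["delete", "create"],
        "before": {"name": "chrisst-role", "scope": "/subscriptions/<guid1>"},
        "after": {"name": "chrisst-role", "scope": "/subscriptions/<guid1>/resourceGroups/chrisst-resources"},
        "replace_paths": [["scope"]]
      }
    }
  ]
}
"""


def is_scope_suffix_drift(before_scope, after_scope):
    """True when `after` is `before` plus a narrower segment such as /resourceGroups/<rg>."""
    if not before_scope or not after_scope:
        return False
    before = before_scope.rstrip("/").lower()
    after = after_scope.rstrip("/").lower()
    return after.startswith(before + "/")


def find_role_definition_replacements(plan_json):
    """Return role definitions the plan will destroy/create because of scope drift."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_role_definition" or "delete" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("scope")
        after = (change.get("after") or {}).get("scope")
        # replace_paths lists the attribute paths that forced the replacement
        if ["scope"] in change.get("replace_paths", []) and is_scope_suffix_drift(before, after):
            findings.append({"address": rc["address"], "before": before, "after": after})
    return findings


if __name__ == "__main__":
    for f in find_role_definition_replacements(SAMPLE_PLAN_JSON):
        print(f"{f['address']}: scope {f['before']} -> {f['after']} forces destroy/create")
```

Feed it the output of `terraform plan -out tfplan && terraform show -json tfplan` in CI and fail the job when it returns findings, so the replacement is reviewed rather than applied blindly.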
@aeimer

aeimer commented Aug 28, 2020

Same here

@magodo magodo added the upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR label Aug 31, 2020
@vishnu-anil

vishnu-anil commented Sep 4, 2020

Same here. Every time I do an apply, the role definition gets recreated with the scope changing from "/subscriptions/xxxx" -> "/subscriptions/xxxx/resourceGroups/xxxx" even though there is no change made to the code. Any help please?

@BrendanThompson
Contributor

This same issue also occurs when one references an azurerm_management_group as the scope.
