Fixing destroy when role scope is a Management Group #6107
Conversation
cmendible
force-pushed
the
fix-role-definition
branch
from
c7884b7 to
935e683
Compare
There was a problem hiding this comment.
Hi @cmendible, thank you for this fix
I was wondering if you could add a test that fails without it, and passes with the change so we can ensure it doesn't fail in the future.
Also what is the ID of the role definition when it is scoped to a management group? doesn't it start with the group and then finish with the scope?
katbyte
added
service/policy
waiting-response
service/authentication
bug
and removed
service/policy
labels
|
Hi @katbyte no problem I'll add the tests and come back to you with sample IDs |
|
@katbyte when roles are scoped to a management group, the ID takes the following form:
so the scope can not be extracted from it and therefore we must be read the assignable_scopes property. |
azurerm/internal/services/authorization/tests/resource_arm_role_definition_test.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Getting an error running the test @cmendible :
------ Stdout: -------
=== RUN TestAccAzureRMRoleDefinition_managementGroup
=== PAUSE TestAccAzureRMRoleDefinition_managementGroup
=== CONT TestAccAzureRMRoleDefinition_managementGroup
--- FAIL: TestAccAzureRMRoleDefinition_managementGroup (7.72s)
testing.go:640: Step 0 error: errors during apply:
Error: Error checking for presence of existing Role Definition ID for "acctestrd-200325225805475020" (Scope "/providers/Microsoft.Management/managementGroups/testMG")
on /opt/teamcity-agent/temp/buildTmp/tf-test132856266/main.tf line 10:
(source code not available)
Sorry about that, the management group must exist before the test runs. Is there a place where we can create this dependency before running the tests or should I embed the management group creation inside the |
cmendible
force-pushed
the
fix-role-definition
branch
from
91e7fbe to
a17632b
Compare
|
@katbyte just added the management group to the test. |
|
Hi @katbyte any news on this one? |
cmendible
force-pushed
the
fix-role-definition
branch
from
c0ef8f3 to
a612fe2
Compare
|
Big organisations use Management-Groups to manage Azure Policy and Custom-Roles definitions, this is really needed. Thanks. |
|
I have the same problem. It would really be helpful for Azure-Terraform interactions regarding Management Groups. |
jackofallops
force-pushed
the
fix-role-definition
branch
from
a612fe2 to
0233066
Compare
azurerm/internal/services/authorization/role_definition_resource.go
Outdated
Show resolved
Hide resolved
|
Tests passing, (failures unrelated) |
|
This has been released in version 2.27.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.27.0"
}
# ... other configuration ... |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked as resolved and limited conversation to collaborators
Fixes #5125: When using azurerm_role_definition to create a role scoped to a Management Group instead to a Subscription or Resource Group,
terraform destroyfailed cause the scope sent to the API was empty.This was caused by the parseRoleDefinitionId function which asumes that every roleDefinitionId starts with the scope which is not the case for Roles scoped to a Management Group.