terraform-provider-azurerm: azurerm_pim_eligible_role_assignment 400 error when using null or empty schedule block

Is there an existing issue for this?

  • I have searched the existing issues

Terraform Version

1.5.3

AzureRM Provider Version

3.67.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

variable "teams" {
  type = map(object({
    team_name            = string
    location             = string
    Owner                = string
    TechnicalContact     = string
    SecurityGroup        = string
    DepartmentName       = string
    City                 = string
    ApplicationGroupType = string
    ApplicationType      = string
    LoadBalancerType     = string
    VDIType              = string
    MaximumSessions      = number
  }))
}

resource "azurerm_resource_group" "vdi-rg" {
  for_each = var.teams
  name     = "${each.value.team_name}-VDI"
  location = coalesce(each.value.location, each.key)
  tags = {
    Owner            = coalesce(each.value.Owner, each.key)
    TechnicalContact = coalesce(each.value.TechnicalContact, each.key)
    Location         = coalesce(each.value.City, each.key)
    DepartmentName   = coalesce(each.value.DepartmentName, each.key)
    TeamName         = coalesce(each.value.team_name, each.key)
  }
}

resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim" {
  for_each           = var.teams
  scope              = "/subscriptions/3f51eae4-8db3-468d-a09d-cb67d67630b4/resourceGroups/${azurerm_resource_group.vdi-rg[each.key].name}"
  role_definition_id = "/subscriptions/3f51eae4-8db3-468d-a09d-cb67d67630b4/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4"
  principal_id       = coalesce(each.value.SecurityGroup, each.key)

  timeouts {
    create = "10m"
    delete = "10m"
  }

  lifecycle {
    ignore_changes = [
      # Ignore changes to the schedule block. It won't take nulls as inputs and we assume that these PIM assignments are meant to live as long as the VDI environment.
      schedule
    ]
  }
}

Debug Output/Panic Output

{"error":{"code":"RoleAssignmentRequestPolicyValidationFailed","message":"The following policy rules failed: [\"ExpirationRule\"]"}}: timestamp=2023-08-01T14:39:22.604-0400
2023-08-01T14:39:22.604-0400 [ERROR] provider.terraform-provider-azurerm_v3.67.0_x5.exe: Response contains error diagnostic: tf_req_id=15f63ca5-4bae-bb46-8ed2-2225d57fce01 diagnostic_detail="waiting for Role Management Policy: (Principal Id "01b95094-3727-42de-9bfe-f1bd55734554" / Scope "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName" / Role Definition Id "/subscriptions/ourSubscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4") to be created: creating Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName"
Role Eligibility Schedule Request Name: "596b4579-6944-e996-1f2b-e1b5fbdcb67a"): unexpected status 400 with error: RoleAssignmentRequestPolicyValidationFailed: The following policy rules failed: ["ExpirationRule"]" diagnostic_severity=ERROR tf_proto_version=5.3 tf_provider_addr=provider tf_resource_type=azurerm_pim_eligible_role_assignment tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto diagnostic_summary="waiting for Role Management Policy: (Principal Id "01b95094-3727-42de-9bfe-f1bd55734554" / Scope "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName" / Role Definition Id "/subscriptions/ourSubscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4") to be created: creating Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName"
Role Eligibility Schedule Request Name: "596b4579-6944-e996-1f2b-e1b5fbdcb67a"): unexpected status 400 with error: RoleAssignmentRequestPolicyValidationFailed: The following policy rules failed: ["ExpirationRule"]" timestamp=2023-08-01T14:39:22.604-0400
2023-08-01T14:39:22.606-0400 [DEBUG] State storage *remote.State declined to persist a state snapshot
2023-08-01T14:39:22.606-0400 [ERROR] vertex "azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim[\"Team12\"]" error: waiting for Role Management Policy: (Principal Id "01b95094-3727-42de-9bfe-f1bd55734554" / Scope "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName" / Role Definition Id "/subscriptions/ourSubscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4") to be created: creating Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName"
Role Eligibility Schedule Request Name: "596b4579-6944-e996-1f2b-e1b5fbdcb67a"): unexpected status 400 with error: RoleAssignmentRequestPolicyValidationFailed: The following policy rules failed: ["ExpirationRule"]
2023-08-01T14:39:22.609-0400 [DEBUG] provider.terraform-provider-azurerm_v3.67.0_x5.exe: AzureRM Response for https://management.azure.com/subscriptions/ourSubscriptionGUID/resourceGroups/rgName/providers/Microsoft.DesktopVirtualization/workspaces/MTDJumpbox-workspace?api-version=2022-02-10-preview: 
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Tue, 01 Aug 2023 18:39:22 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/10.0
Set-Cookie: ARRAffinity=70e38c1ed72db5f7ffb204484a71ad78c423ea1a8a3bd749fefcc9c77560a9e4;Path=/;HttpOnly;Secure;Domain=rdarmprovider-g-us-r0.wvd.microsoft.com
Set-Cookie: ARRAffinitySameSite=70e38c1ed72db5f7ffb204484a71ad78c423ea1a8a3bd749fefcc9c77560a9e4;Path=/;HttpOnly;SameSite=None;Secure;Domain=rdarmprovider-g-us-r0.wvd.microsoft.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding,Accept-Encoding
X-Content-Type-Options: nosniff
X-Ms-Correlation-Id: 1d896bed-0d5a-45f7-ae79-c4d750973911
X-Ms-Correlation-Request-Id: 659d0fb3-bdf6-95a8-8b49-f1a84a113662
X-Ms-Lamport-Ts: 4474978300
X-Ms-Opsarmpath64: L3N1YnNjcmlwdGlvbnMvM2Y1MWVhZTQtOGRiMy00NjhkLWEwOWQtY2I2N2Q2NzYzMGI0L3Jlc291cmNlR3JvdXBzL01UREp1bXBib3gtVkRJL3Byb3ZpZGVycy9NaWNyb3NvZnQuRGVza3RvcFZpcnR1YWxpemF0aW9uL3dvcmtzcGFjZXMvTVRESnVtcGJveC13b3Jrc3BhY2U=
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11999
X-Ms-Request-Id: 15593fae-ccf4-4bc6-9040-2e4a9c4f28f8
X-Ms-Routing-Request-Id: EASTUS:20230801T183922Z:ec7d62d7-3fa1-45ab-bb1b-2d2983b2620c
X-Powered-By: ASP.NET
X-Rate-Limit-Limit: 0
X-Rate-Limit-Remaining: 9223372036854775807
X-Rate-Limit-Reset: 0

Expected Behaviour

Terraform should create an Azure AD PIM eligible role with no expiration date/time.

Actual Behaviour

Terraform throws an error:

│ Role Eligibility Schedule Request Name: "596b4579-6944-e996-1f2b-e1b5fbdcb67a"): unexpected status 400 with error: RoleAssignmentRequestPolicyValidationFailed: The following policy rules failed: ["ExpirationRule"]
│
│   with azurerm_pim_eligible_role_assignment.role-vdi-vmadminpim["Team12"],
│   on AzureVDI.tf line 56, in resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim":
│   56: resource "azurerm_pim_eligible_role_assignment" "role-vdi-vmadminpim" {
│
│ waiting for Role Management Policy: (Principal Id "01b95094-3727-42de-9bfe-f1bd55734554" / Scope "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName" / Role Definition Id
│ "/subscriptions/ourSubscriptionGUID/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4") to be created: creating Scoped Role Eligibility Schedule
│ Request (Scope: "/subscriptions/ourSubscriptionGUID/resourceGroups/rgName"
│ Role Eligibility Schedule Request Name: "596b4579-6944-e996-1f2b-e1b5fbdcb67a"): unexpected status 400 with error: RoleAssignmentRequestPolicyValidationFailed: The following policy rules failed:
│ ["ExpirationRule"]
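The 400 above is not a Terraform-side validation: Azure evaluates the eligibility request against the role management policy attached to that role and scope, and the policy's expiration rule for admin-created eligible assignments rejects a request that carries no expiration when the policy requires one (or one that exceeds the policy's maximum duration). The following added example, which is neither the reporter's configuration nor code from the azurerm provider, mirrors that check locally so the failing rule can be predicted before an apply. The policy excerpt is constructed: the rule id, ruleType and field names follow the shape of the Azure roleManagementPolicies API, the values and the request dataclass are assumptions made for the example.

```python
"""Pre-flight check mirroring PIM's ExpirationRule for eligible assignments (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of a role management policy: the single rule that governs
# how long an eligible assignment created by an administrator may last.
POLICY_RULES = [
    {
        "id": "Expiration_Admin_Eligibility",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "isExpirationRequired": True,   # the setting that rejects a null schedule
        "maximumDuration": "P365D",     # ISO 8601 duration (constructed value)
        "target": {"caller": "Admin", "level": "Eligibility"},
    },
]

# Same rule with "Allow permanent eligible assignment" enabled, for comparison.
PERMANENT_ALLOWED = [dict(POLICY_RULES[0], isExpirationRequired=False)]

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?)?$")


def duration_to_hours(iso: str) -> int:
    """Parse the subset of ISO 8601 durations PIM policies use: PnD, PTnH, PnDTnH."""
    m = _DURATION.match(iso)
    if not m or iso in ("P", "PT"):
        raise ValueError(f"unsupported duration: {iso!r}")
    days, hours = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours


@dataclass
class EligibilityRequest:
    """Assumed model of what the resource's schedule.expiration block sends.

    Both fields None means no expiration was requested, i.e. a permanent
    eligible assignment, which is what an omitted or null schedule amounts to.
    """
    duration_days: Optional[int] = None
    duration_hours: Optional[int] = None

    def requested_hours(self) -> Optional[int]:
        if self.duration_days is None and self.duration_hours is None:
            return None
        return (self.duration_days or 0) * 24 + (self.duration_hours or 0)


def failed_rules(rules: list, request: EligibilityRequest) -> list:
    """Return the rule names PIM would list in RoleAssignmentRequestPolicyValidationFailed.

    Only the admin/eligibility expiration rule is modelled; other rule types
    (approval, notification, enablement) are skipped untouched.
    """
    failures = []
    for rule in rules:
        if rule.get("ruleType") != "RoleManagementPolicyExpirationRule":
            continue
        target = rule.get("target", {})
        if target.get("caller") != "Admin" or target.get("level") != "Eligibility":
            continue
        wanted = request.requested_hours()
        if wanted is None:
            # Permanent request: allowed only when the policy does not require expiry.
            if rule.get("isExpirationRequired"):
                failures.append("ExpirationRule")
            continue
        if wanted > duration_to_hours(rule["maximumDuration"]):
            failures.append("ExpirationRule")
    return failures


if __name__ == "__main__":
    # Reproduces the reporter's situation: no schedule against a policy that requires one.
    print(failed_rules(POLICY_RULES, EligibilityRequest()))                  # ['ExpirationRule']
    # Two ways out: give the request an expiry within the maximum, or relax the policy.
    print(failed_rules(POLICY_RULES, EligibilityRequest(duration_days=180)))  # []
    print(failed_rules(PERMANENT_ALLOWED, EligibilityRequest()))              # []
```

The two passing cases correspond to the two remediations a practitioner has: populate the resource's schedule.expiration (duration_days, duration_hours or end_date_time) with a value within the policy's maximum, or change the role's PIM settings so that permanent eligible assignments are allowed, after which the request without an expiration is accepted. Ignoring the schedule block with lifecycle.ignore_changes does not help, because the policy is enforced on the create request itself.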

Steps to Reproduce

  1. Run terraform apply
  2. Error occurs

Important Factoids

No response

References

Possibly related to #22608 - that threw a 400 error but with different error text.

About this issue

  • State: open
  • Created a year ago
  • Reactions: 12
  • Comments: 22 (3 by maintainers)

Most upvoted comments

The issue still occurs in 3.68.

The issue is still occurring in 3.70.

Still occurring in 3.72.

Still occurring in 3.71.

@manicminer #23295 will support managing role policies.

Still a problem, will this be fixed in any upcoming releases?

Still occurring in 3.73. @manicminer could I trouble you for a rough idea on when this will be worked on?