terraform-provider-azurerm: Error in azurerm_role_assignment
In this code

```hcl
resource "azurerm_role_assignment" "role_assignment_name" {
  scope                = var.rbac_scope_id
  role_definition_name = var.rbac_role_name
  principal_id         = var.principal_id
}
```
I'm getting this error

```text
2021-06-04T09:34:10.3860839Z Error: Provider produced inconsistent result after apply
2021-06-04T09:34:10.3861369Z
2021-06-04T09:34:10.3861847Z When applying changes to
2021-06-04T09:34:10.3862760Z module.provision_keyvaults[0].module.kv_create["pwd-002"].module.kv_roles_aadgroups["Contributor"].module.rbac-assign-aadgroup-by-role-name.azurerm_role_assignment.role_assignment_name,
2021-06-04T09:34:10.3863640Z provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced
2021-06-04T09:34:10.3864333Z an unexpected new value: Root resource was present, but now absent.
2021-06-04T09:34:10.3864899Z
2021-06-04T09:34:10.3865489Z This is a bug in the provider, which should be reported in the provider's
2021-06-04T09:34:10.3866035Z own issue tracker.
```
providers.tf

```hcl
provider "azurerm" {
  alias           = "main"
  tenant_id       = var.tenant_id
  subscription_id = var.providers_azurerm["main"].subscription_id
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = true
    }
  }
}

provider "azurerm" {
  tenant_id       = var.tenant_id
  subscription_id = var.providers_azurerm["subscription"].subscription_id
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = true
    }
  }
}
```
If more files are needed, just ask. (Attachment: RawTF.TXT)
About this issue
- State: closed
- Created 3 years ago
- Reactions: 56
- Comments: 26 (4 by maintainers)
Commits related to this issue
- Lock azurerm version because of bug introduced in latest https://github.com/terraform-providers/terraform-provider-azurerm/issues/12060 — committed to michaelbaranov/docker-examples by michaelbaranov 3 years ago
- `azurerm_role_assignment`: Fix assignments to resources (#12076) Fixes #12074 Fixes #12060 Fixes #12057 Fixes #12079 Fixes #12078 Fixes #12087 Related to/similar for [go-azure-helpers](h... — committed to hashicorp/terraform-provider-azurerm by aristosvo 3 years ago
- sdkv2 shim - firewall (#11941) sdkv2 shim - storage (#11952) Fix app service ase name check (#11891) Add note to avoid conflicts when enabling AGIC (#11954) update dependencies: vendoring the gen... — committed to yupwei68/terraform-provider-azurerm by favoretti 3 years ago
- `azurerm_role_assignment`: Fix assignments to resources (#12076) Fixes #12074 Fixes #12060 Fixes #12057 Fixes #12079 Fixes #12078 Fixes #12087 Related to/similar for [go-azure-helpers](h... — committed to yupwei68/terraform-provider-azurerm by aristosvo 3 years ago
The fix PR is already out there (https://github.com/terraform-providers/terraform-provider-azurerm/pull/12076), I’ve mentioned it in the contributors Slack channel already.
The best way to show the importance of this issue is by adding a 👍!
We have a similar issue.

After upgrading from `2.61.0` to `2.62.0`, `terraform plan` reported that our `azurerm_role_assignment` was deleted, so then it will attempt to create it. When attempting to create it, obviously it failed because the role assignment already exists. I have tried importing the `azurerm_role_assignment` as per https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment using `terraform import "{resourceId}|{scope}"`. The command fails with both 2.61.0 and 2.62.0.

2.61.0 error:

```text
Error: Error loading Role Assignment "...": authorization.RoleAssignmentsClient#GetByID: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="NoRegisteredProviderFound" Message="No registered resource provider found for location 'northeurope' and API version '2020-04-01-preview' for type 'virtualNetworks'. The supported api-versions are '2014-12-01-preview, 2015-05-01-preview, 2015-06-15, 2016-03-30, 2016-06-01, 2016-07-01, 2016-08-01, 2016-09-01, 2016-10-01, 2016-11-01, 2016-12-01, 2017-03-01, 2017-04-01, 2017-06-01, 2017-08-01, 2017-09-01, 2017-10-01, 2017-11-01, 2018-01-01, 2018-02-01, 2018-03-01, 2018-04-01, 2018-05-01, 2018-06-01, 2018-07-01, 2018-08-01, 2018-10-01, 2018-11-01, 2018-12-01, 2019-02-01, 2019-04-01, 2019-06-01, 2019-07-01, 2019-08-01, 2019-09-01, 2019-11-01, 2019-12-01, 2020-01-01, 2020-03-01, 2020-04-01, 2020-05-01, 2020-06-01, 2020-07-01, 2020-08-01, 2020-11-01, 2021-01-01, 2021-02-01'. The supported locations are 'westus, eastus, northeurope, westeurope, eastasia, southeastasia, northcentralus, southcentralus, centralus, eastus2, japaneast, japanwest, brazilsouth, australiaeast, australiasoutheast, centralindia, southindia, westindia, canadacentral, canadaeast, westcentralus, westus2, ukwest, uksouth, koreacentral, koreasouth, francecentral, australiacentral, southafricanorth, uaenorth, switzerlandnorth, germanywestcentral, norwayeast, westus3, jioindiawest'."
```

2.62.0 error:

```text
Error: Error loading Role Assignment "...": authorization.RoleAssignmentsClient#GetByID: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UnsupportedQuery" Message="'tenantId' query parameter '/subscriptions/***/resourceGroups/dev-rg/providers/Microsoft.Network/virtualNetworks/dev-vnet' must be a well formed Guid and it can be used only in case of a cross tenant request."
```

At the moment we are stuck. We're going to try to use older versions as well until we manage to import the resource.

Take a look at this error message from our key-vault role assignment.

The read resource id used is

```text
//subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Authorization/roleAssignments/<redacted>
```

But if you look closely at the error message, the correct resource id should've been

```text
/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.KeyVault/vaults/<redacted>/providers/Microsoft.Authorization/roleAssignments/<redacted>
```

The id used in the read call is `parse.RoleAssignmentID(d.Id())`, whereas the id used in the `log.Printf` error is `d.Id()`. So the issue must lie with the `parse.RoleAssignmentID` function not accounting for resource-level role assignments.

- https://github.com/terraform-providers/terraform-provider-azurerm/commit/359ce785f07ac90f98a0cc02809b05b395d966a4#diff-e833946cd56e23570e9a158d4978664d4665f6d8cb0c1851e3873054a9f67a83L222
- https://github.com/terraform-providers/terraform-provider-azurerm/commit/359ce785f07ac90f98a0cc02809b05b395d966a4#diff-e833946cd56e23570e9a158d4978664d4665f6d8cb0c1851e3873054a9f67a83R247
- https://github.com/terraform-providers/terraform-provider-azurerm/commit/359ce785f07ac90f98a0cc02809b05b395d966a4#diff-e833946cd56e23570e9a158d4978664d4665f6d8cb0c1851e3873054a9f67a83R254

Since we didn't manage to import the resource, we ended up deleting it. We then pinned azurerm to version `2.61.0`, which recreated the `azurerm_role_assignment` successfully. For now we'll stick to version `2.61.0`.

I am experiencing the exact same thing. This was working as expected in version 2.61.0 of the provider, but it looks like 2.62.0 somehow introduces this bug.
Using Terraform v 0.15.4 and azurerm v 2.62.0.
First this error happens, then the role assignment does not go into the terraform state. Subsequent runs complain that the resource already exists, as the role assignment is created but not recorded in tfstate.
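The comment above about `parse.RoleAssignmentID` not accounting for resource-level role assignments (a scope of `/providers/Microsoft.KeyVault/vaults/...` collapsing to `//subscriptions/...`) comes down to how an ARM extension-resource ID is split into scope and name. The following Go program is an added example, not code from this thread or from the azurerm provider: it puts a deliberately narrow, resource-group-only parser beside a general one that accepts any scope, adds a builder that can never emit a leading `//`, and adds a helper for the `{resourceId}|{scope}` form the registry docs give for `terraform import`. All subscription and assignment GUIDs, the key-vault path and the function names are constructed for the example; the narrow parser illustrates the class of defect and is not a copy of the provider's real code.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Role assignments are ARM extension resources: their ID is the ID of the scope
// they are attached to, followed by this fixed segment and the assignment GUID.
// The scope may be a management group, a subscription, a resource group or any
// individual resource (a key vault, a log analytics workspace, ...).
const roleAssignmentSegment = "/providers/Microsoft.Authorization/roleAssignments/"

// Role assignment names are GUIDs (8-4-4-4-12 hex groups).
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// RoleAssignmentID holds the two parts a Read needs: the scope and the name.
type RoleAssignmentID struct {
	Scope string
	Name  string
}

// parseResourceGroupLevelOnly is a constructed illustration of the defect class
// discussed in the thread: it assumes every assignment sits directly under a
// resource group and rebuilds the scope from the first four path segments,
// silently dropping any resource path that sits before the roleAssignments segment.
func parseResourceGroupLevelOnly(id string) (RoleAssignmentID, error) {
	parts := strings.Split(strings.Trim(id, "/"), "/")
	if len(parts) < 8 || !strings.EqualFold(parts[0], "subscriptions") || !strings.EqualFold(parts[2], "resourceGroups") {
		return RoleAssignmentID{}, fmt.Errorf("unexpected role assignment ID %q", id)
	}
	return RoleAssignmentID{
		Scope: "/" + strings.Join(parts[:4], "/"), // wrong for resource-level assignments
		Name:  parts[len(parts)-1],
	}, nil
}

// ParseRoleAssignmentID handles assignments at any scope: it locates the LAST
// roleAssignments segment (case-insensitively, since ARM IDs are) and keeps
// everything before it as the scope, verbatim.
func ParseRoleAssignmentID(id string) (RoleAssignmentID, error) {
	if !strings.HasPrefix(id, "/") || strings.HasPrefix(id, "//") {
		return RoleAssignmentID{}, fmt.Errorf("role assignment ID %q must start with exactly one '/'", id)
	}
	idx := strings.LastIndex(strings.ToLower(id), strings.ToLower(roleAssignmentSegment))
	if idx < 0 {
		return RoleAssignmentID{}, fmt.Errorf("role assignment ID %q lacks the %s segment", id, roleAssignmentSegment)
	}
	scope := id[:idx]
	if scope == "" {
		scope = "/" // tenant root scope
	}
	name := id[idx+len(roleAssignmentSegment):]
	if !guidRe.MatchString(name) {
		return RoleAssignmentID{}, fmt.Errorf("role assignment name %q is not a GUID", name)
	}
	return RoleAssignmentID{Scope: scope, Name: name}, nil
}

// ID rebuilds the resource ID with exactly one separator, so a scope of "/" or
// a scope carrying a trailing slash can never produce a "//subscriptions/..." ID.
func (r RoleAssignmentID) ID() string {
	return strings.TrimSuffix(r.Scope, "/") + roleAssignmentSegment + r.Name
}

// ParseImportID splits the "{resourceId}|{scope}" form used with terraform import
// and rejects an import whose explicit scope disagrees with the scope embedded
// in the resource ID.
func ParseImportID(importID string) (RoleAssignmentID, error) {
	parts := strings.SplitN(importID, "|", 2)
	parsed, err := ParseRoleAssignmentID(parts[0])
	if err != nil {
		return RoleAssignmentID{}, err
	}
	if len(parts) == 2 && !strings.EqualFold(strings.TrimSuffix(parts[1], "/"), strings.TrimSuffix(parsed.Scope, "/")) {
		return RoleAssignmentID{}, fmt.Errorf("scope %q does not match the scope embedded in %q", parts[1], parts[0])
	}
	return parsed, nil
}

func main() {
	// Constructed sample: an assignment attached to a key vault (all GUIDs are placeholders).
	const kvAssignment = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/example-kv/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"
	narrow, _ := parseResourceGroupLevelOnly(kvAssignment)
	general, _ := ParseRoleAssignmentID(kvAssignment)
	fmt.Println("narrow scope: ", narrow.Scope)  // ends at example-rg: the vault path is lost
	fmt.Println("general scope:", general.Scope) // ends at vaults/example-kv
}
```

The practical check this gives a defender is a round trip: `ParseRoleAssignmentID(id).ID()` must equal the `id` the API returned, for assignments at every scope your state contains. A parser that passes that test for resource-group assignments but not for key-vault or workspace assignments is exactly the situation the thread describes, where Read can no longer find the assignment, `plan` reports it as deleted, and the next `apply` collides with the assignment that still exists in Azure.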
Don’t hold your breath! A hotfix is in the making!
🥳🥳🥳🥳
I believe role assignment module has been broken, deleted the tfstate and cleaned the infrastructure and it still would not work.
Seems like 2.62 has a bug so that it cannot retrieve `azurerm_role_assignment`. Running plan with terraform v0.15.5 and 2.62, the plan output reports the `azurerm_role_assignment` as "has been deleted". Terraform will then try to create it as it is present in the configuration.

I also have a similar issue that I'm working through. Provider 2.62 removed the role assignment objects from the terraform state for a log analytics resource and so is planning to recreate the role assignments. It then fails as the assignment already exists. However, when I checked another role assignment on a resource group it appears to plan with no changes as expected.
I have set the provider to 2.61 and planned against a different log analytics resource and it again plans with no changes, suggesting it is an issue introduced in 2.62.
Also we are on Terraform 13.7