Support for azurerm_role_assignment separate resource to add conditions #24045
Comments
Hi @anwarnk, I don't think this is a constraint of I would like to know more about Can you post your configuration to have some more idea on this? Could be that I'm missing something here.
I've got another idea, in your
For clarification, we have a for_each setup in Terraform with its own state file. The for_each is set for each new subscription; the role assigned in the condition is what we deem as generic.
However, further in the code development we may need to customise the role assignment for maybe one principal_id to add additional roles (this would be in a different state file). However, if I try and do it today, using the same role with different conditions, it will error, which is what I suspected before even trying it out. What I am asking for is if there's a possibility to do something similar to resource "azuread_group_member" > add member to an existing group, but in this case add a condition to an existing one. For now we have a workaround, and that is we created a new role definition with a different GUID and then added the extra conditions that we wanted.
Thanks for the clarification! I indeed see the limitation coming from the REST API specs here as they don't offer It appears to me like you have to create another role assignment with a new condition, but you can flag this with the Microsoft dev team if they are planning to support it in the near future. I'm open if the HashiCorp team has other thoughts on this.
Description
Currently we are assigning RBAC using azurerm_role_assignment with conditions. This works great; however, we have a requirement to assign additional conditions in another resource. There isn't an option to just add conditions, and if we use the same resource it complains with:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."
New or Affected Resource(s)/Data Source(s)
azurerm_role_assignment
Potential Terraform Configuration
References
No response
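Added example, not taken from the issue or from the provider's own documentation: the generic conditional assignment described in the issue beside the workaround the reporter mentions in the comments (a custom role definition with its own GUID, so the second assignment no longer collides with the first). Subscription id, principal id, role GUID and container names are placeholders; the custom role carries only the single data action needed for the illustration, not a full clone of the built-in role.

```hcl
# Placeholder values (constructed for this example).
locals {
  scope        = "/subscriptions/00000000-0000-0000-0000-000000000000"
  principal_id = "11111111-1111-1111-1111-111111111111"
}

# Generic assignment created per subscription by the for_each module:
# built-in role plus an ABAC condition restricting blob reads to one container.
resource "azurerm_role_assignment" "generic" {
  scope                = local.scope
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = local.principal_id
  condition_version    = "2.0"
  condition            = <<-EOT
    ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}))
     OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'shared-container'))
  EOT
}

# A second azurerm_role_assignment with the same scope, role and principal but a
# different condition is rejected with the 409 RoleAssignmentExists error quoted
# in the issue: the assignment already exists regardless of its condition.
#
# Workaround from the issue: a custom role with its own GUID, so the extra
# assignment references a distinct role_definition_id.
resource "azurerm_role_definition" "blob_reader_extra" {
  role_definition_id = "22222222-2222-2222-2222-222222222222" # placeholder, must be unique
  name               = "Storage Blob Data Reader (extra conditions)"
  scope              = local.scope
  permissions {
    data_actions = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
  }
  assignable_scopes = [local.scope]
}

resource "azurerm_role_assignment" "extra" {
  scope              = local.scope
  role_definition_id = azurerm_role_definition.blob_reader_extra.role_definition_resource_id
  principal_id       = local.principal_id
  condition_version  = "2.0"
  condition          = <<-EOT
    ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}))
     OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'audit-container'))
  EOT
}
```

Because the second assignment lives in a separate state file, it should only depend on the custom role definition and on values passed in (scope, principal id), never on the generic assignment's state.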