Support for set parameter assignee-principal-type in azurerm_role_assignment #24062
Comments
Workaround to the same effect:

Hi @dav1dli, thanks for filing this issue. Could you please have a try with skip_service_principal_aad_check. The PrincipalType will be set to
Thanks! That worked. And at least in my case I could use this:
so it is not necessary to refer to a role by ID and assign a name. I would suggest adding a note to the documentation.
The suggested solution helped. But since the option is not similar to the option provided by
The described workaround is nice if we know the principal type and only deploy a single role assignment for a single Service Principal and we know it is definitely a Service Principal. Both azurerm resources azurerm_synapse_role_assignment and azurerm_role_assignment do not set the attribute "principalType" (available in the Azure API), so it remains NULL. Many sub-components even work with this incomplete role assignment. This is exactly the problem we are having. In other words, a Synapse role assignment made by the Azure API or Azure CLI will create a correct role assignment with the correct SID in the SQL engine, but when the Terraform azurerm provider creates the assignment, the role assignment is incomplete and the SQL engine's SID creation will be broken. So there is no chance to log in with the SP at the SQL engine in the end. @rcskosir, can you please re-open this issue?
@mafis-hh Reopening!
Hi Guys! After much testing I found this thread. I think this also doesn't work when the user is assigned the "Role-Based Access Control Administrator" role with an ABAC condition imposed
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview Best Regards,
Hi @mafis-hh, I think this is a separate case related to the
Hi @wuxu92, you are right. It is a separate case, there are two terraform resources which can handle the same Azure resource.
We are having the same issue when using: Our app reg, that we use to deploy TF resources, is assigned the role Creating the role assignment with the azure cli works, with the same app reg. Based on our findings and other comments, the request body doesn't contain the Would be nice if the PR could be reviewed / merged:
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Is there an existing issue for this?
Community Note
Description
In cases where access to the Graph API is blocked (by a security policy, for example), role assignment fails with an error
A similar error is produced when trying to
az role assignment create --assignee XXX --role "AcrPull" --scope "/subscriptions/YYY/resourceGroups/RG-XXX/providers/Microsoft.ContainerRegistry/registries/ACREXXX
with addition but trying
produces the desired result.
The documentation says:
so the parameter is supported but it cannot be set.
Please allow setting the parameter.
New or Affected Resource(s)/Data Source(s)
azurerm_role_assignment
Potential Terraform Configuration
No response
References
No response
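Added example (not from the issue reporter or the provider's own docs) of the workaround discussed in this thread: assigning AcrPull to a service principal while the provider is prevented from looking the principal up in Microsoft Graph. It reuses the issue's placeholder registry and resource group names; the object ID variable and the statement that the provider then sends a fixed principal type are assumptions, and the flag is only correct when the principal really is a service principal.

```hcl
# Added example, not the provider's or the reporter's code. Placeholders only.

variable "sp_object_id" {
  description = "Object ID of the service principal to grant AcrPull (placeholder)"
  type        = string
}

# Scope for the assignment: the registry named in the issue's az cli example.
data "azurerm_container_registry" "acr" {
  name                = "ACREXXX"
  resource_group_name = "RG-XXX"
}

# Without skip_service_principal_aad_check the provider resolves the principal
# through Microsoft Graph before creating the assignment; when Graph is blocked
# by policy that lookup fails and the assignment is never created (the issue).
#
# With the flag set the provider skips the Graph lookup and (assumption, per the
# maintainer's comment above) submits the assignment with a fixed principal type
# of ServicePrincipal. Do not set it for users or groups: it would label them
# as service principals in the assignment record.
resource "azurerm_role_assignment" "acr_pull" {
  scope                            = data.azurerm_container_registry.acr.id
  role_definition_name             = "AcrPull"
  principal_id                     = var.sp_object_id
  skip_service_principal_aad_check = true
}
```

Verify after apply by reading the assignment back with `az role assignment list --scope <registry id>` and checking that the principal type shown is ServicePrincipal rather than empty.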