Marcus Adams
Reputation: 1267
Terraform azurerm custom rbac role gives connection error on role assignment
I am trying to create a custom RBAC role definition and assignment to assign to an app registration. All resources and the definition create ok but when it goes to execute the azurerm_role_assignment resource I get:
Service returned an error. Status=400 Code="InvalidRoleDefinitionId" Message="The role definition ID 'xxxx-xxxx-xxxx-xxxx-xxxx' is not valid
I'm probably going a bit code blind as I can't see what's wrong, any ideas?
resource "random_password" "aad-app-myrbac" {
length = 24
special = true
override_special = "@#$%+=_-*&[]{}?!"
}
resource "random_password" "aad-sp-myrbac" {
length = 24
special = true
override_special = "@#$%+=_-*&[]{}?!"
}
resource "azuread_application" "myrbac" {
name = "my-app-registration"
homepage = "https://localhost"
identifier_uris = [""]
reply_urls = [""]
available_to_other_tenants = false
oauth2_allow_implicit_flow = false
}
resource "azuread_application_password" "myrbac" {
application_object_id = azuread_application.myrbac.id
description = "myrbac client secret"
value = random_password.aad-app-myrbac.result
end_date_relative = "87600h"
lifecycle {
ignore_changes = [end_date_relative]
}
}
resource "azuread_service_principal" "myrbac" {
application_id = azuread_application.myrbac.application_id
}
resource "azuread_service_principal_password" "myrbac" {
service_principal_id = azuread_service_principal.myrbac.id
value = random_password.aad-sp-myrbac.result
end_date_relative = "87600h"
lifecycle {
ignore_changes = [end_date_relative]
}
}
resource "azurerm_role_definition" "myrbac" {
name = "my role definition"
scope = data.azurerm_subscription.current.id
description = "my role definition"
permissions {
actions = [
"Microsoft.Authorization/permissions/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/*/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read"
]
not_actions = []
}
assignable_scopes = [data.azurerm_subscription.current.id]
}
resource "azurerm_role_assignment" "myrbac" {
scope = data.azurerm_subscription.current.id
role_definition_id = azurerm_role_definition.myrbac.id
principal_id = azuread_service_principal.myrbac.object_id
skip_service_principal_aad_check = true
}
note code has been sanitised and the total role defs cut down for brevity.
Upvotes: 0
Views: 1260
Answers (1)
Charles Xu
Reputation: 31384
You can use the parameter role_definition_name instead of role_definition_id and add the depends_on like this:
resource "azurerm_role_assignment" "myrbac" {
scope = data.azurerm_subscription.current.id
role_definition_name = azurerm_role_definition.myrbac.name
principal_id = azuread_service_principal.myrbac.object_id
skip_service_principal_aad_check = true
depends_on = [azurerm_role_definition.myrbac]
}
It will work for you.
Upvotes: 1
Related Questions
- Terraform Import azurerm_role_assignment
- Azure RBAC role 'ConfigureFactoryRepo' is required to be granted over the entire subscription to Terraform Service Principal to spin up Data Factory
- How to attach an existing rbac role to an Azure VM using Terraform?
- adding RBAC role for a Managed identity on multiple resource groups via automation
- Terraform azurerm provider tries to register with wrong credentials
- Azure devops pipeline terraform error - 403 when attempting role assignment
- azurerm role assignment, not able to assign role when used client_id, client_secret, subscription_id, tenant_id in provider
- Assign Azure rbac Role to Virtual Machine using terraform
- How to create appRoles with azurerm provider on terraform
- Role Assignment in Azure with Terraform