Existing IoTHub role assignments won't allow recreation of roles

[Meandron]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

We updated the azurerm provider version from 3.7.0 to the current one, which is v3.38.0
Due to this change in v.3.35.0, the scope of IotHubs were changed:
IoT Hub casing change

Now, as you can see in the plan output, existing custom IoTHub roles are marked to be replaced, as the scope changed (IotHubs -> iotHubs). With having role assignments to that custom roles, TF apply fails.

Terraform Version

1.2.3

AzureRM Provider Version

3.38.0

Affected Resource(s)/Data Source(s)

azurerm_role_definition

Terraform Configuration Files

resource "azurerm_role_definition" "iothub_deployment_role" {
  name        = "dmp-eu1-aa-deployment-role-c"
  scope       = azurerm_iothub.ioh_dmp.id
  description = "This is a custom role to allowing deployment to IoT Hub"

  permissions {
    actions      = ["Microsoft.Devices/iotHubs/Read", "Microsoft.Devices/IotHubs/listkeys/action"]
    data_actions = ["Microsoft.Devices/IotHubs/configurations/write", "Microsoft.Devices/IotHubs/configurations/applyToEdgeDevice/action"]
    not_actions  = []
  }

  assignable_scopes = [
    azurerm_iothub.ioh_dmp.id,
  ]
}

Debug Output/Panic Output

# PLAN OUTPUT: 
# azurerm_role_definition.iothub_deployment_role must be replaced
-/+ resource "azurerm_role_definition" "iothub_deployment_role" {
      ~ assignable_scopes           = [
          - "/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/resourceGroups/rg-dmp-eu1-c/providers/Microsoft.Devices/IotHubs/ioh-dmp-eu1-aa-c",
          + "/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/resourceGroups/rg-dmp-eu1-c/providers/Microsoft.Devices/iotHubs/ioh-dmp-eu1-aa-c",
        ]
      ~ id                          = "/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/providers/Microsoft.Authorization/roleDefinitions/3aa1145b-6ef2-76c4-8acb-0f7b4259a817|/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/resourceGroups/rg-dmp-eu1-c/providers/Microsoft.Devices/IotHubs/ioh-dmp-eu1-aa-c" -> (known after apply)
        name                        = "dmp-eu1-aa-deployment-role-c"
      ~ role_definition_id          = "3aa1145b-6ef2-76c4-8acb-0f7b4259a817" -> (known after apply)
      ~ role_definition_resource_id = "/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/providers/Microsoft.Authorization/roleDefinitions/3aa1145b-6ef2-76c4-8acb-0f7b4259a817" -> (known after apply)
      ~ scope                       = "/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/resourceGroups/rg-dmp-eu1-c/providers/Microsoft.Devices/IotHubs/ioh-dmp-eu1-aa-c" -> "/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/resourceGroups/rg-dmp-eu1-c/providers/Microsoft.Devices/iotHubs/ioh-dmp-eu1-aa-c" # forces replacement
        # (1 unchanged attribute hidden)

      ~ permissions {
          - not_data_actions = [] -> null
            # (3 unchanged attributes hidden)
        }
    }

#APPLY OUTPUT
Error: deleting Role Definition "3aa1145b-6ef2-76c4-8acb-0f7b4259a817" at Scope "/subscriptions/9468c70f-d65a-4feb-9784-682748f5b2d0/resourceGroups/rg-dmp-eu1-c/providers/Microsoft.Devices/IotHubs/ioh-dmp-eu1-aa-c": authorization.RoleDefinitionsClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="RoleDefinitionHasAssignments" Message="There are existing role assignments referencing role 3aa1145b-6ef2-76c4-8acb-0f7b4259a817. The role assignments must be deleted before the role can be deleted."

Expected Behaviour

Not sure about this one: The update to a version >= 3.35.0 should not cause the apply step to fail, but I cannot state what should / could happen internally.

Actual Behaviour

The apply step fails due to existing role assignments, see apply output

Steps to Reproduce

1. Use azurerm provider version < v.3.35.0
2. Create IoTHub
3. Create IotHub custom role
4. Assign principals to that custom role
5. Update azurerm provider version to >= v3.35.0

Important Factoids

No response

References

No response

[myc2h6o]

Hi @Meandron thanks for opening the issue! The change mentioned #19524 is part of the automatic state migration to fix the ID casing issue of azurerm_iothub_*. @mbfrahry this seems to be breaking the resources which depend on them. Is there a need to mark scope in this resource to be case-insensitive?

[Meandron]

We don't have that issue anymore, but had an issue with role assignments in general on our side. The issue did not show up again with 3.44.1, i.e. the change was still showing, but apply did not fail anymore.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.