
azurerm_pim_active_role_assignment failing when the azurerm_role_definition is provisioned at a different subscription #22588

Closed
davidng1996 opened this issue Jul 19, 2023 · 6 comments · Fixed by #22682

Comments

@davidng1996

davidng1996 commented Jul 19, 2023

Is there an existing issue for this?

  • I have searched the existing issues


Terraform Version

1.5.2

AzureRM Provider Version

3.65

Affected Resource(s)/Data Source(s)

azurerm_pim_active_role_assignment, azurerm_pim_eligible_role_assignment

Terraform Configuration Files

data "azurerm_subscription" "primary" {
}
resource "azurerm_role_definition" "example" {
  name        = "my-custom-role"
  scope       = data.azurerm_subscription.primary.id
  description = "This is a custom role created via Terraform"

  permissions {
    actions          = ["*"]
    not_actions      = []
    data_actions     = ["*"]
    not_data_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
    "/subscriptions/<subscriptionID2>"
  ]
}

resource "azurerm_pim_active_role_assignment" "always_active_azure_role_assignment1" {
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = "<principal_id>"
  justification      = "Test1"

  schedule {
    expiration {
      duration_hours = 10
    }
  }

}

resource "azurerm_pim_active_role_assignment" "always_active_azure_role_assignment2" {
  scope              = "/subscriptions/<subscriptionID2>"
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = "<principal_id>"
  justification      = "Test2"

  schedule {
    expiration {
      duration_hours = 10
    }
  }

}

Debug Output/Panic Output

Error: waiting for Role Management Policy: (Principal Id "<principal_id>" / Scope "/subscriptions/<subscriptionID2>" / Role Definition Id "<data.azurerm_subscription.primary.id>/providers/Microsoft.Authorization/roleDefinitions/<role_definition_id>") to become found: timeout while waiting for state to become 'Found' (last state: 'Missing', timeout: 5m0s)

Expected Behaviour

No response

Actual Behaviour

Error: waiting for Role Management Policy: (Principal Id "<principal_id>" / Scope "/subscriptions/" / Role Definition Id "<data.azurerm_subscription.primary.id>/providers/Microsoft.Authorization/roleDefinitions/<role_definition_id>") to become found: timeout while waiting for state to become 'Found' (last state: 'Missing', timeout: 5m0s)

This error occurred when provisioning azurerm_pim_active_role_assignment in subscriptionID2, even though it is included in assignable_scopes. The azurerm_pim_active_role_assignment in subscriptionID2 is created when I check from the Azure Portal.

Steps to Reproduce

No response

Important Factoids

No response

References

No response
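The failure reported above is a read-back problem: the assignment exists, but the provider's wait for it never reaches 'Found' when the role definition lives in a different subscription from the scope being assigned. The script below is an added example, not code from this issue or from the azurerm provider, for checking independently whether a PIM active or eligible assignment exists at a scope. It lists the schedule instances at the scope through the ARM REST API (Microsoft.Authorization roleAssignmentScheduleInstances / roleEligibilityScheduleInstances, api-version 2020-10-01) and matches on principal, exact scope and the role definition's trailing GUID rather than the full role definition resource ID, so a custom role defined at the primary subscription and assigned at subscriptionID2 still matches, and an assignment inherited from a management group does not. The quoting inside the $filter, the bearer-token handling and the sample response are assumptions or constructed; how the provider itself compares IDs is not shown in the thread.

```python
# Added example (not from the issue or the azurerm provider): check whether a
# PIM active/eligible role assignment exists at a scope, matching the role
# definition by its trailing GUID so a custom role defined at subscription A
# and assigned at subscription B still matches.
import json
import time
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2020-10-01"  # Microsoft.Authorization schedule-instance list APIs
COLLECTIONS = {
    "active": "roleAssignmentScheduleInstances",
    "eligible": "roleEligibilityScheduleInstances",
}


def role_definition_guid(role_definition_id):
    """Trailing GUID of a role definition ID, lower-cased.

    '/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>'
    (custom role) and '/providers/Microsoft.Authorization/roleDefinitions/<guid>'
    (built-in role) both reduce to '<guid>'.
    """
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def find_schedule_instances(instances, principal_id, role_definition_id, scope):
    """Return the instances (the 'value' array of a list response) that match
    principal, role definition GUID and exactly this scope. Instances inherited
    from a parent scope (e.g. a management group) are excluded on purpose."""
    want_guid = role_definition_guid(role_definition_id)
    want_scope = scope.rstrip("/").lower()
    matches = []
    for inst in instances:
        props = inst.get("properties", {})
        if props.get("principalId", "").lower() != principal_id.lower():
            continue
        if role_definition_guid(props.get("roleDefinitionId", "")) != want_guid:
            continue
        if props.get("scope", "").rstrip("/").lower() != want_scope:
            continue
        matches.append(inst)
    return matches


def wait_for_instance(fetch, principal_id, role_definition_id, scope,
                      attempts=30, delay=10.0, sleep=time.sleep):
    """Poll fetch() (returns a list of instances) until one matches, or give up
    after `attempts` tries. Returns the matching instance or None."""
    for _ in range(attempts):
        found = find_schedule_instances(fetch(), principal_id, role_definition_id, scope)
        if found:
            return found[0]
        sleep(delay)
    return None


def list_instances(kind, scope, principal_id, token):
    """Live ARM call (not exercised offline). `kind` is 'active' or 'eligible';
    `token` is a bearer token, e.g. from `az account get-access-token`.
    The filter form 'principalId eq {id}' follows the ARM list API docs; the
    quoting of the id used here is an assumption."""
    query = urllib.parse.urlencode({
        "api-version": API_VERSION,
        "$filter": f"principalId eq '{principal_id}'",
    })
    url = f"{ARM}{scope}/providers/Microsoft.Authorization/{COLLECTIONS[kind]}?{query}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("value", [])


# Constructed sample response mirroring the issue's layout: a custom role defined
# at the primary subscription, assigned at subscriptionID2. All IDs are placeholders.
PRIMARY = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB2 = "/subscriptions/22222222-2222-2222-2222-222222222222"
ROLE_GUID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
PRINCIPAL = "33333333-3333-3333-3333-333333333333"
ROLE_DEF_ID = f"{PRIMARY}/providers/Microsoft.Authorization/roleDefinitions/{ROLE_GUID}"
SAMPLE = [
    {   # the assignment created at subscriptionID2; roleDefinitionId still names the primary scope
        "id": f"{SUB2}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances/inst-1",
        "properties": {"scope": SUB2, "principalId": PRINCIPAL,
                       "roleDefinitionId": ROLE_DEF_ID, "status": "Provisioned"},
    },
    {   # same role and scope, but a different principal
        "id": f"{SUB2}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances/inst-2",
        "properties": {"scope": SUB2, "principalId": "44444444-4444-4444-4444-444444444444",
                       "roleDefinitionId": ROLE_DEF_ID, "status": "Provisioned"},
    },
    {   # same principal and role, inherited from a management group: not the one we created
        "id": "/providers/Microsoft.Management/managementGroups/mg/providers/Microsoft.Authorization/roleAssignmentScheduleInstances/inst-3",
        "properties": {"scope": "/providers/Microsoft.Management/managementGroups/mg",
                       "principalId": PRINCIPAL, "roleDefinitionId": ROLE_DEF_ID, "status": "Provisioned"},
    },
]


def demo():
    """Offline run: the first two polls see nothing, the third sees the sample."""
    pages = iter([[], [], SAMPLE])
    return wait_for_instance(lambda: next(pages), PRINCIPAL, ROLE_DEF_ID, SUB2,
                             attempts=5, delay=0, sleep=lambda _: None)
```

For a live check, replace the `fetch` callable with `lambda: list_instances("active", SUB2, PRINCIPAL, token)` (or "eligible" for azurerm_pim_eligible_role_assignment); `demo()` returns the first sample instance, showing that the GUID-based match succeeds where a comparison of the full role definition resource ID against the scope being assigned would not.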

@davidng1996

davidng1996 commented Jul 19, 2023

This is affecting both azurerm_pim_active_role_assignment and azurerm_pim_eligible_role_assignment. Role assignments are created and can be seen in Azure portal, but you will only get a successful message in Terraform when you provision the role assignment in the same subscription where the role definition is.

I added a timeouts block and it is still failing at 5m:

timeouts {
  read   = "1h"
  create = "1h"
}

@bardholthe

I get the same error with or without the timeouts setting

@rcskosir rcskosir added the v/3.x label Jul 19, 2023
@szejna

szejna commented Jul 20, 2023

I'm seeing the same issue.

PIM assignment is created, in my situation a subscription, but TF errors out waiting for Role Management Policy status to change.

@rcskosir rcskosir added the bug label Jul 21, 2023
@MohnJadden

I'm getting the same issue as well with azurerm_pim_eligible_role_assignment. I did the same thing as @davidng1996 and added a timeouts block but it stuck at 5 minutes.

Interestingly enough, if I import azurerm_pim_eligible_role_assignment following the required import naming convention, TF shows that it successfully imports the resource, but the resource doesn't show up in the state - if I run terraform state list it isn't listed, if I run tf plan or apply it wants to create the resource.

I hate to sound mean but was any testing done on the azurerm_pim functionality in an actual Azure environment before it was added? Having it get announced as existing but not actually working is literally worse than not knowing it exists in the first place.

@unique-dominik
Contributor

unique-dominik commented Aug 4, 2023

Hmmm, I appreciate all your push for this 🍻 But I cannot make it work and still get an error:

data "azurerm_subscription" "this" {
  subscription_id = var.subscription_id
}

resource "azuread_group" "supporters" {
  display_name     = "${module.context.full_name}-eligible-support"
  security_enabled = true
}

data "azuread_user" "supporters" {
  for_each            = toset(var.pim_eligible_support_upns)
  user_principal_name = each.value
}

resource "azuread_group_member" "supporters" {
  for_each         = toset(var.pim_eligible_support_upns)
  group_object_id  = azuread_group.supporters.id
  member_object_id = data.azuread_user.supporters[each.key].id
}

locals {
  roles = [
    "Azure Kubernetes Service RBAC Admin", # apply kubernetes changes
    "Reader",                              # read resources within the subscription
    "Virtual Machine Contributor",         # start the VM
    "Virtual Machine User Login"           # login to VM via AAD
  ]
}

resource "time_static" "this" {}

data "azurerm_role_definition" "builtin" {
  for_each = toset(local.roles)
  name     = each.value
}

resource "azurerm_pim_eligible_role_assignment" "supporters" {
  for_each           = data.azurerm_role_definition.builtin
  scope              = data.azurerm_subscription.this.id
  role_definition_id = each.value.role_definition_id
  principal_id       = azuread_group.supporters.object_id

  justification = "Provide support to the ${module.context.environment}-${module.context.project} tenant."

  schedule {
    start_date_time = time_static.this.rfc3339
    expiration {
      duration_days = 60
    }
  }
}
│ Error: waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c") to become ready: context canceled
│ 
│   with module.support.azurerm_pim_eligible_role_assignment.supporters["Virtual Machine Contributor"],
│   on ../../../../azure/infra/tf-core-infra/modules/support/pim.tf line 37, in resource "azurerm_pim_eligible_role_assignment" "supporters":
│   37: resource "azurerm_pim_eligible_role_assignment" "supporters" {
│ 
│ waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c") to become ready: context canceled
╵
╷
│ Error: waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7") to become ready: context canceled
│ 
│   with module.support.azurerm_pim_eligible_role_assignment.supporters["Reader"],
│   on ../../../../azure/infra/tf-core-infra/modules/support/pim.tf line 37, in resource "azurerm_pim_eligible_role_assignment" "supporters":
│   37: resource "azurerm_pim_eligible_role_assignment" "supporters" {
│ 
│ waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7") to become ready: context canceled
╵
╷
│ Error: waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7") to become ready: context canceled
│ 
│   with module.support.azurerm_pim_eligible_role_assignment.supporters["Azure Kubernetes Service RBAC Admin"],
│   on ../../../../azure/infra/tf-core-infra/modules/support/pim.tf line 37, in resource "azurerm_pim_eligible_role_assignment" "supporters":
│   37: resource "azurerm_pim_eligible_role_assignment" "supporters" {
│ 
│ waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7") to become ready: context canceled
╵
╷
│ Error: waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52") to become ready: context canceled
│ 
│   with module.support.azurerm_pim_eligible_role_assignment.supporters["Virtual Machine User Login"],
│   on ../../../../azure/infra/tf-core-infra/modules/support/pim.tf line 37, in resource "azurerm_pim_eligible_role_assignment" "supporters":
│   37: resource "azurerm_pim_eligible_role_assignment" "supporters" {
│ 
│ waiting for Role Management Policy: (Principal Id "<principal>" / Scope "/subscriptions/<subscription>" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52") to become ready: context canceled

I cancelled manually after 5 minutes. The assignments are created and visible in the portal, but the provider somehow cannot read them back.

Is that related or should I maybe open a new issue?

provider "registry.terraform.io/hashicorp/azurerm" {
  version     = "3.68.0"
  ...
}


github-actions bot commented May 9, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 9, 2024