Azure / terraform-azurerm-avm-res-authorization-roleassignment

AVM Terraform module for role assignments
https://registry.terraform.io/modules/Azure/avm-res-authorization-roleassignment
MIT License

[AVM Question/Feedback]: `azurerm_role_assignment` forces replacement #57

Open ZdenekPesek opened 3 months ago

ZdenekPesek commented 3 months ago

Description

Hello,

I use the module for assigning built-in roles (Reader, Network Contributor, DNS Zone Contributor) to several scopes (vnet, dns zone, rg) for sami and uami. Lately I started hitting the same issue as described here https://github.com/hashicorp/terraform-provider-azurerm/issues/4847 with the azurerm_role_assignment resource being wrapped in the module. I am unable to easily work around it with a lifecycle rule, therefore I would like to ask you if you have any hint on how to avoid such behavior on the module level.

Thanks

ZdenekPesek commented 3 months ago

I have a simple reproducer

resource "azurerm_resource_group" "this" {
  name     = "test-rg"
  location = "eastus2"
}

locals {
  uami = [
    "foo",
    "bar"
  ]
}
module "uami" {
  source = "git::https://github.com/Azure/terraform-azurerm-avm-res-managedidentity-userassignedidentity.git?ref=0.3.1"

  for_each = toset(local.uami)

  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  name                = "test-uami-${each.key}"

  enable_telemetry = false
}
resource "time_sleep" "uami" {
  create_duration = "1m"
  depends_on      = [module.uami]
}

module "role_assignment" {
  source = "git::https://github.com/Azure/terraform-azurerm-avm-res-authorization-roleassignment.git?ref=v0.0.1"

  user_assigned_managed_identities_by_principal_id = {
    foo = module.uami["foo"].principal_id
    bar = module.uami["bar"].principal_id
  }

  role_definitions = {
    reader = "Reader"
  }

  role_assignments_for_resource_groups = {
    rg = {
      resource_group_name = azurerm_resource_group.this.name
      role_assignments = {
        reader = {
          role_definition                  = "reader"
          user_assigned_managed_identities = [
            "foo",
            "bar"
          ]
        }
      }
    }
  }

  depends_on = [
    time_sleep.uami,
  ]
}

When I comment out all the bar lines, it also wants to force-replace the foo role assignment!

  # module.role_assignment.azurerm_role_assignment.this["resourcegroup-uami-rg-reader-foo"] must be replaced
-/+ resource "azurerm_role_assignment" "this" {
      ~ id                                     = "/subscriptions/0000/resourceGroups/test-rg/providers/Microsoft.Authorization/roleAssignments/94f11018-2446-e411-ef38-96d4a059f37d" -> (known after apply)
      ~ name                                   = "94f11018-2446-e411-ef38-96d4a059f37d" -> (known after apply)
      ~ principal_type                         = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id                     = "/subscriptions/0000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7" # forces replacement -> (known after apply) # forces replacement
      ~ role_definition_name                   = "Reader" -> (known after apply)
      ~ scope                                  = "/subscriptions/0000/resourceGroups/test-rg" # forces replacement -> (known after apply) # forces replacement
      + skip_service_principal_aad_check       = (known after apply)
        # (5 unchanged attributes hidden)
    }

I also compared the behavior without the module, and this works as intended (commenting out the bar line destroys only the resources related to bar)

resource "azurerm_resource_group" "this" {
  name     = "test2-rg"
  location = "eastus2"
}

locals {
  uami = [
    "foo",
    "bar"
  ]
}
module "uami" {
  source = "git::https://github.com/Azure/terraform-azurerm-avm-res-managedidentity-userassignedidentity.git?ref=0.3.1"

  for_each = toset(local.uami)

  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  name                = "test2-uami-${each.key}"

  enable_telemetry = false
}

resource "azurerm_role_assignment" "this" {
  for_each = module.uami

  scope                = azurerm_resource_group.this.id
  role_definition_name = "Reader"
  principal_id         = each.value.principal_id
}

Do you have any explanation for this? Thanks
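As an added example, not code from this issue or from the module: a small check that reads `terraform show -json tfplan` output and flags every azurerm_role_assignment the plan would destroy and recreate, together with the attribute paths Terraform blames for it. A replacement briefly revokes the principal's access at that scope, so surfacing it before apply is worth a CI gate; the sample plan below is constructed to mirror the plan quoted above.

```python
import json
from typing import Any

# Constructed sample of `terraform show -json tfplan` output, cut down to the fields
# this check reads. It mirrors the plan quoted in the issue: the "foo" assignment is
# destroyed and recreated although only "bar" was removed from the configuration.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'module.role_assignment.azurerm_role_assignment.this["resourcegroup-uami-rg-reader-foo"]',
            "type": "azurerm_role_assignment",
            "change": {"actions": ["delete", "create"],
                       "replace_paths": [["role_definition_id"], ["scope"]]},
        },
        {
            "address": 'module.role_assignment.azurerm_role_assignment.this["resourcegroup-uami-rg-reader-bar"]',
            "type": "azurerm_role_assignment",
            "change": {"actions": ["delete"], "replace_paths": None},
        },
        {"address": "azurerm_resource_group.this", "type": "azurerm_resource_group",
         "change": {"actions": ["no-op"]}},
    ],
})


def find_role_assignment_replacements(plan_json: str) -> list[dict[str, Any]]:
    """Return each azurerm_role_assignment the plan would destroy and recreate,
    together with the attribute paths Terraform blames for the replacement."""
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_role_assignment":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is encoded as delete+create (create+delete under create_before_destroy).
        if "delete" in actions and "create" in actions:
            paths = change.get("replace_paths") or []
            hits.append({"address": rc["address"],
                         "forced_by": [".".join(map(str, p)) for p in paths]})
    return hits


if __name__ == "__main__":
    for hit in find_role_assignment_replacements(SAMPLE_PLAN):
        print(f"REPLACEMENT: {hit['address']} forced by {', '.join(hit['forced_by'])}")
```

To use it on a real plan, pass the output of `terraform show -json tfplan` to the function; any non-empty result is grounds to stop the pipeline before the apply.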

jchancellor-ms commented 2 months ago

@jaredfholgate - would you be able to assist with answering the question above?

otavioss commented 1 month ago

Any updates on this topic? We recently started experiencing the same issue

jaredfholgate commented 1 month ago

Apologies for the delay in responding to this. I will do my best to take a look this week.

microsoft-github-policy-service[bot] commented 2 weeks ago

[!CAUTION] This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-terraform) immediate attention as it hasn't been responded to within 6 business days.

[!TIP]

  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" and "Status: Response Overdue :triangular_flag_on_post:" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention :bangbang:" label once the issue has been responded to.