Azure / terraform-azurerm-avm-res-authorization-roleassignment

AVM Terraform module for role assignments
https://registry.terraform.io/modules/Azure/avm-res-authorization-roleassignment
MIT License

[AVM Module Issue]: Role Assignment to multiple resources issue #68

Closed ele-core-it closed 1 month ago

ele-core-it commented 2 months ago

Check for previous/existing GitHub issues

Issue Type?

Bug

(Optional) Module Version

0.0.1, 0.1.0

(Optional) Correlation Id

No response

Description

Trying to use the Role Assignments module to apply roles to multiple resources fails with error:

```
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Invalid index
│
│   on .terraform\modules\role_assignments\local.role.assignments.for.resources.tf line 86, in locals:
│   86: scope = data.azurerm_resources.resources_by_resource_group_and_name[key].resources[0].id
│     ├────────────────
│     │ data.azurerm_resources.resources_by_resource_group_and_name is object with 3 attributes
│
│ The given key does not identify an element in this collection value: the collection has no elements.
```

The code works if I only apply roles to one resource at a time, but otherwise I get a variation of the above error.

```hcl
role_assignments_for_resources = {
  sa1 = {
    resource_name       = azurerm_storage_account.dl_st.name
    resource_group_name = azurerm_resource_group.rg.name
    role_assignments = {
      role_assignment_1 = {
        role_definition = "role2"
        users           = ["user1"]
      }
      role_assignment_2 = {
        role_definition = "role3"
        users           = ["user1"]
      }
    }
  }
  sp1 = {
    resource_name       = azurerm_synapse_spark_pool.syn_spark.name
    resource_group_name = azurerm_resource_group.rg.name
    role_assignments = {
      role_assignment_1 = {
        role_definition = "role3"
        users           = ["user1"]
      }
    }
  }
  syn1 = {
    resource_name       = azurerm_synapse_workspace.workspace.name
    resource_group_name = azurerm_resource_group.rg.name
    role_assignments = {
      role_assignment_1 = {
        role_definition = "role3"
        users           = ["user1"]
      }
    }
  }
}
```

microsoft-github-policy-service[bot] commented 2 months ago

[!WARNING] Tagging the AVM Core Team (@Azure/avm-core-team-technical-terraform) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

[!TIP]

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" label must be removed as part of the triage process (when the issue is first responded to)!

microsoft-github-policy-service[bot] commented 1 month ago

[!CAUTION] This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-terraform) immediate attention as it hasn't been responded to within 6 business days.

[!TIP]

  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" and "Status: Response Overdue :triangular_flag_on_post:" labels must be removed when the issue is first responded to!
  • Remove the "Needs: Immediate Attention :bangbang:" label once the issue has been responded to.
jaredfholgate commented 1 month ago

Thanks for reporting this. I am unable to replicate this issue. I suspect it may be a timing issue. The resources are created and are not being returned in the data source query. The `resources` output of the `azurerm_resources` data source would be empty in the scenario where it can't find the resource, and that would throw the error you are seeing.

You could try adding an explicit dependency or a timeout to your code. Or alternatively, since you already have access to the resource id in your scenario, you could use the role_assignments_for_scopes variable instead and supply the resource id in the scope attribute.

I am adding a test scenario to cover this.

I am going to close this for now, since there is nothing we can do in the module to resolve it at this time.
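
The workaround suggested in the last comment, written out as an added example (not code from the thread or from the module's documentation): the resource IDs the reporter's configuration already has are passed through `role_assignments_for_scopes`, so each assignment's scope is the exact ID and no lookup by name is needed. Assumptions: the inner `role_assignments` map has the same shape as in the reporter's `role_assignments_for_resources` block, the module label `role_assignments` is taken from the path in the error message, and the module's other inputs are left out because the issue does not show them.

```hcl
module "role_assignments" {
  source = "Azure/avm-res-authorization-roleassignment/azurerm"

  # Other inputs (the lookups behind "user1", "role2" and "role3") stay as in
  # the existing module call; the issue does not show them.

  role_assignments_for_scopes = {
    sa1 = {
      # Exact resource ID instead of a name + resource group lookup.
      scope = azurerm_storage_account.dl_st.id
      role_assignments = {
        role_assignment_1 = {
          role_definition = "role2"
          users           = ["user1"]
        }
        role_assignment_2 = {
          role_definition = "role3"
          users           = ["user1"]
        }
      }
    }
    sp1 = {
      scope = azurerm_synapse_spark_pool.syn_spark.id
      role_assignments = {
        role_assignment_1 = {
          role_definition = "role3"
          users           = ["user1"]
        }
      }
    }
    syn1 = {
      scope = azurerm_synapse_workspace.workspace.id
      role_assignments = {
        role_assignment_1 = {
          role_definition = "role3"
          users           = ["user1"]
        }
      }
    }
  }
}
```

Referencing each resource's `.id` also gives Terraform an implicit dependency on that resource, and the scope of every role assignment is visible in the configuration rather than resolved from a name.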