Error 400 (RoleAssignmentExists) when modifying existing azuread_privileged_access_group_eligibility_schedule resources

[michvllni]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

• Terraform Version 1.8.5
• AzureAD Provider Version 2.52.0

Affected Resource(s)

• azuread_privileged_access_group_eligibility_schedule

Terraform Configuration Files

resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments" {
  for_each = { for assignment in flatten([
    for group_key, group in azuread_group.gdap_groups : [
      for user_key, user in data.azuread_user.gdap_rolegroup_default_members : {
        group_key    = group_key
        user_key     = replace(user_key, "/@.*/", "") # remove dots and domain
        group_id     = group.object_id
        principal_id = user.object_id
      }
    ]
    ]) : "${assignment.group_key}-${assignment.user_key}" => assignment
  }
  group_id             = each.value.group_id
  principal_id         = each.value.principal_id
  assignment_type      = "member"
  permanent_assignment = true
}

Debug Output

Panic Output

Expected Behavior

Resource should be updatable

Actual Behavior

Modifying fails on apply with

│ Error: Could not create assignment schedule request, PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post(): unexpected status 400 with OData error: RoleAssignmentExists: The Role assignment already exists.
│ 
│   with module.io-gdap-groups["xxx"].azuread_privileged_access_group_eligibility_schedule.gdap_rolegroup_default_assignments["bcadmin-name"],
│   on modules/io-gdap-groups/adgroups.tf line 52, in resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments":
│   52: resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments" {
│ 
│ Could not create assignment schedule request,
│ PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
│ unexpected status 400 with OData error: RoleAssignmentExists: The Role
│ assignment already exists.

This is the planned change by terraform plan:

 # module.io-gdap-groups["xxx"].azuread_privileged_access_group_eligibility_schedule.gdap_rolegroup_default_assignments["bcadmin-username"] will be updated in-place
  ~ resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments" {
        id                   = "REDACTED"
      ~ permanent_assignment = false -> true
        # (10 unchanged attributes hidden)
    }

Steps to Reproduce

1. terraform apply

   Important Factoids

We created the schedules manually before the resource became available and then imported it using terraform import. On the first run after importing, it tries to enable the permanent assignment and fails with the given error

References

[tonirvega]

Same error here