Open Shop-kins opened 2 months ago
The azuread_privileged_access_group_assignment_schedule cannot be created without azuread_group_role_management_policy, so you have to set a dependency.
resource "azuread_privileged_access_group_assignment_schedule" "group" {
  depends_on = [
    azuread_group_role_management_policy.example
  ]
  ...
}
resource "azuread_privileged_access_group_assignment_schedule" "user" {
  depends_on = [
    azuread_group_role_management_policy.example
  ]
  ...
}
Interesting! While that certainly makes sense logically, that is not actually the case. I can create an azuread_privileged_access_group_assignment_schedule without an azuread_group_role_management_policy and the process completes successfully!
I've also done a test where I made the azuread_group_role_management_policy dependent on the azuread_privileged_access_group_assignment_schedule, which is also completely fine!
Community Note
Terraform (and AzureAD Provider) Version
Terraform Version: 1.9.5
Azuread Version: 2.53.1
Affected Resource(s)
azuread_group_role_management_policy
Terraform Configuration Files
Debug Output
I will try and get you one, but both times it's happened have been without debug.
Expected Behavior
azuread_group_role_management_policy is created successfully or errors and does not store an id of the non existent remote object
Actual Behavior
azuread_group_role_management_policy during its create process HERE fetches the existing role and stores it.
However, it fails when attempting to get that id. This is due to the role id changing when modified (as noted in the comment on line 925), and the modification is occurring in the first instance of one of the two sets of azuread_privileged_access_group_assignment_schedule.
If the modification occurs between azuread_group_role_management_policy retrieving the member role id and directly calling a get request, then the resource will save the broken id and require manual intervention to correct the state file.
Error on initial failed apply
Error on subsequent plans of all types
Steps to Reproduce
Have a terraform setup similar to the above and run terraform apply and destroy over and over again until the error occurs.
Important Factoids
Having one resource always go first (be it azuread_group_role_management_policy or azuread_privileged_access_group_assignment_schedule) results in the issue never arising. It will also never affect the azuread_privileged_access_group_assignment_schedule negatively, as that resource does not store the member_role_id directly.
References
Finding actual documentation on the Azure behaviour is difficult; my assumption is that the default role id for member is non-mutable, but on an edit attempt a mutable copy is created.
A simple solution for this would be to not save the id at that stage in the process, and error out with how this might occur, as well as updating relevant documentation. Alternatively, a retry or a more sophisticated internal dependency system could be created as a last resort option, just not storing the id and looking it up each time.
I already have a simple solution for the problem now I am aware of how it arises (using Terraform's built-in depends_on); however, I'm more than happy to assist in resolving this within the provider, as I'd rather not have other people have to go through the debugging of this issue!
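To illustrate the race described in the issue body and the "don't store the id until it is confirmed, retry the lookup" option proposed above, here is an added Go example that is not the provider's own code. It uses a constructed fake of the role-management API (fakePolicyAPI, createPolicyNaive, createPolicySafe are all hypothetical names) in which the member role's policy id changes the moment an assignment schedule modifies the role.

```go
package main

import "fmt"

// fakePolicyAPI is a constructed stand-in for the role-management API:
// the member role's policy id changes once a schedule modifies the role.
type fakePolicyAPI struct{ currentID string }

// ListPolicyID returns the id the provider reads when creating the policy.
func (a *fakePolicyAPI) ListPolicyID() string { return a.currentID }

// GetPolicy succeeds only for the id that is current right now.
func (a *fakePolicyAPI) GetPolicy(id string) error {
	if id != a.currentID {
		return fmt.Errorf("policy %s not found", id)
	}
	return nil
}

// SimulateAssignmentSchedule models a concurrent assignment-schedule create
// swapping the immutable default policy for a mutable copy with a new id.
func (a *fakePolicyAPI) SimulateAssignmentSchedule() { a.currentID += "-copy" }

// createPolicyNaive mirrors the reported behaviour: the listed id is returned
// (and would be saved to state) even when the verification GET fails.
func createPolicyNaive(api *fakePolicyAPI, race func()) (string, error) {
	id := api.ListPolicyID()
	race() // the assignment schedule lands between list and get
	return id, api.GetPolicy(id)
}

// createPolicySafe commits an id only after GET confirms it, re-listing on
// failure up to attempts times (the retry option the issue proposes).
func createPolicySafe(api *fakePolicyAPI, race func(), attempts int) (string, error) {
	var lastErr error
	for i := 0; i < attempts; i++ {
		id := api.ListPolicyID()
		if i == 0 {
			race() // inject the modification on the first pass only
		}
		if lastErr = api.GetPolicy(id); lastErr == nil {
			return id, nil // only a verified id is ever handed back
		}
	}
	return "", fmt.Errorf("policy id kept changing after %d attempts: %w", attempts, lastErr)
}
```

The naive path hands back the stale default id together with an error, which is exactly the state-file corruption described above; the safe path either returns the id that survived a GET or returns no id at all.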