hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_role_assignment `scope` is case sensitive #22076

Open nijave opened 1 year ago

nijave commented 1 year ago

Is there an existing issue for this?

Community Note

Terraform Version

1.4.6

AzureRM Provider Version

3.59.0

Affected Resource(s)/Data Source(s)

azurerm_role_assignment

Terraform Configuration Files

# module 1
resource "azurerm_role_assignment" "mgmt" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.mgmt.principal_id
}

output "user_assigned_identity" {
  value = azurerm_user_assigned_identity.mgmt
}

# module 2
resource "azurerm_role_assignment" "identity_operator" {
  scope                = var.user_assigned_identity.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = azurerm_kubernetes_cluster.cluster.kubelet_identity.0.object_id
}

Debug Output/Panic Output

# azurerm_role_assignment.identity_operator must be replaced
-/+ resource "azurerm_role_assignment" "identity_operator" {
      ~ id                               = "/subscriptions/.../resourcegroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/Development/providers/Microsoft.Authorization/roleAssignments/..." -> (known after apply)
      ~ name                             = "..." -> (known after apply)
      ~ principal_type                   = "ServicePrincipal" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/..." -> (known after apply)
      ~ scope                            = "/subscriptions/.../resourcegroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/Development" -> "/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/Development" # forces replacement
      + skip_service_principal_aad_check = (known after apply)
        # (2 unchanged attributes hidden)

      - timeouts {}
    }

Expected Behaviour

These scopes are equivalent, so having resourcegroups vs resourceGroups shouldn't lead to a diff. I see other attributes use a case-insensitive diff suppression, but it's not clear if this can also be used for scope (maybe certain parts of the scope are case sensitive..?)

Actual Behaviour

A diff is produced

Steps to Reproduce

No response

Important Factoids

No response

References

No response
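The case-only scope difference reported above, checked segment by segment. This is an added example, not part of the issue thread or the provider's code: `CompareScopes`, `SegmentDiff` and the sample ID are hypothetical, and the key/name classification assumes the usual `/subscriptions/{id}/resourceGroups/{name}/providers/{namespace}/{type}/{name}` layout.

```go
package main

import (
	"fmt"
	"strings"
)

// SegmentDiff is one path segment that differs between two scope strings.
type SegmentDiff struct {
	Index    int
	Kind     string // "key" (fixed ARM keyword, namespace or type) or "name"
	Old, New string
	CaseOnly bool // equal when compared case-insensitively
}

// CompareScopes is a hypothetical helper (not provider code). It returns the
// differing segments and whether the scopes are equal ignoring case.
func CompareScopes(oldScope, newScope string) ([]SegmentDiff, bool) {
	o := strings.Split(strings.Trim(oldScope, "/"), "/")
	n := strings.Split(strings.Trim(newScope, "/"), "/")
	if len(o) != len(n) {
		return nil, false // different shape: a real scope change
	}
	var diffs []SegmentDiff
	equalFold, expectKey, keepKey := true, true, false
	for i := range o {
		kind := map[bool]string{true: "key", false: "name"}[expectKey]
		switch {
		case expectKey && strings.EqualFold(o[i], "providers"):
			keepKey = true // the namespace that follows is also a key
		case keepKey:
			keepKey = false // namespace consumed; the resource type is next
		default:
			expectKey = !expectKey
		}
		if o[i] != n[i] {
			diffs = append(diffs, SegmentDiff{i, kind, o[i], n[i], strings.EqualFold(o[i], n[i])})
			equalFold = equalFold && diffs[len(diffs)-1].CaseOnly
		}
	}
	return diffs, equalFold
}

func main() {
	// Constructed sample ID; subscription and resource group are placeholders.
	const id = "/subscriptions/00000000-0000-0000-0000-000000000000/%s/example-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Development"
	fmt.Println(CompareScopes(fmt.Sprintf(id, "resourcegroups"), fmt.Sprintf(id, "resourceGroups")))
}
```

Reporting the segment kind separates a difference in a fixed keyword such as `resourceGroups`, as in this report, from one in a user-supplied name, whose case handling the issue leaves open.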

wuxu92 commented 1 year ago

@nijave Thanks for filing this issue. Could you please make sure that you are using the latest version of azurerm? If so, could you please share in which location you created these resources and more detail about var.user_assigned_identity.id? I cannot reproduce this issue with configurations almost like yours.