hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_pim_eligible_role_assignment waiting for Role Management Policy to become ready: couldn't find resource #23775

Open ChrisTav424 opened 8 months ago

ChrisTav424 commented 8 months ago

Is there an existing issue for this?

Community Note

Terraform Version

1.6.3

AzureRM Provider Version

3.79.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

```hcl
resource "time_static" "main" {}

resource "azurerm_pim_eligible_role_assignment" "main" {
  principal_id       = "8ed7898e-----"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----"
  scope              = "/subscriptions/6918adf8----"

  schedule {
    start_date_time = time_static.main.rfc3339
    expiration {
      duration_days = 365
    }
  }
}
```

Debug Output/Panic Output

```
Error: waiting for Role Management Policy: (Principal Id "ed681489----" / Scope "/subscriptions/6918adf8----" / Role Definition Id "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----") to become ready: couldn't find resource (21 retries)
│ 
│   with module.pim["6918adf8----"].azurerm_pim_eligible_role_assignment.main,
│   on ..\..\..\..\tfmodules\pim\main.tf line 3, in resource "azurerm_pim_eligible_role_assignment" "main":
│    3: resource "azurerm_pim_eligible_role_assignment" "main" {
│ 
│ waiting for Role Management Policy: (Principal Id
│ "ed681489----" / Scope
│ "/subscriptions/6918adf8----" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----")
│ to become ready: couldn't find resource (21 retries)
```

Expected Behaviour

Apply successful

Actual Behaviour

The apply fails with the error 'waiting for Role Management Policy to become ready: couldn't find resource (21 retries)'.

The PIM roles have been created in the portal and when I run another terraform plan / apply it states that the resource needs to be imported into state.

This only seems to be a problem when you specify a scope at the subscription level.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

I have seen this referenced in a few places already, but they state that it is resolved:

https://github.com/hashicorp/terraform-provider-azuread/issues/68
https://github.com/hashicorp/terraform-provider-azurerm/pull/22932

smokedlinq commented 8 months ago

Noticed this yesterday too. It might be an Azure issue, in the activity log we see the Started event but never a completed event. I think the team was going to open a case with MS as well, will report back if they find anything.

ChrisTav424 commented 8 months ago

Thanks @smokedlinq I will raise this with them too

jcframil commented 8 months ago

I have been trying for a couple of days to make it work, and went through a couple of posts, just to find out this issue is marked as resolved. :smiling_face_with_tear:

Also tried changing the scope to RG but it failed.

When I try to create the resource it fails as mentioned before. The import fails too, saying that it cannot import a non-existent remote object. Curious thing that the terraform apply shows the resource ID that needs to be imported :thinking:

That's unusable for us at the moment.

Terraform Versions

1.5.7, 1.6.3

AzureRM Provider Versions

3.79.0, 3.70.0, 3.65.0

Output after terraform apply

```
Error: A resource with the ID "/subscriptions/---/---/---/xxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_pim_eligible_role_assignment" for more information.

   with azurerm_pim_eligible_role_assignment.test,
   on elegible.tf line 15, in resource "azurerm_pim_eligible_role_assignment" "test":
   15: resource "azurerm_pim_eligible_role_assignment" "test" {

A resource with the ID "/subscriptions/---/---/---/xxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_pim_eligible_role_assignment" for more information.
```

Output after terraform import

```
Error: Cannot import non-existent remote object

 While attempting to import an existing object to
 "azurerm_pim_eligible_role_assignment.test", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
```

MohnJadden commented 8 months ago

> I have been trying for a couple of days to make it work, and went through a couple of posts, just to find out this issue is marked as resolved. 🥲
>
> Also tried changing the scope to RG but it failed.
>
> When I try to create the resource it fails as mentioned before. The import fails too, saying that it cannot import a non-existent remote object. Curious thing that the terraform apply shows the resource ID that needs to be imported 🤔
>
> That's unusable for us at the moment.
>
> Terraform Versions
>
> 1.5.7, 1.6.3
>
> AzureRM Provider Versions
>
> 3.79.0, 3.70.0, 3.65.0
>
> Output after terraform apply
>
> ```
> Error: A resource with the ID "/subscriptions/---/---/---/xxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_pim_eligible_role_assignment" for more information.
>
>    with azurerm_pim_eligible_role_assignment.test,
>    on elegible.tf line 15, in resource "azurerm_pim_eligible_role_assignment" "test":
>    15: resource "azurerm_pim_eligible_role_assignment" "test" {
>
> A resource with the ID "/subscriptions/---/---/---/xxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_pim_eligible_role_assignment" for more information.
> ```
>
> Output after terraform import
>
> ```
> Error: Cannot import non-existent remote object
>
>  While attempting to import an existing object to
>  "azurerm_pim_eligible_role_assignment.test", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
> ```

I had the same issue. If you're using index keys and are working within Windows, you'd have to escape the index values like so. However, I ran into issues where the import claimed to be successful but didn't actually import into the state, so in the end I had to delete the existing PIM assignment from the portal and re-run it.

xinfli commented 7 months ago

Try changing your role_definition_id to /subscriptions/6918adf8---/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----.

We had a similar problem, but we work with a management group; it took us several days until we found what was wrong with it:

Refer to the sections Example Usage (Subscription) and Example Usage (Management Group) in the documentation of azurerm_pim_eligible_role_assignment.
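
For the subscription-scoped case xinfli describes, the unscoped form from the original report next to the subscription-scoped form, as an added illustration that is not code from the issue or from the provider's documentation. The `Reader` role name and the data-source wiring are assumptions; the guids are the issue's redacted placeholders.

```hcl
# Added illustration of the role_definition_id mismatch discussed in this issue.
# Guids are the redacted placeholders from the issue, not real identifiers.

data "azurerm_subscription" "primary" {}

# Assumption: the role behind "ab8e14d6----" is looked up by name; "Reader" is a
# placeholder. With no scope argument the data source id is the tenant-level
# "/providers/Microsoft.Authorization/roleDefinitions/<guid>" form.
data "azurerm_role_definition" "example" {
  name = "Reader"
}

resource "time_static" "main" {}

# Form from the report that fails with
# "waiting for Role Management Policy ... couldn't find resource":
# scope is a subscription, but role_definition_id has no subscription prefix.
#
# resource "azurerm_pim_eligible_role_assignment" "broken" {
#   principal_id       = "8ed7898e-----"
#   role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----"
#   scope              = "/subscriptions/6918adf8----"
#   ...
# }

# Subscription-scoped form suggested by xinfli: role_definition_id carries the
# same "/subscriptions/6918adf8----" prefix as scope, i.e.
# "/subscriptions/6918adf8----/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----".
# Building both values from the same data source keeps them consistent.
resource "azurerm_pim_eligible_role_assignment" "main" {
  principal_id       = "8ed7898e-----"
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = "${data.azurerm_subscription.primary.id}${data.azurerm_role_definition.example.id}"

  schedule {
    start_date_time = time_static.main.rfc3339
    expiration {
      duration_days = 365
    }
  }
}
```

Running `terraform plan` before apply shows the composed role_definition_id, so the prefix can be checked against the scope before anything is created.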

drdamour commented 5 months ago

dupe of #23366

TeamDman commented 3 months ago

The previously mentioned dupe is closed now; https://github.com/hashicorp/terraform-provider-azurerm/issues/23111 is open with active discussion (more about not-found errors than timeouts, though).

manicminer commented 1 month ago

@ChrisTav424, @smokedlinq, @jcframil, @MohnJadden are you still experiencing this error with the latest provider (currently v3.104.2)?

Scarlettliuyc commented 3 weeks ago

Hi @manicminer, I have a customer who still gets the same issue after updating to AzureRM 3.104.2. It still states that the resource with ID XXX already exists - to be managed via Terraform this resource needs to be imported into the State.

Is it the case that the fix only works for PIM assignments created with the latest version of the provider and not pre-existing assignments?