hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_pim_eligible_role_assignment fails to become ready on resource-group scoped level #25618

Open unique-dominik opened 2 months ago

unique-dominik commented 2 months ago

### Terraform Version

1.7.0

### AzureRM Provider Version

3.98.0

### Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

### Terraform Configuration Files

```hcl
variable "name" {
  type = string
}

variable "subscription_id" {
  type = string
}

variable "resource_group_name" {
  type = string
}

variable "reader_principal_ids" {
  type = list(string)
}

variable "refresh_pim_eligibility" {
  type    = number
  default = 0
}

resource "time_static" "this" {
  triggers = {
    refresh_cycle = var.refresh_pim_eligibility
  }
}

# We use built-in roles for now to keep it simple; if it does not work out we can create a custom role in the parent module and pass the id down
data "azurerm_role_definition" "this" {
  name = "Monitoring Reader"
}

resource "azuread_group" "this" {
  display_name            = "[${var.name}][${var.resource_group_name}] Readers"
  security_enabled        = true
  prevent_duplicate_names = true
  assignable_to_role      = true
}

resource "azuread_group_member" "this" {
  for_each         = toset(var.reader_principal_ids)
  group_object_id  = azuread_group.this.id
  member_object_id = each.value
}

resource "azurerm_pim_eligible_role_assignment" "this" {
  scope              = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group_name}" # cannot use a data source as we are in a different context (enterprise subscription)
  role_definition_id = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group_name}${data.azurerm_role_definition.this.role_definition_id}"
  principal_id       = azuread_group.this.object_id

  schedule {
    start_date_time = time_static.this.rfc3339
    expiration {
      duration_days = 180 # This will force us to rerun tf every 90 days but PIM tf code is young so it is okay.
    }
  }

  justification = "Eligible Readers to the [${var.name}] tenant via the RG [${var.resource_group_name}]."

  ticket {
    number = "UN-6398"
    system = "JIRA"
  }
}
```

### Debug Output/Panic Output

```shell
│ Error: waiting for Role Management Policy: (Principal Id "<uuid>" / Scope "/subscriptions/<uuid>/resourceGroups/<rgname>" / Role Definition Id "/subscriptions/<uuid>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05") to become ready: context canceled
│
│   with module.lz-lion.module.resource_group_readers["<rgname>"].azurerm_pim_eligible_role_assignment.this,
│   on ../../modules/lz-mk2/resource-group-reader/main.tf line 48, in resource "azurerm_pim_eligible_role_assignment" "this":
│   48: resource "azurerm_pim_eligible_role_assignment" "this" {
│
│ waiting for Role Management Policy: (Principal Id "<uuid>" / Scope
│ "/subscriptions/<uuid>/resourceGroups/<rgname>" / Role Definition Id
│ "/subscriptions/<uuid>/resourceGroups/<rgname>/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05")
│ to become ready: context canceled
```

### Expected Behaviour

The creation of the eligible assignment in the portal actually works; just the saving to the state does not.

### Actual Behaviour

Becomes available and gets saved to the state.

### Steps to Reproduce

I actually tried it with like a dozen combinations of role_definition_ids: data-sourced role definitions, IDs hardcoded as strings, with the scope prefixed, and without the scope prefixed. It always works to create it in the portal and always times out in Terraform afterwards.

### Important Factoids

_No response_

### References

_No response_
old-guy-coder commented 2 months ago

I am getting exactly the same on a resource-scoped (storage account) role assignment. Management group and subscription scoped assignments work fine, but anything lower fails to persist state even though the role assignment gets created.
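Both reports above describe the same symptom: the eligible assignment exists in Azure, but the provider's wait for the role management policy at a resource-group or resource scope never completes. The script below is an added example, not code from the issue or from the provider. It performs two checks a reviewer can run locally before touching Terraform: a static check that the `role_definition_id` is actually assignable at the given scope (the prefix must be empty for a built-in role, or the scope itself, or an ancestor of it), and a normalisation of the ID into the scope-prefixed form that appears in the error message. It also builds the ARM request for listing role eligibility schedule instances at that scope, filtered to the principal, so the existence of the assignment can be confirmed independently of Terraform state. It generalises beyond the issue to any scope level, including the storage-account scope from the second comment. Assumptions: the subscription, resource and principal GUIDs are constructed sample values (only the Monitoring Reader role GUID comes from the page), `api-version=2020-10-01` is assumed to be the version of the `roleEligibilityScheduleInstances` API, and running the URL through `az rest` assumes a logged-in Azure CLI.

```python
"""Added example (not the provider's or the issue author's code): consistency checks
for a PIM eligible role assignment at any Azure scope, plus the ARM request that
lets a reviewer confirm the eligibility exists independently of Terraform."""
import re
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2020-10-01"  # assumed api-version of the Microsoft.Authorization PIM schedule APIs

# <prefix> is the scope the definition is attached to ('' for a tenant-level built-in role).
ROLE_DEF_RE = re.compile(
    r"^(?P<prefix>.*?)/providers/Microsoft\.Authorization/roleDefinitions/"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)


def parse_role_definition_id(role_definition_id):
    """Split a role definition resource ID into (scope prefix, role GUID)."""
    m = ROLE_DEF_RE.match(role_definition_id)
    if not m:
        raise ValueError(f"not a role definition id: {role_definition_id!r}")
    return m.group("prefix").rstrip("/"), m.group("guid").lower()


def role_definition_visible_at(scope, role_definition_id):
    """True when the definition can be assigned at `scope`: its prefix is empty
    (built-in role), equal to the scope, or an ancestor of the scope. A role
    defined at a subscription is assignable at a resource group inside it, but
    not at a resource group of another subscription, and a role defined at a
    resource group is not assignable at the subscription above it."""
    prefix, _ = parse_role_definition_id(role_definition_id)
    s, p = scope.lower().rstrip("/"), prefix.lower()
    return p == "" or s == p or s.startswith(p + "/")


def scoped_role_definition_id(scope, role_definition_id):
    """Return the definition ID prefixed with the assignment scope, i.e. the form
    shown in the provider's "waiting for Role Management Policy" message."""
    _, guid = parse_role_definition_id(role_definition_id)
    return f"{scope.rstrip('/')}/providers/Microsoft.Authorization/roleDefinitions/{guid}"


def eligibility_instances_url(scope, principal_id):
    """ARM GET listing the role eligibility schedule instances at `scope` that are
    assigned to `principal_id`. Usable as (assumes a logged-in Azure CLI):
        az rest --method get --url "<url>" """
    filt = quote(f"assignedTo('{principal_id}')", safe="()'")
    return (f"{ARM}{scope.rstrip('/')}/providers/Microsoft.Authorization/"
            f"roleEligibilityScheduleInstances?api-version={API_VERSION}&$filter={filt}")


def check_assignment(scope, role_definition_id, principal_id):
    """Run all checks for one assignment and return the findings as a dict."""
    return {
        "scope": scope,
        "role_definition_visible": role_definition_visible_at(scope, role_definition_id),
        "scoped_role_definition_id": scoped_role_definition_id(scope, role_definition_id),
        "verify_url": eligibility_instances_url(scope, principal_id),
    }


if __name__ == "__main__":
    # Constructed sample values; only the Monitoring Reader GUID comes from the issue.
    SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
    RG = SUB + "/resourceGroups/rg-demo"
    STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo"
    MON_READER = "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05"
    PRINCIPAL = "11111111-1111-1111-1111-111111111111"
    for s in (SUB, RG, STORAGE):
        for key, value in check_assignment(s, MON_READER, PRINCIPAL).items():
            print(f"{key}: {value}")
        print()
```

The static check is the part worth keeping in a CI step: a `role_definition_id` whose prefix is a sibling or child of the assignment scope is rejected by ARM rather than waited on, so catching it before `terraform apply` narrows a timeout like the one above to the provider's readiness wait itself. The verification URL does not replicate that wait; it only answers whether the eligibility is present at the scope, which is the fact both comments report but cannot see from the state file.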