Open davidngs1996 opened 1 month ago
We also run into this issue. For us the plan already fails when something is in the state file (added by an account with more permissions). However, for our read-only SP we don't want other permissions to be added, only */read.
Why are the write permissions needed? And can this be avoided?
Is there an existing issue for this?
Community Note
Terraform Version
1.8.1
AzureRM Provider Version
3.99
Affected Resource(s)/Data Source(s)
azurerm_pim_active_role_assignment, azurerm_pim_eligible_role_assignment
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
Import successfully
Actual Behaviour
When using a read-only SP (with Action: "*/read"): terraform plan is working perfectly; import failed due to insufficient permission.
Import works only after adding "Microsoft.Authorization/roleAssignments/write".
Why does import need write permission?
Steps to Reproduce
1. az login (user level)
2. terraform apply --auto-approve
3. remove azurerm_pim_active_role_assignment manually from tfstate
4. az login --service-principal -t {Tenant-ID} -u {Client-ID} -p {Client-secret} (to use the read-only SP)
5. terraform import azurerm_pim_active_role_assignment.example "/providers/Microsoft.Management/managementGroup/{managementGroupId}|/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}|{objectId}"
Important Factoids
No response
References
No response
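As an added illustration (not code from the provider or from the reporter), here is a small evaluator that checks an Azure RBAC role definition against the actions named in this issue, so a read-only SP's role can be checked before an import is attempted. The two role definitions and the plan/import action lists are constructed for the example; it assumes the Actions/NotActions wildcard semantics of Azure custom-role JSON and ignores DataActions.

```python
"""Check whether an Azure RBAC role definition grants a control-plane action.
Added example: constructed roles mirror the issue (an SP with only "*/read"
versus one that also holds Microsoft.Authorization/roleAssignments/write)."""
import re


def _action_matches(pattern: str, action: str) -> bool:
    # Azure RBAC: '*' matches any run of characters; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(role: dict, action: str) -> bool:
    """Effective permission = Actions minus NotActions (DataActions not modelled)."""
    allowed = any(_action_matches(p, action) for p in role.get("Actions", []))
    denied = any(_action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role: dict, required: list) -> list:
    """Return the required actions this role does not grant, in order."""
    return [a for a in required if not is_allowed(role, a)]


# Constructed role definitions in the shape of Azure custom-role JSON (assumption).
READ_ONLY_SP = {"Name": "read-only-sp", "Actions": ["*/read"], "NotActions": []}
IMPORT_SP = {
    "Name": "import-sp",
    "Actions": ["*/read", "Microsoft.Authorization/roleAssignments/write"],
    "NotActions": [],
}

# Constructed action lists: plan only reads; per the issue, import of the PIM
# active role assignment additionally needed roleAssignments/write.
PLAN_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
]
IMPORT_ACTIONS = PLAN_ACTIONS + ["Microsoft.Authorization/roleAssignments/write"]

if __name__ == "__main__":
    for role in (READ_ONLY_SP, IMPORT_SP):
        print(role["Name"], "missing for import:", missing_actions(role, IMPORT_ACTIONS))
```

Feeding a real role definition (e.g. the JSON of a custom role) to `missing_actions` shows exactly which action is short before granting anything broader than */read.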