Open knuterik-ballestad opened 1 month ago
Before upgrading to the latest azurerm + terraform runtime, terraform failed "gracefully", allowing us to re-run the GitHub Action with the terraform apply - and then the role assignments were re-created with the correct, updated constraints.
@knuterik-ballestad Presumably, the loop in your case covers all the original owners, including the principal that is running terraform. Also, assuming your workspace has kept track of all these principals' states, when your change introduces a "replace", terraform will remove the role assignments prior to creating the new ones. That's why you saw the error.
If the above assumption holds, it looks like a "shoot yourself in the foot" case. My suggestion is to at least not include the principal that runs terraform in the sub_owners.
Well, the principal that runs terraform, and certain admin users, are set as Owners in the management structure, and not directly on the subscription - though the subscription inherits these Owners of course.
Our script only assigns one Owner directly to the subscription - the requester of the subscription to be created. That is why terraform has trouble when updating the Owner's constraint - because instead of just adding a constraint, the whole role assignment is:
So, if terraform could check also inherited Owners, and not only directly assigned, this would be solved.
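The mitigation the maintainer suggests above (keep the identity that runs terraform out of the looped Owner assignments, so a "replace" can never drop its own access mid-apply), as an added illustration that is not the reporter's configuration (the issue does not include it). The variable names, the `owner_condition` variable, and the use of the ABAC `condition` argument as the "constraint" being updated are assumptions:

```hcl
# Added example, not the reporter's code. Assumed inputs: a set of principal
# object IDs to make Owner on the new subscription, the subscription ID, and an
# optional ABAC condition string (assumed to be the "constraint" in the thread).
variable "sub_owners" {
  type = set(string)
}

variable "subscription_id" {
  type = string
}

variable "owner_condition" {
  type    = string
  default = null
}

# Identity that terraform itself is running as.
data "azurerm_client_config" "current" {}

locals {
  # Remove the running principal from the loop. Its Owner access comes from the
  # management group level anyway, so a replacement of these assignments can no
  # longer remove the permission that the apply itself depends on.
  sub_owners_effective = setsubtract(
    var.sub_owners,
    [data.azurerm_client_config.current.object_id],
  )
}

resource "azurerm_role_assignment" "sub_owner" {
  for_each             = local.sub_owners_effective
  scope                = "/subscriptions/${var.subscription_id}"
  role_definition_name = "Owner"
  principal_id         = each.value

  # Changing the condition forces a replace (destroy, then create) of the
  # assignment, which is the sequence the thread describes.
  condition_version = var.owner_condition == null ? null : "2.0"
  condition         = var.owner_condition
}
```

With this in place a plan that changes `owner_condition` still replaces every looped assignment, but the principal performing the apply is never among them, so the destroy step cannot strip the permission needed to finish the create step.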
Is there an existing issue for this?
Community Note
Terraform Version
AzureRM Provider Version
~> 3.104.2
Affected Resource(s)/Data Source(s)
azurerm
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
We expect terraform to either be able to modify the role assignment or fail gracefully.
Actual Behaviour
Terraform removes Owner from all ALZ subscriptions, and THEN fails in a state that doesn't even let us re-run TF to apply the role assignments again.
Steps to Reproduce
Important Factoids
No response
References
No response