hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Unable to determine the Resource Manager ID for Managed HSM Data Plane Role Assignment ID #26425

Open cameron-cpu opened 3 months ago

cameron-cpu commented 3 months ago

Terraform Version

1.8.2

AzureRM Provider Version

3.105.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault_managed_hardware_security_module_role_assignment

Terraform Configuration Files

```hcl
resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "xxxx" {
  # Only created when var.hsm is set and var.cmk is not.
  count              = var.hsm && !var.cmk ? 1 : 0
  name               = one(random_uuid.xxxx[*].result)
  managed_hsm_id     = data.azurerm_key_vault_managed_hardware_security_module.xxxx.id
  # Data-plane scope: a single key inside the Managed HSM.
  scope              = "/keys/${var.name}"
  role_definition_id = data.azurerm_key_vault_managed_hardware_security_module_role_definition.user.id
  principal_id       = var.uas_principal_id
  depends_on = [
    ciso_hsm.cmkdisk
  ]
}
```

Debug Output/Panic Output

```text
│ Error: unable to determine the Resource Manager ID for Managed HSM Data Plane Role Assignment ID (Managed HSM Name "xxxxxx" | Domain Suffix Name "managedhsm.azure.net" | Scope "/keys/xxxxxxxxxx" | Role Assignment Name "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
│
│   with module.storage-account["xxxxxxx"].azurerm_key_vault_managed_hardware_security_module_role_assignment.xxxx[0],
│   on modules\storage-account\main.tf line 140, in resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "xxxx":
│  140: resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "xxxx" {
│
│ unable to determine the Resource Manager ID for Managed HSM Data Plane Role
│ Assignment ID (Managed HSM Name "xxxxxx" | Domain Suffix Name
│ "managedhsm.azure.net" | Scope "/keys/xxxxxxxx" | Role Assignment
│ Name "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
╵
```

Expected Behaviour

Nothing, no error ideally.

Actual Behaviour

We get the error every time we complete a terraform plan, after we tried removing a role and got the same error.

Steps to Reproduce

We gave read rights to the HSM (as per the previously raised request, https://github.com/hashicorp/terraform-provider-azurerm/issues/26211). We then created an identity and assigned it the role to access a key; however, following this we are unable to remove the role. The linked error is then generated every single time we do a plan/write.

Important Factoids

No response

References

https://github.com/hashicorp/terraform-provider-azurerm/issues/26211

tombuildsstuff commented 3 months ago

hey @cameron-cpu

As mentioned in #26211, Terraform will need access to List the Managed HSMs within the Subscription and permission to retrieve the Managed HSM in question - as such can you confirm the permissions being used where Terraform is running, so that we can better understand the issue here?

Thanks!
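To make the lookup described in the comment above concrete, here is an added illustration (not code from the provider or from anyone on this thread): it takes the four components the provider prints in the error (HSM name, domain suffix, scope, role assignment name) and tries to map them to a Resource Manager ID using whatever Managed HSMs the running identity was able to list. The matching key (data-plane hostname against the listed HSM URI), the `ManagedHSM` struct, `SampleListing` and all IDs in it are assumptions made for the example; the point it shows is that an empty or incomplete listing, which is what a missing List permission produces, ends in the same error text as on this issue, regardless of whether the identity could otherwise set the role.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ManagedHSM is a constructed stand-in for one entry of an ARM
// "list Managed HSMs in this subscription" result: display name, data-plane
// URI and Resource Manager ID. Field layout is an assumption for this example.
type ManagedHSM struct {
	Name              string
	HSMURI            string // e.g. https://hsm-prod.managedhsm.azure.net/
	ResourceManagerID string
}

// DataPlaneRoleAssignmentID carries the four components the provider prints
// in the error on this issue.
type DataPlaneRoleAssignmentID struct {
	ManagedHSMName     string
	DomainSuffix       string // e.g. managedhsm.azure.net
	Scope              string // e.g. /keys/mykey
	RoleAssignmentName string // a UUID
}

// ErrHSMNotVisible is wrapped into the user-facing error when no listed HSM
// matches the data-plane ID, so callers can test for it with errors.Is.
var ErrHSMNotVisible = errors.New("managed HSM not present in the list the identity can see")

// hostFromURI turns "https://hsm-prod.managedhsm.azure.net/" into
// "hsm-prod.managedhsm.azure.net".
func hostFromURI(uri string) string {
	h := strings.TrimPrefix(strings.TrimPrefix(uri, "https://"), "http://")
	return strings.ToLower(strings.TrimSuffix(h, "/"))
}

// ResolveResourceManagerID matches "<name>.<suffix>" from the data-plane ID
// against the HSMs the caller managed to list and returns that HSM's Resource
// Manager ID. Assumption (not taken from provider source): the match key is the
// data-plane hostname. An empty list (no List permission) or a list that does
// not contain the HSM yields the same wording the provider uses.
func ResolveResourceManagerID(id DataPlaneRoleAssignmentID, listed []ManagedHSM) (string, error) {
	want := strings.ToLower(id.ManagedHSMName + "." + id.DomainSuffix)
	for _, hsm := range listed {
		if hostFromURI(hsm.HSMURI) == want {
			return hsm.ResourceManagerID, nil
		}
	}
	return "", fmt.Errorf("unable to determine the Resource Manager ID for Managed HSM Data Plane Role Assignment ID (Managed HSM Name %q | Domain Suffix Name %q | Scope %q | Role Assignment Name %q): %w",
		id.ManagedHSMName, id.DomainSuffix, id.Scope, id.RoleAssignmentName, ErrHSMNotVisible)
}

// SampleListing is constructed data standing in for a successful List call
// made by an identity that can see exactly one HSM, hsm-prod. The subscription
// and resource group IDs are placeholders.
func SampleListing() []ManagedHSM {
	return []ManagedHSM{{
		Name:              "hsm-prod",
		HSMURI:            "https://hsm-prod.managedhsm.azure.net/",
		ResourceManagerID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hsm/providers/Microsoft.KeyVault/managedHSMs/hsm-prod",
	}}
}

func main() {
	id := DataPlaneRoleAssignmentID{
		ManagedHSMName:     "hsm-prod",
		DomainSuffix:       "managedhsm.azure.net",
		Scope:              "/keys/cmk-disk",
		RoleAssignmentName: "11111111-1111-1111-1111-111111111111",
	}

	// The identity can list the HSM: resolution succeeds.
	rmID, err := ResolveResourceManagerID(id, SampleListing())
	fmt.Println(rmID, err)

	// The identity cannot list HSMs (empty result): the provider-style error.
	_, err = ResolveResourceManagerID(id, nil)
	fmt.Println(errors.Is(err, ErrHSMNotVisible), err)
}
```

The check a practitioner would run against a real tenant is the same shape: confirm that the principal Terraform authenticates as can both list Managed HSMs in the subscription the provider is configured for and read the specific HSM, before looking for a fault in the role assignment itself.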

riemers commented 3 months ago
[image]

Would this already be sufficient? As this did allow us to 'set' the role. The HSM, though, is in another subscription where we don't have many rights. So this 'list' you also refer to, I am not aware of. Everything is closed down here, but if there are options I can always ask for changes (as long as it does not compromise stuff). Is there any particular thing that I can ask them to check so that it will then work, as I have them in co-operation mode currently? :)