Assignable Scope keeps reporting a deleted scope

[rknabben]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.3

AzureRM Provider Version

3.106.0

Affected Resource(s)/Data Source(s)

azurerm_role_definition

Terraform Configuration Files

resource "azurerm_role_definition" "customRole" { 
    name: "Web App Restarter Role"
    scope: "/providers/Microsoft.Management/managementGroups/xxxxxx"
    description: "Allows the user to restart a web app"
    actions:["Microsoft.Web/sites/restart/Action", "Microsoft.Web/sites/read"]
    not_actions: []
    data_actions: []
    not_data_actions: []
    assignable_scopes: []
}

Debug Output/Panic Output

# module.xxxx_azure_custom_roles.azurerm_role_definition.customRole["Web App Restarter Role"] will be updated in-place
  ~ resource "azurerm_role_definition" "customRole" {
      ~ assignable_scopes           = [
          - "/providers/Microsoft.Management/managementGroups/xxxxxx",
        ]
        id                          = "/providers/Microsoft.Authorization/roleDefinitions/***************|/providers/Microsoft.Management/managementGroups/xxxxxx"
        name                        = "Web App Restarter Role"
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Expected Behaviour

Nothing.

The result should have been: "No changes"

Actual Behaviour

The message was shown that the assignable scopes would be removed.

Which in theory is true, as the assignable scopes list is empty in the call. However as per the documentation, the scope of the role is automatically added to the assignable scope list if it is empty, so there will be no removal, and thus the output is wrong as it is not based on the final version of the assignable scope list (which includes the scope), and it keeps showing the scope to be removed from the "assignable scopes"where in fact it is not removed at all.

Currently the only workaround is to manually add the scope to the assignable scope list to avoid this "invalid" response.

Steps to Reproduce

terraform plan or terraform apply

Important Factoids

No response

References

No response

[xuzhang3]

@rknabben did you add assignable_scopes = [] to your HCL config? You should remove this from your script. The diff is generated from on the difference between state file and the HCL config.

[rknabben]

Yes, the module does indeed add assignable_scopes = [] to the config as I didn't use dynamic for this parameter. So apart from you being correct on that aspect, i still consider this to be a "bug", because:

The terraform plan states it is going to remove the assignable_scope, where terraform apply does not actually remove the assignable_scope, as the scope is added to this assignable scope.

So in my humble opinion, the terraform should not state it is going to remove something that it will not actually remove. e.g. the statefile vs HCL config behaves differently from the actual "apply" execution of the plan.

[xuzhang3]

This is the tricky part between service and Terraform. The sate file based on the service response while local HCl is user based. In some cases, some properties have default values ​​from the service side. Take assignable_scopes for example, local HCL set it to [] while service will set it with a different value.
Several workarounds for this:

1. Ignore the change of assignable_scopes
2. Not set assignable_scopes in the HCl, let service handle it.
3. Update the assignable_scopes based on the plan output.