azurerm_role_assignment resource throws no error on wrong subscription level scope

[derbl4ck]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.5

AzureRM Provider Version

4.6.0

Affected Resource(s)/Data Source(s)

azurerm_role_assignment

Terraform Configuration Files

data "azurerm_billing_enrollment_account_scope" "xyz" {
  billing_account_name    = "1234"
  enrollment_account_name = "1234"
}

resource "azurerm_subscription" "xyz" {
  subscription_name = "xyz"
  billing_scope_id  = data.azurerm_billing_enrollment_account_scope.xyz.id
}

resource "azuread_group" "xyz" {
  ...
}

resource "azurerm_role_assignment" "xyz" {
  role_definition_name = "Contributor"
  principal_id         = azuread_group.xyz.object_id
  scope                = azurerm_subscription.xyz.id
}

Debug Output/Panic Output

First time running:
azurerm_role_assignment.landingzone_maintainers_rbac_contrib: Still creating... [20s elapsed]
azurerm_role_assignment.xyz: Creation complete after 22s [id=/providers/Microsoft.Subscription/aliases/12341234-1234-1234-1234-123412341234/providers/Microsoft.Authorization/roleAssignments/7be64568-757d-fbe6-74db-f75c60dddf3f]

After first tf apply:
No changes. Your infrastructure matches the configuration.

Expected Behaviour

If an invalid scope is provided, or ARM API did not create an role assignment, there should be a sufficient error message.

Actual Behaviour

The ID attribute of the azurerm_subscription resource and data source should match. Due to a change mentioned in #22919 the ID of the azurerm_subscription resource now is equal to "/providers/Microsoft.Subscription/aliases/12341234-1234-1234-1234-123412341234" instead of "/subscriptions/12341234-1234-1234-1234-123412341234". While using this as scope for the azurerm_role_assignment resource, there is no error thrown in the terraform output. If you navigate to the Azure Portal or Check it via ARM API, you can verify that no role assignment was created. We should add a sufficient error message if a scope of this scheme is provided.

Steps to Reproduce

1. create an azure subscription via terraform azurerm provider
2. use this azurerm_subscription resource as scope. Make sure you are NOT using the data source
3. Navigate to the azure portal or verify via ARM API that no role assignment was created

Important Factoids

No response

References

22919

[tiwood]

The role assignment you've created is valid, it's just not the one you expected or required for your use case.

As long as the role definition is available at the given (valid) scope, you can assign it, otherwise the API will throw.

To assist the practitioner here, we would need to do sanity checks on the provider side, which is probably out of scope as this has to be hard-coded, example:

Billing reader does not make sense on /providers/Microsoft.Foo, therefore throw an error during plan.