azurerm_pim_eligible_role_assignment fails with err 400 when User Access Administrator permission of deploying identity is limited using conditions #28067
│ Error: retrieving Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/xxx"
│ Role Eligibility Schedule Request Name: "b61a08cd-dd7e-d0df-a9a6-33736553862f"): unexpected status 400 (400 Bad Request) with error: InsufficientPermissions: The requestorxxx does not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.
│
│ with module.workloadSubscriptions["xxx"].azurerm_pim_eligible_role_assignment.readerGroup[0],
│ on ../../modules/subscription/workloadEligibleRoleAssignments.tf line 34, in resource "azurerm_pim_eligible_role_assignment" "readerGroup":
│ 34: resource "azurerm_pim_eligible_role_assignment" "readerGroup" {
│ │ retrieving Scoped Role Eligibility Schedule Request (Scope:
│ "/subscriptions/xxx"
│ Role Eligibility Schedule Request Name:
│ "b61a08cd-dd7e-d0df-a9a6-33736553862f"): unexpected status 400 (400 Bad
│ Request) with error: InsufficientPermissions: The requestor
│ xxx does not have permissions for this
│ request. Please use $filter=asTarget() to filter on the requestor's
│ assignments.
Expected Behaviour
The deploying service principal has the following permissions on the affected subscriptions:
Contributor
User Access Administrator limited with Conditions
The deployment should create an eligible role assignment.
Actual Behaviour
The role assignment cannot be created due to a permission error. This is most likely due to the principal_type not being properly specified in the azurerm_pim_eligible_role_assignment resource.
When we want to create a role assignment using azurerm_role_assignment while using conditions on the User Access Administrator permission, we have to specify principal_type, or the role assignment will fail with a similar error.
As soon as we assign User Access Administrator permissions without conditions, the role assignment works.
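As an added example (not configuration from the issue or from the azurerm provider project), the following HCL shows the pattern the report describes for azurerm_role_assignment: a User Access Administrator assignment limited by an ABAC condition so the deployer can only hand out the Reader role, and only to groups, followed by a Reader assignment created under that constraint with principal_type set. The variable names, local names and object IDs are assumptions and placeholders; the Reader role definition GUID is the built-in one. In practice the first resource is applied by a subscription owner and the second by the constrained deployer, so they would live in separate configurations.

```hcl
# Added example (not from the issue or the provider project): a least-privilege
# User Access Administrator delegation limited by an ABAC condition, and a role
# assignment created under it. All object IDs are placeholders.

variable "subscription_id" {
  type = string
}

variable "deployer_object_id" {
  type        = string
  description = "Object ID of the deploying service principal (placeholder)"
}

variable "reader_group_object_id" {
  type        = string
  description = "Object ID of the Entra ID group that should receive Reader (placeholder)"
}

locals {
  # Built-in Reader role definition GUID.
  reader_role_id = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
  scope          = "/subscriptions/${var.subscription_id}"
}

# User Access Administrator for the deployer, constrained so that role
# assignment writes are only allowed for the Reader role and only to groups.
# Every other action granted by the role is left unconstrained by the NOT branch.
resource "azurerm_role_assignment" "deployer_uaa" {
  scope                = local.scope
  role_definition_name = "User Access Administrator"
  principal_id         = var.deployer_object_id
  principal_type       = "ServicePrincipal"

  condition_version = "2.0"
  condition         = <<-EOT
    (
      (
        !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
      )
      OR
      (
        @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${local.reader_role_id}}
        AND
        @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group'}
      )
    )
  EOT
}

# Assignment made by the constrained deployer. principal_type must be set here:
# the condition above filters on PrincipalType, and Azure can only evaluate that
# attribute when the request states the principal type explicitly.
resource "azurerm_role_assignment" "reader_group" {
  scope                = local.scope
  role_definition_name = "Reader"
  principal_id         = var.reader_group_object_id
  principal_type       = "Group"
}
```

If principal_type is omitted from the second resource, the request carries no principal type for the condition to match and the write is refused with a permissions error; the eligible-assignment resource in the report offers no such argument to set, which is the gap the reporter attributes the 400 to. The condition shown constrains only roleAssignments/write; a production delegation would usually constrain roleAssignments/delete in the same way.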
Terraform Version
1.8.0
AzureRM Provider Version
4.8.0
Affected Resource(s)/Data Source(s)
azurerm_pim_eligible_role_assignment
Terraform Configuration Files
Debug Output/Panic Output
Steps to Reproduce
No response
Important Factoids
No response
References
No response