azurerm_role_assignment Error loading role assignment after azurerm provider version upgrade


We had created role assignments with version 2.57.0, and then we tried to bump the version to 3.49.0, but it started failing. Then we tried to incrementally increase the version, and it works only up to 2.61.0. Beyond this, we get the authorization failure error.

We even tried updating the resource type to azurerm_management_group_policy_assignment as these assignments are on the root management group.

The same code with the latest version works on newly created assignments and roles. The issue is only with the existing role assignments that were created with version 2.57.0.

Here is the code:

locals {
  rolename               = ["Monitoring Contributor", "Log Analytics Contributor"]
  management_group_scope = "/providers/Microsoft.Management/managementgroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

resource "azurerm_policy_assignment" "dine_policy" {

  .....

}

# One role assignment per role name, granted to the policy assignment's managed identity
resource "azurerm_role_assignment" "law_roles" {
  count = length(local.rolename)

  scope                = local.management_group_scope
  role_definition_name = local.rolename[count.index]
  principal_id         = azurerm_policy_assignment.dine_policy.identity[0].principal_id
}

And here is the error:

Error loading Role assignment "/providers/Microsoft.Management/managementgroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments/<ROLE_ID>": authorization.RoleAssignmentsClient#GetByID: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<CLIENT ID>' with object id '<OBJECT ID>' does not have authorization to perform action 'Microsoft.Management.managementGroups/Microsoft.Management/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Microsoft.Authorization/<ROLE_ID>/read' over scope '/providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementgroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments' or the scope is invalid. If access was recently granted, please refresh your credentials.

What we see is that the "/providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementgroups" is repeating in the following string from the error message:

"/providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementgroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments"

The SPN has management group contributor on the root tenant, so it has enough permissions to read the role assignments. The same code works for newly created role assignments.

There is 1 answer

Vinay B

I tried troubleshooting the azurerm_role_assignment "Error loading role assignment" after the azurerm provider version upgrade, and I came across certain observations about this behavior.

Going through the query it seems like you are encountering an issue with Terraform while managing Azure Role Assignments.

  • Upgrading from version 2.57.0 to 3.49.0 is a significant jump, and there might be breaking changes or updates in the AzureRM provider that could affect existing infrastructure.
  • You mentioned changing the resource type to azurerm_management_group_policy_assignment. Ensure that this change is compatible with your existing setup and that all necessary permissions are in place for this resource type.
  • The error message indicates that the scope string is being repeated. This might be causing the authorization system to fail to correctly identify the resource. Double-check the local.management_group_scope variable and ensure that it is correctly formatted. It should typically be in the format /providers/Microsoft.Management/managementGroups/{management-group-id}
  • Also, as the code works with newly created role assignments, there might be an issue with how the existing role assignments are being managed or identified.

My Demo Terraform Configuration:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.49"
    }
  }
}

provider "azurerm" {
  features {}
}

locals {
  rolename               = ["Monitoring Contributor", "Log Analytics Contributor"]
  management_group_scope = "/providers/Microsoft.Management/managementGroups/actual-management-group-id" # Replace with your actual management group ID
  tag_name               = "Environment"
}

# Create a custom policy definition.
# It is defined at the management group so that it can be assigned at that scope.
resource "azurerm_policy_definition" "custom" {
  name                = "audit-resources-without-tag"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "Audit Resources Without Specific Tag"
  management_group_id = local.management_group_scope

  policy_rule = <<POLICY_RULE
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": {
    "effect": "audit"
  }
}
POLICY_RULE

  parameters = <<PARAMETERS
{
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag to audit for"
    }
  }
}
PARAMETERS
}

# Create a policy assignment on the management group.
# management_group_id takes the full resource ID, and the identity block (which
# requires a location) is what makes identity[0].principal_id available below.
resource "azurerm_management_group_policy_assignment" "example" {
  name                 = "ex-policy-assign"
  policy_definition_id = azurerm_policy_definition.custom.id
  management_group_id  = local.management_group_scope
  location             = "eastus" # required whenever an identity is set

  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    "tagName" = local.tag_name
  })
}

# Assign roles to the policy assignment's managed identity
resource "azurerm_role_assignment" "law_roles" {
  count = length(local.rolename)

  scope                = local.management_group_scope
  role_definition_name = local.rolename[count.index]
  principal_id         = azurerm_management_group_policy_assignment.example.identity[0].principal_id
}

This code is for reference purposes, so please check it with your respective placeholders filled in.

You can also check the bug report that was raised for this error, which was caused by the change in the provider version.
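As an added illustration (not code from the question or from the answer above), the following Python script models the two checks both posts circle around: the casing of the scope string (the answer's format note) and the doubled "/providers/Microsoft.Management/managementGroups/providers/..." path in the question's 403 message. It assumes, and this is an assumption the thread does not confirm, that the doubled path comes from a stricter ID parser that no longer recognises the lowercase "managementgroups" segment stored by the older provider; strict_scope is a simplified model of that behaviour, not the provider's code. The SAMPLE_STATE entries and every GUID in them are constructed. If that reading is right, the repair is to drop the stale state entry and re-import it under the canonical ID, which repair_commands emits as terraform state rm / terraform import lines.

```python
import re

# Azure's canonical spelling of a management-group scope.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Tolerant matcher: any casing of the provider/type segments, optional
# roleAssignments suffix, so IDs written by older provider versions (which
# the question shows with a lowercase "managementgroups") still parse.
_SCOPE_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)"
    r"(?:/providers/Microsoft\.Authorization/roleAssignments/(?P<ra>[^/]+))?$",
    re.IGNORECASE,
)

# Constructed sample of two state entries (GUIDs are made up): one written
# with the lowercase segment, one already in canonical form.
SAMPLE_STATE = {
    "azurerm_role_assignment.law_roles[0]":
        "/providers/Microsoft.Management/managementgroups/11111111-1111-1111-1111-111111111111"
        "/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "azurerm_role_assignment.law_roles[1]":
        "/providers/Microsoft.Management/managementGroups/11111111-1111-1111-1111-111111111111"
        "/providers/Microsoft.Authorization/roleAssignments/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
}


def parse_scope(resource_id):
    """Return (management_group_name, role_assignment_name_or_None).

    Raises ValueError for anything that is not a management-group-scoped ID,
    e.g. a subscription or resource-group scope.
    """
    m = _SCOPE_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a management-group scope: {resource_id}")
    return m.group("mg"), m.group("ra")


def canonical_id(resource_id):
    """Rebuild the ID with the exact casing Azure itself uses."""
    mg, ra = parse_scope(resource_id)
    out = f"{MG_PREFIX}{mg}"
    if ra is not None:
        out += f"/providers/Microsoft.Authorization/roleAssignments/{ra}"
    return out


def strict_scope(resource_id):
    """Simplified model (an assumption, not the provider's code) of a parser
    that only recognises the canonical prefix. Any other spelling is treated
    as an unknown scope and prefixed again, which reproduces the doubled
    '/providers/Microsoft.Management/managementGroups/providers/...' path in
    the question's 403 message."""
    if resource_id.startswith(MG_PREFIX):
        mg = resource_id[len(MG_PREFIX):].split("/", 1)[0]
        return MG_PREFIX + mg
    parent = resource_id.rsplit("/", 1)[0]  # drop the role assignment name
    return MG_PREFIX + parent.lstrip("/")


def repair_commands(address, state_id):
    """Terraform CLI lines that replace a stale state entry with one keyed by
    the canonical ID; empty when the stored ID already matches."""
    fixed = canonical_id(state_id)
    if fixed == state_id:
        return []
    return [
        f"terraform state rm '{address}'",
        f"terraform import '{address}' '{fixed}'",
    ]


if __name__ == "__main__":
    for address, rid in SAMPLE_STATE.items():
        print(address)
        print("  strict parser reads scope as:", strict_scope(rid))
        cmds = repair_commands(address, rid)
        print("  repair:", " && ".join(cmds) if cmds else "nothing to do")
```

To use it against a real workspace, take the resource address from terraform state list and the stored id from terraform state show <address>; those are the address and state_id arguments. Re-importing touches only the Terraform state entry, not the role assignment in Azure, so it is a safe first step before anything more invasive.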