Cannot create role definition and assign to mgmn group #37
Comments
Unfortunately this is a known issue related to Azure and the way the AzureRM provider works. It's being investigated internally and is also logged here: hashicorp/terraform-provider-azurerm#10442. The cause appears to be related to a front end cache in Azure which only updates every 10 minutes and can result in the above errors. If you look in your environment you should see the role definition is successfully created, so you need to follow the instructions in the 2nd error to import this into your state file. This can also fail if you don't wait for the cache to update, so please allow 10 minutes after creation before trying. Also please be careful to use the correct resource ID format. Hopefully there will be a fix soon, but please add your comments to the provider issue as this is being tracked by MS support.
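The recovery the comment above describes (wait out the cache, then import the role definition that the first apply already created) as a small added script; this is not code from the module or from the issue. It assumes `az` and `terraform` are on PATH and logged in, that the import ID is `<role definition id>|<scope>` as in the second error above with the `|` separator restored, and the Terraform resource address, role name and scope are placeholders for your own values.

```bash
#!/usr/bin/env bash
# Added example, not part of the module or the issue thread.

# Build the import ID azurerm_role_definition expects:
# "<role definition id>|<scope>" (assumption: the ID quoted in the
# second error above, with the '|' separator restored).
role_def_import_id() {
  local guid="$1" scope="$2"
  printf '/providers/Microsoft.Authorization/roleDefinitions/%s|%s\n' "$guid" "$scope"
}

# Poll until the custom role is visible at the scope; the az CLI call and
# its flags are an assumption. Default: 12 tries, 60 s apart (~10 minutes).
wait_for_role_definition() {
  local role_name="$1" scope="$2" tries="${3:-12}" delay="${4:-60}"
  local i=1 guid
  while [ "$i" -le "$tries" ]; do
    guid=$(az role definition list --custom-role-only true --scope "$scope" \
             --query "[?roleName=='$role_name'].name" -o tsv 2>/dev/null)
    if [ -n "$guid" ]; then
      printf '%s\n' "$guid"   # the role definition's GUID ("name" property)
      return 0
    fi
    echo "attempt $i/$tries: '$role_name' not visible yet, sleeping ${delay}s" >&2
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}

# Import the role into state once it is visible (resource address is a placeholder).
import_role_definition() {
  local tf_address="$1" role_name="$2" scope="$3" guid
  guid=$(wait_for_role_definition "$role_name" "$scope") || {
    echo "gave up waiting for $role_name at $scope" >&2
    return 1
  }
  terraform import "$tf_address" "$(role_def_import_id "$guid" "$scope")"
}

# Example invocation (placeholder address and management group):
# import_role_definition 'module.<name>.azurerm_role_definition.<address>' \
#   ES-NetOps /providers/Microsoft.Management/managementGroups/es
```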
- Update Unit and E2E test pipelines to use YML templates and dynamic matrix generation.
- Add custom PS module for `Enterprise Scale Library Tools` to handle automated library template updates.
- Add script and GitHub Action to enable automated library template updates from [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale) repository using a CI pipeline.
- Add offline ProviderApiVersions cache in `Enterprise Scale Library Tools` to negate the need for Azure credentials.
- Update Library Templates (automated) using new CI process.
- Manual remediations to updated library templates to ensure full compatibility with Terraform (needs to be fixed at source to prevent regression).
- Update Policy Assignments and archetypes to provide parity with [WingTip reference Enterprise-Scale foundations](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md).
- Update Resource definitions in base module to use `name` field instead of `properties.displayName` to allow setting a more "human-friendly" displayName on policies and roles.
- Fix bug where duplicate roles are created at the same scope for policy assignments with managed identity.
- Add customizable delay between deployment of different resource types to reduce deployment errors due to caching and replication in the Azure API (Improvement to help Fix #37).
- Update `root_parent_id` validation regex to include support for additional supported characters (Fix #43).
We are getting a problem creating new roles.
We are trying to add two new role definitions.
One for netops and one for secops.
We are trying to assign them to root.
Example of netops:
{
  "name": "88888888-8888-8888-8888-888888888888",
  "type": "Microsoft.Authorization/roleDefinitions",
  "apiVersion": "2018-01-01-preview",
  "properties": {
    "roleName": "ES-NetOps",
    "description": "Enterprise-scale custom Role Definition. Grants access for network operations",
    "type": "customRole",
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Network/vpnGateways/*",
          "Microsoft.Network/routeTables/write",
          "Microsoft.Network/vpnSites/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/"
    ]
  }
}
In archetype_definition_es_root:
  "role_definitions": [
    "ES-NetOps",
    "ES-SecOps"
  ]
First time creating the roles:
Error message:
Error: authorization.RoleDefinitionsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="RoleDefinitionDoesNotExist" Message="The specified role definition with ID '**' does not exist."
Re-run (without updates to code):
Error: A resource with the ID "/providers/Microsoft.Authorization/roleDefinitions/**/providers/Microsoft.Management/managementGroups/es" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_role_definition" for more information.
Reflection on the error:
Could it have something to do with uuidv5?
#7
Do you have any suggestions on what we are doing wrong?