diff --git a/internal/services/authorization/role_assignment_resource.go b/internal/services/authorization/role_assignment_resource.go
index 40ebcee8028c..50f7b906096b 100644
--- a/internal/services/authorization/role_assignment_resource.go
+++ b/internal/services/authorization/role_assignment_resource.go
@@ -138,15 +138,14 @@ func resourceArmRoleAssignment() *pluginsdk.Resource {
 Type: pluginsdk.TypeString,
 Optional: true,
 ForceNew: true,
- RequiredWith: []string{"condition_version"},
 ValidateFunc: validation.StringIsNotEmpty,
 },
 
 "condition_version": {
- Type: pluginsdk.TypeString,
- Optional: true,
- ForceNew: true,
- RequiredWith: []string{"condition"},
+ Type: pluginsdk.TypeString,
+ Optional: true,
+ ForceNew: true,
+ Computed: true,
 ValidateFunc: validation.StringInSlice([]string{
 "1.0",
 "2.0",
@@ -238,11 +237,15 @@ func resourceArmRoleAssignmentCreate(d *pluginsdk.ResourceData, meta interface{}
 condition := d.Get("condition").(string)
 conditionVersion := d.Get("condition_version").(string)
 
- if condition != "" && conditionVersion != "" {
+ switch {
+ case condition != "" && conditionVersion != "":
 properties.RoleAssignmentProperties.Condition = utils.String(condition)
 properties.RoleAssignmentProperties.ConditionVersion = utils.String(conditionVersion)
- } else if condition != "" || conditionVersion != "" {
- return fmt.Errorf("`condition` and `conditionVersion` should be both set or unset")
+ case condition != "" && conditionVersion == "":
+ properties.RoleAssignmentProperties.Condition = utils.String(condition)
+ properties.RoleAssignmentProperties.ConditionVersion = utils.String("2.0")
+ case condition == "" && conditionVersion != "":
+ return fmt.Errorf("`conditionVersion` should not be set without `condition`")
 }
 
 skipPrincipalCheck := d.Get("skip_service_principal_aad_check").(bool)
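Review bot: Dropping `RequiredWith` from `condition_version` in the schema hunk moves the "version set without a condition" rejection from plan time to the apply-time error in the create path, so the misconfiguration now surfaces only after a plan has been approved. Only the `RequiredWith` on `condition` had to go to allow an implicit version; keeping `RequiredWith: []string{"condition"},` on `condition_version` next to `Computed: true,` would preserve the plan-time check (worth confirming the SDK's schema validation accepts that combination). `Computed: true` also relies on the Read function, which is outside this diff, writing the server-side `condition_version` back into state; if it does not, an operator who later pins `condition_version = "2.0"` explicitly will get a ForceNew diff and the assignment, an authorization control, will be destroyed and recreated.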
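Review bot: The error returned by the last `case` in the create hunk names `conditionVersion`, which is not something a user can write; the HCL attribute is `condition_version`, so it should read `return fmt.Errorf("`+"`"+`condition_version`+"`"+` should not be set without `+"`"+`condition`+"`"+`")` (plain backticks around `condition_version` and `condition`). The first two cases assign `Condition` identically and differ only in the version, so the switch can collapse to one branch that defaults the version, which also keeps the hard-coded `"2.0"` in a single place rather than duplicating the schema's `StringInSlice` value. resourceArmRoleAssignmentCreate starts and ends outside the hunk.
```go
	// … unchanged: condition / conditionVersion read from d …
	if condition != "" {
		if conditionVersion == "" {
			// default to the newest version the schema accepts
			conditionVersion = "2.0"
		}
		properties.RoleAssignmentProperties.Condition = utils.String(condition)
		properties.RoleAssignmentProperties.ConditionVersion = utils.String(conditionVersion)
	} else if conditionVersion != "" {
		return fmt.Errorf("`condition_version` should not be set without `condition`")
	}
```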
diff --git a/internal/services/authorization/role_assignment_resource_test.go b/internal/services/authorization/role_assignment_resource_test.go
index fe48ab290a1e..4081b02a7886 100644
--- a/internal/services/authorization/role_assignment_resource_test.go
+++ b/internal/services/authorization/role_assignment_resource_test.go
@@ -214,6 +214,23 @@ func TestAccRoleAssignment_condition(t *testing.T) {
 })
 }
 
+func TestAccRoleAssignment_implicitCondition(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
+ id := uuid.New().String()
+
+ r := RoleAssignmentResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.implicitConditionVersion(id),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep("skip_service_principal_aad_check"),
+ })
+}
+
 func TestAccRoleAssignment_resourceScoped(t *testing.T) {
 data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
 id := uuid.New().String()
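Review bot: TestAccRoleAssignment_implicitCondition only asserts that the assignment exists, so it never pins the behaviour the change introduces, namely that an omitted `condition_version` ends up as `"2.0"`; add `check.That(data.ResourceName).Key("condition_version").HasValue("2.0"),` after the `ExistsInAzure` check. Without that assertion a regression that sends an empty version, or one the API normalises to a different value, would still pass. The `ImportStep` only catches this if Read writes `condition_version` back into state, which this diff does not show.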
@@ -576,8 +593,32 @@ resource "azurerm_role_assignment" "test" {
 role_definition_name = "Monitoring Reader"
 principal_id = data.azurerm_client_config.test.object_id
 description = "Monitoring Reader except "
- condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'"
- condition_version = "1.0"
+ condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEqualsIgnoreCase 'foo_storage_container'"
+ condition_version = "2.0"
+}
+`, groupId)
+}
+
+func (RoleAssignmentResource) implicitConditionVersion(groupId string) string {
+ return fmt.Sprintf(`
+provider "azurerm" {
+ features {}
+}
+
+data "azurerm_subscription" "primary" {
+}
+
+data "azurerm_client_config" "test" {
+}
+
+resource "azurerm_role_assignment" "test" {
+
+ name = "%s"
+ scope = data.azurerm_subscription.primary.id
+ role_definition_name = "Monitoring Reader"
+ principal_id = data.azurerm_client_config.test.object_id
+ description = "Monitoring Reader except "
+ condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEqualsIgnoreCase 'foo_storage_container'"
 }
 `, groupId)
 }
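Review bot: `implicitConditionVersion` takes a parameter named `groupId` but interpolates it into the assignment's `name`, which the caller fills with `uuid.New().String()`; the copied name is misleading and should be `name` (the sibling fixture above, whose signature is outside the hunk, appears to carry the same mismatch given its `groupId` closing line). A one-line comment on the new fixture, `// condition_version deliberately omitted: exercises the provider's implicit default`, would tell a reader why this is the only config with a condition and no version. The hunk also switches the attribute in the condition string from `containers:ContainerName` to `containers:name` in the same change as `1.0` to `2.0`, so the implicit fixture presumably only works because the provider defaults to 2.0 — worth stating in that comment so the coupling is not lost if the default changes.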