Cannot update or delete an azurerm_role_definition #1540

Closed
Supermathie opened this issue Jul 11, 2018 · 5 comments · Fixed by #1887

@Supermathie
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

  • provider.azurerm v1.8.0
  • provider.random v1.3.1

Affected Resource(s)

  • azurerm_role_definition

Terraform Configuration Files

original state:

resource "azurerm_role_definition" "blob_contributor" {
  name               = "Blob Contributor - ${var.label}"
  scope              = "${azurerm_storage_account.app.id}"
  description        = "${var.label} role that allows read/write/delete on blobs"

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [
    "${azurerm_storage_account.app.id}",
  ]
}

and the update attempt:

resource "azurerm_role_definition" "blob_contributor" {
  name               = "Blob Contributor - ${var.label}"
  scope              = "${azurerm_storage_account.app.id}"
  description        = "${var.label} role that allows read/write/delete on blobs"

  permissions {
    actions     = []
    not_actions = []
  }

  assignable_scopes = [
    "${azurerm_storage_account.app.id}",
  ]
}

The problem is that terraform is unable to update or delete existing azurerm_role_definition resources:

update attempt:

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ module.discuss_cluster.azurerm_role_definition.blob_contributor
      permissions.0.actions.#: "1" => "0"
      permissions.0.actions.0: "*" => ""

  ~ module.meta_cluster.azurerm_role_definition.blob_contributor
      permissions.0.actions.#: "1" => "0"
      permissions.0.actions.0: "*" => ""


Plan: 0 to add, 2 to change, 0 to destroy.

------------------------------------------------------------------------

This plan was saved to: .terraform/7e1f85afb14d53c2fb4ae7628fb414b2d5e73fed-xxxx-dev-michael.plan

To perform exactly these actions, run the following command to apply:
    terraform apply ".terraform/7e1f85afb14d53c2fb4ae7628fb414b2d5e73fed-xxxx-dev-michael.plan"

[tf] Your plan was successfully created. Please review the above very carefully ^^^
Apply?
module.meta_cluster.azurerm_role_definition.blob_contributor: Modifying... (ID: /subscriptions/16b9f5dc-3276-4b32-91b2-...s/2592290c-a8db-38a9-5db4-553d8bf0d3dc)
  permissions.0.actions.#: "1" => "0"
  permissions.0.actions.0: "*" => ""
module.discuss_cluster.azurerm_role_definition.blob_contributor: Modifying... (ID: /subscriptions/16b9f5dc-3276-4b32-91b2-...s/00556f74-7daa-73b3-2ae8-0a1e54753d73)
  permissions.0.actions.#: "1" => "0"
  permissions.0.actions.0: "*" => ""

Error: Error applying plan:

2 error(s) occurred:

* module.meta_cluster.azurerm_role_definition.blob_contributor: 1 error(s) occurred:

* azurerm_role_definition.blob_contributor: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleDefinitionWithSameNameExists" Message="A role definition cannot be updated with a name that already exists."
* module.discuss_cluster.azurerm_role_definition.blob_contributor: 1 error(s) occurred:

* azurerm_role_definition.blob_contributor: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleDefinitionWithSameNameExists" Message="A role definition cannot be updated with a name that already exists."

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

deletion attempt:

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  - module.discuss_cluster.azurerm_role_definition.blob_contributor

  - module.meta_cluster.azurerm_role_definition.blob_contributor


Plan: 0 to add, 0 to change, 2 to destroy.

------------------------------------------------------------------------

This plan was saved to: .terraform/7e1f85afb14d53c2fb4ae7628fb414b2d5e73fed-xxxx-dev-michael.plan

To perform exactly these actions, run the following command to apply:
    terraform apply ".terraform/7e1f85afb14d53c2fb4ae7628fb414b2d5e73fed-xxxx-dev-michael.plan"

[tf] Your plan was successfully created. Please review the above very carefully ^^^
Apply?
module.meta_cluster.azurerm_role_definition.blob_contributor: Destroying... (ID: /subscriptions/16b9f5dc-3276-4b32-91b2-...s/2592290c-a8db-38a9-5db4-553d8bf0d3dc)
module.discuss_cluster.azurerm_role_definition.blob_contributor: Destroying... (ID: /subscriptions/16b9f5dc-3276-4b32-91b2-...s/00556f74-7daa-73b3-2ae8-0a1e54753d73)

Error: Error applying plan:

2 error(s) occurred:

* module.discuss_cluster.azurerm_role_definition.blob_contributor (destroy): 1 error(s) occurred:

* azurerm_role_definition.blob_contributor: Error deleting Role Definition "": authorization.RoleDefinitionsClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidRoleDefinitionId" Message="The role definition ID '' is not valid."
* module.meta_cluster.azurerm_role_definition.blob_contributor (destroy): 1 error(s) occurred:

* azurerm_role_definition.blob_contributor: Error deleting Role Definition "": authorization.RoleDefinitionsClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidRoleDefinitionId" Message="The role definition ID '' is not valid."

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Debug Output

(I can get a full sanitized output if need be)

modify attempt:

2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: 2018/07/11 13:46:19 [DEBUG] AzureRM Request:
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: PUT //subscriptions/16b9f5dc-3276-4b32-91b2-xxxx/resourceGroups/xxxx-dev-michael-meta/providers/Microsoft.Storage/storageAccounts/xxxxdevmichaelmeta/providers/Microsoft.Authorization/roleDefinitions/18c69403-04d6-a9c8-31b4-xxxx?api-version=2018-01-01-preview HTTP/1.1
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Host: management.azure.com
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: User-Agent: Go/go1.9.2 (amd64-linux) go-autorest/v10.11.4 Azure-SDK-For-Go/v17.4.0 authorization/2018-01-01-preview;HashiCorp-Terraform-v0.11.3
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Content-Length: 360
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Authorization: Bearer xxx
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Content-Type: application/json; charset=utf-8
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Accept-Encoding: gzip
2018-07-11T13:46:19.298-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: 

13:46:20 [DEBUG] AzureRM Response for https://management.azure.com//subscriptions/16b9f5dc-3276-4b32-91b2-xxxx/resourceGroups/xxxx-dev-michael-meta/providers/Microsoft.Storage/storageAccounts/xxxxdevmichaelmeta/providers/Microsoft.Authorization/roleDefinitions/18c69403-04d6-a9c8-31b4-xxxx?api-version=2018-01-01-preview:
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: HTTP/1.1 409 Conflict
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Content-Length: 134
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Cache-Control: no-cache
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Content-Type: application/json; charset=utf-8
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Date: Wed, 11 Jul 2018 17:46:20 GMT
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Expires: -1
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Pragma: no-cache
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Server: Microsoft-IIS/10.0
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Set-Cookie: x-ms-gateway-slice=productionb; path=/; secure; HttpOnly
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: Strict-Transport-Security: max-age=31536000; includeSubDomains
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: X-Content-Type-Options: nosniff
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: X-Ms-Correlation-Request-Id: d9de272b-525e-43ca-8ef0-76ab84852d42
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: X-Ms-Request-Id: 139e0f69-3cfd-4250-a889-6eea7984b270
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: X-Ms-Routing-Request-Id: WESTUS:20180711T174620Z:d9de272b-525e-43ca-8ef0-76ab84852d42
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: X-Powered-By: ASP.NET
2018-07-11T13:46:20.777-0400 [DEBUG] plugin.terraform-provider-azurerm_v1.8.0_x4: 

References

Ø

@Supermathie
Contributor Author

Supermathie commented Jul 13, 2018

The workaround for this is to delete the affected resource from the ~~AWS console~~ Azure portal or CLI then re-apply your terraform.

@guillaumedsde

guillaumedsde commented Jul 16, 2018

can confirm I also have this problem with Terraform v0.11.7 and provider.azurerm v1.9.0

edit: @Supermathie for the workaround I assume you meant the Azure CLI? If so, I did and it did not work. More specifically, I applied, tried to destroy, it failed, so I deleted the custom role with the CLI, then I applied again and finally tried to destroy but it failed:

Error: Error applying plan:

1 error(s) occurred:

* azurerm_role_definition.newCustomRole (destroy): 1 error(s) occurred:

* azurerm_role_definition.newCustomRole: Error deleting Role Definition "": authorization.RoleDefinitionsClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidRoleDefinitionId" Message="The role definition ID '' is not valid."

@Supermathie
Contributor Author

Supermathie commented Jul 16, 2018

@guillaumedsde oops - yes I meant the Azure Portal or CLI

@clippermadness

Still an issue in 1.11.0.

Azure CLI to delete a role:
az role definition delete --name [rolename]

For the record, tainting the resource in terraform as a means of recreating it doesn't appear to work either.

* azurerm_role_definition.myrole (destroy): 1 error(s) occurred:

* azurerm_role_definition.myrole: Error deleting Role Definition "": authorization.RoleDefinitionsClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidRoleDefinitionId" Message="The role definition ID '' is not valid."
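
A triage helper for the two failure signatures quoted in this thread, as an added example that is not part of the original issue or of the provider's code: it reads `terraform apply` output and lists each `azurerm_role_definition` whose update or delete never took effect in Azure, which matters when the failed change was meant to narrow a role's `actions`. The sample input is constructed from the error lines above, and the function and constant names are hypothetical.

```python
import re

# Constructed sample: error lines in the format quoted in this thread
# (Terraform 0.11 output, trimmed to the parts the parser reads).
SAMPLE = '''\
* module.meta_cluster.azurerm_role_definition.blob_contributor: 1 error(s) occurred:

* azurerm_role_definition.blob_contributor: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleDefinitionWithSameNameExists" Message="A role definition cannot be updated with a name that already exists."
* module.discuss_cluster.azurerm_role_definition.blob_contributor (destroy): 1 error(s) occurred:

* azurerm_role_definition.blob_contributor: Error deleting Role Definition "": authorization.RoleDefinitionsClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidRoleDefinitionId" Message="The role definition ID '' is not valid."
'''

HEADER = re.compile(r'^\* (\S+?)(?: \(destroy\))?: \d+ error\(s\) occurred:')
DETAIL = re.compile(r'RoleDefinitionsClient#(\w+):.*?Status=(\d+) Code="(\w+)"')

# What each signature from the thread means for the role that lives in Azure.
IMPACT = {
    ("CreateOrUpdate", "RoleDefinitionWithSameNameExists"):
        "update rejected; the live role keeps its previous permissions",
    ("Delete", "InvalidRoleDefinitionId"):
        "delete sent with an empty ID; the role still exists",
}

def stuck_role_definitions(apply_output):
    """Return one dict per azurerm_role_definition hit by either failure."""
    findings, address = [], None
    for line in apply_output.splitlines():
        header = HEADER.match(line)
        if header:
            address = header.group(1)  # full address, module path included
            continue
        detail = DETAIL.search(line)
        if not detail:
            continue
        operation, status, code = detail.groups()
        impact = IMPACT.get((operation, code))
        if impact:
            findings.append({"address": address, "operation": operation,
                             "status": int(status), "code": code, "impact": impact})
    return findings

if __name__ == "__main__":
    for f in stuck_role_definitions(SAMPLE):
        print("{address}: {operation} -> HTTP {status} {code} ({impact})".format(**f))
```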

@ghost

ghost commented Mar 6, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 6, 2019