-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_role_assignment
: Fix assignments to resources
#12076
azurerm_role_assignment
: Fix assignments to resources
#12076
Conversation
705c7c7
to
df14777
Compare
df14777
to
00f0880
Compare
@aristosvo thanks for this PR. I just provide another way to quick fix that might be simpler:
then we could construct the correct resource ID by following, and use it in the read function:
|
@njuCZ I don't see how your suggestion might fix the bug, but happy to help. I believe this PR is complete and a forward compatible improvement, not just a fix, but correct me please if I'm wrong. |
azurerm/internal/services/authorization/parse/role_assignment.go
Outdated
Show resolved
Hide resolved
@aristosvo thanks for this PR, I just left some personal thought. Hopes to see it merged soon. |
Can someone help with some kind of script to repair the mess that 2.62.0 created? Importing them is a PITA, especially since the ID is generated by Azure and not something you can easily piece together. So you'll have to query with the Azure CLI to get the IDs to properly import in Terraform. Something that mimicks an "auto-import" feature would be a perfect solution. I have to fix this in tens of projects and not looking forward to a manual process. |
@sdebruyn Dependent on your experience with the Azure provider forTerraform.., one dangerous and wild option is to remove the logic which is preventing recreating unimported resources for this specific resource, build your custom Azure TF provider and run it against your projects...? It's probably better to have this discussion in one of the issues, as it is now cluttering this PR. |
I have a script ready and I'll share it when it succeeds. But I can't pin on .61 anymore since it won't decode azurerm_api_management_subscription from the state anymore with that version (another change in .62) |
@sdebruyn I can help you, but please post your question/solution under one of 8 open issues regarding this fix, not under the PR! I want this to be merged ASAP, this doesn't help with oversight. Check DMs in Slack for direct communication:) |
Can this be patched? The bug causing state corruption for existing role assignments. The existing role assignments are being removed when state is applied. We needed to rollback to 2.61 and then import the assignments to get them back into state. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a ton @aristosvo - this LGTM 🚀
Fixes #12074 Fixes #12060 Fixes #12057 Fixes #12079 Fixes #12078 Fixes #12087 Related to/similar for [go-azure-helpers](https://github.com/hashicorp/go-azure-helpers): [this PR](hashicorp/go-azure-helpers#79)
Thank you!! |
This has been released in version 2.62.1 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.62.1"
}
# ... other configuration ... |
@sdebruyn - Just wondering if you were able to share your script to fix the state file? |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Fixes #12074
Fixes #12060
Fixes #12057
Fixes #12079
Fixes #12078
Fixes #12087
Related to/similar for go-azure-helpers: this PR
Done:
Diagnose the problem:
/subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Storage/storageAccounts/<storage_account_name>/providers/Microsoft.Authorization/roleAssignments/<UUID>
became/subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Authorization/roleAssignments/<UUID>
Implement the fix
id.SecondaryProvider
, which solved the problems for the resources which have multiple provider entries in their IDs