
Error 400 (RoleAssignmentExists) when modifying existing azuread_privileged_access_group_eligibility_schedule resources #1412

Open
michvllni opened this issue Jun 21, 2024 · 4 comments

Comments

@michvllni

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • Terraform Version 1.8.5
  • AzureAD Provider Version 2.52.0

Affected Resource(s)

  • azuread_privileged_access_group_eligibility_schedule

Terraform Configuration Files

resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments" {
  for_each = { for assignment in flatten([
    for group_key, group in azuread_group.gdap_groups : [
      for user_key, user in data.azuread_user.gdap_rolegroup_default_members : {
        group_key    = group_key
        user_key     = replace(user_key, "/@.*/", "") # strip the "@domain" part of the UPN to get a short key
        group_id     = group.object_id
        principal_id = user.object_id
      }
    ]
    ]) : "${assignment.group_key}-${assignment.user_key}" => assignment
  }
  group_id             = each.value.group_id
  principal_id         = each.value.principal_id
  assignment_type      = "member"
  permanent_assignment = true
}

Debug Output

Panic Output

Expected Behavior

Resource should be updatable

Actual Behavior

Modifying fails on apply with

│ Error: Could not create assignment schedule request, PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post(): unexpected status 400 with OData error: RoleAssignmentExists: The Role assignment already exists.
│ 
│   with module.io-gdap-groups["xxx"].azuread_privileged_access_group_eligibility_schedule.gdap_rolegroup_default_assignments["bcadmin-name"],
│   on modules/io-gdap-groups/adgroups.tf line 52, in resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments":
│   52: resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments" {
│ 
│ Could not create assignment schedule request,
│ PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
│ unexpected status 400 with OData error: RoleAssignmentExists: The Role
│ assignment already exists.

This is the planned change by terraform plan:

 # module.io-gdap-groups["xxx"].azuread_privileged_access_group_eligibility_schedule.gdap_rolegroup_default_assignments["bcadmin-username"] will be updated in-place
  ~ resource "azuread_privileged_access_group_eligibility_schedule" "gdap_rolegroup_default_assignments" {
        id                   = "REDACTED"
      ~ permanent_assignment = false -> true
        # (10 unchanged attributes hidden)
    }

Steps to Reproduce

  1. terraform apply

Important Factoids

We created the schedules manually before the resource became available and then imported it using terraform import.
On the first run after importing, it tries to enable the permanent assignment and fails with the given error.

References

@tonirvega

Same error here

@EwanNoble

Also getting the same issue. I've had a brief look at the provider code and Graph documentation and I believe the issue may stem from this line:

On an update operation it is using Action = msgraph.PrivilegedAccessGroupActionAdminAssign, which is the same as the Create() operation. Based on the Graph documentation here, I believe this should instead be using Action = msgraph.PrivilegedAccessGroupActionAdminUpdate; however, I've not yet been able to test this.
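To make the create/update distinction above concrete, here is an added illustration (not the provider's code) of how a Graph eligibility schedule request body would be built. The request shape and the `adminAssign`/`adminUpdate` action strings follow the Microsoft Graph `privilegedAccessGroupEligibilityScheduleRequest` resource as I know it; mapping `permanent_assignment = true` onto a `noExpiration` expiration is my assumption, and the IDs are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Expiration mirrors the Graph expirationPattern object.
type Expiration struct {
	Type        string `json:"type"` // noExpiration | afterDateTime | afterDuration
	EndDateTime string `json:"endDateTime,omitempty"`
}

// ScheduleInfo mirrors the Graph requestSchedule object.
type ScheduleInfo struct {
	StartDateTime string     `json:"startDateTime"`
	Expiration    Expiration `json:"expiration"`
}

// EligibilityScheduleRequest is the body POSTed to
// /identityGovernance/privilegedAccess/group/eligibilityScheduleRequests.
type EligibilityScheduleRequest struct {
	Action        string       `json:"action"`
	AccessID      string       `json:"accessId"` // "member" or "owner"
	GroupID       string       `json:"groupId"`
	PrincipalID   string       `json:"principalId"`
	Justification string       `json:"justification,omitempty"`
	ScheduleInfo  ScheduleInfo `json:"scheduleInfo"`
}

// BuildRequest picks the action from whether a schedule already exists:
// a fresh schedule is created with adminAssign, while changing an existing
// one (e.g. making it permanent) must use adminUpdate, otherwise Graph
// rejects the request with RoleAssignmentExists. Assumed mapping:
// permanent -> noExpiration, otherwise afterDateTime with the given end.
func BuildRequest(exists bool, groupID, principalID, start, end string, permanent bool) EligibilityScheduleRequest {
	action := "adminAssign"
	if exists {
		action = "adminUpdate"
	}
	exp := Expiration{Type: "afterDateTime", EndDateTime: end}
	if permanent {
		exp = Expiration{Type: "noExpiration"}
	}
	return EligibilityScheduleRequest{Action: action, AccessID: "member", GroupID: groupID,
		PrincipalID: principalID, ScheduleInfo: ScheduleInfo{StartDateTime: start, Expiration: exp}}
}

func main() {
	// Constructed placeholder IDs; an imported schedule being made permanent.
	r := BuildRequest(true, "00000000-0000-0000-0000-0000000000g1", "00000000-0000-0000-0000-0000000000u1", "2024-06-21T00:00:00Z", "", true)
	b, _ := json.MarshalIndent(r, "", "  ")
	fmt.Println(string(b))
}
```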

@sunevnuahs

We have experienced this issue when trying to update a schedule duration; this is the case for both azuread_privileged_access_group_eligibility_schedule and azuread_privileged_access_group_assignment_schedule.

Current workaround is to remove then recreate the schedules with the new value.

@Eternious

I've come across a similar issue when creating >1 azuread_privileged_access_group_eligibility_schedule for one group. Not sure if it's the same/similar cause but it's an intermittent issue that pops up.

Error: Could not create assignment schedule request, PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post(): unexpected status 400 with OData error: PendingRoleAssignmentRequest: There is already an existing pending Role assignment request.
