Azure/terraform-azurerm-lz-vending

bug: Invalid API Version Parameter when assigning RBAC assignment

lukemurraynz opened this issue · 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

Please paste the output of the `terraform version` command from within the initialized directory:

[terraform_1.7.2](https://releases.hashicorp.com/terraform/1.7.2/)

Please enter the module version that you are using:

4.0.1 

Description

```
╷
│ Error: loading Role Definition List: authorization.RoleDefinitionsClient#List: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidApiVersionParameter" Message="The api-version '2018-01-01-preview' is invalid. The supported versions are '2023-07-01,2023-07-01-preview,2023-03-01-preview,2022-12-01,2022-11-01-preview,2022-09-01,2022-06-01,2022-05-01,2022-03-01-preview,2022-01-01,2021-04-01,2021-01-01,2020-10-01,2020-09-01,2020-08-01,2020-07-01,2020-06-01,2020-05-01,2020-01-01,2019-11-01,2019-10-01,2019-09-01,2019-08-01,2019-07-01,2019-06-01,2019-05-10,2019-05-01,2019-03-01,2018-11-01,2018-09-01,2018-08-01,2018-07-01,2018-06-01,2018-05-01,2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'."
│
│   with module.lz_vending["az_sbx_landing_zone_1.yaml"].module.roleassignment["contrib_user_workbooks"].azurerm_role_assignment.this,
│   on .terraform/modules/lz_vending/modules/roleassignment/main.tf line 1, in resource "azurerm_role_assignment" "this":
│    1: resource "azurerm_role_assignment" "this" {
│
╵
```

Steps to Reproduce

Target a resource outside of the Landing Zone creation:

```hcl
contrib_user_workbooks = {
  principal_id   = azuread_group.contributor[each.key].id
  definition     = "Reader"
  relative_scope = "/subscriptions/0000-00000-0000-000/resourceGroups/rg-management-001"
}
```

Screenshots

Additional context

Hi there!

Thanks for raising this, but this is by design. It is not supported to create role assignments at scopes outside the subscription. This is why we named the variable `relative_scope`.

The thinking behind this decision was that the principal creating the subscription and performing the management group operations would likely be highly privileged and we didn't want to allow creation of roles at any scope.

Understood - I got it sorted by doing the role assignment outside of the module successfully. `relative_scope` made sense when I read: https://registry.terraform.io/modules/Azure/lz-vending/azurerm/latest#relative_scope. I wonder if it might be worth renaming "Scope relative to the created subscription." to "Scope relative within the created subscription.", so people like me pre-coffee don't attempt the same thing! Just a thought!
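The design point in the maintainer's reply is scope containment: the principal running the vending module is highly privileged, so the module only ever assigns roles at scopes inside the subscription it just created, and an absolute scope that points somewhere else is not honoured. The following is an added example written for this thread, not code from the lz-vending module, showing a pre-apply check that enforces that rule over a map shaped like the issue's `contrib_user_workbooks` entry. It assumes the full scope is the subscription scope followed by `relative_scope` and that a non-empty relative scope must start with `/resourceGroups/`; how the module itself composes and validates the scope is not taken from its source. The subscription id, principal id and resource group names in the sample input are placeholders.

```python
"""Scope-containment check for landing-zone role assignments.

Added example for this thread, not code from the lz-vending module. It mirrors
the behaviour the maintainer describes: an assignment's scope is always
relative to the subscription the module creates, so an absolute scope that
points elsewhere is rejected rather than honoured. How the module itself builds
and validates the scope is an assumption here, not taken from its source.
"""

from __future__ import annotations

SUBSCRIPTION_PREFIX = "/subscriptions/"
RESOURCE_GROUP_PREFIX = "/resourcegroups/"  # compared case-insensitively


class ScopeError(ValueError):
    """A relative scope that would escape the vended subscription."""


def compose_scope(subscription_id: str, relative_scope: str) -> str:
    """Return the full ARM scope for an assignment inside `subscription_id`.

    Assumed rule, matching the variable's documented meaning: an empty relative
    scope is the subscription itself; anything else must be a path under the
    subscription, i.e. start with "/resourceGroups/".
    """
    if not subscription_id:
        raise ScopeError("subscription id is required")
    rel = relative_scope.strip()
    if rel == "":
        return f"{SUBSCRIPTION_PREFIX}{subscription_id}"
    lowered = rel.lower()
    if lowered.startswith(SUBSCRIPTION_PREFIX) or lowered.startswith("/providers/"):
        # Absolute scopes (another subscription, a management group, a
        # tenant-level provider path) point outside the vended subscription.
        raise ScopeError(f"absolute scope not permitted, use a path relative to the subscription: {rel!r}")
    if not lowered.startswith(RESOURCE_GROUP_PREFIX):
        raise ScopeError(f"relative scope must be empty or start with /resourceGroups/: {rel!r}")
    return f"{SUBSCRIPTION_PREFIX}{subscription_id}{rel}"


def is_within_subscription(scope: str, subscription_id: str) -> bool:
    """True if `scope` is `subscription_id` or a descendant of it.

    ARM scopes are case-insensitive, so compare lower-cased.
    """
    base = f"{SUBSCRIPTION_PREFIX}{subscription_id}".lower()
    s = scope.lower()
    return s == base or s.startswith(base + "/")


def check_assignments(subscription_id: str, assignments: dict[str, dict]) -> tuple[dict[str, str], dict[str, str]]:
    """Resolve every entry of a map shaped like the issue's role assignment map.

    Returns (resolved, rejected): resolved maps entry name -> full scope,
    rejected maps entry name -> reason. Nothing is applied; this is a check
    a pipeline can run before `terraform apply`.
    """
    resolved: dict[str, str] = {}
    rejected: dict[str, str] = {}
    for name, entry in assignments.items():
        try:
            full = compose_scope(subscription_id, entry.get("relative_scope", ""))
        except ScopeError as exc:
            rejected[name] = str(exc)
            continue
        # Second, independent check on the composed result, so a future change
        # to compose_scope cannot silently widen what is accepted.
        if not is_within_subscription(full, subscription_id):
            rejected[name] = f"composed scope escapes subscription: {full}"
            continue
        resolved[name] = full
    return resolved, rejected


# Constructed sample input mirroring the shape of the issue's map. The first
# entry reproduces the mistake in the issue; the second is the supported form.
NEW_SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"  # placeholder id
SAMPLE_ASSIGNMENTS = {
    "contrib_user_workbooks": {
        "principal_id": "22222222-2222-2222-2222-222222222222",  # placeholder group object id
        "definition": "Reader",
        "relative_scope": "/subscriptions/0000-00000-0000-000/resourceGroups/rg-management-001",
    },
    "reader_on_workload_rg": {
        "principal_id": "22222222-2222-2222-2222-222222222222",
        "definition": "Reader",
        "relative_scope": "/resourceGroups/rg-workload-001",
    },
}

if __name__ == "__main__":
    ok, bad = check_assignments(NEW_SUBSCRIPTION_ID, SAMPLE_ASSIGNMENTS)
    for name, scope in ok.items():
        print(f"OK       {name}: {scope}")
    for name, reason in bad.items():
        print(f"REJECTED {name}: {reason}")
```

The first sample entry is rejected with the "absolute scope not permitted" reason before anything reaches the provider; the second resolves to `/subscriptions/<new subscription>/resourceGroups/rg-workload-001`. An assignment on a resource group in a different subscription, as in the issue, belongs outside the module with its scope given in full, which is what the reporter ended up doing.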