bug: Invalid API Version Parameter when assigning RBAC assignment
lukemurraynz opened this issue · 2 comments
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Versions
Please paste the output of `terraform version` command from within the initialized directory:
[terraform_1.7.2](https://releases.hashicorp.com/terraform/1.7.2/)
Please enter the module version that you are using:
4.0.1
Description
```
╷
│ Error: loading Role Definition List: authorization.RoleDefinitionsClient#List: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidApiVersionParameter" Message="The api-version '2018-01-01-preview' is invalid. The supported versions are '2023-07-01,2023-07-01-preview,2023-03-01-preview,2022-12-01,2022-11-01-preview,2022-09-01,2022-06-01,2022-05-01,2022-03-01-preview,2022-01-01,2021-04-01,2021-01-01,2020-10-01,2020-09-01,2020-08-01,2020-07-01,2020-06-01,2020-05-01,2020-01-01,2019-11-01,2019-10-01,2019-09-01,2019-08-01,2019-07-01,2019-06-01,2019-05-10,2019-05-01,2019-03-01,2018-11-01,2018-09-01,2018-08-01,2018-07-01,2018-06-01,2018-05-01,2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'."
│
│   with module.lz_vending["az_sbx_landing_zone_1.yaml"].module.roleassignment["contrib_user_workbooks"].azurerm_role_assignment.this,
│   on .terraform/modules/lz_vending/modules/roleassignment/main.tf line 1, in resource "azurerm_role_assignment" "this":
│    1: resource "azurerm_role_assignment" "this" {
│
╵
```
Steps to Reproduce
Target a resource outside of the Landing Zone creation:

```hcl
contrib_user_workbooks = {
  principal_id   = azuread_group.contributor[each.key].id
  definition     = "Reader"
  relative_scope = "/subscriptions/0000-00000-0000-000/resourceGroups/rg-management-001"
}
```
Screenshots
Additional context
Hi there!
Thanks for raising this but this is by design. It is not supported to create role assignments at scopes outside the subscription. This is why we named the variable relative_scope.
The thinking behind this decision was that the principal creating the subscription and performing the management group operations would likely be highly privileged and we didn't want to allow creation of roles at any scope.
Understood - I got it sorted by doing the role assignment outside of the module successfully. `relative_scope` made sense when I read: https://registry.terraform.io/modules/Azure/lz-vending/azurerm/latest#relative_scope. I wonder if it might be worth renaming "Scope relative to the created subscription." to "Scope relative within the created subscription", so people like me pre-coffee don't attempt the same thing! Just a thought!
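
The workaround described in this thread, as an added example that is not code from the issue or from the lz-vending module: the assignment outside the landing zone subscription is made with a plain `azurerm_role_assignment`, and a variable validation rejects absolute scopes before they reach the module. The variable names `lz_role_assignments` and `contributor_group_object_id` are assumptions; the scope and role are the values from the report.

```hcl
provider "azurerm" {
  features {}
}

# Hypothetical input: object ID of the Entra ID group that receives the role.
variable "contributor_group_object_id" {
  type = string
}

# Hypothetical wrapper variable for the role assignments handed to the
# lz-vending module. Every relative_scope is relative to the created
# subscription, so an absolute ARM scope is a configuration error.
variable "lz_role_assignments" {
  type = map(object({
    principal_id   = string
    definition     = string
    relative_scope = string
  }))
  default = {}

  validation {
    # Fail at plan time if any entry starts with /subscriptions/ or a
    # management group path, i.e. points outside the new subscription.
    condition = alltrue([
      for ra in values(var.lz_role_assignments) :
      !can(regex("(?i)^/(subscriptions|providers/Microsoft\\.Management)/", ra.relative_scope))
    ])
    error_message = "relative_scope must be relative to the created subscription (for example /resourceGroups/<name>). Assign roles at other scopes outside the module."
  }
}

# The assignment from the report, made outside the module with the full scope.
# The identity running Terraform needs permission to assign roles at this scope.
resource "azurerm_role_assignment" "contrib_user_workbooks" {
  scope                = "/subscriptions/0000-00000-0000-000/resourceGroups/rg-management-001"
  role_definition_name = "Reader"
  principal_id         = var.contributor_group_object_id
}
```

With the validation in place, the `contrib_user_workbooks` entry from the report fails with the custom error message at plan time instead of the `InvalidApiVersionParameter` response from the API.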