terraform-provider-azure

How to configure azurerm_role_management_policy at resource scope?


I have created separate Terraform modules to manage scope at three different levels: Subscription, Resource Group and Resource. The first two are working fine since they are quite generic in nature. However, for the last one I am facing a problem with the scope. Can someone please suggest how the scope should be configured at a specific resource level so that I can configure azurerm_role_management_policy rules?



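# Role management policy (PIM settings) for every role named in
# var.role_definition_names, applied at the scope of the Key Vault data source.
#
# NOTE(review): the plan errors below show the provider's ID parser trying, in
# turn, a management-group, a subscription and a resource-group ID pattern and
# rejecting the Key Vault resource ID. A resource-level scope therefore does not
# work with this resource in the provider version used here; the nearest
# supported scope is the resource group that contains the vault, which widens
# the scope of the policy — confirm that is acceptable before switching.
resource "azurerm_role_management_policy" "role_policy_resource" {
  for_each = toset(var.role_definition_names)

  scope              = data.azurerm_key_vault.statickv.id                # Scope of the role management policy (a resource ID — rejected, see error output)
  role_definition_id = data.azurerm_role_definition.roles[each.value].id # ID of the role definition this policy configures

  # Rules for active assignments.
  active_assignment_rules {
    expire_after = var.role_policy_rules.active_assignment_rules_expire_after # Expiration period for active assignments
  }

  # Rules for eligible assignments.
  eligible_assignment_rules {
    # Hard-coded rather than read from var.role_policy_rules like the other
    # settings: eligible assignments never expire. Confirm this is intended,
    # since permanent eligibility is the more permissive choice.
    expiration_required = false
  }

  # Rules applied when a role is activated.
  activation_rules {
    maximum_duration = var.role_policy_rules.activation_rules_maximum_duration # Maximum duration of an activation
    require_approval = var.role_policy_rules.activation_rules_require_approval # Whether approval is required for activation

    # Emit exactly one approval_stage block when approval is required and none
    # otherwise; the list element ("this") is never read.
    dynamic "approval_stage" {
      for_each = var.role_policy_rules.activation_rules_require_approval ? ["this"] : []
      content {
        primary_approver {
          object_id = var.role_policy_rules.activation_rules_approver_object_id # Primary approver for activation
          type      = var.role_policy_rules.activation_rules_approver_type      # Type of the primary approver
        }
      }
    }
  }

  notification_rules {
    # Notifications sent when eligible assignments are created.
    eligible_assignments {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      approver_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_notification_level    # Notification level for approver notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_default_recipients    # Whether to use default recipients for approver notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_additional_recipients # Additional recipients for approver notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }

    # Notifications sent when an eligible assignment is activated.
    eligible_activations {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }

    # Notifications sent when active assignments are created.
    active_assignments {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      approver_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_notification_level    # Notification level for approver notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_default_recipients    # Whether to use default recipients for approver notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_additional_recipients # Additional recipients for approver notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }
  }

  # Operation timeouts for create and delete.
  timeouts {
    create = "10m"
    delete = "10m"
  }
}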

Below is the error I am getting when I try to create the above resource.

Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": parsing segment "providers": parsing the ManagementGroup ID: the segment at position 0 didn't match
│
│ Expected a ManagementGroup ID that matched:
│
│ > /providers/Microsoft.Management/managementGroups/groupIdValue
│
│ However this value was provided:
│
│ > /subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv
│
│ The parsed Resource ID was missing a value for the segment at position 0
│ (which should be the literal value "providers").
│
│
│
│   with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│   on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│    6:   scope              = data.azurerm_key_vault.statickv.id           # Scope of the role management policy
│
╵
╷
│ Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": unexpected segment "providers/Microsoft.KeyVault/vaults/XXXX-static-kv" present at the end of the URI (input "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv")
│
│   with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│   on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│    6:   scope              = data.azurerm_key_vault.statickv.id           # Scope of the role management policy
│
╵
╷
│ Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": unexpected segment "resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv" present at the end of the URI (input "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv")
│
│   with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│   on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│    6:   scope              = data.azurerm_key_vault.statickv.id           # Scope of the role management policy

Solution

  • How to configure azurerm_role_management_policy at resource scope?

    The error you encountered occurs because Terraform (the azurerm provider) does not support resource-level scope for role management policies. The `scope` of an azurerm_role_management_policy block accepts only a management group, a subscription or a resource group, not an individual resource; the three errors above are the provider trying each of those three ID formats in turn and rejecting the Key Vault resource ID. Refer to the Terraform registry here for more details.


    When I try to assign a policy at the Key Vault resource level, I encounter the same error:

        # Minimal reproduction: using a Key Vault resource ID as the scope of
        # azurerm_role_management_policy produces the same parse error as in the
        # question.
        provider "azurerm" {
          features {}
        }
        
        # Existing Key Vault whose resource ID is used as the (unsupported) scope below.
        data "azurerm_key_vault" "example" {
          name                = "venkatvault567"
          resource_group_name = "venkatesan-rg"
        }
        
        # Role definition looked up at the vault scope.
        # NOTE(review): the local name says "contributor" but the role looked up is "Owner".
        data "azurerm_role_definition" "mg_contributor" {
          name  = "Owner"
          scope = data.azurerm_key_vault.example.id
        }
        
        # Azure AD group used as the primary approver for activations (see below).
        data "azuread_group" "example" {
          display_name     = "Venkatgroup"
          security_enabled = true
        }
        
        
        # Read-only lookup of the policy at the same scope; it is not referenced by
        # the resource below and presumably fails on the scope for the same reason.
        data "azurerm_role_management_policy" "example" {
          scope              = data.azurerm_key_vault.example.id
          role_definition_id = data.azurerm_role_definition.mg_contributor.id
        }
        
        resource "azurerm_role_management_policy" "example" {
          scope              =  data.azurerm_key_vault.example.id # resource-level scope: rejected by the provider's ID parser
          role_definition_id = data.azurerm_role_definition.mg_contributor.id
        
          active_assignment_rules {
            expire_after = "P365D" # active assignments expire after 365 days
          }
        
          eligible_assignment_rules {
            expiration_required = false # eligible assignments never expire
          }
        
          activation_rules {
            maximum_duration = "PT1H" # an activation lasts at most one hour
            require_approval = true   # the approver below must sign off each activation
            approval_stage {
              primary_approver {
                object_id = data.azuread_group.example.object_id
                type      = "Group"
              }
            }
          }
        
          notification_rules {
            eligible_assignments {
              approver_notifications {
                notification_level    = "Critical"
                default_recipients    = false
                additional_recipients = ["[email protected]"] # address appears redacted on the page; substitute a real recipient
              }
            }
            eligible_activations {
              assignee_notifications {
                notification_level    = "All"
                default_recipients    = true
                additional_recipients = ["[email protected]"] # address appears redacted on the page; substitute a real recipient
              }
            }
          }
        }
    

    Response:


    Reference: Microsoft.Authorization roleManagementPolicyAssignments
