I have created different Terraform modules to manage scope at 3 different levels: Subscription, Resource Group and Resource. The first two are working fine since they are quite generic in nature. However, for the last one I am facing a problem with the scope. Can someone please suggest what the way should be to configure the scope at a specific resource level, to allow me to configure azurerm_role_management_policy rules?
resource "azurerm_role_management_policy" "role_policy_resource" {
  for_each           = toset(var.role_definition_names)
  scope              = data.azurerm_key_vault.statickv.id                # Scope of the role management policy (here a Key Vault resource ID)
  role_definition_id = data.azurerm_role_definition.roles[each.value].id # ID of the role definition

  active_assignment_rules {
    expire_after = var.role_policy_rules.active_assignment_rules_expire_after # Expiration period for active assignments
  }

  eligible_assignment_rules {
    expiration_required = false # Whether expiration is required for eligible assignments
  }

  activation_rules {
    maximum_duration = var.role_policy_rules.activation_rules_maximum_duration # Maximum duration for activation
    require_approval = var.role_policy_rules.activation_rules_require_approval # Whether approval is required for activation

    # An approval stage only makes sense when approval is required, so it is emitted conditionally
    dynamic "approval_stage" {
      for_each = var.role_policy_rules.activation_rules_require_approval ? ["this"] : []
      content {
        primary_approver {
          object_id = var.role_policy_rules.activation_rules_approver_object_id # Primary approver for activation
          type      = var.role_policy_rules.activation_rules_approver_type      # Type of the primary approver (User or Group)
        }
      }
    }
  }

  notification_rules {
    eligible_assignments {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      approver_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_notification_level    # Notification level for approver notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_default_recipients    # Whether to use default recipients for approver notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_approver_notifications_additional_recipients # Additional recipients for approver notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_assignments_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }

    eligible_activations {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_activations_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_eligible_activations_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }

    active_assignments {
      admin_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_notification_level    # Notification level for admin notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_default_recipients    # Whether to use default recipients for admin notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_admin_notifications_additional_recipients # Additional recipients for admin notifications
      }
      approver_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_notification_level    # Notification level for approver notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_default_recipients    # Whether to use default recipients for approver notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_approver_notifications_additional_recipients # Additional recipients for approver notifications
      }
      assignee_notifications {
        notification_level    = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_notification_level    # Notification level for assignee notifications
        default_recipients    = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_default_recipients    # Whether to use default recipients for assignee notifications
        additional_recipients = var.role_policy_rules.notification_rules_active_assignments_assignee_notifications_additional_recipients # Additional recipients for assignee notifications
      }
    }
  }

  timeouts {
    create = "10m"
    delete = "10m"
  }
}
Below is the error I am getting when I try to create the above resource.
Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": parsing segment "providers": parsing the ManagementGroup ID: the segment at position 0 didn't match
│
│ Expected a ManagementGroup ID that matched:
│
│ > /providers/Microsoft.Management/managementGroups/groupIdValue
│
│ However this value was provided:
│
│ > /subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv
│
│ The parsed Resource ID was missing a value for the segment at position 0
│ (which should be the literal value "providers").
│
│
│
│ with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│ on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│ 6: scope = data.azurerm_key_vault.statickv.id # Scope of the role management policy
│
╵
╷
│ Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": unexpected segment "providers/Microsoft.KeyVault/vaults/XXXX-static-kv" present at the end of the URI (input "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv")
│
│ with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│ on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│ 6: scope = data.azurerm_key_vault.statickv.id # Scope of the role management policy
│
╵
╷
│ Error: parsing "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv": unexpected segment "resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv" present at the end of the URI (input "/subscriptions/XXXXX-1081-4bff-9256-9feda89161f1/resourceGroups/XXXX-static-rg/providers/Microsoft.KeyVault/vaults/XXXX-static-kv")
│
│ with module.pim-assignment-re.azurerm_role_management_policy.role_policy_resource["Contributor"],
│ on pim-assignment-re\role_policy_rule.tf line 6, in resource "azurerm_role_management_policy" "role_policy_resource":
│ 6: scope = data.azurerm_key_vault.statickv.id # Scope of the role management policy
How to configure azurerm_role_management_policy at resource scope?
The error you encountered is because Terraform does not support resource-level assignment for Management policies. It only supports management groups, subscriptions, or resource groups, not resource level, in the Role Management Policy block. Refer to the Terraform registry here for more details.
When I try to assign a policy at the Key Vault resource level, I encounter the same error:
provider "azurerm" {
  features {}
}

data "azurerm_key_vault" "example" {
  name                = "venkatvault567"
  resource_group_name = "venkatesan-rg"
}

data "azurerm_role_definition" "mg_contributor" {
  name  = "Owner"
  scope = data.azurerm_key_vault.example.id
}

data "azuread_group" "example" {
  display_name     = "Venkatgroup"
  security_enabled = true
}

data "azurerm_role_management_policy" "example" {
  scope              = data.azurerm_key_vault.example.id
  role_definition_id = data.azurerm_role_definition.mg_contributor.id
}

resource "azurerm_role_management_policy" "example" {
  scope              = data.azurerm_key_vault.example.id # Key Vault resource ID: this is the scope the provider rejects
  role_definition_id = data.azurerm_role_definition.mg_contributor.id

  active_assignment_rules {
    expire_after = "P365D"
  }

  eligible_assignment_rules {
    expiration_required = false
  }

  activation_rules {
    maximum_duration = "PT1H"
    require_approval = true
    approval_stage {
      primary_approver {
        object_id = data.azuread_group.example.object_id
        type      = "Group"
      }
    }
  }

  notification_rules {
    eligible_assignments {
      approver_notifications {
        notification_level    = "Critical"
        default_recipients    = false
        additional_recipients = ["[email protected]"]
      }
    }
    eligible_activations {
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true
        additional_recipients = ["[email protected]"]
      }
    }
  }
}
Response:
Reference: Microsoft.Authorization roleManagementPolicyAssignments
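One way to surface this limitation at plan time instead of as the provider's ID-parsing error, as an added example that is not part of the question or the answer above: a module input whose validation block accepts only the three scope shapes the answer lists (management group, subscription, resource group) and rejects anything deeper, such as a Key Vault ID. The variable name `scope`, the resource name `this` and the rule values are assumptions.

```hcl
variable "scope" {
  description = "Scope for the role management policy. Only a management group, subscription or resource group ID is supported."
  type        = string

  validation {
    # Accepted shapes (case-insensitive, RE2 syntax):
    #   /providers/Microsoft.Management/managementGroups/<name>
    #   /subscriptions/<guid>
    #   /subscriptions/<guid>/resourceGroups/<name>
    # Anything with a further /providers/<namespace>/... segment is a resource ID and fails here
    # with a readable message rather than at apply time.
    condition = can(regex(
      "(?i)^(/providers/microsoft\\.management/managementgroups/[^/]+|/subscriptions/[0-9a-f-]{36}(/resourcegroups/[^/]+)?)$",
      var.scope
    ))
    error_message = "scope must be a management group, subscription or resource group ID; azurerm_role_management_policy does not support resource-level scope."
  }
}

variable "role_definition_id" {
  description = "ID of the role definition the policy applies to (assumed to be passed in by the caller)."
  type        = string
}

# Example resource using the validated scope; the rule values are illustrative assumptions.
resource "azurerm_role_management_policy" "this" {
  scope              = var.scope
  role_definition_id = var.role_definition_id

  active_assignment_rules {
    expire_after = "P90D"
  }

  eligible_assignment_rules {
    expiration_required = true
  }

  activation_rules {
    maximum_duration = "PT1H"
    require_approval = true
  }
}
```

If the only scope you hold is a resource ID, the nearest supported scope is its resource group, which applies the policy to every role assignment in that group rather than to the single resource.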