Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Getting 400 Bad Request when creating Eligible role assignment with conditions #692

Open
alitenah opened this issue Dec 12, 2024 · 1 comment
Open

Getting 400 Bad Request when creating Eligible role assignment with conditions #692

alitenah opened this issue Dec 12, 2024 · 1 comment
Labels
upstream-api

Comments

@alitenah
Copy link

alitenah commented Dec 12, 2024
edited
Loading

When creating eligible role assignment (Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview api version) with conditions, apply fails with 400 Bad Request - ERROR CODE: ScopeDoesNotMatchRoleDefinition.
When conditions are removed, eligible role assignment is created without issues.

Code snippet for creating role with conditions included:

resource "azapi_resource" "pim_assignments" {
  type      = "Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview"
  name      = random_uuid.pim_role_assignment_random_guid.id
  parent_id = "/subscriptions/${data.azurerm_subscription.data_sub_corp.subscription_id}"
  body = {
    properties = {
      requestType      = "AdminAssign"
      roleDefinitionId = data.azurerm_role_definition.data_sub_owner_corp.id
      principalId      = data.azuread_user.data_sub_owner_user.object_id
      condition        = "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR  (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635}})) AND (( !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR  (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635}}))"
      conditionVersion = "2.0"
      scheduleInfo = {
        expiration = {
          duration = "P365D"
          type     = "AfterDuration"
        }
        startDateTime = time_static.pim_role_assignment_creation_time.rfc3339
      }
    }
  }
}

Error received:
Image

Once conditions are removed, there is no scope error. If the assignable scope was incorrect, I would expect it to fail with or without conditions.
@ms-henglu
Copy link
Member

ms-henglu commented Dec 18, 2024
edited
Loading

Hi @alitenah ,

Thank you for taking time to report this issue and apologize for late response.

This error message comes from the API, I think it's better to open an Azure support ticket to help improve it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
upstream-api
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alitenah @ms-henglu