azuread_directory_role_eligibility_schedule_request resources disappear and can't be recreated #1306
Comments
|
Did a test of this and the eligibility schedule request was created with no end time, i.e. "End Time -> Permanent" in "PIM -> Eligible assignments" in the Azure portal. Given that I don't see how this can be an issue with the TF provider. Most likely the request was removed manually. |
|
Perhaps I wasn’t clear on the issue. All of my role aaasignments are still
present, the problem is that when terraform refreshed the state it no
longer sees the eligibility REQUESTS in our tenant, so it tries to recreate
the resources. This then fails because the role assignment the request is
trying to create already exists.
There doesn’t seem to be a direct correlation between the eligibility
request resource terraform is creating and the actual eligible role
assignment in Entra.
What I THINK is happening is that the role eligibility schedule request is
the equivalent of the form you fill out on the portal saying “I want to
assign eligibility for this role for this duration”, and creating that
resource causes Entra to create a separate resource for the actual role
assignment. Eventually Entra cleans up those old requests (for us it took
a couple months), but the actual role assignments remained since I
requested they be permanent.
…On Fri, Feb 9, 2024 at 5:44 AM Anders Julton ***@***.***> wrote:
Did a test of this and the eligibility schedule request was created with
no end time, i.e. "End Time -> Permanent" in "PIM -> Eligible assignments"
in the Azure portal.
Given that I don't see how this can be an issue with the TF provider. Most
likely the request was removed manually.
—
Reply to this email directly, view it on GitHub
<#1306 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AL5CX62MP2D6QAL2ZBPHFFDYSX4ZDAVCNFSM6AAAAABC73CHDGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMZVGY4TOMRRG4>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
To add some more detail, i believe the issue here has to do with the distinction between a roleEligibilitySchedule and a roleEligibilityScheduleRequest. It looks like when you create an eligible role assignment using an eligibilityScheduleRequest the Schedule itself is created with the permanent lifespan that was requested, but the eligibilityScheduleRequest itself appears to have a separate lifecycle. When i search with powershell using the Get-MgRoleManagementDirectoryRoleEligibilitySchedule cmdlet i still see my eligible role assignments with a status of "provisioned", however when i search with the Get-MgRoleManagementDirectoryRoleEligibilityScheduleRequest the requests all show a status of "Revoked" The same problem happened after roughly the same duration in both our production and test tenants. I'm the only one managing role managements in our test tenant so i know for a fact no manual action was done to remove them. The eligible assignments were deployed using terraform near the end of December, and i was deploying new eligible role assignments with this template successfully until a couple weeks ago. Then when i tried to update it again yesterday the requests had all rolled off and terraform wanted to recreate them all. So i suspect the requests have a one month lifecycle, but i'm not positive. Unfortunately that means if you want to try and replicate it i think you'll have to deploy the resources and wait a month or so then try generating a new plan, you should see that the role assignments are still there but terraform thinks the schedule requests need to be recreated, which will fail. |
|
I agree, seems like Entra has separate resources for the request and the actual schedule. Checked in our test tenant and most requests were The only way, using the MS Graph API at least, to create a schedule is to create the request. There is no POST method for the schedule resource. A solution might be to change the read resource method in the provider to look at the schedule rather than the request to determine if the request must be recreated. Refs: |
|
Looking in my environment today i see that all of the "revoked" schedule requests have now completely vanished. It really seems like the only path forward to make this resource even viable for use is to somehow link it to the created schedule instead of the request. In fact, i'd go a step further and say it might be more appropriate to
In any case it doesn't seem particularly useful to have the terraform state pointing to a resource that is going to self-destruct automatically |
|
Just to give this some additionnal light, I also have the same issue as mentionned here. The request actually expires but the assignment is still active. |
I agree with these proposed changes. |
|
@manicminer Would that issue be the same one that was happening in the azurerm provider that you fixed in PR #25956? |
|
@kenchan0130 Any news on this? Just checking out as I would really like to be able to keep all my resources in the state. I actually have to remove them after 45 days as a workaround. |
|
To add another bit of information, if you manually delete the assignment in the Azure Portal, Terraform does not see any changes on the next run and does not try to recreate it, so state and actual no longer match. |
|
I've same behavior like @Darkfogel mentioned. After 45 days our drift detection shows creation of all Terraform created permanent "Eligible assignments". Because Terraform cannot match the state with real world anymore, my workaround was also manual removal of these assignments and execution of our Terraform workflow again. Azure Portal: Drift detection shows: Terraform plan: Now, when I run Terraform workflow it fails because it's saying that the same resources already exists: Are there any news regarding this topic? |
|
We are being affected by this as well. We have around 100 Entra Eligible role assignments managed by TF, and they just started to show up as inexistent in the plan. Moreover, we expect new Entra Eligible role assignments to be required, more and more often. This issue was identified in February, and is a major blocker for a significant amount of people, who have already commented on this Issue. But there's still no progress whatsoever. We cannot be constantly blocked and have to manually delete these resources, or import them into the state. Please give us an update on this. If you don't plan to fix this, we will need to consider an alternative. |
Community Note
Terraform (and AzureAD Provider) Version
Terraform v1.5.7
on darwin_arm64
Affected Resource(s)
azuread_directory_role_eligibility_schedule_requestTerraform Configuration Files
Debug Output
Panic Output
Expected Behavior
The role eligibility assignment should be created, and in the absence of any other changes being made should remain indefinitely.
Actual Behavior
The role eligibility assignment is created but within a month or two (not positive on the exact duration), the Schedule Request seems to automatically expire and disappear. This leads terraform to attempt to recreate it on the next run, but as the actual role assignment still exists it results in an error similar to the below
Steps to Reproduce
terraform applyterraform applyI'm not sure this is an issue with the resource itself per se, but given that the behavior of Entra seems to be
I do wonder whether it's even useful to have this as a resource in the provider. Perhaps there's a way to skip step 1 and create the schedule request directly? or alternately once the request is created in terraform have it tie the resource ID to the actual eligible role assignment somehow instead of tying it to the schedule request, which seems to not be a permanent resource?
Important Factoids
References
The text was updated successfully, but these errors were encountered: