Azure Question posted in
The official documentation to get you started can be found here.

Terraform import azurerm_role_assignment id

I want to import an azurerm_role_assignment (Azure) in Terraform dependent on my environment (dev, test, prod) by using an import block such as

import {
  to = azurerm_role_assignment.test_role_assignment
  id = "<scope>/.../<GUID>"
}

At the moment I use

az role assignment list --assignee ... --all

which returns a list of role assignments and now based on matching roleDefinitionName I copy the related id manually into the import block and it works. But it is different for the other environments. I want to avoid copying a lot of IDs manually.

So I was thinking within the scope I can use a variable "env" in order to import from the correct environment. But the changing GUID is required – for example:

import {
  to = azurerm_role_assignment.test_role_assignment
  id = "/subscriptions/.../resourcegroups/$(var.env)-rg/$(data.<something>.id)"
}

Is there a way to get the GUID in a data block or similar so that I can put the GUID in the id of the import block? I don’t want to manually import all role assignments for all environments manually. Thank you!

Tags:

2

Answers


  1. 0

    —Not an answer—

    Wanted to say I’m currently facing this as well, and haven’t found a way to resolve it.

    If there was a data block for azurerm_role_assignment, I think that would’ve helped to get the GUID. But it seems Azure doesn’t support that

    Login or Signup to reply.
  2. 0

    For this answer I’ll go with: You have a role definition name you can match with, and you require the GUID for the role assignment to be returned to you as a value so you can use it for your imports.
    Probably in this case, if it must be az cli, I would try the az rest command.

    az rest --method get --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=atScope()+and+assignedTo('{objectId}')"

    With this you can go over the subscriptions, and get the GUID for the role assignment. Read docs here.

    Perhaps, if your logic is something like:

    • Store all subscriptions for the loop

    for each subscription:

    • Find the role definition ID for ‘roledefinitionname’
    • Extract all role assignment IDs for the role
      Perhaps something like will help you out:
    az account list --query '[].id' -o tsv

role_definition_name="roledefinitionname"

for subscription in $(az account list --query '[].id' -o tsv); do

    az account set --subscription $subscription
    
    role_definition_id=$(az role definition list --name $role_definition_name --query '[0].id' -o tsv)
    
    if [ -n "$role_definition_id" ]; then
        echo "Role definition ID for $role_definition_name: $role_definition_id"
        
        az role assignment list --query "[?roleDefinitionId=='$role_definition_id'].{assignmentId:id}" -o tsv
    else
        echo "Role definition $role_definition_name not found in subscription $subscription"
    fi

done

    Granted this is written for Windows. But the az commands are there for your personal fine-tuning. Hope it helps.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search