
I am getting a role definition in terraform from azure with the following command:

data "azurerm_role_definition" "test_role" {
  name = "Test Role"
  scope = data.azurerm_subscription.test-subscription.id
}

With the id of the role I am trying to create a role assignment with terraform:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  ...
}

But when I run terraform plan I am getting the error:

Error: Value must be a valid UUID

I also tried:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.role_definition_id
  ...
}

This gave me the same error message.

Do you have any idea how to get the UUID of a role in terraform?

2 Answers


  1. As discussed in the comments:

    You mixed up the different role assignments. What you are looking for is the RBAC assignment azurerm_role_assignment

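Applied to the asker's own data source, here is an added example (not code from the question or either answer) that uses the Azure RBAC resource instead of the Azure AD app role resource; the service principal and resource group lookups are assumed names, and the scoped role definition ID is built from the GUID the data source exports.

```hcl
# Added example: wire the asker's azurerm_role_definition data source into
# an Azure RBAC assignment. Principal and resource group names are assumptions.

data "azurerm_subscription" "test-subscription" {}

# Role looked up by name, as in the question.
data "azurerm_role_definition" "test_role" {
  name  = "Test Role"
  scope = data.azurerm_subscription.test-subscription.id
}

# Assumed: an existing service principal that should receive the role.
# principal_id must be the object ID, not the application (client) ID.
data "azuread_service_principal" "workload" {
  display_name = "example-workload-sp"
}

# Assumed: a resource group, so the grant is narrower than the subscription.
data "azurerm_resource_group" "app" {
  name = "rg-example"
}

resource "azurerm_role_assignment" "test_assignment" {
  # Scope the grant to the resource group rather than the whole subscription.
  scope = data.azurerm_resource_group.app.id

  # role_definition_id on the data source is the bare GUID the question asks
  # for. azurerm_role_assignment wants the full role definition resource ID,
  # so prefix it with the scope the role was looked up at.
  role_definition_id = join("", [
    data.azurerm_subscription.test-subscription.id,
    "/providers/Microsoft.Authorization/roleDefinitions/",
    data.azurerm_role_definition.test_role.role_definition_id,
  ])

  principal_id = data.azuread_service_principal.workload.object_id
}
```

For built-in roles, role_definition_name = "Reader" (or similar) is the simpler alternative and avoids the data source entirely.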
  2. I tried the below code and received the same error:

    resource "azuread_app_role_assignment" "aks_test_assignment" {
      app_role_id         = azurerm_role_definition.aks_cluster_admin_role.id
      principal_object_id = azuread_group.aks_admins_group.id
      resource_object_id  = azurerm_kubernetes_cluster.example.id
    }
    

    Error:

    Value must be a valid UUID
    │
    │   with azuread_app_role_assignment.aks_test_assignment,
    │   on main.tf line 225, in resource "azuread_app_role_assignment" "aks_test_assignment":
    │  225:   resource_object_id  = azurerm_kubernetes_cluster.example.id
    


    Here resource_object_id must be the service principal object ID.
    The service principal can be obtained by creating an application in Azure AD.

    Or

    When a system-assigned identity is used, the ID of the system-assigned managed identity must be used.

    An Azure AD role is different from an azurerm role:


    Try below code:

    resource "azurerm_role_assignment" "example" {
      scope              = azurerm_kubernetes_cluster.example.id
      role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
      principal_id       = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
    }
    

    or

    resource "azurerm_role_definition" "aks_cluster_admin_role" {
      name        = "Network Contributor" #"AKSClusterAdminRole"
      description = "Allows management network of an AKS cluster"
      scope       = "/subscriptions/f10xxxxa71c"
      permissions {
        actions     = [
          "Microsoft.ContainerService/managedClusters/*",
          "Microsoft.ContainerService/locations/*"
        ]
        not_actions = []
      }
      assignable_scopes = [
        azurerm_kubernetes_cluster.example.id
      ]
    }
    
    data "azuread_service_principal" "aks-aci_identity" {
      display_name = "sp${azurerm_kubernetes_cluster.example.name}"
      depends_on   = [azurerm_kubernetes_cluster.example]
    }
    
    resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
      scope                = azurerm_virtual_network.example.id
      role_definition_name = "Reader"
      principal_id         = data.azuread_service_principal.aks-aci_identity.id
    }
    
    resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
      scope                = azurerm_subnet.example-aci.id
      role_definition_name = "Network Contributor"
      principal_id         = data.azuread_service_principal.aks-aci_identity.id
    }
    
    resource "azurerm_role_assignment" "example" {
      scope                = "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
      # the service principal is declared above as a data source, not a resource
      principal_id         = data.azuread_service_principal.aks-aci_identity.id
      role_definition_name = "Contributor"
    }
    


    Also below code worked:

    resource "azurerm_role_assignment" "example" {
      scope                = "/subscriptions/xxxc/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1" #azurerm_container_registry.acr.id
      role_definition_name = "Contributor"
      principal_id         = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
    }
    


    References:

    1. Aks issues | Github
    2. Azure role assignment Acr /aks | StackOverflow