
Using azurerm_pim_eligible_role_assignment results in HTTP 400 Bad request Error #27672

Open
1 task done
midhun-mohan opened this issue Oct 16, 2024 · 1 comment

Comments

@midhun-mohan

Is there an existing issue for this?

  • I have searched the existing issues


Terraform Version

v1.9.5

AzureRM Provider Version

4.3.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

data "azurerm_subscription" "subscription" {
}

data "azurerm_role_definition" "kv_secrets_officer" {
  name = "Key Vault Secrets Officer"
}

resource "time_static" "static" {}

module "pim_assignment_kv_secrets_user_vce_mt" {
  source             = "../modules/pim_assignment"
  scope              = data.azurerm_subscription.subscription.id
  principal_id       = "xxxxxxxxxxxxxxxxxxxxxxxxx"
  role_definition_id = data.azurerm_role_definition.kv_secrets_officer.id
  schedule = {
    start_date_time          = time_static.static.rfc3339
    expiration_duration_days = 360
  }
  justification = "Access for team"
}

The module looks like this:

resource "azurerm_pim_eligible_role_assignment" "pim_assignment" {
  scope              = var.scope
  role_definition_id = "${var.scope}${var.role_definition_id}"
  principal_id       = var.principal_id

  schedule {
    start_date_time = var.schedule.start_date_time
    expiration {
      duration_days = var.schedule.expiration_duration_days
    }
  }
  justification = var.justification
}

Debug Output/Panic Output

2024-10-16T20:36:35.119Z [DEBUG] provider.terraform-provider-azurerm: [DEBUG] PUT https://management.azure.com/subscriptions/dfdfdfdfdfdfdfdfdfdffdfdfdfdfdfdfdf/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/c355c019-bc26-48a9-b876-1c6e51347bf0?api-version=2020-10-01
2024-10-16T20:36:37.242Z [DEBUG] provider.terraform-provider-azurerm: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions/dfdfdfdfdfdfdfdfdfdffdfdfdfdfdfdfdf/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/c355c019-bc26-48a9-b876-1c6e51347bf0?api-version=2020-10-01: 
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: HTTP/2.0 400 Bad Request
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Content-Length: 223
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Access-Control-Allow-Headers: content-Type, accept, origin, X-Requested-With, Authorization, name, x-ms-client-session-id, accept-language, x-ms-client-request-id, x-ms-effective-locale, x-ms-command-name
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Access-Control-Allow-Methods: POST, PUT, DELETE, GET, OPTIONS, PATCH
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Access-Control-Allow-Origin: *
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Cache-Control: no-cache
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Content-Type: application/json; charset=utf-8
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Date: Wed, 16 Oct 2024 21:54:31 GMT
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Expires: -1
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Mspimslice: PROD
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Pragma: no-cache
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Cache: CONFIG_NOCACHE
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Content-Type-Options: nosniff
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Ms-Client-Request-Id: 98c7b941-a43d-4822-9e20-7dad4d9f2772
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Ms-Correlation-Request-Id: 126fcbc8-60c0-38ae-9022-895aeb321004
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Ms-Ratelimit-Remaining-Subscription-Global-Reads: 3749
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Ms-Ratelimit-Remaining-Subscription-Reads: 249
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Ms-Request-Id: 78e1c580-dfea-4aaa-98e5-e100bef00ae2
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Ms-Routing-Request-Id: EASTUS:20241016T215432Z:78e1c580-dfea-4aaa-98e5-e100bef00ae2
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: X-Msedge-Ref: Ref A: A05A020F1D4A4462AC4A65115145A1D9 Ref B: MNZ221060619025 Ref C: 2024-10-16T21:54:31Z
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm
2024-10-16T21:54:32.438Z [DEBUG] provider.terraform-provider-azurerm: {"error":{"code":"InsufficientPermissions","message":"The requestor cxcxcxcxcxcxcxcxcxcxcxcxcxcxc does not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments."}}
Error: -16T21:54:32.438Z [ERROR] provider.terraform-provider-azurerm: Response contains error diagnostic: @caller=/home/runner/work/terraform-provider-azurerm/terraform-provider-azurerm/provider/vendor/github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto
  diagnostic_detail=
  | retrieving Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/dfdfdfdfdfdfdfdfdfdffdfdfdfdfdfdfdf"
  | Role Eligibility Schedule Request Name: "b752a90c-4612-2795-1718-228714a0c4d5"): unexpected status 400 (400 Bad Request) with error: InsufficientPermissions: The requestor cxcxcxcxcxcxcxcxcxcxcxcxcxcxc does not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.
   diagnostic_severity=ERROR
  diagnostic_summary=
  | retrieving Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/dfdfdfdfdfdfdfdfdfdffdfdfdfdfdfdfdf"
  | Role Eligibility Schedule Request Name: "b752a90c-4612-2795-1718-228714a0c4d5"): unexpected status 400 (400 Bad Request) with error: InsufficientPermissions: The requestor cxcxcxcxcxcxcxcxcxcxcxcxcxcxc does not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.
   tf_resource_type=azurerm_pim_eligible_role_assignment tf_proto_version=5.6 tf_provider_addr=registry.terraform.io/hashicorp/azurerm tf_req_id=43b8231e-0394-54ff-3136-490eed416fc3 tf_rpc=ApplyResourceChange timestamp=2024-10-16T21:54:32.438Z

Expected Behaviour

Runs without problems and the PIM assignment is created successfully.

Actual Behaviour

PIM assignments are created, but the subsequent fetch call still fails, making `terraform apply` fail.

Steps to Reproduce

terraform init
terraform apply

Important Factoids

No response

References

No response

@quilleo

quilleo commented Dec 13, 2024

I was able to do an apply and plan successfully with an Owner role assignment at the management group level above the subscriptions, but as soon as I removed Owner and was only left with Reader, I am not able to do a terraform plan.
I get the exact same error.

I of course do not expect to be able to do an apply any longer without activating Owner.

Point being, this seems like a bug, since I am only trying to do a plan, and it is probably related to this same issue.

Ed
