
azurerm_pim_eligible_role_assignment waiting for Role Management Policy to become ready: couldn't find resource #23775

Open
1 task done
ChrisTav424 opened this issue Nov 3, 2023 · 13 comments

Comments

@ChrisTav424

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.3

AzureRM Provider Version

3.79.0

Affected Resource(s)/Data Source(s)

azurerm_pim_eligible_role_assignment

Terraform Configuration Files

resource "time_static" "main" {}

resource "azurerm_pim_eligible_role_assignment" "main" {
  principal_id       = "8ed7898e-----"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----"
  scope              = "/subscriptions/6918adf8----"

  schedule {
    start_date_time = time_static.main.rfc3339
    expiration {
      duration_days = 365
    }
  }
}

Debug Output/Panic Output

Error: waiting for Role Management Policy: (Principal Id "ed681489----" / Scope "/subscriptions/6918adf8----" / Role Definition Id "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----") to become ready: couldn't find resource (21 retries)

│   with module.pim["6918adf8----"].azurerm_pim_eligible_role_assignment.main,
│   on ..\..\..\..\tfmodules\pim\main.tf line 3, in resource "azurerm_pim_eligible_role_assignment" "main":
│    3: resource "azurerm_pim_eligible_role_assignment" "main" {

│ waiting for Role Management Policy: (Principal Id
│ "ed681489----" / Scope
│ "/subscriptions/6918adf8----" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----")
│ to become ready: couldn't find resource (21 retries)

Expected Behaviour

Apply successful

Actual Behaviour

The apply fails with 'waiting for Role Management Policy to become ready: couldn't find resource (21 retries)'.

The PIM roles have been created in the portal, and when I run another terraform plan / apply it states that the resource needs to be imported into state.

This only seems to be a problem when you specify a scope at the subscription level.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

I have seen this referenced in a few places already, but they state that it is resolved.

hashicorp/terraform-provider-azuread#68
#22932

@ChrisTav424 ChrisTav424 changed the title azurerm azurerm_pim_eligible_role_assignment waiting for Role Management Policy to become ready: couldn't find resource azurerm_pim_eligible_role_assignment waiting for Role Management Policy to become ready: couldn't find resource Nov 3, 2023
@smokedlinq
Contributor

Noticed this yesterday too. It might be an Azure issue, in the activity log we see the Started event but never a completed event. I think the team was going to open a case with MS as well, will report back if they find anything.

@ChrisTav424
Author

Thanks @smokedlinq I will raise this with them too

@jcframil

jcframil commented Nov 6, 2023

I have been trying for a couple of days to make it work, and went through a couple of posts, just to find out this issue is marked as resolved. 🥲

Also tried changing the scope to RG but it failed.

When I try to create the resource it fails as mentioned before. The import fails too, saying that it cannot import a non-existent remote object. Curious thing that the terraform apply shows the resource ID that needs to be imported 🤔

That's unusable for us at the moment.

Terraform Versions

1.5.7
1.6.3

AzureRM Provider Versions

3.79.0
3.70.0
3.65.0

Output after terraform apply

Error: A resource with the ID "/subscriptions/---/---/---/xxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_pim_eligible_role_assignment" for more information.
 
   with azurerm_pim_eligible_role_assignment.test,
   on elegible.tf line 15, in resource "azurerm_pim_eligible_role_assignment" "test":
   15: resource "azurerm_pim_eligible_role_assignment" "test" {
 
A resource with the ID "/subscriptions/---/---/---/xxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_pim_eligible_role_assignment" for more information.

Output after terraform import

Error: Cannot import non-existent remote object
 
 While attempting to import an existing object to
 "azurerm_pim_eligible_role_assignment.test", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.

@MohnJadden

I had the same issue. If you're using index keys and are working within Windows, you'd have to escape the index values like so. However, I ran into issues where the import claimed to be successful but didn't actually import into the state, so in the end I had to delete the existing PIM assignment from the portal and re-run it.

@xinfli

xinfli commented Nov 22, 2023

Try changing your role_definition_id to /subscriptions/6918adf8---/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----.

We had a similar problem, but we are working with a management group; it took us several days until we found what was wrong with it:

  • If the scope is a management group, the role_definition_id should not contain the scope; it should be like /providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----
  • If the scope is a subscription, the scope is mandatory in role_definition_id: /subscriptions/6918adf8----/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6----

Refer to the sections Example Usage (Subscription) and Example Usage (Management Group) in the documentation for azurerm_pim_eligible_role_assignment.
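The scope-dependent role_definition_id rule described in the comment above, as an added helper that is not part of the provider or of this issue: it derives the form the comment says works for each scope kind and flags a configuration that uses the wrong one (the bare form at subscription scope, as in the original report). The resource-group branch follows the later comment in this thread that prefixes role_definition_id with the resource group id; all GUIDs and names in the code are constructed placeholders.

```python
"""Constructed helper (not part of the AzureRM provider): build and check the
role_definition_id form for azurerm_pim_eligible_role_assignment per scope."""
import re
from typing import Optional

GUID = r"[0-9a-fA-F-]{36}"
ROLE_DEF_SUFFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def scope_kind(scope: str) -> str:
    """Classify an ARM scope string as 'managementGroup', 'resourceGroup',
    'subscription' or 'unknown'."""
    if scope.startswith(MG_PREFIX) and len(scope) > len(MG_PREFIX):
        return "managementGroup"
    if re.fullmatch(rf"/subscriptions/{GUID}/resourceGroups/[^/]+", scope):
        return "resourceGroup"
    if re.fullmatch(rf"/subscriptions/{GUID}", scope):
        return "subscription"
    return "unknown"


def expected_role_definition_id(scope: str, role_guid: str) -> str:
    """Return the role_definition_id form the thread reports as working:
    bare for a management group scope, scope-prefixed otherwise."""
    kind = scope_kind(scope)
    if kind == "unknown":
        raise ValueError(f"unrecognised scope: {scope}")
    prefix = "" if kind == "managementGroup" else scope
    return f"{prefix}{ROLE_DEF_SUFFIX}{role_guid}"


def check_role_definition_id(scope: str, role_definition_id: str) -> Optional[str]:
    """Return None when role_definition_id has the expected form for scope,
    otherwise a message naming the expected value."""
    role_guid = role_definition_id.rsplit("/", 1)[-1]  # trailing GUID segment
    expected = expected_role_definition_id(scope, role_guid)
    if role_definition_id == expected:
        return None
    return (f"role_definition_id {role_definition_id!r} does not match the "
            f"expected form for a {scope_kind(scope)} scope: {expected!r}")


if __name__ == "__main__":
    # Constructed placeholders; mirrors the original report's bare form at subscription scope.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000001"
    print(check_role_definition_id(sub, ROLE_DEF_SUFFIX + "11111111-1111-1111-1111-111111111111"))
```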

@drdamour
Contributor

dupe of #23366

@TeamDman

previously mentioned dupe is closed now, #23111 is open with active discussion (more about not-found errors than timeout tho)

@manicminer
Contributor

@ChrisTav424, @smokedlinq, @jcframil, @MohnJadden are you still experiencing this error with the latest provider (currently v3.104.2)?

@manicminer manicminer self-assigned this May 22, 2024
@Scarlettliuyc

Hi @manicminer, I have a customer who still gets the same issue after updating to AzureRM 3.104.2.
It still states that the Resource with ID XXX already exists - to be managed via Terraform this resource needs to be imported into the State.

Is it the case that the fix only works for PIM assignments created with the latest version of the provider and not pre-existing assignments?

@yashshah0809

yashshah0809 commented Jul 10, 2024

Hi @manicminer - I have been following this issue; was this issue only fixed in azurerm version >= 3.104.2? I ask because I am still seeing this issue persist in v3.86.0.

@manicminer
Contributor

@yashshah0809 Yes, this was ultimately resolved in v3.104 - you will need to upgrade your provider version if you are on v3.86

@manicminer
Contributor

@Scarlettliuyc Importing should work with PIM assignments created in earlier provider versions, as long as you first upgrade the provider version (and your state) to v3.104.2 or later.

@jchryst-pack

Still seeing the timeout using v3.113.0. The assignment was created but the run fails.

resource "azurerm_pim_eligible_role_assignment" "pim" {
  scope              = azurerm_resource_group.resource_group.id
  role_definition_id = "${azurerm_resource_group.resource_group.id}/providers/Microsoft.Authorization/roleDefinitions/8e3af6------"
  principal_id       = local.teams[var.team]

  schedule {
    expiration {
      duration_days = 365
    }
  }
}

Error: waiting for Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/-----/resourceGroups/--"
│ Role Eligibility Schedule Request Name: "-------") to become found: context deadline exceeded

│ with module.rg.azurerm_pim_eligible_role_assignment.pim,
│ on .terraform/modules/rg/main.tf line 11, in resource "azurerm_pim_eligible_role_assignment" "pim":
│ 11: resource "azurerm_pim_eligible_role_assignment" "pim" {

│ waiting for Scoped Role Eligibility Schedule Request (Scope: "/subscriptions/e-----/resourceGroups/-----"
│ Role Eligibility Schedule Request Name: "----") to become found: context deadline exceeded
