feat: set implicit condition_version on azurerm_role_assignment

internal/services/authorization/role_assignment_resource.go

@@ -138,15 +138,14 @@ func resourceArmRoleAssignment() *pluginsdk.Resource {
 				Type:         pluginsdk.TypeString,
 				Optional:     true,
 				ForceNew:     true,
-				RequiredWith: []string{"condition_version"},
 				ValidateFunc: validation.StringIsNotEmpty,
 			},
 
 			"condition_version": {
-				Type:         pluginsdk.TypeString,
-				Optional:     true,
-				ForceNew:     true,
-				RequiredWith: []string{"condition"},
+				Type:     pluginsdk.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Computed: true,
 				ValidateFunc: validation.StringInSlice([]string{
 					"1.0",
 					"2.0",
@@ -238,11 +237,15 @@ func resourceArmRoleAssignmentCreate(d *pluginsdk.ResourceData, meta interface{}
 	condition := d.Get("condition").(string)
 	conditionVersion := d.Get("condition_version").(string)
 
-	if condition != "" && conditionVersion != "" {
+	switch {
+	case condition != "" && conditionVersion != "":
 		properties.RoleAssignmentProperties.Condition = utils.String(condition)
 		properties.RoleAssignmentProperties.ConditionVersion = utils.String(conditionVersion)
-	} else if condition != "" || conditionVersion != "" {
-		return fmt.Errorf("`condition` and `conditionVersion` should be both set or unset")
+	case condition != "" && conditionVersion == "":
+		properties.RoleAssignmentProperties.Condition = utils.String(condition)
+		properties.RoleAssignmentProperties.ConditionVersion = utils.String("2.0")
+	case condition == "" && conditionVersion != "":
+		return fmt.Errorf("`conditionVersion` should not be set without `condition`")
 	}
 
 	skipPrincipalCheck := d.Get("skip_service_principal_aad_check").(bool)

internal/services/authorization/role_assignment_resource_test.go

@@ -214,6 +214,23 @@ func TestAccRoleAssignment_condition(t *testing.T) {
 	})
 }
 
+func TestAccRoleAssignment_implicitCondition(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
+	id := uuid.New().String()
+
+	r := RoleAssignmentResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.implicitConditionVersion(id),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep("skip_service_principal_aad_check"),
+	})
+}
+
 func TestAccRoleAssignment_resourceScoped(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_role_assignment", "test")
 	id := uuid.New().String()
@@ -576,8 +593,32 @@ resource "azurerm_role_assignment" "test" {
   role_definition_name = "Monitoring Reader"
   principal_id         = data.azurerm_client_config.test.object_id
   description          = "Monitoring Reader except "
-  condition            = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'"
-  condition_version    = "1.0"
+  condition            = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEqualsIgnoreCase 'foo_storage_container'"
+  condition_version    = "2.0"
+}
+`, groupId)
+}
+
+func (RoleAssignmentResource) implicitConditionVersion(groupId string) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_subscription" "primary" {
+}
+
+data "azurerm_client_config" "test" {
+}
+
+resource "azurerm_role_assignment" "test" {
+
+  name                 = "%s"
+  scope                = data.azurerm_subscription.primary.id
+  role_definition_name = "Monitoring Reader"
+  principal_id         = data.azurerm_client_config.test.object_id
+  description          = "Monitoring Reader except "
+  condition            = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEqualsIgnoreCase 'foo_storage_container'"
 }
 `, groupId)
 }