azurerm_role_assignment - Support scope to be /providers/Subscription

[magodo]

Fix #17397.

The prerequisite to assign role to the subscription scope is described at https://docs.microsoft.com/en-us/answers/questions/604740/user-does-not-have-access-microsoftsubscriptionali.html. I've elevated my running account and manage the role assignment to anther sp using this scope locally successfully, via terraform apply/plan/destroy.

I've also tested for the management group scope, i.e. /providers/Microsoft.Management, where the API failed saying that this is an invalid scope.

[katbyte]

Could we add a test for this?

[magodo]

@katbyte Unfortunately, I was only able to manage to run it via my user account. When I use a SP, the API failed with:

│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'f4ed124d-*-*-*-*' with object id 'f4ed124d-*-*-*-*' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/providers/Microsoft.Subscription/providers/Microsoft.Authorization/roleAssignments/85b074a6-*-*-*-*' or the scope is invalid. If access was recently granted, please refresh your credentials."

[katbyte]

we should still have a test for it? and if that is a limitation we should be documenting it?

[magodo]

@katbyte I believe currently we don't have a way to test via CLI auth? I've put down a comment to mention the prerequisite when setting the scope to /providers/Subscription.

[katbyte]

@magodo - you can still write the test and run them locally, we just don't have a way to run them in TC yet so if you can detect UA/no SP and skip that would be good

[magodo]

@katbyte I've added the test which will always be skipped. As I failed to figure out a way to run acctest via CLI auth (as the PreCheck will always ensure the ARM_CLIENT_ID and ARM_CLIENT_SECRET is specified). The only way to fallback to CLI auth is to inlining the data.ResourceTest? But I think this would expose the SDK details to the test package, which should be avoided?

[katbyte]

as long as the test is there for future use all good - LGTM provided the config passes for you locally

[github-actions]

This functionality has been released in v3.21.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.