Upgrading AzureRM Provider 2.57 to 2.66 cause azurerm_role_assignment on root management group with incorrect Resource ID during plan #12599

Closed
markwong-synechron opened this issue Jul 15, 2021 · 3 comments

Comments

@markwong-synechron

markwong-synechron commented Jul 15, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Upgraded the AzureRM Provider version from 2.57 to 2.66.

  • Using 2.57, terraform plan shows no changes and completes successfully.
  • Using 2.66, terraform plan results in errors loading "Role Assignment" with an incorrect scope.
  • Switching back to 2.57, plan runs successfully with no changes.

(Switching is done using the provider "azurerm" block's version.)

Terraform (and AzureRM Provider) Version

Terraform version 12.20
AzureRM provider:

  • 2.57 (Current)
  • 2.66 (Issue happens)

Affected Resource(s)

  • azurerm_role_assignment

Terraform Configuration Files

resource "azurerm_role_assignment" "example" {
  scope                = local.root_management_group_scope
  role_definition_name = "Monitoring Contributor"
  principal_id         = azurerm_policy_assignment.xxx.identity[0].principal_id
}

Debug Output

Panic Output

Expected Behaviour

Terraform plan runs fine with 2.57

Actual Behaviour

Error: Error loading Role Assignment "/providers/Microsoft.Management/managementgroups/03beb921-c16c-4a69-a0df-0c9b1fb22415/providers/Microsoftuthorization/roleAssignments/4c50bcad-52c8-0ea7-c740-12c79eaa0b03": authorization.RoleAssignmentsClient#GetByID: Failure responding to request:tatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '56b2a40145c-4e94-bb36-ccf932b272df' with object id '56b2a401-445c-4e94-bb36-ccf932b272df' does not have authorization to perform action 'Microsoft.Manament/managementGroups/Microsoft.Management/<redacted>/Microsoft.Authorization/4c50bcad-52c8-0ea7-c740-12c79eaa0b03/re' over scope '/providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementgroups/<redacted>/providers/Microsoft.Authorization/roleAssignments' or the scope is invalid. If access was recently granted, please refresh your credentials.

Note: the scope /providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementgroups/03beb921-c16c-4a69-a0df-0c9b1fb215/providers/Microsoft.Authorization/roleAssignments

/providers/Microsoft.Management/managementgroups is repeated twice (different case on managementGroups).

Steps to Reproduce

I have a role assignment to a policy assignment's identity. Switch the provider version between 2.57 and then 2.66.

Important Factoids

Azure Public

  • #0000
@markwong-synechron markwong-synechron changed the title Upgrading AzureRM Provider 2.57 to 2.66 cause azurerm_role_assignment on root managemernt to refresh resources with incorrect scope Upgrading AzureRM Provider 2.57 to 2.66 cause azurerm_role_assignment on root management group with incorrect Resource ID during plan Jul 16, 2021
@manicminer manicminer added the bug label Jul 19, 2021
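The malformed ID shape reported above (management group prefix present twice, differing only in case) can be caught before an ID is sent to ARM. The following is an added example, not code from the issue or from the AzureRM provider; the function name `ParseMgRoleAssignmentID` is hypothetical and the sample IDs use constructed placeholder GUIDs.

```go
package main

import (
	"fmt"
	"strings"
)

// Lower-cased ARM path markers; ARM resource IDs compare case-insensitively.
const (
	mgMarker = "/providers/microsoft.management/managementgroups"
	raMarker = "/providers/microsoft.authorization/roleassignments/"
)

// ParseMgRoleAssignmentID (hypothetical helper) splits a role assignment ID
// scoped to a management group into (group, assignment name). It rejects IDs
// in which the management group prefix occurs more than once.
// Assumes ASCII input, so lower-casing preserves byte offsets.
func ParseMgRoleAssignmentID(id string) (group, name string, err error) {
	lower := strings.ToLower(id)
	i := strings.LastIndex(lower, raMarker)
	if i < 0 {
		return "", "", fmt.Errorf("no roleAssignments segment in %q", id)
	}
	scope, lscope := id[:i], lower[:i]
	name = id[i+len(raMarker):]
	if name == "" || strings.Contains(name, "/") {
		return "", "", fmt.Errorf("bad assignment name in %q", id)
	}
	if !strings.HasPrefix(lscope, mgMarker+"/") {
		return "", "", fmt.Errorf("scope %q is not a management group", scope)
	}
	if n := strings.Count(lscope, mgMarker); n != 1 {
		return "", "", fmt.Errorf("management group prefix appears %d times in scope %q", n, scope)
	}
	group = scope[len(mgMarker)+1:]
	if group == "" || strings.Contains(group, "/") {
		return "", "", fmt.Errorf("bad management group name in scope %q", scope)
	}
	return group, name, nil
}

func main() {
	// Constructed sample IDs (placeholder GUIDs, not values from the issue).
	good := "/providers/Microsoft.Management/managementgroups/00000000-0000-0000-0000-000000000001" +
		"/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-0000000000aa"
	bad := "/providers/Microsoft.Management/managementGroups" + good // doubled prefix
	for _, id := range []string{good, bad} {
		g, n, err := ParseMgRoleAssignmentID(id)
		fmt.Printf("group=%q name=%q err=%v\n", g, n, err)
	}
}
```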
@johhess40

This is the same behavior that causes #12320 per the issue that I posted as well!

@tombuildsstuff
Contributor

Duplicate of / consolidating into #12320

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 22, 2022