"azurerm_role_assignment" supports property "delegated_managed_identity_resource_id"

[njuCZ]

fix #9348

docs: https://docs.microsoft.com/en-us/azure/lighthouse/how-to/deploy-policy-remediation

this property does not mean the managed identity resource id, but the resource which contains a managed identity.
It's used for a cross tenant scenario. assume there are two tenants and two service principals in each tenant:

Tenant	subscription	User
tenantA	subscriptionA	userA
tenantB	subscriptionB	userB

By this new property, userA in tenantA could do role assignment in subscriptionB.

specific test step:

1. userB should delegate subscriptionB to userA by using lighthouse RP. userB could do it in terraform in following script

provider "azurerm" {
  features {}
}

variable "managing_tenant_id" {
  type = string
  // default = tenantA
}

variable "managing_principal_id" {
  type = string
  // default = userA
}

data "azurerm_role_definition" "user_access_administrator" {
  role_definition_id = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
}

data "azurerm_role_definition" "contributor" {
  role_definition_id = "b24988ac-6180-42a0-ab88-20f7382dd24c"
}

data "azurerm_subscription" "test" {}

resource "azurerm_lighthouse_definition" "test" {
  name                     = "acctest-delegate"
  description              = "Acceptance Test Lighthouse Definition"
  managing_tenant_id       = var.managing_tenant_id
  scope                    = data.azurerm_subscription.test.id

  authorization {
    principal_id           = var.managing_principal_id
    role_definition_id     = data.azurerm_role_definition.user_access_administrator.role_definition_id
    delegated_role_definition_ids = [
      data.azurerm_role_definition.contributor.role_definition_id,
    ]
  }

  authorization {
    principal_id           = var.managing_principal_id
    role_definition_id     = data.azurerm_role_definition.contributor.role_definition_id
  }
}

resource "azurerm_lighthouse_assignment" "test" {
  scope                    = data.azurerm_subscription.test.id
  lighthouse_definition_id = azurerm_lighthouse_definition.test.id
}

2. userA should switch to use subscriptionB
3. userA execute the acctest

notes, there is an api limitation:
for cross tenant role assignment, we should pass the tenantId in the request, otherwise it could not read the resource.
But in normal cases, we could not pass the tenantId property, otherwise it will report error.

changes in this PR:
to fix the above limitation, in normal case, I don't change the id format. For cross tenant scenario, I append the tenantId into the id. This is not breaking change.

[katbyte]

Thanks @njuCZ - LGTM 👍

[njuCZ]

this should be pluginsdk.TimeoutCreate, I will submit a PR to fix it soon

[katbyte]

ty i was trying to resolve it via github - didn't go as well as i'd hoped 😓

[ghost]

This has been released in version 2.62.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.62.0"
}
# ... other configuration ...

[w0ut0]

Is it possible this causes #12060?

[HarleyB123]

Hey, I think @w0ut0 is right, see my findings on that issue here.

@njuCZ I'm not sure how all the pieces fit together - hoping you might be able to see where it's going wrong 😄

[aristosvo]

The problem seems to be surfacing when the scope is on resource level instead of subscription, resource group etc.

Unfortunately this is not a scenario covered in the Acceptance Tests as far as I can see.

[njuCZ]

@w0ut0, @HarleyB123, @aristosvo sorry for causing the problem. I am glad to see that PR #12076 could fix it.

[etaham]

Can this be patched? It is causing state corruption for existing role assignments.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.