Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
i
icy-jordan-58549
11/06/2020, 5:27 PMTrying to do role assignment for subnet (Network Contributor) and getting this issue:
Diagnostics:
azure-nextgen:authorization/latest:RoleAssignment (network-contributor):
error: Code="RoleAssignmentUpdateNotPermitted" Message="Tenant ID, application ID, principal ID, and scope are not allowed to be updated."the code:
new azure_nextgen.authorization.latest.RoleAssignment('network-contributor', {
properties: {
principalId: cluster.identity.principalId,
roleDefinitionId: pulumi.interpolate`/subscriptions/${config.subscription.then(
s => s.subscriptionId
)}/providers/Microsoft.Authorization/roleDefinitions/${
networkContributorRole.name
}`
},
roleAssignmentName: networkContributorRole.name,
scope: subnet.id
});diff:
+ azure-nextgen:authorization/latest:RoleAssignment: (create)
[urn=urn:pulumi:dev::hub-spoke::azure-nextgen:authorization/latest:RoleAssignment::network-contributor]
[provider=urn:pulumi:dev::hub-spoke::pulumi:providers:azure-nextgen::default_0_2_4::bfbd2cf1-762e-4990-b41c-055e8026c657]
properties : {
principalId : "9bf80adb-087f-4d26-8920-5a3aa3e4feb5"
roleDefinitionId: "/subscriptions/393dab78-686f-41be-b9d5-f244fb11eba7/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
}
roleAssignmentName: "4d97b98b-1d4f-4787-a291-c67834d212e7"
scope : "/subscriptions/393dab78-686f-41be-b9d5-f244fb11eba7/resourceGroups/hub-spoke-rg/providers/Microsoft.Network/virtualNetworks/spoke-vnet/subnets/aks-subnet"with `az cli`I can apply assignment and get it without any issues,
az role assignment create --assignee 9bf80adb-087f-4d26-8920-5a3aa3e4feb5 --role "4d97b98b-1d4f-4787-a291-c67834d212e7" --scope "/subscriptions/393dab78-686f-41be-b9d5-f244fb11eba7/resourceGroups/hub-spoke-rg/providers/Microsoft.Network/virtualNetworks/spoke-vnet/subnets/aks-subnet"new azure.authorization.Assignment('network-contributor', {
principalId: cluster.identity.principalId,
roleDefinitionName: networkContributorRole.roleName,
scope: subnet.id
});the old way works without any issues
FIXED: thanks to @tall-librarian-49374, the name must be GUID. It’s hidden in the docs of azure
"roleNameGuid": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "A new GUID used to identify the role assignment"
}
}