👋
Terraform recently added support for managing Role Definitions (which uses the Azure APIs via the Azure SDK for Go).
Generally speaking this works well - however we've discovered that the Read/GET API is eventually consistent for Updates - as shown in the following API Responses which were taken ~10 seconds apart:
Request 1:
```json
{
  "properties": {
    "roleName": "tom-custom-tf",
    "type": "CustomRole",
    "description": "This is a custom role created via Terraform",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": ["*"],
      "notActions": ["Microsoft.Authorization/*/read"]
    }],
    "createdOn": "2017-12-12T15:43:36.7863750Z",
    "updatedOn": "2017-12-12T15:45:48.1361754Z",
    "createdBy": "00000000-0000-0000-0000-000000000000",
    "updatedBy": "00000000-0000-0000-0000-000000000000"
  },
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "00000000-0000-0000-0000-000000000000"
}
```
Request 2:
```json
{
  "properties": {
    "roleName": "tom-custom-tf",
    "type": "CustomRole",
    "description": "This is a custom role created via Terraform",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": ["*"],
      "notActions": []
    }],
    "createdOn": "2017-12-12T15:43:36.7863750Z",
    "updatedOn": "2017-12-12T15:43:36.7863750Z",
    "createdBy": "00000000-0000-0000-0000-000000000000",
    "updatedBy": "00000000-0000-0000-0000-000000000000"
  },
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "00000000-0000-0000-0000-000000000000"
}
```
Request 3:
```json
{
  "properties": {
    "roleName": "tom-custom-tf",
    "type": "CustomRole",
    "description": "This is a custom role created via Terraform",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": ["*"],
      "notActions": ["Microsoft.Authorization/*/read"]
    }],
    "createdOn": "2017-12-12T15:43:36.7863750Z",
    "updatedOn": "2017-12-12T15:45:48.1361754Z",
    "createdBy": "00000000-0000-0000-0000-000000000000",
    "updatedBy": "00000000-0000-0000-0000-000000000000"
  },
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "00000000-0000-0000-0000-000000000000"
}
```
Request 4:
```json
{
  "properties": {
    "roleName": "tom-custom-tf",
    "type": "CustomRole",
    "description": "This is a custom role created via Terraform",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": ["*"],
      "notActions": []
    }],
    "createdOn": "2017-12-12T15:43:36.7863750Z",
    "updatedOn": "2017-12-12T15:43:36.7863750Z",
    "createdBy": "00000000-0000-0000-0000-000000000000",
    "updatedBy": "00000000-0000-0000-0000-000000000000"
  },
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "00000000-0000-0000-0000-000000000000"
}
```
Whilst we can look into checking the `UpdatedOn` field as a workaround in the short-term - would it be possible to look into fixing the API so that it's consistent across API responses? I feel this API in particular needs to be consistent seeing as it's Identity/Security related?
Thanks!
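The `updatedOn` workaround mentioned in the issue, sketched as an added example (not code from the issue, Terraform or the Azure SDK). It goes one step further than a single comparison: because the four responses above alternate between the new and the old copy, it only accepts the update after several consecutive fresh reads. `waitForUpdate`, `replay` and `notBefore` are hypothetical names; `notBefore` is assumed to be the `updatedOn` value the caller expects after its own update.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// waitForUpdate polls get (a hypothetical stand-in for the Read/GET call) until
// `needed` consecutive responses carry an updatedOn at or after notBefore.
// A stale response resets the streak. It returns the number of reads made.
func waitForUpdate(get func() ([]byte, error), notBefore time.Time, needed, maxReads int, pause time.Duration) (int, error) {
	streak := 0
	for read := 1; read <= maxReads; read++ {
		body, err := get()
		if err != nil {
			return read, err
		}
		var rd struct { // only the field this check needs
			Properties struct {
				UpdatedOn time.Time `json:"updatedOn"`
			} `json:"properties"`
		}
		if err := json.Unmarshal(body, &rd); err != nil {
			return read, fmt.Errorf("decoding role definition: %w", err)
		}
		if rd.Properties.UpdatedOn.Before(notBefore) {
			streak = 0 // an old copy answered, so earlier fresh reads prove nothing
		} else if streak++; streak >= needed {
			return read, nil
		}
		time.Sleep(pause)
	}
	return maxReads, fmt.Errorf("reads did not converge after %d attempts", maxReads)
}

// replay serves constructed responses with the given updatedOn values, cycling.
func replay(stamps ...string) func() ([]byte, error) {
	i := 0
	return func() ([]byte, error) {
		i++
		return []byte(`{"properties":{"updatedOn":"` + stamps[(i-1)%len(stamps)] + `"}}`), nil
	}
}

func main() {
	const oldT, newT = "2017-12-12T15:43:36.7863750Z", "2017-12-12T15:45:48.1361754Z"
	want, _ := time.Parse(time.RFC3339Nano, newT)
	fmt.Println(waitForUpdate(replay(newT, oldT, newT, oldT, newT, newT, newT), want, 3, 20, 0))
}
```

With `needed` set to 1 the first fresh response would be accepted even though the next read can still return the role without its `notActions` entry, which is the case that matters for a permissions resource.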