Malformed AzureRM API URL invoked when trying to assign role on container to principal id

[rmsilva1973]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.12.1

AzureRM Provider Version

4.31.0

Affected Resource(s)/Data Source(s)

azurerm_role_assignment

Terraform Configuration Files

# We strongly recommend using the required_providers block to set the
# Azure Provider source and version being used
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=4.31.0"
    }
  }
}

resource "azurerm_user_assigned_identity" "my_identity" {
  name                = "my-identity"
  location            = "eastus2"
  resource_group_name = "rg-shd-enecad"
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}
  subscription_id = "<sub-id>"
  storage_use_azuread = true
}

data "azurerm_storage_account" "st_mytest" {
  name                = "stmystorageaccount"
  resource_group_name = "<rg-name>"
}

data "azurerm_storage_container" "st_mytest_container" {
  name                  = "files"
  storage_account_name  = data.azurerm_storage_account.st_mytest.name
}

resource "azurerm_role_assignment" "mytest_blob_contributor" {
  principal_id   = azurerm_user_assigned_identity.my_identity.principal_id
  role_definition_name = "Storage Blob Data Contributor"
  scope          = data.azurerm_storage_container.st_mytest_container.id
}

Debug Output/Panic Output

2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: GET /https://mystorageaccount.blob.core.windows.net/files/providers/Microsoft.Authorization/roleDefinitions?%24filter=roleName+eq+%27Storage+Blob+Data+Contributor%27&api-version=2022-05-01-preview HTTP/1.1
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: Host: management.azure.com
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: User-Agent: HashiCorp/go-azure-sdk (Go-http-Client/1.1 roledefinitions/2022-05-01-preview) HashiCorp Terraform/1.12.1 (+https://www.terraform.io) terraform-provider-azurerm/4.31.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: Accept: application/json; charset=utf-8; IEEE754Compatible=false
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: Content-Type: application/json; charset=utf-8
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: Odata-Maxversion: 4.0
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: Odata-Version: 4.0
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: X-Ms-Correlation-Request-Id: 58159c29-a482-2a7d-45dc-a442918431d1
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: Accept-Encoding: gzip
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5
2025-05-31T16:34:12.181-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: [DEBUG] GET https://management.azure.com/https://mystorageaccount.blob.core.windows.net/files/providers/Microsoft.Authorization/roleDefinitions?%24filter=roleName+eq+%27Storage+Blob+Data+Contributor%27&api-version=2022-05-01-preview
2025-05-31T16:34:12.461-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/https://mystorageaccount.blob.core.windows.net/files/providers/Microsoft.Authorization/roleDefinitions?%24filter=roleName+eq+%27Storage+Blob+Data+Contributor%27&api-version=2022-05-01-preview: 
2025-05-31T16:34:12.461-0300 [DEBUG] provider.terraform-provider-azurerm_v4.31.0_x5: HTTP/2.0 404 Not Found

Expected Behaviour

The role should have been granted on the container to the managed identity

Actual Behaviour

Error below presented:

╷
│ Error: listing role definitions: unexpected status 404 (404 Not Found) with error: MissingSubscription: The request did not have a subscription or a valid tenant level resource provider.
│
│ with azurerm_role_assignment.moutest_blob_contributor,
│ on main.tf line 35, in resource "azurerm_role_assignment" "moutest_blob_contributor":
│ 35: resource "azurerm_role_assignment" "moutest_blob_contributor" {
│

Steps to Reproduce

terraform apply

Important Factoids

If I replace the line:

scope          = data.azurerm_storage_container.st_mytest_container.id

with

scope          = data.azurerm_storage_container.st_mytest_container.resource_manager_id

it works but shows the deprecated warning below:

╷
│ Warning: Deprecated attribute
│
│ on main.tf line 38, in resource "azurerm_role_assignment" mytest_blob_contributor":
│ 38: scope = data.azurerm_storage_container.st_mytest_container.resource_manager_id
│
│ The attribute "resource_manager_id" is deprecated. Refer to the provider documentation for details.
│
│ (and 3 more similar warnings elsewhere)
╵

References

No response

[magodo]

You shall use the storage_account_id instead of storage_account_name in your data source of azurerm_storage_container, which ends up with a management plane ID for this data source, that you can put at the scope.

[leireroman12]

Hi,

I’m experiencing the same issue where resource_manager_id is reported as deprecated by Terraform’s plan output, but according to the documentation, it is still a valid attribute exported in azurerm_storage_container and required for defining the scope in azurerm_role_assignment.

Versions

• Terraform: 1.7.4
• AzureRM Provider: 4.32.0

Terraform Configuration Files

resource "azurerm_storage_container" "tfstate_storage_container" {
  name                  = "tfstate-backend"
  storage_account_id    = module.tfstate_storage.storage_account_id
  container_access_type = "private"
}

resource "azurerm_role_assignment" "iam_role_assignments_statestore_blobcontrib" {
  for_each = local.iam_statestore_blob_contributors

  principal_id         = var.aad_group_ids[each.value]
  scope                = azurerm_storage_container.tfstate_storage_container.resource_manager_id
  role_definition_name = local.roledef_blobcontrib
}

Actual Behaviour (Terraform plan)

│ Warning: Deprecated attribute
│
│ on tf_mod_storage_statestore.tf line 76, in resource "azurerm_role_assignment" "iam_role_assignments_statestore_blobcontrib":
│ 76: scope = azurerm_storage_container.tfstate_storage_container.resource_manager_id
│
│ The attribute "resource_manager_id" is deprecated. Refer to the provider documentation for details.

[linusryl]

I am experiencing the same using AzureRm 4.29.0 and Terraform 1.11.4

[ilmax]

@magodo any hint on how to fix the warning?

[magodo]

@leireroman12 In this case, you shall directly use the id, which has the same value as the resource_manager_id (that's why it is deprecated):

 scope                = azurerm_storage_container.tfstate_storage_container.id

[black-snow]

I see this with azurerm_storage_container_immutability_policy and storage_container_resource_manager_id - which is not deprecated https://registry.terraform.io/providers/hashicorp/azurerm/4.66.0/docs/resources/storage_container_immutability_policy

@magodo