azuread_directory_role_assignment Replaces Role Assignment on Every Apply #1581

Open
1 task done
colinoly opened this issue Dec 4, 2024 · 1 comment

colinoly commented Dec 4, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.6

AzureRM Provider Version

3.108.0

Affected Resource(s)/Data Source(s)

azuread_directory_role_assignment

Terraform Configuration Files

resource "azuread_directory_role" "directory_readers" {
  display_name = "Directory Readers"
}

resource "azuread_group" "entraid_group_entra" {
  display_name       = "entra_group_name_1"
  description        = "For Entra ID Access"
  security_enabled   = true
  assignable_to_role = true
}

resource "azuread_directory_role_assignment" "entraid_group_entra_role_assignment" {
  role_id             = azuread_directory_role.directory_readers.id
  principal_object_id = azuread_group.entraid_group_entra.id
}

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
-/+ destroy and then create replacement

Terraform planned the following actions, but then encountered a problem:

  # module.entraid_group.azuread_directory_role_assignment.entraid_group_entra_role_assignment must be replaced
-/+ resource "azuread_directory_role_assignment" "entraid_group_entra_role_assignment" {
      + app_scope_id              = (known after apply)
      + app_scope_object_id       = (known after apply)
      ~ directory_scope_id        = "/" -> (known after apply)
      ~ directory_scope_object_id = "/" -> (known after apply)
      ~ id                        = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -> (known after apply)
      ~ role_id                   = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" -> "ce1fcd5e-0a2e-428c-b642-f06ad0b404d4" # forces replacement
        # (1 unchanged attribute hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Expected Behaviour

Entra Role "Directory Readers" is assigned to created Entra group

Actual Behaviour

The apply is successful
Every run after, each plan wants to replace the ID

~ role_id = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" -> "ce1fcd5e-0a2e-428c-b642-f06ad0b404d4" # forces replacement

ce1fcd5e-0a2e-428c-b642-f06ad0b404d4 does not exist, https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference

Steps to Reproduce

terraform plan
terraform apply

Important Factoids

No response

References

Similar to hashicorp/terraform-provider-azurerm#19847
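
A CI-side check for the symptom reported above, as an added example that is not part of the original issue or of the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports every `azuread_directory_role_assignment` the plan would destroy and recreate, along with the attribute forcing the replacement. The embedded plan is a constructed sample reduced to the fields used; the role assignment address and role IDs are copied from the plan output in the issue, while the group's address and all function and constant names are assumptions.

```python
import json
import sys

WATCHED_TYPE = "azuread_directory_role_assignment"

# Constructed sample shaped like `terraform show -json <planfile>` output, reduced
# to the fields read below. Role IDs and the assignment address come from the
# issue's plan; the group entry's address is assumed for illustration.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.entraid_group.azuread_group.entraid_group_entra",
   "type": "azuread_group",
   "change": {"actions": ["no-op"]}},
  {"address": "module.entraid_group.azuread_directory_role_assignment.entraid_group_entra_role_assignment",
   "type": "azuread_directory_role_assignment",
   "change": {"actions": ["delete", "create"],
              "before": {"role_id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"},
              "after": {"role_id": "ce1fcd5e-0a2e-428c-b642-f06ad0b404d4"},
              "replace_paths": [["role_id"]]}}
]}
""")


def role_assignment_replacements(plan):
    """Return one finding per directory role assignment the plan would replace."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is reported as both "delete" and "create" on one resource.
        if rc.get("type") != WATCHED_TYPE or not {"delete", "create"} <= set(actions):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}  # values unknown until apply are absent here
        findings.append({
            "address": rc["address"],
            "forced_by": [path[0] for path in change.get("replace_paths", []) if path],
            "role_id_before": before.get("role_id"),
            "role_id_after": after.get("role_id"),
        })
    return findings


if __name__ == "__main__":
    # With a file argument, check a real plan export; otherwise use the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = role_assignment_replacements(plan)
    for f in found:
        print(f"{f['address']}: replacement forced by {f['forced_by']}, "
              f"role_id {f['role_id_before']} -> {f['role_id_after']}")
    sys.exit(1 if found else 0)
```

Run against a plan export in a pipeline, the non-zero exit stops an apply that would briefly remove and re-create a directory role assignment until someone has reviewed it.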

@colinoly colinoly changed the title azuread_directory_role_assignment Replaces Every Apply azuread_directory_role_assignment Replaces Role Assignment on Every Apply Dec 4, 2024

rcskosir commented Dec 4, 2024

👋 Thank you for taking the time to open this issue. I am going to move it to the terraform azuread repo that is responsible for this resource.

@rcskosir rcskosir transferred this issue from hashicorp/terraform-provider-azurerm Dec 4, 2024