
azuread_group_role_management_policy incorrect role_id provisioned (the owner instead of a member) #1491

Open
sbareika opened this issue Sep 25, 2024 · 0 comments

Comments

@sbareika

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.5.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.53.1

Affected Resource(s)

  • azuread_group_role_management_policy

Terraform Configuration Files

resource "azuread_group" "pim_test" {
  display_name     = "pim-test-group"
  security_enabled = true
}

resource "azuread_group_role_management_policy" "pim_test_member" {
  group_id = azuread_group.pim_test.id
  role_id  = "member"

  eligible_assignment_rules {
    expiration_required = false
  }
}

Debug Output

The debug log is taken for a limited configuration (in order to exclude logs related to group creation):

resource "azuread_group_role_management_policy" "pim_test_member" {
  group_id = "391eb67c-8dc1-4416-9ad5-7c0f30208314"
  role_id  = "member"

  eligible_assignment_rules {
    expiration_required = false
  }
}

https://gist.github.com/sbareika/1b1e842282d26ddf08d0625acbe18181

Expected Behavior

The member PIM policy is configured for the provided Group

Actual Behavior

During the first apply run the owner role policy is configured instead of the member:

The following plan run shows the required changes, and the second apply actually provisions the member policy:

Terraform will perform the following actions:

  # azuread_group_role_management_policy.pim_test_member will be updated in-place
  ~ resource "azuread_group_role_management_policy" "pim_test_member" {
        id           = "Group_96fe48d8-f023-449c-99c6-3676c7f28a5f_6951bc8d-6e96-4ce2-bdbe-9723132f839f"
        # (4 unchanged attributes hidden)

      ~ eligible_assignment_rules {
          ~ expiration_required = true -> false
            # (1 unchanged attribute hidden)
        }

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.


Steps to Reproduce

  1. Run terraform apply to create a new Group and a PIM policy

Workaround

As a workaround the following code works fine (i.e. create an empty owner role policy before the member one):

resource "azuread_group" "pim_test" {
  display_name     = "pim-test-group"
  security_enabled = true
}

resource "azuread_group_role_management_policy" "pim_test_owner" {
  group_id = azuread_group.pim_test.id
  role_id  = "owner"
}

resource "azuread_group_role_management_policy" "pim_test_member" {
  group_id = azuread_group.pim_test.id
  role_id  = "member"

  depends_on = [azuread_group_role_management_policy.pim_test_owner]

  eligible_assignment_rules {
    expiration_required = false
  }
}
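As an added check (not part of the original issue report and not the provider's code): a script that reads a plan in Terraform's machine-readable form (`terraform plan -out=tfplan && terraform show -json tfplan`) taken right after the first apply, and flags any azuread_group_role_management_policy that still needs changes. A plan that is not a no-op immediately after an apply is exactly the symptom reported above, so this can run in CI as a convergence gate. The `resource_changes` / `change.actions` / `before` / `after` layout is Terraform's documented plan JSON format; the sample plan embedded in the script is constructed to mirror the plan output shown in the issue and is not real captured data.

```python
"""Flag role-management policies that still want changes right after an apply.

Assumed workflow (not from the original issue):
    terraform apply
    terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    python check_pim_drift.py plan.json      # exit 1 if any policy still drifts
"""
import json
import sys

POLICY_TYPE = "azuread_group_role_management_policy"


def _changed_attrs(before, after, prefix=""):
    """Recursively list (path, before, after) for every attribute that differs."""
    diffs = []
    if isinstance(before, dict) and isinstance(after, dict):
        for key in sorted(set(before) | set(after)):
            diffs.extend(_changed_attrs(before.get(key), after.get(key), f"{prefix}{key}."))
    elif isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        for i, (b, a) in enumerate(zip(before, after)):
            diffs.extend(_changed_attrs(b, a, f"{prefix}{i}."))
    elif before != after:
        diffs.append((prefix.rstrip("."), before, after))
    return diffs


def find_policy_drift(plan):
    """Return one record per role-management policy the plan still wants to change.

    `plan` is the parsed output of `terraform show -json <planfile>`.
    """
    drift = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != POLICY_TYPE:
            continue
        change = rc["change"]
        if change["actions"] == ["no-op"]:
            continue
        after = change.get("after") or {}
        drift.append({
            "address": rc["address"],
            "actions": change["actions"],
            "role_id": after.get("role_id"),
            "group_id": after.get("group_id"),
            "changes": _changed_attrs(change.get("before") or {}, after),
        })
    return drift


def report(drift):
    """Render drift records as human-readable lines for CI logs."""
    lines = []
    for d in drift:
        lines.append(f"{d['address']} (role_id={d['role_id']}): {'/'.join(d['actions'])}")
        for path, before, after in d["changes"]:
            lines.append(f"  {path}: {before!r} -> {after!r}")
    return lines


# Constructed sample modelled on the second plan shown in the issue: the member
# policy was applied once, yet the refreshed plan still wants to flip
# expiration_required from true to false. Ids are taken from the issue text.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "azuread_group_role_management_policy.pim_test_member",
            "type": POLICY_TYPE,
            "change": {
                "actions": ["update"],
                "before": {
                    "id": "Group_96fe48d8-f023-449c-99c6-3676c7f28a5f_6951bc8d-6e96-4ce2-bdbe-9723132f839f",
                    "group_id": "96fe48d8-f023-449c-99c6-3676c7f28a5f",
                    "role_id": "member",
                    "eligible_assignment_rules": [{"expiration_required": True}],
                },
                "after": {
                    "id": "Group_96fe48d8-f023-449c-99c6-3676c7f28a5f_6951bc8d-6e96-4ce2-bdbe-9723132f839f",
                    "group_id": "96fe48d8-f023-449c-99c6-3676c7f28a5f",
                    "role_id": "member",
                    "eligible_assignment_rules": [{"expiration_required": False}],
                },
            },
        }
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    drift = find_policy_drift(plan)
    print("\n".join(report(drift)) or "no role-management-policy drift")
    sys.exit(1 if drift else 0)
```

Run with no arguments to see the constructed sample flagged; in a pipeline, point it at the plan JSON produced immediately after `terraform apply`. A non-zero exit there means the provider recorded a policy in state that does not match what the service actually configured, so a second apply (or the owner-first workaround above) is still needed.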