Assign Azure AD group to Azure AD role in multiple subscriptions

Terraform Providers Azure
1

Hello
I want to add Azure AD group to the built-in Azure AD role in multiple subscriptions. Created below code:

locals {
  multi_subs = [
  "sub1",
  "sub2",
  .
  .
  .
  "subX"
  ]
}

data "azurerm_subscription" "subs" {
  for_each = toset(local.multi_subs)
}

resource "azurerm_role_assignment" "example" {
  for_each             = data.azurerm_subscription.subs
  scope                = data.azurerm_subscription.validation.id
  role_definition_name = "User Access Administrator"
  principal_id         = "xxxxxxxxx" - ID of Azure AD users group
}

after terraform plan i got the following error:
Error: Reference to undeclared resource

│ on main.tf line 22, in resource “azurerm_role_assignment” “example”:
│ 22: scope = data.azurerm_subscription.validation.id

│ A data resource “azurerm_subscription” “validation” has not been declared in the root module.

I’m not sure how to handle it or if it’s good way of doing this task in that way in terraform

2

What were you expecting

to refer to? As the Terraform error message has pointed out to you,

Indeed, there’s nothing else called validation anywhere in the code you posted?

I wonder if you were trying to use the subscriptions from the for_each? In which case you would write:

  scope                = each.value.id
3

@maxb thank you for the answer. Yes i changed it and now looks better, but scope is not changing

Terraform will perform the following actions:

  # azurerm_role_assignment.example["sub1"] will be created
  + resource "azurerm_role_assignment" "example" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "xxxx"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "User Access Administrator"
      + scope                            = "/subscriptions/aaaaaa"
      + skip_service_principal_aad_check = (known after apply)
    }

  # azurerm_role_assignment.example["sub2"] will be created
  + resource "azurerm_role_assignment" "example" {
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "xxxxx"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "User Access Administrator"
      + scope                            = "/subscriptions/aaaaaa"
      + skip_service_principal_aad_check = (known after apply)
    }

it’s taking the same /subscription/id for all subscriptions

4

For the data source you aren’t specifying subscription_id which according to the docs means it will use the subscription ID of the current Azure Resource Manager provider. So while you are having lots of instances of that data source I’d expect them to all have identical values.

5

Do you know how to handle it? Are you able to provide me some tips?

6

Set subscription_id = each.value inside the data source?

7

After added it to

data “azurerm_subscription” “subs” {
for_each = toset(local.multi_subs)
subscription_id = each.value
}

i got the errors

│ Error: retrieving Subscription (Subscription: “xxx”): subscriptions.Client#Get: Failure responding to request: StatusCode=400 – Original Error: autorest/azure: Service returned an error. Status=400 Code=“InvalidSubscriptionId” Message=“The provided subscription identifier ‘xxx’ is malformed or invalid.”

│ with data.azurerm_subscription.subs[“xxx”],
│ on main.tf line 33, in data “azurerm_subscription” “subs”:
│ 33: data “azurerm_subscription” “subs” {

8

So, specify valid subscription IDs then?