Azure role create and assignment

I can't differentiate between scope and assignable_scope. What I understood:

scope - where you want to create the role definition.
assignable_scope - where you want to apply that role.

I created and ran the module below. I want to create the role at the subscription level but apply it to only one resource group under that subscription. I am getting the following error:

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="RoleAssignmentScopeNotAssignableToRoleDefinition" Message="The role TerraTesting-Role-role is not available for assignment at the requested scope."

Here is the code:

```hcl
module "az-role" {
  source = "./modules/az-role"
  role = {
    role_name    = "TerraTesting-Role"
    environment  = "production"
    permissions  = ["Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachines/start/action"]
    scope        = "/subscriptions/XXXXXXXX-6764-48a4-abe3-5bdXXXXXXXXX/"
    principal_id = "12fabb45-e26c-4b2c-b25b-eXXXXXX"
  }
  assignable_scopes = ["/subscriptions/XXXXXXXX-6764-48a4-abe3-5bdXXXXXXXXX/resourceGroups/US240-RG-Terra-Testing"]
  depends_on        = [module.az-resource-group-main]
}
```
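The error names the rule the module breaks: a role assignment's scope must be equal to, or sit below, one of the role definition's assignable_scopes, and the module assigns at the subscription while only the resource group is assignable. The following is an added illustration of the relationship between the two arguments, not the poster's module or HashiCorp's code; it assumes the azurerm provider, a resource group named as in the post, and a principal_id variable in place of the redacted value, and it keeps scope and assignable_scopes aligned at the resource group so the role can never be granted more widely than intended.

```hcl
# Added example (not the poster's module). Shows the three scopes involved:
#   scope             - where the role definition object is created
#   assignable_scopes - where assignments of this role are permitted
#   assignment scope  - must be one of the assignable scopes or a child of it
variable "principal_id" {
  type        = string
  description = "Object ID of the user, group or service principal (placeholder)"
}

data "azurerm_resource_group" "target" {
  name = "US240-RG-Terra-Testing" # resource group named in the post
}

resource "azurerm_role_definition" "vm_operator" {
  name        = "TerraTesting-Role"
  scope       = data.azurerm_resource_group.target.id
  description = "Read and start virtual machines in one resource group"

  permissions {
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/start/action",
    ]
    not_actions = []
  }

  # Limiting assignable_scopes to the resource group is the least-privilege
  # choice: an assignment anywhere above it (e.g. at the subscription root)
  # is rejected with RoleAssignmentScopeNotAssignableToRoleDefinition, which
  # is exactly what the post's module hit by assigning at the subscription.
  assignable_scopes = [data.azurerm_resource_group.target.id]
}

resource "azurerm_role_assignment" "vm_operator_rg" {
  # Equal to an entry in assignable_scopes above, so the assignment succeeds.
  scope              = data.azurerm_resource_group.target.id
  role_definition_id = azurerm_role_definition.vm_operator.role_definition_resource_id
  principal_id       = var.principal_id
}
```

If the definition must live at the subscription so it can be reused, keep the assignment scope under an entry of assignable_scopes; the resource group, not the subscription, is the scope the assignment resource should receive.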
