Unable to create Azure Custom IAM Role

alwaysharsha · May 2, 2023, 2:48pm

Below is the code snippet to pass multiple json file names to create the IAM definition. But I am getting the error code 405. Am I missing anything here?

Error

│ Error: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=405 -- Original Error: autorest/azure: Service returned an error. Status=405 Code="" Message="The requested resource does not support http method 'PUT'."
│
│   with azurerm_role_definition.iam_role_def["manage-resource-group"],
│   on main.tf line 5, in resource "azurerm_role_definition" "iam_role_def":
│    5: resource "azurerm_role_definition" "iam_role_def" {
│

variable.tf

variable "iam_definition_list" {
  type        = list(string)
  description = "Name to be used for this IAM definition. Changing this forces a new resource to be created."
  default     = []
}

main.tf


data "azurerm_subscription" "az_subscription" {
}

resource "azurerm_role_definition" "iam_role_def" {
  for_each = toset(var.iam_definition_list)

  name        = jsondecode(file("${path.cwd}/definition/${each.value}.json")).roleName
  scope       = data.azurerm_subscription.az_subscription.id
  description = jsondecode(file("${path.cwd}/definition/${each.value}.json")).description

  permissions {
    actions = jsondecode(file("${path.cwd}/definition/${each.value}.json")).permissions[0].actions
    not_actions = jsondecode(file("${path.cwd}/definition/${each.value}.json")).permissions[0].notActions
    data_actions = jsondecode(file("${path.cwd}/definition/${each.value}.json")).permissions[0].dataActions
    not_data_actions = jsondecode(file("${path.cwd}/definition/${each.value}.json")).permissions[0].notDataActions
  }

  assignable_scopes = [data.azurerm_subscription.az_subscription.id]

  role_definition_id = "${data.azurerm_subscription.az_subscription.id}/providers/Microsoft.Authorization/roleDefinitions/${replace(lower(each.value)," ","-")}"
}

manage-resource-group.json

{
    "assignableScopes": [
        "/subscriptions/xxx-xxx-xxx",
        "/subscriptions/yyy-yyy-yyyy",
        "/subscriptions/zzz-zzz-zzz"
    ],
    "description": "Provides permission to create and delete resource groups.",
    "permissions": [
        {
            "actions": [
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Resources/subscriptions/resourceGroups/write",
                "Microsoft.Resources/subscriptions/resourceGroups/delete"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ],
    "roleName": "Manage Resource Group",
    "roleType": "Custom",
    "type": "Microsoft.Authorization/roleDefinitions"
}