
Unable to assign container level permissions on Azure Data Lake Gen2 Account using terraform azure #299

@rahulgulati89

Description

Is there an existing issue for this?

  • I have searched the existing issues

Example Name

Terraform Azure RM Role assignment

Terraform Version

1.3.1

Current Behavior

I am trying to add the Azure roles for a principal ID on my Azure storage account (Gen2 Data Lake with hierarchical namespace) but am getting the error below in the pipeline.

Code ->

## Add conformed layer file system
resource "azurerm_storage_data_lake_gen2_filesystem" "datahubdatalakesaxoconformed" {
  name               = var.datalake_conformed_file_system
  storage_account_id = azurerm_storage_account.datahubdatalake.id
}

# Assign Blob Data reader role 
resource "azurerm_role_assignment" "roleassignmentconformed" {
  principal_id         = var.unity_catalog_global_access
  role_definition_name = "Storage Blob Data Contributor"
  scope                = azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.id
}

Error ->

Error: expected scope to be one of [/providers/Microsoft.Subscription], got https://saxodatahubdatalakedev.dfs.core.windows.net/datahub-conformed

  with azurerm_role_assignment.roleassignmentconformed,
  on main.tf line 193, in resource "azurerm_role_assignment" "roleassignmentconformed":
 193:   scope = azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.id

However, if I change the above code as below, then it works, but the issue is that the working one will assign the "Storage Account Contributor" role at the account level. I need to assign roles for an Azure Managed Identity at the data lake filesystem level to make it a bit more restrictive. Is it possible to do that?

# Assign Blob Data reader role
resource "azurerm_role_assignment" "roleassignment" {
  principal_id         = var.databricks_global_reader
  role_definition_name = "Storage Blob Data reader"
  scope                = azurerm_storage_account.datahubdatalake.id
  depends_on = [
    azurerm_storage_account.datahubdatalake
  ]
}

Expected Behavior

I am expecting role assignment to work at the container/file system level as well, as in the code above.

Steps To Reproduce

No response

Anything else?

No response
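The error in the issue comes from the scope value, not from the role: `azurerm_storage_data_lake_gen2_filesystem.<name>.id` is the data-plane URL (`https://<account>.dfs.core.windows.net/<filesystem>`), while `azurerm_role_assignment` needs an ARM resource ID. Azure RBAC does support a container as a scope; its ARM ID is the storage account ID followed by `/blobServices/default/containers/<container>`. The following is an added example, not code from the issue or from the provider's own documentation; it reuses the resource and variable names from the issue and assumes `azurerm_storage_account.datahubdatalake.id` is the account's ARM ID (which it is for that resource).

```hcl
# Added example: scope a role assignment to a single ADLS Gen2 filesystem
# (container) by building its ARM resource ID, instead of passing the
# data-plane URL that azurerm_storage_data_lake_gen2_filesystem.id returns.
# Resource and variable names follow the issue; the blobServices/default/
# containers path is the Azure RBAC scope for a blob container.

resource "azurerm_storage_data_lake_gen2_filesystem" "datahubdatalakesaxoconformed" {
  name               = var.datalake_conformed_file_system
  storage_account_id = azurerm_storage_account.datahubdatalake.id
}

locals {
  # .../Microsoft.Storage/storageAccounts/<acct>/blobServices/default/containers/<filesystem>
  # Referencing the filesystem resource's name also makes Terraform create
  # the container before the role assignment, so no depends_on is needed.
  conformed_container_scope = "${azurerm_storage_account.datahubdatalake.id}/blobServices/default/containers/${azurerm_storage_data_lake_gen2_filesystem.datahubdatalakesaxoconformed.name}"
}

# Write access limited to the conformed container only.
resource "azurerm_role_assignment" "roleassignmentconformed" {
  principal_id         = var.unity_catalog_global_access
  role_definition_name = "Storage Blob Data Contributor"
  scope                = local.conformed_container_scope
}

# Read-only access for the reader identity, again at container scope rather
# than on the whole account.
resource "azurerm_role_assignment" "roleassignment_conformed_reader" {
  principal_id         = var.databricks_global_reader
  role_definition_name = "Storage Blob Data Reader"
  scope                = local.conformed_container_scope
}
```

To confirm the assignment landed at container level rather than on the account, run `terraform plan` and check that the planned `scope` ends in `/blobServices/default/containers/<filesystem>`, then after apply list it with `az role assignment list --scope "<that ARM ID>"`; an assignment on the account ID would not appear there but would show up with `--scope <account ID>`.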

Labels

bug (Something isn't working), example