Azure cannot get UUID from role in terraform

I am getting a role definition in terraform from azure with the following command:

data "azurerm_role_definition" "test_role" {
  name = "Test Role"
  scope = data.azurerm_subscription.test-subscription.id
}

With the id of the role I am trying to create a role assignment with terraform:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.id
  ...
}

But when I run terraform plan I am getting the error:

> Error: Value must be a valid UUID

I also tried:

resource "azuread_app_role_assignment" "test_assignment" {
  app_role_id         = data.azurerm_role_definition.test_role.role_definition_id
  ...
}

This gave me the same error message.

Do you have any idea how to get the UUID of a role in terraform?

I tried below code and receieved same error:

resource "azuread_app_role_assignment" "aks_test_assignment" {
  app_role_id         =azurerm_role_definition.aks_cluster_admin_role.id
  principal_object_id = azuread_group.aks_admins_group.id
  resource_object_id  = azurerm_kubernetes_cluster.example.id
}

Error:

Value must be a valid UUID
│
│   with azuread_app_role_assignment.aks_test_assignment,
│   on main.tf line 225, in resource "azuread_app_role_assignment" "aks_test_assignment":
│  225:   resource_object_id  = azurerm_kubernetes_cluster.example.id

Here resource_object_id must be service principal object Id .
Service principal can be obtained from creating application in azure ad.

Or

When the system assigned identity is used, the id of the system managed identity must be used.

Azure ad role is different from azurerm role:

Try below code:

resource "azurerm_role_assignment" "example" {
  scope              = azurerm_kubernetes_cluster.example.id
  role_definition_id = azurerm_role_definition.aks_cluster_admin_role.role_definition_id
  principal_id=     azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
}

or

resource "azurerm_role_definition" "aks_cluster_admin_role" {
  name        = "Network Contributor" #"AKSClusterAdminRole"
  description = "Allows management network of an AKS cluster"
  scope       = "/subscriptions/f10xxxxa71c"
  permissions {
    actions     = [
      "Microsoft.ContainerService/managedClusters/*",
      "Microsoft.ContainerService/locations/*"
    ]
    not_actions = []
  }
  assignable_scopes = [
    azurerm_kubernetes_cluster.example.id
  ]
}

data "azuread_service_principal" "aks-aci_identity" {
  display_name = "sp${azurerm_kubernetes_cluster.example.name}"
  depends_on   = [azurerm_kubernetes_cluster.example]
}

resource "azurerm_role_assignment" "aks-aci-vnet-assignment" {
  scope                = azurerm_virtual_network.example.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id
}

resource "azurerm_role_assignment" "aks-aci-subnet-assignment" {
  scope                = azurerm_subnet.example-aci.id
  role_definition_name = "Network Contributor"
  principal_id         = data.azuread_service_principal.aks-aci_identity.id

}


  resource "azurerm_role_assignment" "example" {
  scope              =  "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1"
  principal_id=     azuread_service_principal.aks-aci_identity.id
  role_definition_name = "Contributor"
}

Also below code worked:

resource "azurerm_role_assignment" "example" {
  scope              =  "/subscriptions/xxxc/resourceGroups/xxx/providers/Microsoft.ContainerService/managedClusters/example-aks1" #azurerm_container_registry.acr.id
  role_definition_name = "Contributor"
  principal_id  = azurerm_kubernetes_cluster.example.kubelet_identity[0].object_id
 
}

Reference :

1. Aks issues | Github
2. Azure role assignment Acr /aks | StackOverflow

As discussed in the comments:

You mixed up the different role assignments. What you are looking for is the RBAC assignment azurerm_role_assignment