
There must be at least one subscription that is eligible to contain resources. #385

Closed
SapanPatibandha opened this issue Apr 1, 2023 · 13 comments
Labels
permission question Further information is requested


SapanPatibandha commented Apr 1, 2023

Hi,
I need some help importing Azure resources from another subscription into a Terraform file.

I am able to import infrastructure from my own account and subscription successfully.
But when I try to import from another subscription I get an error, and I am not sure what the issue in the command is.

Name                         |CloudName    |SubscriptionId                        |State    |IsDefault
---------------------------  |-----------  |------------------------------------  |-------  |-----------
Patibandha                   |AzureCloud   |bc3ee41c-XXXX-XXXX-XXXX-XXXXXXXX3d23  |Enabled  |False
Eduberance-Subscription      |AzureCloud   |43c0581c-XXXX-XXXX-XXXX-XXXXXXXX7cb6  |Enabled  |True

Patibandha - this is my own subscription, from which I can import infrastructure.
Eduberance-Subscription - when I try to import from this subscription, I get this error.

I am trying the following command.

aztfexport rg --log-level DEBUG --log-path log.txt --s 43c0581c-XXXX-XXXX-XXXX-XXXXXXXX7cb6 Eduberance-Prod

The error is as follows.

 listing resource set: executing ARG query "Resources | where resourceGroup =~ \"Eduberance-Prod\" | order by id desc": POST
  https://management.azure.com/providers/Microsoft.ResourceGraph/resources
  --------------------------------------------------------------------------------
  RESPONSE 400: 400 Bad Request
  ERROR CODE: BadRequest
  --------------------------------------------------------------------------------
  {
    "error": {
      "code": "BadRequest",
      "message": "Please provide below info when asking for support: timestamp = 2023-04-01T16:36:55.4831156Z, correlationId =
  6e47f8a4-4662-4f32-8e01-b3dec3fee8b4.",
      "details": [
        {
          "code": "NoValidSubscriptionsInQueryRequest",
          "message": "There must be at least one subscription that is eligible to contain resources. Given: ''."
        }
      ]
    }
  }
  --------------------------------------------------------------------------------

log.txt

Thanks in advance for any help.

@magodo
Collaborator

magodo commented Apr 3, 2023

@SapanPatibandha Thank you for reaching out! Does your user account have the proper role on the Eduberance-Subscription subscription? Or probably the subscription hasn't registered the ARG RP?

@magodo magodo added question Further information is requested permission labels Apr 3, 2023
@SapanPatibandha
Author

Hi @magodo, to verify this point I performed the following two things.

  • Logged in to the Azure portal with my login, switched the subscription to Eduberance-Subscription and tried to create a VM in the 'Eduberance-Prod' resource group. This works successfully.
  • Logged in to the Azure CLI, switched to Eduberance-Subscription and tried to create a VM through the az command, which also works fine.

So I can see that my user has the proper permission. Do you suggest any specific action to confirm this? Is there any specific error in log.txt?
Thanks

@magodo
Collaborator

magodo commented Apr 4, 2023

@SapanPatibandha The error you were getting occurs when sending the POST request to ARG to query resources. Would you please try to log in to the Eduberance-Subscription subscription and follow this guide to construct the same ARG request, to see whether it works via things like the Azure CLI? The query run by aztfexport is "Resources | where resourceGroup =~ \"Eduberance-Prod\" | order by id desc".

@SapanPatibandha
Author

Hi @magodo

I checked and tried a few commands.

When I check the version of the CLI it shows the following.
az -v

So it looks like it is already installed, because I am able to generate Terraform from my 'patibandha' subscription.
install addins

I ran the following query as well, and that works fine on the CLI. az graph query -q 'Resources | project name, type, resourceGroup | where resourceGroup =~ \"Eduberance-Prod\" | order by name asc '
graph query

I think the problem is something else.
How can I check, while I run aztfexport rg --log-level DEBUG --log-path log.txt --s 43c0581c-XXXX-XXXX-XXXX-XXXXdac67cb6 Eduberance-Prod, whether it is referring to the 'patibandha' subscription or 'Eduberance-Subscription'? I am not sure, but I think it is referring to the wrong subscription and not the one which is supplied in --s. Can I add more debug logging while I run this command?

@magodo
Collaborator

magodo commented Apr 11, 2023

@SapanPatibandha Yes, you can enable the log via --log-path <log file path> --log-level TRACE, then search for POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources in the log file to see the actual request being issued.

@magodo
Collaborator

magodo commented Apr 11, 2023

@SapanPatibandha Another suspicion is that you are targeting a cloud other than public (like #331 and #288)?

@SapanPatibandha
Author

What I understood from the last reference (like #331 and #288) is that I am not working in US Government. This is related to normal Azure cloud hosting. I am not sure if I can verify the ARM_ENVIRONMENT variable to confirm.

I am going to try --log-path <log file path> --log-level TRACE in a moment and will update with that.

@SapanPatibandha
Author

I tried this command: aztfexport rg --log-level TRACE --log-path log.txt --s 43c058XX-XXXX-XXXX-XXXX-XXXXXXXX7cb6 Eduberance-Prod, and attached is the log I get.

log.txt

@magodo
Collaborator

magodo commented Apr 13, 2023

@SapanPatibandha From the log, I saw:

2023-04-12T20:59:05.031+0530 [TRACE] aztfexport: Authentication: *azidentity.ClientSecretCredential.GetToken() acquired a token for scope https://management.core.windows.net//.default
2023-04-12T20:59:05.034+0530 [TRACE] aztfexport: Authentication: DefaultAzureCredential authenticated with EnvironmentCredential

This indicates that you are authenticating using the service principal (client). So would you please check if that client has the proper role (e.g. contributor) in the subscription? Alternatively, you can unset those environment variables to fall back to using the Azure CLI auth, which will use your user account instead.

@SapanPatibandha
Author

What I understand from your comment is that I need to execute the following commands to clear authentication.

$env:AZURE_CLIENT_ID = $null
$env:AZURE_CLIENT_SECRET = $null
$env:AZURE_TENANT_ID = $null

Are you suggesting only that?

@magodo
Collaborator

magodo commented Apr 17, 2023

@SapanPatibandha Yes, you'll want to unset these environment variables (not so sure how to do it in PowerShell though).

@SapanPatibandha
Author

I think I am making some silly mistake. :(

I checked the PowerShell command to remove those env variables, and it is as follows.
Remove-Item env:AZURE_CLIENT_ID, env:AZURE_TENANT_ID, env:AZURE_CLIENT_SECRET
The response to this is

+ Remove-Item env:AZURE_CLIENT_ID, env:AZURE_TENANT_ID, env:AZURE_CLIEN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Env:\AZURE_CLIENT_ID:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

Remove-Item : Cannot find path 'Env:\AZURE_TENANT_ID' because it does not exist.
At line:1 char:1
+ Remove-Item env:AZURE_CLIENT_ID, env:AZURE_TENANT_ID, env:AZURE_CLIEN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Env:\AZURE_TENANT_ID:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

Remove-Item : Cannot find path 'Env:\AZURE_CLIENT_SECRET' because it does not exist.
At line:1 char:1
+ Remove-Item env:AZURE_CLIENT_ID, env:AZURE_TENANT_ID, env:AZURE_CLIEN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Env:\AZURE_CLIENT_SECRET:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

So, I think that even with these env variables not set it is going to a different subscription. I can't understand what else to verify.

@SapanPatibandha
Author

I think I found the issue.

I think I was looking at the wrong variables.

Get-ChildItem Env:ARM_CLIENT_ID, Env:ARM_CLIENT_SECRET, Env:ARM_TENANT_ID, Env:ARM_SUBSCRIPTION_ID

This command gave proper details about all 4 ARM variables.
I removed all of them with the command Remove-Item Env:ARM_CLIENT_ID, Env:ARM_CLIENT_SECRET, Env:ARM_TENANT_ID, Env:ARM_SUBSCRIPTION_ID.

This looks to be working fine.

Thanks for all the help. Really, thanks from the bottom of my heart for getting this resolved.
Thanks again.
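
The checks this thread arrived at, collected into one PowerShell script as an added example; it is not part of the original thread and not aztfexport code. The function names are hypothetical, the variable names are the AZURE_* and ARM_* ones mentioned above, and the two log lines are the TRACE lines quoted in the thread.

```powershell
# Added example. Credential variables named in this thread.
$CredVars = 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET', 'AZURE_TENANT_ID',
            'ARM_CLIENT_ID', 'ARM_CLIENT_SECRET', 'ARM_TENANT_ID', 'ARM_SUBSCRIPTION_ID'

function Get-AzureCredentialEnv {
    # Report which variables are set and at which scope. Values are never
    # printed, so the output is safe to paste into an issue.
    foreach ($name in $CredVars) {
        foreach ($scope in 'Process', 'User', 'Machine') {
            $value = [Environment]::GetEnvironmentVariable($name, $scope)
            if (-not [string]::IsNullOrEmpty($value)) {
                [pscustomobject]@{ Name = $name; Scope = $scope }
            }
        }
    }
}

function Clear-AzureCredentialEnv {
    # Remove from the current session only. Absent variables are skipped, so
    # this does not raise ItemNotFoundException the way a bare Remove-Item does.
    foreach ($name in $CredVars) {
        if (Test-Path "Env:$name") { Remove-Item "Env:$name" }
    }
}

function Get-AuthenticatedCredential {
    param([string[]]$Lines)
    # Extract the credential type from the TRACE line
    # "DefaultAzureCredential authenticated with <CredentialType>".
    $Lines | Select-String -Pattern 'DefaultAzureCredential authenticated with (\w+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -Unique
}

# The two TRACE lines quoted in this thread, embedded so the script runs offline.
$sample = @'
2023-04-12T20:59:05.031+0530 [TRACE] aztfexport: Authentication: *azidentity.ClientSecretCredential.GetToken() acquired a token for scope https://management.core.windows.net//.default
2023-04-12T20:59:05.034+0530 [TRACE] aztfexport: Authentication: DefaultAzureCredential authenticated with EnvironmentCredential
'@ -split "`r?`n"

Get-AzureCredentialEnv | Format-Table           # what is set, and where
Get-AuthenticatedCredential -Lines $sample      # which credential the run used
Clear-AzureCredentialEnv                        # then re-run aztfexport
```

A variable reported at User or Machine scope returns in every new session; `Clear-AzureCredentialEnv` only affects the current one. To check a real run, pass `(Get-Content log.txt)` as `-Lines` after running aztfexport with `--log-level TRACE`.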
