
Data Source azurerm_api_management fails when not having the required service level permission #19582

Closed
1 task done
arkiaconsulting opened this issue Dec 6, 2022 · 11 comments · Fixed by #19626

Comments

@arkiaconsulting

arkiaconsulting commented Dec 6, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.5

AzureRM Provider Version

3.34.0

Affected Resource(s)/Data Source(s)

azurerm_api_management

Terraform Configuration Files

data "azurerm_api_management" "apim" {
  provider            = azurerm.apim
  name                = local.specific.apim.name
  resource_group_name = local.specific.apim.resource_group_name
}

Debug Output/Panic Output

Error: retrieving tenant access properties for Api Management: (Service Name "**redacted**" / Resource Group "**redacted**"): apimanagement.TenantAccessClient#ListSecrets: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '**redacted**' with object id '**redacted**' does not have authorization to perform action 'Microsoft.ApiManagement/service/tenant/listSecrets/action' over scope '/subscriptions/**redacted**/resourceGroups/**redacted**/providers/Microsoft.ApiManagement/service/**redacted**/tenant/access' or the scope is invalid. If access was recently granted, please refresh your credentials."

Expected Behaviour

The Azure Api management resource is populated correctly (was the case in 3.33.0)

Actual Behaviour

Unauthorized error when the data source is fetched.

Steps to Reproduce

terraform plan

Important Factoids

For organizational reasons, the identity executing the plan has restricted access to the Azure APIM service-level resources.

References

#19422

@github-actions github-actions bot removed the bug label Dec 6, 2022
@martin-fuhrer

I have the same issue and I consider this a bug. The tenant information should only be read if the tenant_access block is specified.

@arkiaconsulting
Author

arkiaconsulting commented Dec 7, 2022

@martin-fuhrer the tenant_access block is an output block, thus it cannot be specified. As a result, the behaviour of this data source may be either:

  • don't fill the tenant_access block if not having the right permission (i.e. swallow the 403)
  • provide an input parameter allowing the consumer to specify that he doesn't want the tenant_access block to be filled

@xuzhang3
Contributor

xuzhang3 commented Dec 8, 2022

@martin-fuhrer what roles or permissions does your SPN have, if you use an SPN to run Terraform? Assuming you use an SPN for auth, can you try granting the API Management Service Operator Role to your SPN and try again?

@arkiaconsulting
Author

@martin-fuhrer what roles or permissions does your SPN have, if you use an SPN to run Terraform? Assuming you use an SPN for auth, can you try granting the API Management Service Operator Role to your SPN and try again?

@xuzhang3 In the organization I work for, it's not an option. The API Management resource is managed organization-wide by another team. Each consumer team has permissions for their own API, but very few permissions at the APIM level.

@xuzhang3

This comment was marked as off-topic.

@arkiaconsulting
Author

arkiaconsulting commented Dec 8, 2022

@xuzhang3 Downgrading the provider version means getting stuck to this version forever

@xuzhang3

This comment was marked as off-topic.

@tombuildsstuff
Contributor

hey @arkiaconsulting

Thanks for opening this issue.

Please disregard the comments about downgrading the provider version from @xuzhang3 here, this is a bug in the Provider - whilst we do require new permissions from time-to-time in Resources (since we need to retrieve additional information to be able to manage it effectively) - Data Sources should handle the missing permissions gracefully by outputting this as an empty list instead.

I've tagged this as a bug - @sinbai since you introduced this change to the Data Source, would you mind sending a PR to fix this?

Thanks!
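The graceful read that tombuildsstuff describes above (and the first option in arkiaconsulting's list earlier in the thread: swallow the 403 and leave tenant_access empty), as an added Go example. This is not the provider's code: the SDK error type and the TenantAccessClient.ListSecrets call are replaced by constructed stand-ins (APIError, ListSecretsFunc, AllowedClient, FailingClient) so it runs without an Azure subscription. The pre-fix behaviour is kept alongside for contrast, and only a 403 is swallowed; a 500 or any other failure still fails the read, because hiding those would mask real problems.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// TenantAccess carries the fields the data source exposes in its tenant_access block.
type TenantAccess struct {
	Enabled      bool
	TenantID     string
	PrimaryKey   string
	SecondaryKey string
}

// APIError is a constructed stand-in for the SDK's DetailedError; only the
// HTTP status matters for the decision below.
type APIError struct {
	StatusCode int
	Code       string
}

func (e *APIError) Error() string {
	return fmt.Sprintf("Status=%d Code=%q", e.StatusCode, e.Code)
}

// ListSecretsFunc models TenantAccessClient.ListSecrets; it is injected so the
// example runs offline.
type ListSecretsFunc func(serviceName, resourceGroup string) (TenantAccess, error)

// WasForbidden reports whether err (possibly wrapped) is an HTTP 403.
func WasForbidden(err error) bool {
	var ae *APIError
	return errors.As(err, &ae) && ae.StatusCode == http.StatusForbidden
}

// ReadTenantAccessStrict is the 3.34.0-style behaviour: any ListSecrets
// failure fails the whole data source read, including a plain permission gap.
func ReadTenantAccessStrict(list ListSecretsFunc, serviceName, resourceGroup string) ([]TenantAccess, error) {
	ta, err := list(serviceName, resourceGroup)
	if err != nil {
		return nil, fmt.Errorf("retrieving tenant access properties for Api Management (Service Name %q / Resource Group %q): %w", serviceName, resourceGroup, err)
	}
	return []TenantAccess{ta}, nil
}

// ReadTenantAccess is the graceful variant: a 403 means the caller lacks
// Microsoft.ApiManagement/service/tenant/listSecrets/action, so the
// tenant_access block is returned empty; every other error still fails.
func ReadTenantAccess(list ListSecretsFunc, serviceName, resourceGroup string) ([]TenantAccess, error) {
	ta, err := list(serviceName, resourceGroup)
	switch {
	case err == nil:
		return []TenantAccess{ta}, nil
	case WasForbidden(err):
		return []TenantAccess{}, nil
	default:
		return nil, fmt.Errorf("retrieving tenant access properties for Api Management (Service Name %q / Resource Group %q): %w", serviceName, resourceGroup, err)
	}
}

// AllowedClient simulates an identity that holds the listSecrets action
// (constructed values, not real keys).
func AllowedClient() ListSecretsFunc {
	return func(_, _ string) (TenantAccess, error) {
		return TenantAccess{Enabled: true, TenantID: "constructed-tenant", PrimaryKey: "constructed-primary", SecondaryKey: "constructed-secondary"}, nil
	}
}

// FailingClient simulates the service answering with the given HTTP status.
func FailingClient(status int, code string) ListSecretsFunc {
	return func(_, _ string) (TenantAccess, error) {
		return TenantAccess{}, &APIError{StatusCode: status, Code: code}
	}
}

func main() {
	clients := map[string]ListSecretsFunc{
		"allowed":   AllowedClient(),
		"forbidden": FailingClient(http.StatusForbidden, "AuthorizationFailed"),
		"outage":    FailingClient(http.StatusInternalServerError, "InternalServerError"),
	}
	for name, client := range clients {
		ta, err := ReadTenantAccess(client, "example-apim", "example-rg")
		fmt.Printf("%-9s tenant_access=%v err=%v\n", name, ta, err)
	}
}
```

The check is deliberately narrow: it matches on the HTTP status rather than on the AuthorizationFailed message text, and it looks through wrapped errors with errors.As so a caller that adds context does not defeat it.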

@sinbai
Contributor

sinbai commented Dec 9, 2022

Hi @arkiaconsulting, thanks for raising this issue. I have submitted a PR to fix this issue. Could you track it for more updates?

@stephybun stephybun added this to the v3.36.0 milestone Dec 14, 2022
@github-actions

This functionality has been released in v3.36.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 15, 2023