
AzureRM Provider - Creating Management Grp/Associating to Subscription - Errors- Can not parse "parent_management_group_id" AND Can not parse "management_group_id" AND "expected 2 segments within the Resource ID but got 1" #21441

Closed
adi-garg opened this issue Apr 17, 2023 · 5 comments

Comments

@adi-garg

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

v1.4.5

AzureRM Provider Version

3.52.0

Affected Resource(s)/Data Source(s)

azurerm_management_group,azurerm_management_group_subscription_association

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.52.0"
    }
  }
}

provider "azurerm" {
  tenant_id       = "<TO BE POPULATED APPROPRIATELY>"
  subscription_id = "<TO BE POPULATED APPROPRIATELY>"
  client_id       = "<TO BE POPULATED APPROPRIATELY>"
  client_secret   = "<TO BE POPULATED APPROPRIATELY>"

  features {}
}

#MGMT GRP-------->
resource "azurerm_management_group" "root_mgmt_grp" {
  #name = # Let UUID get auto generated
  display_name               = "MGMT-GRP-1"
  parent_management_group_id = "<ENTER ID OF ANY EXISTING MGMT GRP>"
  #IGNORE
  #subscription_ids = var.subscription_ids # LINK NEW SUBSCRIPTIONS AS THEY ARE CREATED VIA A SEPARATE BLOCK
}

#Associating a subscription to MGMT GRP--------->
resource "azurerm_management_group_subscription_association" "root_mgmt_grp_subs_asscn" {
  management_group_id = "<ENTER ID OF ANY EXISTING MGMT GRP>"
  subscription_id     = "<ENTER ID OF ANY EXISTING SUBSCRIPTION>"
}

Debug Output/Panic Output

The following errors get generated:

1. Can not parse "parent_management_group_id" as a management group id: Unable to parse Management Group ID "<HIDDEN>"

2. Can not parse "management_group_id" as a management group id: Unable to parse Management Group ID "<HIDDEN>"

3. (For subscription ID):
parsing "dc7530bd-0ede-445e-8bff-2af4679c8eab": expected 2 segments within the Resource ID but got 1 for "dc7530bd-0ede-445e-8bff-2af4679c8eab"

Expected Behaviour

1. Expected creation of a new management group under a (pre-existing) parent management group.
2. Expected tying up of a pre-existing subscription to a Management Group ID.

Actual Behaviour

The 3 listed errors get generated.
It works fine if just the management group is created without mentioning the parent / without having the subscription-to-management-group link resource.

Steps to Reproduce

1. terraform init
2. terraform plan

Important Factoids

No response

References

No response

@adi-garg adi-garg added the bug label Apr 17, 2023
@adi-garg
Author

adi-garg commented Apr 18, 2023

Poor Terraform AzureRM provider documentation. After spending 2 full days and checking permissions as well (app registration vs users: both are allowed to create mgmt groups by default unless a toggle on the root mgmt group is turned on for "Require write permissions for creating new management groups"),

the issue is related to how the input for management group id / root management group id is given. DON'T JUST MENTION THE ID BUT GIVE A PATH LIKE THIS:

parent_mgmt_grp_id = "e07c60d1-c69c-4bb0-a90c-ec0938338365"

REPLACED BY
parent_mgmt_grp_id = "/providers/Microsoft.Management/managementGroups/e07c60d1-c69c-4bb0-a90c-ec0938338365"

And, this will not be visible to you in the portal though Terraform creates it. One needs to elevate oneself to the User Access Admin role (even if Global Admin) at the Tenant (Directory) level as described here.

The same logic applies for subscription id (THOUGH THE PATH SEEMS VERY DIFFERENT / NO PROPER INFO AVAILABLE ONLINE):
REPLACE
subscription_id = "1234567"

by
subscription_id = "subscriptions/1234567"

@adi-garg
Author

adi-garg commented Apr 18, 2023

Further, it may be noted that if attempting to modify/read/write existing management groups, the above run may need additional permissions as mentioned here:

Moving management groups and subscriptions

To move a management group or subscription to be a child of another management group, three rules need to be evaluated as true.

If you're doing the move action, you need:

1. Management group write and role assignment write permissions on the child subscription or management group.
Built-in role example: Owner

2. Management group write access on the target parent management group.
Built-in role example: Owner, Contributor, Management Group Contributor

3. Management group write access on the existing parent management group.
Built-in role example: Owner, Contributor, Management Group Contributor

Exception: If the target or the existing parent management group is the root management group, the permissions requirements don't apply. Since the root management group is the default landing spot for all new management groups and subscriptions, you don't need permissions on it to move an item.

If the Owner role on the subscription is inherited from the current management group, your move targets are limited. You can only move the subscription to another management group where you have the Owner role. You can't move it to a management group where you're a Contributor because you would lose ownership of the subscription. If you're directly assigned to the Owner role for the subscription (not inherited from the management group), you can move it to any management group where you're assigned the Contributor role.

===========
In summary, creation of new / movement of existing management groups requires Management Group Contributor access given to the Terraform app registration at the Management Group scope ON BOTH SOURCE AND TARGET SIDE (best to assign at Root if possible; it flows down to child management groups).

Management group built-in roles have been covered in the same article here.

Further, moving a subscription from one mgmt group to another requires OWNER access given to the Terraform app registration at the SUBSCRIPTION scope (the subscription being moved). This is in addition to the previous 2 permissions described.

NOTE: Azure Resource Manager caches management group hierarchy details for up to 30 minutes. As a result, moving a management group may not immediately be reflected in the Azure portal.

Regards,
Aditya Garg

@tombuildsstuff
Contributor

hi @adi-garg

Thanks for opening this issue here.

Taking a look through here, it appears that we're referencing the Resource ID in the Example Usage, rather than the Management Group and Subscription UUIDs, so this looks correct to me: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_subscription_association#example-usage

Where a UUID is required we explicitly call that out as a UUID in the documentation; however, a Resource ID is called out as "The ID of a {Thing}" (since the phrase Resource ID is ambiguous between a Terraform and an Azure Resource ID, and the two aren't always the same).

Since it appears that we're calling this out as a Resource ID ("The ID of the Subscription to be associated with the Management Group" and "The ID of the Management Group to associate the Subscription with.") and the Example Usage references the Resource ID rather than the UUID, whilst I'd like to thank you for opening this issue, I'm going to close this as working as intended for the moment.

We're working on improving the error message returned from the Resource ID parsers so that this is clearer; however, since this isn't specific to a single Resource ID Parser, I'm going to close this issue in favour of hashicorp/go-azure-helpers#155 where this work is being scoped out.

Thanks!

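The whole thread turns on the difference between a bare UUID and an Azure Resource ID: the first comment shows the fix (pass the `/providers/Microsoft.Management/managementGroups/<id>` and `subscriptions/<id>` paths), and the maintainer's reply explains that the provider's Resource ID parsers reject a bare UUID with the "expected 2 segments" message quoted in the issue. The following Go program is an added example, not code from the issue or from the azurerm provider / hashicorp/go-azure-helpers; it implements a small stand-in for those parsers so the segment-count check can be seen failing on the bare UUIDs from the issue and succeeding on the Resource ID form. The function names, the 4-segment management group layout check and the UUID regex are this example's own assumptions, and the two UUIDs used in `main` are the ones quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// uuidRe matches the 8-4-4-4-12 hexadecimal form of an Azure Subscription UUID.
// (Assumption of this example; the real parser's validation may differ.)
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// splitSegments strips surrounding slashes and splits the remainder, so that
// "/subscriptions/x", "subscriptions/x" and "subscriptions/x/" all yield the same segments.
func splitSegments(input string) []string {
	return strings.Split(strings.Trim(input, "/"), "/")
}

// ParseSubscriptionID reproduces the segment-count check whose error message the
// issue quotes: a Subscription Resource ID is "/subscriptions/<uuid>" (two segments),
// so a bare UUID has one segment and is rejected. It returns the UUID on success.
func ParseSubscriptionID(input string) (string, error) {
	segments := splitSegments(input)
	if len(segments) != 2 {
		return "", fmt.Errorf("parsing %q: expected 2 segments within the Resource ID but got %d for %q", input, len(segments), input)
	}
	if !strings.EqualFold(segments[0], "subscriptions") {
		return "", fmt.Errorf("parsing %q: expected first segment to be \"subscriptions\" but got %q", input, segments[0])
	}
	if !uuidRe.MatchString(segments[1]) {
		return "", fmt.Errorf("parsing %q: %q is not a valid subscription UUID", input, segments[1])
	}
	return segments[1], nil
}

// ParseManagementGroupID accepts "/providers/Microsoft.Management/managementGroups/<name>"
// (four segments) and returns the management group name. Management group names are
// caller-chosen strings; a UUID is only what the provider generates when no name is given.
func ParseManagementGroupID(input string) (string, error) {
	segments := splitSegments(input)
	if len(segments) != 4 {
		return "", fmt.Errorf("unable to parse Management Group ID %q: expected 4 segments but got %d", input, len(segments))
	}
	want := []string{"providers", "Microsoft.Management", "managementGroups"}
	for i, w := range want {
		if !strings.EqualFold(segments[i], w) {
			return "", fmt.Errorf("unable to parse Management Group ID %q: segment %d should be %q but got %q", input, i+1, w, segments[i])
		}
	}
	if segments[3] == "" {
		return "", fmt.Errorf("unable to parse Management Group ID %q: management group name is empty", input)
	}
	return segments[3], nil
}

// SubscriptionResourceID builds the Resource ID form from a bare subscription UUID,
// i.e. the value the association resource's subscription_id argument expects.
func SubscriptionResourceID(uuid string) string {
	return "/subscriptions/" + uuid
}

// ManagementGroupResourceID builds the Resource ID form from a management group name,
// i.e. the value parent_management_group_id / management_group_id expect.
func ManagementGroupResourceID(name string) string {
	return "/providers/Microsoft.Management/managementGroups/" + name
}

func main() {
	// Values taken from the issue text: the bare UUID fails, the Resource ID form succeeds.
	const sub = "dc7530bd-0ede-445e-8bff-2af4679c8eab"
	for _, in := range []string{sub, SubscriptionResourceID(sub)} {
		id, err := ParseSubscriptionID(in)
		fmt.Printf("subscription %q -> id=%q err=%v\n", in, id, err)
	}
	const mg = "e07c60d1-c69c-4bb0-a90c-ec0938338365"
	for _, in := range []string{mg, ManagementGroupResourceID(mg)} {
		name, err := ParseManagementGroupID(in)
		fmt.Printf("management group %q -> name=%q err=%v\n", in, name, err)
	}
}
```

Run it with `go run .`; the two builder functions are the practical takeaway: wrap the UUID in the Resource ID path before handing it to the resource arguments, and the same parser check that rejected the bare UUID in the issue accepts the result.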
@tombuildsstuff tombuildsstuff closed this as not planned Won't fix, can't repro, duplicate, stale Apr 18, 2023
@adi-garg
Author

Hello @tombuildsstuff,
Thanks for the response.
Still, the referenced article mentions this:

data "azurerm_subscription" "example" {
  subscription_id = "12345678-1234-1234-1234-123456789012"
}

Which should ideally be this in context of Azure to work:

data "azurerm_subscription" "example" {
  subscription_id = "subscriptions/12345678-1234-1234-1234-123456789012"
}

Similarly, the article here should ideally have an explicit 2nd example clarifying the way management group id and subscription id are used:

resource "azurerm_management_group" "example_child" {
  display_name               = "ChildGroup"
  parent_management_group_id = "/providers/Microsoft.Management/managementGroups/123456789"

  subscription_ids = [
    "subscriptions/123-456",
    "subscriptions/789-456"
  ]
  # other subscription IDs can go here
}


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 20, 2024