
azurerm_role_assignment - Support scope to be /providers/Subscription #17456

Merged (4 commits), Aug 31, 2022

Conversation

@magodo (Collaborator) commented Jun 30, 2022

Fix #17397.

The prerequisite for assigning a role at the subscription scope is described at https://docs.microsoft.com/en-us/answers/questions/604740/user-does-not-have-access-microsoftsubscriptionali.html. I've elevated my running account and managed the role assignment to another SP using this scope locally successfully, via terraform apply/plan/destroy.

I've also tested for the management group scope, i.e. /providers/Microsoft.Management, where the API failed saying that this is an invalid scope.
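As an added example (not code from this PR or the provider), this is how the resource-provider scope discussed above could be used in a configuration. The provider path follows the error message quoted later in the thread, and the role name and principal variable are assumptions:

```hcl
# Added example, not part of the PR. The identity running Terraform must have
# been granted the elevated access described in the linked docs first;
# otherwise the API answers 403 AuthorizationFailed, as seen in this thread.

variable "sp_object_id" {
  description = "Object ID of the service principal to grant access (assumed input)"
  type        = string
}

resource "azurerm_role_assignment" "subscription_provider" {
  # Resource-provider scope; the thread refers to it as /providers/Subscription,
  # the API error message shows the full path used here.
  scope = "/providers/Microsoft.Subscription"

  # Assumed role: pick the narrowest built-in or custom role that carries only
  # the Microsoft.Subscription/* actions the principal actually needs.
  role_definition_name = "Reader"

  principal_id = var.sp_object_id
}
```

Running terraform plan against this with a plain service-principal login (no elevated access) reproduces the 403 described in the thread, which is a useful way to confirm the prerequisite is in place before a pipeline depends on it.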

@github-actions github-actions bot added size/M and removed size/S labels Jun 30, 2022
@katbyte (Collaborator) left a comment

Could we add a test for this?

@magodo (Collaborator, Author) commented Aug 23, 2022

@katbyte Unfortunately, I only managed to run it via my user account. When I use an SP, the API failed with:

│ Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'f4ed124d-*-*-*-*' with object id 'f4ed124d-*-*-*-*' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/providers/Microsoft.Subscription/providers/Microsoft.Authorization/roleAssignments/85b074a6-*-*-*-*' or the scope is invalid. If access was recently granted, please refresh your credentials."

@katbyte (Collaborator) commented Aug 26, 2022

We should still have a test for it? And if that is a limitation, we should be documenting it?

@magodo (Collaborator, Author) commented Aug 26, 2022

@katbyte I believe currently we don't have a way to test via CLI auth? I've put down a comment to mention the prerequisite when setting the scope to /providers/Subscription.

@katbyte (Collaborator) left a comment

@magodo - you can still write the tests and run them locally; we just don't have a way to run them in TC yet, so if you can detect UA/no SP and skip, that would be good.

@magodo (Collaborator, Author) commented Aug 30, 2022

@katbyte I've added the test, which will always be skipped, as I failed to figure out a way to run the acctest via CLI auth (the PreCheck will always ensure that ARM_CLIENT_ID and ARM_CLIENT_SECRET are specified). The only way to fall back to CLI auth is to inline the data.ResourceTest? But I think this would expose the SDK details to the test package, which should be avoided?

@katbyte (Collaborator) left a comment

As long as the test is there for future use, all good - LGTM provided the config passes for you locally.

@magodo magodo added this to the v3.21.0 milestone Aug 31, 2022
@magodo magodo merged commit 298e2ed into hashicorp:main Aug 31, 2022
magodo added a commit that referenced this pull request Aug 31, 2022
@github-actions bot commented Sep 2, 2022

This functionality has been released in v3.21.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions bot commented Oct 5, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 5, 2022
Successfully merging this pull request may close these issues.

Unable to create role assignment at resource provider scope