Implementing-Terraform-on-Microsoft-Azure

Unable to create the azurerm_role_definition resource when running from Azure DevOps

Open MarkKharitonov opened this issue 5 years ago • 3 comments

Hi, I have followed the course so far without any issues. However, the Azure DevOps automation fails with the following error:

2020-01-19T03:23:20.5420275Z Error: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '0e648d2d-a49f-407e-99de-9d6343876a8c' with object id '0e648d2d-a49f-407e-99de-9d6343876a8c' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/write' over scope '/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020-01-19T03:23:20.5420512Z 
2020-01-19T03:23:20.5420989Z   on vnet-peering.tf line 52, in resource "azurerm_role_definition" "vnet-peering":
2020-01-19T03:23:20.5421339Z   52: resource "azurerm_role_definition" "vnet-peering" {

The client '0e648d2d-a49f-407e-99de-9d6343876a8c' apparently corresponds to the service principal created by Azure DevOps when I was adding the Terraform tasks:

PS /home/mark> az ad sp show --id '0e648d2d-a49f-407e-99de-9d6343876a8c'
{
  "accountEnabled": "True",
  "addIns": [],
  "alternativeNames": [],
  "appDisplayName": "MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
  "appId": "0ae4ffc7-149d-45ac-ab15-c9f61e4591f8",
  "appOwnerTenantId": "717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4",
  "appRoleAssignmentRequired": false,
  "appRoles": [],
  "applicationTemplateId": null,
  "deletionTimestamp": null,
  "displayName": "MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
  "errorUrl": null,
  "homepage": "https://VisualStudio/SPN",
  "informationalUrls": {
    "marketing": null,
    "privacy": null,
    "support": null,
    "termsOfService": null
  },
  "keyCredentials": [],
  "logoutUrl": null,
  "notificationEmailAddresses": [],
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3 on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
      "id": "d0f141b9-fc6b-4f3c-9217-018d74712ee1",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3 on your behalf.",
      "userConsentDisplayName": "Access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
      "value": "user_impersonation"
    }
  ],
  "objectId": "0e648d2d-a49f-407e-99de-9d6343876a8c",
  "objectType": "ServicePrincipal",
  "odata.metadata": "https://graph.windows.net/717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
  "passwordCredentials": [],
  "preferredSingleSignOnMode": null,
  "preferredTokenSigningKeyEndDateTime": null,
  "preferredTokenSigningKeyThumbprint": null,
  "publisherName": "Default Directory",
  "replyUrls": [
    "https://VisualStudio/SPN"
  ],
  "samlMetadataUrl": null,
  "samlSingleSignOnSettings": null,
  "servicePrincipalNames": [
    "https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b",
    "0ae4ffc7-149d-45ac-ab15-c9f61e4591f8"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}
PS /home/mark>

This service principal seems to be the contributor in the relevant subscription:

PS /home/mark> az role assignment list --assignee '0e648d2d-a49f-407e-99de-9d6343876a8c'
[
  {
    "canDelegate": null,
    "id": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/providers/Microsoft.Authorization/roleAssignments/346f1b92-0621-44c0-b88a-343c52637a0f",
    "name": "346f1b92-0621-44c0-b88a-343c52637a0f",
    "principalId": "0e648d2d-a49f-407e-99de-9d6343876a8c",
    "principalName": "https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b",
    "principalType": "ServicePrincipal",
    "roleDefinitionId": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3",
    "type": "Microsoft.Authorization/roleAssignments"
  }
]
PS /home/mark>

So it has the Contributor role in the subscription and yet it cannot create a role definition? I am lost here.

I provided more information on this SO question - https://stackoverflow.com/questions/59807108/azure-devops-server-is-unable-to-create-an-azure-resource-using-a-service-princi

Please let me know what other information I need to add to facilitate troubleshooting.

MarkKharitonov, Jan 19 '20 03:01
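The 403 in the post is what Azure RBAC is expected to return here: the built-in Contributor role grants `Actions: *` but lists `Microsoft.Authorization/*/Write` and `Microsoft.Authorization/*/Delete` under `NotActions`, so a Contributor can create resources yet can never write role definitions or role assignments. The script below is an added example (not code from the course or this repository) that re-implements the Actions/NotActions/scope evaluation Azure performs, runs it against the role assignment shown in the `az role assignment list` output above, and compares it with a hypothetical narrow custom role. It also answers the least-privilege question raised later in the thread: a small custom role, assigned only at the scope where the pipeline must write role definitions, is enough, without handing the pipeline identity Owner. Contributor's Actions/NotActions are reproduced from the built-in role; the custom role, its GUID and the resource-group scope are constructed for the example.

```python
"""Azure RBAC authorization check, reimplemented for illustration.

Effective permission = any assignment that (a) names the principal, (b) is at
the target scope or an ancestor of it, and (c) whose role has an Actions
pattern matching the operation that is not cancelled by a NotActions pattern.
"""
import re

SP_ID = "0e648d2d-a49f-407e-99de-9d6343876a8c"          # object id from the issue
SUB_SCOPE = "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3"
RG_SCOPE = SUB_SCOPE + "/resourceGroups/example-rg"    # constructed child scope

# Role definitions keyed by the GUID at the end of roleDefinitionId.
ROLE_DEFINITIONS = {
    # Built-in Contributor: everything, minus RBAC writes/deletes.
    "b24988ac-6180-42a0-ab88-20f7382dd24c": {
        "roleName": "Contributor",
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    # Hypothetical custom role (placeholder GUID): only what the
    # azurerm_role_definition step actually needs.
    "00000000-0000-0000-0000-000000000001": {
        "roleName": "Role Definition Writer (hypothetical)",
        "actions": [
            "Microsoft.Authorization/roleDefinitions/read",
            "Microsoft.Authorization/roleDefinitions/write",
            "Microsoft.Authorization/roleDefinitions/delete",
        ],
        "notActions": [],
    },
}

# The assignment reported by `az role assignment list` in the issue.
ISSUE_ASSIGNMENT = {
    "principalId": SP_ID,
    "roleDefinitionId": SUB_SCOPE + "/providers/Microsoft.Authorization/roleDefinitions/"
                        "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "scope": SUB_SCOPE,
}

# Constructed assignment of the custom role, scoped to one resource group.
CUSTOM_ASSIGNMENT = {
    "principalId": SP_ID,
    "roleDefinitionId": SUB_SCOPE + "/providers/Microsoft.Authorization/roleDefinitions/"
                        "00000000-0000-0000-0000-000000000001",
    "scope": RG_SCOPE,
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings are case-insensitive; '*' matches any run of
    characters, including '/' (so 'Microsoft.Authorization/*/Write' covers
    'Microsoft.Authorization/roleDefinitions/write')."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def role_allows(role: dict, action: str) -> bool:
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not denied


def is_authorized(assignments, principal_id, action, scope,
                  role_definitions=ROLE_DEFINITIONS) -> bool:
    """True if at least one applicable assignment's role permits the action."""
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        if not scope_covers(a["scope"], scope):
            continue
        role = role_definitions.get(a["roleDefinitionId"].rsplit("/", 1)[-1])
        if role is not None and role_allows(role, action):
            return True
    return False


if __name__ == "__main__":
    write_role = "Microsoft.Authorization/roleDefinitions/write"
    print("Contributor only, subscription scope:",
          is_authorized([ISSUE_ASSIGNMENT], SP_ID, write_role, SUB_SCOPE))
    print("Contributor + custom role, resource-group scope:",
          is_authorized([ISSUE_ASSIGNMENT, CUSTOM_ASSIGNMENT], SP_ID, write_role, RG_SCOPE))
```

Run as-is, the first line prints `False` (the situation in the issue) and the second `True`. The custom role is deliberately not assigned at subscription scope, so the same check at `SUB_SCOPE` still fails; that is the least-privilege property you want to keep, since any identity that can write role definitions and assignments at a scope can grant itself more at that scope.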

@MarkKharitonov thanks for logging the issue. I will look into this.

ned1313, Feb 26 '20 02:02

Hey Guys - I also came across this issue and it looks like it could be down to a bug in the Terraform azurerm provider:

https://github.com/terraform-providers/terraform-provider-azurerm/issues/5122

I've tried a number of combinations of azurerm provider and terraform version - but can't seem to find a working combination! It looks like the 'skip_credentials_validation' functionality doesn't seem to work correctly - even in 2.0.0 :(

For me it raises the wider question of how to do things like cross-subscription (multiple provider) config using the principle of least privilege (e.g. vNet peering using custom role assignments).

dtrac, Mar 10 '20 19:03

Hey Guys,

Came across the below error during terraform plan.

Looks to be an issue with the new version of Terraform, 0.12.24.

Warning: Quoted references are deprecated

  on .terraform/modules/vnet/terraform-azurerm-vnet-2.0.0/main.tf line 29, in data "azurerm_subnet" "import":
  29:   depends_on = ["azurerm_subnet.subnet"]

In this context, references are expected literally rather than in quotes.
Terraform 0.11 and earlier required quotes, but quoted references are now
deprecated and will be removed in a future version of Terraform. Remove the
quotes surrounding this reference to silence this warning.

(and one more similar warning elsewhere)


Error: Unsupported argument

  on main.tf line 45, in module "vnet":
  45:   location            = var.location

An argument named "location" is not expected here.

sajan11, May 16 '20 18:05