pulumi-azure-native
Removing a Custom azure role with pulumi azure native provider is failing
What happened?
When trying to delete an azure custom role using azure native provider, the role is not deleted and we have the following error:
pulumi:pulumi:Stack foundations-sandbox failed 1 error; 1 message
- └─ azure-native:authorization:RoleDefinition rd-temp-role-for-testing-contributor deleting failed 1 error
Diagnostics: azure-native:authorization:RoleDefinition (rd-temp-role-for-testing-contributor): error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'XXXXXXXX with object id 'XXXXXXXXX does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/providers/Microsoft.Authorization/roleDefinitions/XXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials."
We have tested with azure classic provider and it is working.
Please note that the custom role is set at management group level scope=
Expected Behavior
Should be able to remove role with azure native
Steps to reproduce
Create a custom role at management group level and try to delete with pulumi azure native provider
Output of pulumi about
Additional context
No response
Please note that this has been tested with Azure native provider V2.X.X and we still have the same problem
Hi @Kmougari! Can you share more about how authentication is configured in both providers? Note that Azure Native will not re-use the configuration of Azure Classic, except certain environment variables. You have to set any azure:... configuration again as azure-native:....
Find below configuration
$ pulumi config
KEY VALUE
azure:location FranceCentral
azure:subscriptionId XXXX
azure:tenantId XXX
azure-native:location FranceCentral
azure-native:subscriptionId XXXXX
azure-native:tenantId XXXXX
I cannot share ids but the subscriptionId is the same with azure classic as azure native
for your information @thomas11
Any feedback on this @thomas11 ?
Can we have an update on this please ? @thomas11
No update on this ?
Hi @Kmougari, apologies that we dropped this issue. Is it still relevant to you? If so, I'd need to know more about how you authenticate. The tenantId configuration you shared is part of it but not sufficient. Which of the methods described here are you trying to use?
Hi @thomas11 Yes it is still relevant. We are authenticating using an SP
Thanks @Kmougari. Some more questions:
- Did you create this role using the azure native provider?
- Can you share the Scope of the role?
It would be much easier to diagnose the problem if you could share a complete Pulumi program that shows the issue.