Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to create the azurerm_role_definition resource when running from Azure DevOps #1

Open
MarkKharitonov opened this issue Jan 19, 2020 · 3 comments
Open

Unable to create the azurerm_role_definition resource when running from Azure DevOps #1

MarkKharitonov opened this issue Jan 19, 2020 · 3 comments
Assignees
@ned1313

Comments

@MarkKharitonov
Copy link

MarkKharitonov commented Jan 19, 2020
edited
Loading

Hi,
I have followed the course so far without any issues.
However, the Azure DevOps automation fails with the following error:

2020-01-19T03:23:20.5420275Z Error: authorization.RoleDefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '0e648d2d-a49f-407e-99de-9d6343876a8c' with object id '0e648d2d-a49f-407e-99de-9d6343876a8c' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/write' over scope '/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020-01-19T03:23:20.5420512Z 
2020-01-19T03:23:20.5420989Z   on vnet-peering.tf line 52, in resource "azurerm_role_definition" "vnet-peering":
2020-01-19T03:23:20.5421339Z   52: resource "azurerm_role_definition" "vnet-peering" {

The client '0e648d2d-a49f-407e-99de-9d6343876a8c' apparently correspond to the service principal created by the Azure DevOps when I was adding the Terraform tasks:

PS /home/mark> az ad sp show --id '0e648d2d-a49f-407e-99de-9d6343876a8c'
{
  "accountEnabled": "True",
  "addIns": [],
  "alternativeNames": [],
  "appDisplayName": "MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
  "appId": "0ae4ffc7-149d-45ac-ab15-c9f61e4591f8",
  "appOwnerTenantId": "717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4",
  "appRoleAssignmentRequired": false,
  "appRoles": [],
  "applicationTemplateId": null,
  "deletionTimestamp": null,
  "displayName": "MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
  "errorUrl": null,
  "homepage": "https://VisualStudio/SPN",
  "informationalUrls": {
    "marketing": null,
    "privacy": null,
    "support": null,
    "termsOfService": null
  },
  "keyCredentials": [],
  "logoutUrl": null,
  "notificationEmailAddresses": [],
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3 on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
      "id": "d0f141b9-fc6b-4f3c-9217-018d74712ee1",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3 on your behalf.",
      "userConsentDisplayName": "Access MarkKharitonov0271-Globomantics-testing-2b38509c-a310-4c8f-bd78-9e400cc874e3",
      "value": "user_impersonation"
    }
  ],
  "objectId": "0e648d2d-a49f-407e-99de-9d6343876a8c",
  "objectType": "ServicePrincipal",
  "odata.metadata": "https://graph.windows.net/717e5a4d-529c-4ab2-a1c5-6a5f6345d8e4/$metadata#directoryObjects/@Element",
  "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
  "passwordCredentials": [],
  "preferredSingleSignOnMode": null,
  "preferredTokenSigningKeyEndDateTime": null,
  "preferredTokenSigningKeyThumbprint": null,
  "publisherName": "Default Directory",
  "replyUrls": [
    "https://VisualStudio/SPN"
  ],
  "samlMetadataUrl": null,
  "samlSingleSignOnSettings": null,
  "servicePrincipalNames": [
    "https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b",
    "0ae4ffc7-149d-45ac-ab15-c9f61e4591f8"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}
PS /home/mark>

This service principal seems to be the contributor in the relevant subscription:

PS /home/mark> az role assignment list --assignee '0e648d2d-a49f-407e-99de-9d6343876a8c'
[
  {
    "canDelegate": null,
    "id": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/providers/Microsoft.Authorization/roleAssignments/346f1b92-0621-44c0-b88a-343c52637a0f",
    "name": "346f1b92-0621-44c0-b88a-343c52637a0f",
    "principalId": "0e648d2d-a49f-407e-99de-9d6343876a8c",
    "principalName": "https://VisualStudio/SPN136d4f76-7262-4ab0-8fbb-7be74dfc803b",
    "principalType": "ServicePrincipal",
    "roleDefinitionId": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/2b38509c-a310-4c8f-bd78-9e400cc874e3",
    "type": "Microsoft.Authorization/roleAssignments"
  }
]
PS /home/mark>

So it has the Contributor role in the subscription and yet it cannot create a role definition? I am lost here.

I provided more information on this SO question - https://stackoverflow.com/questions/59807108/azure-devops-server-is-unable-to-create-an-azure-resource-using-a-service-princi

Please, let me know what other information I need to add to facilitate troubleshooting.
@ned1313 ned1313 self-assigned this Feb 26, 2020
@ned1313
Copy link
Owner

ned1313 commented Feb 26, 2020

@MarkKharitonov thanks for logging the issue. I will look into this.

@dtrac
Copy link

dtrac commented Mar 10, 2020

Hey Guys - I also came across this issue and it looks like it could be down to a bug in the Terraform azurerm provider:

hashicorp/terraform-provider-azurerm#5122

I've tried a number of combinations of azurerm provider and terraform version - but can't seem to find a working combination! It looks like the 'skip_credentials_validation' functionality doesn't seem to work correctly - even in 2.0.0 :(

For me it raises the wider question of how to do things like cross-subscription (multiple provider) config using the principle of least privilege (e.g. vNet peering using custom role assignments).

@sajan11
Copy link

sajan11 commented May 16, 2020

Hey Guys,

Came across with below error on during terraform plan.

Looks to be issue with the new version of terraform 0.12.24.

Warning: Quoted references are deprecated

  on .terraform/modules/vnet/terraform-azurerm-vnet-2.0.0/main.tf line 29, in data "azurerm_subnet" "import":
  29:   depends_on = ["azurerm_subnet.subnet"]

In this context, references are expected literally rather than in quotes.
Terraform 0.11 and earlier required quotes, but quoted references are now
deprecated and will be removed in a future version of Terraform. Remove the
quotes surrounding this reference to silence this warning.

(and one more similar warning elsewhere)


Error: Unsupported argument

  on main.tf line 45, in module "vnet":
  45:   location            = var.location

An argument named "location" is not expected here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ned1313 ned1313

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MarkKharitonov @ned1313 @sajan11 @dtrac