azurerm_static_web_app_custom_domain CreateOrUpdateStaticSiteCustomDomain 'Microsoft.Web/locations/operationResults/read' 403 #28451

Open
1 task done
jcamu opened this issue Jan 8, 2025 · 2 comments


jcamu commented Jan 8, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.0

AzureRM Provider Version

4.5.0

Affected Resource(s)/Data Source(s)

azurerm_static_web_app_custom_domain

Terraform Configuration Files

variable "swa_name" { }
variable "swa_resource_group_name" { }
variable "swa_custom_domain" { }

resource "azurerm_static_web_app" "main" {
  name                          = var.swa_name
  resource_group_name           = var.swa_resource_group_name
  public_network_access_enabled = false

  identity {
    type = "SystemAssigned"
  }

}

resource "azurerm_static_web_app_custom_domain" "main" {
  static_web_app_id = azurerm_static_web_app.main.id
  domain_name       = var.swa_custom_domain
  validation_type   = "cname-delegation"
}

Debug Output/Panic Output

Error: creating Custom Domain (Subscription: "***"
│ Resource Group Name: "***"
│ Static Site Name: "***"
│ Custom Domain Name: "***"): polling after CreateOrUpdateStaticSiteCustomDomain: unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client '***' with object id '***' does not have authorization to perform action 'Microsoft.Web/locations/operationResults/read' over scope '/subscriptions/***/providers/Microsoft.Web/locations/***/operationResults/***' or the scope is invalid. If access was recently granted, please refresh your credentials.
│ 
│   with module.static_web_app.azurerm_static_web_app_custom_domain.main[0],
│   on .terraform/modules/static_web_app/mymodules/SWA/main.tf line XX, in resource "azurerm_static_web_app_custom_domain" "main":
│   XX: resource "azurerm_static_web_app_custom_domain" "main" {
│ 
│ creating Custom Domain (Subscription:
│ "***"
│ Resource Group Name: "***"
│ Static Site Name: "***"
│ Custom Domain Name: "***"): polling after
│ CreateOrUpdateStaticSiteCustomDomain: unexpected status 403 (403 Forbidden)
│ with error: AuthorizationFailed: The client
│ '***' with object id
│ '***' does not have authorization to
│ perform action 'Microsoft.Web/locations/operationResults/read' over scope
│ '/subscriptions/***/providers/Microsoft.Web/locations/***/operationResults/***'
│ or the scope is invalid. If access was recently granted, please refresh
│ your credentials.
╵
##[error]Error: The process '/opt/agent

Expected Behaviour

Add a custom domain on an existing Static Web App (managed by Terraform) behind a private endpoint.
The user executing it is owner on the RG.

Actual Behaviour

The Terraform apply failed with this error but the Custom Domain is correctly created.

So by running the plan again we see the error:

│ Error: A resource with the ID "/subscriptions/***/resourceGroups/***/providers/Microsoft.Web/staticSites/***/customDomains/***" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_static_web_app_custom_domain" for more information.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

magodo (Collaborator) commented Jan 9, 2025

@jcamu The first error you saw indicates that the SP running Terraform lacks the role Microsoft.Web/locations/operationResults/read. However, as you've mentioned you are running as the subscription owner, I'd suggest you retry and see if it is a systematic issue. If yes, please reach out to the Azure support team to see why.

For the second error, that happens because your first apply successfully sent the create request for the custom domain resource; it just failed during polling. As the error message indicates, please import the resource and run terraform plan to see if everything is working. Alternatively, you can re-create it by tainting this resource via terraform taint and running terraform apply again.

magodo added the question label Jan 9, 2025

jcamu (Author) commented Jan 9, 2025

Thanks for the reply. I have indeed retried, with the same error.
Is the error necessarily from Azure? Can't it be from the Terraform module?
Manually, I can create this custom domain from the portal with a user having owner rights on the RG. (The SP runs as RG owner.)

The second error was just to illustrate that the creation was a success.
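
An added example, not part of the original thread and not the provider's own code: the scope in the 403 (`/subscriptions/***/providers/Microsoft.Web/locations/***/operationResults/***`) sits directly under the subscription, outside any resource group, so a role assignment scoped to a resource group does not cover it. Assuming that is the cause here, the sketch below grants only that one action at subscription scope and imports the already-created custom domain; the variable name, role name and bracketed ID segments are hypothetical placeholders.

```hcl
# Added example, not from the issue. Placeholders in <angle brackets> are not real values.

# Hypothetical variable: object ID of the service principal that runs Terraform.
variable "pipeline_sp_object_id" {
  type = string
}

data "azurerm_subscription" "current" {}

# Custom role carrying only the action named in the 403 (role name is constructed).
resource "azurerm_role_definition" "web_operation_results_reader" {
  name        = "Web Operation Results Reader"
  scope       = data.azurerm_subscription.current.id
  description = "Read Microsoft.Web long-running operation results"

  permissions {
    actions     = ["Microsoft.Web/locations/operationResults/read"]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.current.id]
}

# Assigned at subscription scope: the operationResults path in the error is not
# under the resource group, so an RG-scoped Owner assignment does not reach it.
resource "azurerm_role_assignment" "pipeline_operation_results" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.web_operation_results_reader.role_definition_resource_id
  principal_id       = var.pipeline_sp_object_id
}

# Root-module import block (Terraform 1.5+) adopting the custom domain that the
# failed apply already created, using the ID format from the "already exists" error.
import {
  to = module.static_web_app.azurerm_static_web_app_custom_domain.main[0]
  id = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/staticSites/<site-name>/customDomains/<domain-name>"
}
```

The role definition and assignment have to be applied by an identity that can write Microsoft.Authorization resources at subscription scope, which an SP holding Owner only on the resource group cannot do.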
