Error creating new azuredevops_serviceendpoint_azurecr #782
Open
Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and Azure DevOps Provider) Version
```
terraform -v
Terraform v1.4.6
on linux_amd64
- provider registry.terraform.io/hashicorp/azurerm v3.56.0
- provider registry.terraform.io/microsoft/azuredevops v0.5.0
```
Affected Resource(s)
azuredevops_serviceendpoint_azurecr
Terraform Configuration Files
```hcl
locals {
  subscription_name        = "production"
  subscription_id          = "9b42a783-f69a-4efd-82a7-5295b051d708"
  production_tenant_id     = "6e2a7c01-aad8-4e29-b0bb-50eaeb05bb63"
  azdops_organization_name = "test-azdops-org"
  azdops_project_name      = "test-azdops-project"
  registry_name            = "prod-container-registry"
}

# Existing Azure DevOps project that will own the service connection.
data "azuredevops_project" "test_azdops" {
  name = local.azdops_project_name
}

# Resource group looked up by the same name as the registry.
data "azurerm_resource_group" "prod_containerRegistry" {
  name = local.registry_name
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/${local.azdops_organization_name}/"
}

provider "azurerm" {
  features {}
  subscription_id = local.subscription_id
}

# Service connection to the container registry; the provider creates a
# service principal and assigns it a role on the registry during apply.
resource "azuredevops_serviceendpoint_azurecr" "container_registry" {
  project_id                = data.azuredevops_project.test_azdops.id
  service_endpoint_name     = local.registry_name
  resource_group            = data.azurerm_resource_group.prod_containerRegistry.name
  azurecr_name              = local.registry_name
  azurecr_subscription_id   = local.subscription_id
  azurecr_subscription_name = local.subscription_name
  azurecr_spn_tenantid      = local.production_tenant_id
  description               = ""
  timeouts {}
}
```
Expected Behavior
Service connection should be created
Actual Behavior
```text
Error: waiting for service endpoint ready. Error looking up service endpoint given ID (dced8f68-cab0-44c4-9d34-ab43d71579c1) and project ID (5b728f7f-9544-4b38-9ff4-449656ced75d): map[state:Failed statusMessage: Failed to set Azure permission 'RoleAssignmentId: 80b84d38-346b-4370-97b8-6874962018af' for the service principal 'b2429ef0-4303-4d94-a883-d4a2f2d4a6a6' on subscription ID '9b42a783-f69a-4efd-82a7-5295b051d708': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'tfc@example.com' with object id '971cfec9-5598-446a-952f-dfaa8f84a569' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/99b42a783-f69a-4efd-82a7-5295b051d708/resourceGroups/PaasProd_ContainerRegistry/providers/Microsoft.ContainerRegistry/registries/prod-container-registry/providers/Microsoft.Authorization/roleAssignments/80b84d38-346b-4370-97b8-6874962018af' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.]
```
Steps to Reproduce
`terraform apply`
Important Factoids
- The account does have the role User Access Administrator on the subscription, and has had this role for a few months.
- If we create this service connection manually, then import it, the account is able to delete the registry with no error.
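The `AuthorizationFailed` message above packs three things a practitioner wants to pull apart before blaming RBAC: the action being attempted (`Microsoft.Authorization/roleAssignments/write`, which only Owner or User Access Administrator grant), the identity that attempted it, and the exact scope the ARM request was made against. The following script is an added example, not code from the provider or from the issue author. It extracts those fields from the quoted error text, splits the ARM scope into its segments, and compares the scope's subscription segment with the `subscription_id` from the locals block. Run against the error text quoted in this issue, it flags that the subscription segment of the scope (`/subscriptions/99b42a783-...`) is neither a well-formed GUID nor equal to the configured `local.subscription_id`, in addition to the role requirement. The error string and the configured subscription ID are copied from this issue; the function names and the finding wording are the example's own.

```python
"""Diagnose an Azure 'AuthorizationFailed' error of the kind quoted in this issue.

Added example (not provider code). It parses the action, client and scope out
of the error text, splits the ARM scope into its segments, and checks the
subscription segment against the subscription_id Terraform was configured with.
"""
import re
import uuid

# Abridged copy of the statusMessage quoted in the issue (only the fields the
# checks below use are kept).
ISSUE_ERROR = (
    "map[state:Failed statusMessage: Failed to set Azure permission "
    "'RoleAssignmentId: 80b84d38-346b-4370-97b8-6874962018af' for the service principal "
    "'b2429ef0-4303-4d94-a883-d4a2f2d4a6a6' on subscription ID "
    "'9b42a783-f69a-4efd-82a7-5295b051d708': error code: Forbidden, inner error code: "
    "AuthorizationFailed, inner error message The client 'tfc@example.com' with object id "
    "'971cfec9-5598-446a-952f-dfaa8f84a569' does not have authorization or an ABAC "
    "condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' "
    "over scope '/subscriptions/99b42a783-f69a-4efd-82a7-5295b051d708/resourceGroups/"
    "PaasProd_ContainerRegistry/providers/Microsoft.ContainerRegistry/registries/"
    "prod-container-registry/providers/Microsoft.Authorization/roleAssignments/"
    "80b84d38-346b-4370-97b8-6874962018af' or the scope is invalid.]"
)

# local.subscription_id from the issue's Terraform configuration.
CONFIGURED_SUBSCRIPTION_ID = "9b42a783-f69a-4efd-82a7-5295b051d708"

# Actions granted by the Owner and User Access Administrator built-in roles.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

_ACTION_RE = re.compile(r"perform action '([^']+)'")
_SCOPE_RE = re.compile(r"over scope '([^']+)'")
_CLIENT_RE = re.compile(r"The client '([^']+)' with object id '([^']+)'")


def is_guid(value: str) -> bool:
    """True only for a canonical 8-4-4-4-12 hex GUID (no braces, no extra digits)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def parse_arm_scope(scope: str) -> dict:
    """Split an ARM scope into subscription, resource group and (namespace, type, name)
    resource segments. Raises ValueError when the segment layout is malformed."""
    parts = scope.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "subscriptions":
        raise ValueError(f"scope does not start with /subscriptions/<id>: {scope}")
    result = {"subscription": parts[1], "resource_group": None, "resources": []}
    i = 2
    if i < len(parts) and parts[i].lower() == "resourcegroups":
        if i + 1 >= len(parts):
            raise ValueError("resourceGroups segment without a name")
        result["resource_group"] = parts[i + 1]
        i += 2
    while i < len(parts):
        # Each provider block is: providers/<namespace>/<type>/<name>[/<type>/<name>...]
        if parts[i] != "providers" or i + 1 >= len(parts):
            raise ValueError(f"unexpected segment '{parts[i]}' at position {i}")
        namespace = parts[i + 1]
        i += 2
        while i < len(parts) and parts[i] != "providers":
            if i + 1 >= len(parts):
                raise ValueError(f"resource type '{parts[i]}' has no name")
            result["resources"].append((namespace, parts[i], parts[i + 1]))
            i += 2
    return result


def diagnose_authorization_failure(message: str, expected_subscription: str) -> dict:
    """Return the fields found in the error plus a list of findings to check."""
    findings = []
    action = _ACTION_RE.search(message)
    scope = _SCOPE_RE.search(message)
    client = _CLIENT_RE.search(message)
    report = {
        "action": action.group(1) if action else None,
        "scope": scope.group(1) if scope else None,
        "client": client.group(1) if client else None,
        "object_id": client.group(2) if client else None,
        "findings": findings,
    }
    if report["action"] == ROLE_ASSIGNMENT_WRITE:
        findings.append("action requires Owner or User Access Administrator at or above the scope")
    if report["scope"] is None:
        findings.append("no scope found in message")
        return report
    try:
        parsed = parse_arm_scope(report["scope"])
    except ValueError as exc:
        findings.append(f"malformed scope: {exc}")
        return report
    report["parsed_scope"] = parsed
    sub = parsed["subscription"]
    if not is_guid(sub):
        findings.append(f"subscription segment is not a valid GUID: {sub}")
    if sub.lower() != expected_subscription.lower():
        findings.append(f"scope subscription {sub} != configured {expected_subscription}")
    return report


if __name__ == "__main__":
    result = diagnose_authorization_failure(ISSUE_ERROR, CONFIGURED_SUBSCRIPTION_ID)
    print("action:", result["action"])
    print("client:", result["client"], result["object_id"])
    for finding in result["findings"]:
        print("finding:", finding)
```

The scope parser is deliberately strict: a subscription segment that is not a canonical GUID makes every role check at that scope meaningless, so it is reported separately from the role requirement rather than folded into a generic "permission denied" verdict.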
References
- #0000