3
votes

I want to deploy some resources on Azure with Terraform. On Azure, I have an account with "Owner rights" on one Resource Group only (RGName). Not at the subscription level.

From my Linux server, I installed "az cli" and I did "az login". At this step, everything is OK.

The problem appears when I want to execute terraform to create one resource.


Content of provider.tf (the only .tf file for now):

    provider "azurerm" {
    }

If I do a "terraform plan", it works.

If I add the following lines, it fails. Please see the error at the end:

    resource "azurerm_virtual_network" "myterraformnetwork" {
        name                = "myVnet"
        address_space       = ["10.0.0.0/16"]
        location            = "eastus"
        resource_group_name = "RGName"

        tags = {
            environment = "Terraform Demo"
        }
    }

I do not have rights at the subscription level but I do not need to. With the Azure WebUI I can create resources in this Resource Group without problem.


The error :

Error: Error ensuring Resource Providers are registered: Cannot register provider Microsoft.DevSpaces with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'accountName' with object id 'IDaccountName' does not have authorization to perform action 'Microsoft.DevSpaces/register/action' over scope '/subscriptions/subscriptionID' or the scope is invalid. If access was recently granted, please refresh your credentials.".

  on provider.tf line 1, in provider "azurerm":
   1: provider "azurerm" {


Thank you all !

3 Answers

5
votes

If anyone else has this issue in a corporate (restricted) Azure environment, and doesn't have the patience to register the provider (which may not be necessary if you don't use the specified terraform resource) - have a look at https://github.com/terraform-providers/terraform-provider-azurerm/issues/4440

Specifically, this may help:

    provider "azurerm" {
      # Do not try to register resource providers on the subscription
      skip_provider_registration = true
    }

It obviously won't help if you actually need the resource that fails to get registered (in our case it was Cannot register provider Microsoft.DevSpaces with Azure Resource Manager, but the resource will be variable depending on your environment and what Terraform decides to support)
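
The following is an added example, not part of any answer on this page and not code from the azurerm provider. It parses the `AuthorizationFailed` message quoted in the question and tells a subscription-level provider-registration denial apart from a denial on an actual resource; the function name `classify`, the cause labels and the second sample message are assumptions made for illustration.

```python
import re

# ARM's AuthorizationFailed text, as quoted in the question's error output.
AUTHZ_RE = re.compile(
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)
# A scope is /subscriptions/<id>, optionally followed by /resourceGroups/<rg>/...
SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+(?:/resourceGroups/(?P<rg>[^/]+))?", re.IGNORECASE
)


def classify(error_text, owned_rg):
    """Explain an AuthorizationFailed denial; return None if the text has none."""
    m = AUTHZ_RE.search(error_text)
    if not m:
        return None
    action, scope = m.group("action"), m.group("scope")
    s = SCOPE_RE.match(scope)
    rg = s.group("rg") if s else None
    namespace, _, operation = action.partition("/")
    if operation.lower() == "register/action" and rg is None:
        # Registration is a subscription-level action: resource-group Owner
        # does not cover it, whatever the resources in the plan are.
        cause = "provider-registration"
    elif rg is not None and rg.lower() == owned_rg.lower():
        cause = "missing-permission-in-owned-rg"
    else:
        cause = "outside-owned-scope"
    return {"namespace": namespace, "action": action, "scope": scope, "cause": cause}


# Constructed samples. The first reuses the message from the question; the
# second is a made-up denial on another resource group, for contrast.
SAMPLE_REGISTER = (
    "The client 'accountName' with object id 'IDaccountName' does not have "
    "authorization to perform action 'Microsoft.DevSpaces/register/action' "
    "over scope '/subscriptions/subscriptionID' or the scope is invalid."
)
SAMPLE_WRITE = (
    "The client 'accountName' with object id 'IDaccountName' does not have "
    "authorization to perform action 'Microsoft.Network/virtualNetworks/write' "
    "over scope '/subscriptions/subscriptionID/resourceGroups/OtherRG/providers/"
    "Microsoft.Network/virtualNetworks/myVnet' or the scope is invalid."
)

if __name__ == "__main__":
    for text in (SAMPLE_REGISTER, SAMPLE_WRITE):
        print(classify(text, owned_rg="RGName"))
```

A `provider-registration` result is the case the `skip_provider_registration` setting above addresses; the other two results point at role assignments on the resource group itself.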

1
votes

For your issue, when you have the Owner role of the resource group, you can create new resources or manage the existing resources as you want. So permission is no problem. With the test on my side, it works well using a user that has the Owner role of the resource group.

As the error shows, I think the possible reason is that you have multiple subscriptions in the tenant and the current subscription is not the one for which the user has the right permission. You can check and set the right subscription via the command:

    az account set --subscription subscription_id

0
votes

Thank you for your answer.

I get this when I execute "az account list":

    "cloudName": "AzureCloud",
    "id": "***********0d43",
    "isDefault": true,
    "name": "BU*******",
    "state": "Enabled",
    "tenantId": "TENANTID",
    "user": {
      "name": "LOGINNAME",
      "type": "user"

I do not have rights on this subscription but it is the only one that I know. On Azure WebUI I can see that the RGName is on the same subscription.

This is a capture from Azure WebUI on the RGName : Azure WebUI

Thank you