I have a Terraform Enterprise service principal that has the following roles assigned to it over my Resource Group:
- Contributor
- Data Factory Contributor
- ConfigureFactoryRepoAction
- Network Joiner
- Network Interface to Subnet Joiner
- Reader (assigned over the Subscription)
However, when I try to spin up an instance of the Azure Data Factory, I get the following error:
"Error: configuring Repository for Data Factory: (Factory Name "test-vc-1" / ResourceGroup "$NAME_OF_RESOURCE_GROUP"): datafactory.FactoriesClient#ConfigureFactoryRepo: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
I guess the key line here is:
perform action 'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' or the scope is invalid
The role ConfigureFactoryRepoAction is being required at the subscription level instead of the resource group level. Is there any way to provision the Data Factory without having to assign this role across the subscription? Why is such a wide scope needed?
P.S. I am using Terraform v0.14.7
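An added example, not part of the question and not Azure's own evaluation code, that reproduces the core of how Azure RBAC decides this case: a role assignment applies at its own scope and every child scope beneath it, and the provider here requests the action at the subscription scope (the error message names `/subscriptions/...` as the scope), which is the parent of the resource group rather than a child of it. The script parses an `AuthorizationFailed` message of the shape shown above, then checks a constructed set of assignments against the extracted action and scope. The subscription and resource group IDs are placeholders, the built-in role definitions are abbreviated to the entries relevant here, and the content of the custom role `ConfigureFactoryRepoAction` is assumed to be exactly the failing action.

```python
"""Check which Azure RBAC assignments cover the action/scope named in an
AuthorizationFailed error (added example; all data below is constructed)."""
import re
from fnmatch import fnmatchcase

# Placeholder scopes, modelled on the question (not real IDs).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/example-rg"

# Constructed error text in the same shape as the one in the question.
ERROR_MESSAGE = (
    'Status=403 Code="AuthorizationFailed" Message="The client \'x\' with object id \'y\' '
    "does not have authorization to perform action "
    "'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope "
    "'" + SUBSCRIPTION + "' or the scope is invalid.\""
)

# Role definitions, abbreviated to the Actions/NotActions entries that matter here.
ROLES = {
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Data Factory Contributor": {"actions": ["Microsoft.DataFactory/dataFactories/*",
                                             "Microsoft.DataFactory/factories/*"],
                                 "not_actions": []},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    # Custom role from the question; assumed to contain exactly the failing action.
    "ConfigureFactoryRepoAction": {
        "actions": ["Microsoft.DataFactory/locations/configureFactoryRepo/action"],
        "not_actions": []},
}

# Assignments as described in the question: everything on the resource group
# except Reader, which sits on the subscription.
ASSIGNMENTS = [
    {"role": "Contributor", "scope": RESOURCE_GROUP},
    {"role": "Data Factory Contributor", "scope": RESOURCE_GROUP},
    {"role": "ConfigureFactoryRepoAction", "scope": RESOURCE_GROUP},
    {"role": "Reader", "scope": SUBSCRIPTION},
]


def parse_authorization_failure(message):
    """Return (action, scope) from an AuthorizationFailed message, or None."""
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", message)
    return (m.group(1), m.group(2)) if m else None


def scope_covers(assigned_scope, required_scope):
    """An assignment applies at its own scope and at every child scope below it."""
    a = assigned_scope.rstrip("/").lower()
    r = required_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def action_matches(pattern, action):
    """RBAC '*' spans path segments, so fnmatch (where '*' matches '/') fits."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role_name, action):
    """Allowed if some Actions entry matches and no NotActions entry does."""
    role = ROLES[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["not_actions"])
    return allowed and not denied


def evaluate(assignments, action, scope):
    """Split assignments into those that grant the action at the scope and those
    whose role permits the action but whose scope does not reach the target."""
    granting, scope_too_narrow = [], []
    for asg in assignments:
        if not role_allows(asg["role"], action):
            continue
        (granting if scope_covers(asg["scope"], scope) else scope_too_narrow).append(asg["role"])
    return {"granting": granting, "scope_too_narrow": scope_too_narrow}


def diagnose(assignments, message):
    """Parse the error and evaluate it; None when the message is not parseable."""
    parsed = parse_authorization_failure(message)
    if parsed is None:
        return None
    action, scope = parsed
    result = evaluate(assignments, action, scope)
    result.update(action=action, scope=scope)
    return result


if __name__ == "__main__":
    print(diagnose(ASSIGNMENTS, ERROR_MESSAGE))
    widened = ASSIGNMENTS + [{"role": "ConfigureFactoryRepoAction", "scope": SUBSCRIPTION}]
    print(diagnose(widened, ERROR_MESSAGE))
```

Run against the question's assignments, `granting` is empty while `scope_too_narrow` lists Contributor and the custom role: both roles permit the action, so the failure is purely one of scope, not of missing permissions. Adding the single-action custom role at subscription scope is the smallest change that makes `granting` non-empty, which keeps the broad Contributor role confined to the resource group.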