terraform-provider-azurerm: 1.32 tf refresh fails with AuthorizationFailed errors

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.11.10 AzureRM v1.32.0

Affected Resource(s)

The errors occur when running the terraform refresh CLI command. They don’t seem to be resource-specific.

  • azurerm_XXXXX

Terraform Configuration Files

# not applicable

Debug Output

Panic Output

Expected Behavior

Upgrading from AzureRM v1.31.0 to v1.32.0 (with no other changes to HCL, Azure accounts, etc.) should have been a no-op, and all terraform CLI commands should have behaved the same with either AzureRM provider version.

Actual Behavior

The terraform refresh command fails (every time) with errors like the following:

provider.azurerm.customer: Error ensuring Resource Providers are registered: Cannot register provider Microsoft.Maps with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=“AuthorizationFailed” Message=“The client ‘REDACTED’ with object id ‘REDACTED’ does not have authorization to perform action ‘Microsoft.Maps/register/action’ over scope ‘/subscriptions/REDACTED’ or the scope is invalid. If access was recently granted, please refresh your credentials.“.

Steps to Reproduce

  1. terraform refresh

Important Factoids

References

  • #3358 seems very similar.

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 17
  • Comments: 16 (3 by maintainers)

Most upvoted comments

Hi Guys,

I too have same issue, I believe it should have made optional, skip provider registration is not the right thing to do also I’m not using Microsoft.Maps Resource providers explicitly so why my SP need to have permission to register it.

+9
lambodar on Jul 25, 2019

Hi @Justin-W,

We added a new client this release (azure maps) so the SP/authorization methold you are using to access Azure needs permission to register new clients.

Well, that qualifies as a potentially-breaking change to existing configurations, doesn’t it? Shouldn’t such a backwards-incompatible change have been at least documented somewhere? E.g. In the release notes or change log?

it looks like for some reason you do not have such permissions? How are you authenticating to azure and what roles/permission does that grant?

Correct. The authentication credentials I am using were specifically created with limited permissions, so that they are only able to do what they “should” be able to do for the purposes they are used for.

The newly-required permissions are not something that they are “supposed” to be able do, and it feels somewhat like a hack if we would need to update our service account permissions just because the AzureRM provider added a new capability, even though we aren’t using it at all.

Is the set of “minimum required” permissions documented somewhere? And is it kept up to date whenever changes like this one in v1.32.0 occur?

Outside of changing permissions there you could potentially register the client in the portal.

This also feels lack a hack solution.

If your authentication method does not grant such permission you can skip provider registration by using the skip_provider_registration flag

I’m aware of that option, but the docs for that feature toggle don’t seem to be detailed enough for me to understand the full implications of disabling auto-registration, and whether that would be a good and/or feasible solution. What else might break if we do that? In what circumstances “should” that option be true, and in which should it be false?

IMO, the whole point of using permissions-limited credentials was to ensure that if anything changed the behavior of the terraform CLI operations, then regardless of the source and cause of such a change, the limited credentials would limit the scope of the effects of such changes (especially unintended and/or otherwise-invisible changes).

So basically, the limited-permissions account worked exactly as we intended. It prevented the AzureRM provider from doing something “new”, when the “change” that failed was something that: 1. we didn’t previously need; 2. we still don’t need (AFAIK); and 3. we don’t really want.

However, I’d like to better understand your views on the “correct” way for us to handle this whole issue. Thanks.

+5
Justin-W on Jul 25, 2019

Just a workaround we made it to point below which is working fine

version = "= 1.31" insted of version = "~> 1.31"

More here: https://www.terraform.io/docs/configuration/providers.html

+4
lambodar on Jul 25, 2019

Hi,

Our setup is broken because of this and we are not using the map resources. The provider respects access restrictions on all other resources, why is the maps resource an exception to this?

We are going to hardcode our provider version to resolve this for now, but this is def breaking a bug

+3
watsonlu on Jul 25, 2019
Read more comments on GitHub
← terraform-provider-azurerm: Error: ID was missing the `securityContacts` element, since v2.88.0
terraform-provider-azurerm: AKS error when trying to upgrade cluster →