terraform-provider-azurerm: Azure Management Group creation with Service Principal returns 403

Terraform (and AzureRM Provider) Version

Terraform version: 0.12.20
Azurerm version: 2.0.0

Affected Resource(s)

  • azurerm_management_group

We use a Service Principal to connect to our Azure environment. This SP has the Owner role at the Root Management Group. If we log in to the Azure CLI with this SP, we can manage Management Groups without a problem. When we try to run from Terraform, we get a 403 error:

Error: Error checking for presence of existing Management Group "d45bbbf8-72bd-486b-ac78-73e07c2e4043": managementgroups.Client#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'f0e7a3ad-21cb-4968-aea2-b3ef5ec930d4' with object id 'f0e7a3ad-21cb-4968-aea2-b3ef5ec930d4' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/d45bbbf8-72bd-486b-ac78-73e07c2e4043' or the scope is invalid. If access was recently granted, please refresh your credentials." 

Terraform Configuration Files

provider "azurerm" {
  version = "=2.0.0"
  features {}
}
resource "azurerm_management_group" "ccoe" {
  display_name = "azure-ccoe"
}

Debug Output

Provided in Gist

Expected Behavior

Management Group is created

Actual Behavior

Terraform apply fails with error 403 forbidden

Steps to Reproduce

  1. Assign service principal as owner of Root Management Group
  2. Set the proper local env variables to connect with the SP: export ARM_SUBSCRIPTION_ID="xxxxxx"; export ARM_CLIENT_ID="xxxxxx"; export ARM_CLIENT_SECRET="xxxxx"; export ARM_TENANT_ID="xxxxx"
  3. terraform init
  4. terraform apply
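A check that separates a real RBAC gap from a client-side problem, added here as an example that is not part of the issue or of the provider's code: it parses the AuthorizationFailed message quoted above and evaluates, against a constructed set of role assignments and a constructed two-level management group hierarchy (the tenant root id is a placeholder), whether the named principal holds a role whose actions cover the requested action at that scope or at an ancestor scope. The later comments trace this 403 to a provider bug fixed in the referenced PR; running a check like this first tells you whether the role assignments actually cover the action named in the error before anyone changes them. Role definitions are deliberately simplified (Actions wildcards only; NotActions and deny assignments are ignored).

```python
import re
from fnmatch import fnmatchcase

# Constructed copy of the AuthorizationFailed message quoted in this issue.
ERROR_MESSAGE = (
    "The client 'f0e7a3ad-21cb-4968-aea2-b3ef5ec930d4' with object id "
    "'f0e7a3ad-21cb-4968-aea2-b3ef5ec930d4' does not have authorization to "
    "perform action 'Microsoft.Management/managementGroups/read' over scope "
    "'/providers/Microsoft.Management/managementGroups/"
    "d45bbbf8-72bd-486b-ac78-73e07c2e4043' or the scope is invalid."
)

# Pulls principal object id, action and scope out of the ARM error text.
_AUTHZ_RE = re.compile(
    r"with object id '(?P<oid>[^']+)' does not have authorization to perform "
    r"action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'"
)

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
# Placeholder: in a real tenant the root management group id is the tenant id.
ROOT_MG = MG_PREFIX + "TENANT-ROOT-ID-PLACEHOLDER"
CHILD_MG = MG_PREFIX + "d45bbbf8-72bd-486b-ac78-73e07c2e4043"
SP_OBJECT_ID = "f0e7a3ad-21cb-4968-aea2-b3ef5ec930d4"

# Constructed hierarchy: each scope maps to its parent (None for the tenant root).
PARENTS = {CHILD_MG: ROOT_MG, ROOT_MG: None}

# Constructed, simplified role definitions: "Actions" wildcard patterns only.
# NotActions and deny assignments are not modelled here.
ROLE_ACTIONS = {
    "Owner": ["*"],
    "Reader": ["*/read"],
    "Management Group Reader": ["Microsoft.Management/managementGroups/read"],
}


def parse_authorization_failed(message):
    """Return {'oid', 'action', 'scope'} from an AuthorizationFailed message."""
    match = _AUTHZ_RE.search(message)
    if match is None:
        raise ValueError("not an AuthorizationFailed message")
    return match.groupdict()


def scope_chain(scope, parents=PARENTS):
    """Yield the scope and every ancestor, so inherited assignments count."""
    while scope is not None:
        yield scope
        scope = parents.get(scope)


def find_granting_assignment(principal, action, scope, assignments,
                             role_actions=ROLE_ACTIONS, parents=PARENTS):
    """Return the first assignment that grants `action` to `principal` at
    `scope` (directly or by inheritance), or None if nothing grants it."""
    chain = set(scope_chain(scope, parents))
    for assignment in assignments:
        if assignment["principal"] != principal or assignment["scope"] not in chain:
            continue
        # Azure action names are case-insensitive; '*' in patterns spans '/'.
        patterns = role_actions.get(assignment["role"], [])
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return assignment
    return None


def diagnose(message, assignments):
    """Parse the error and report which assignment (if any) should have
    allowed the action; a None result points at a genuine RBAC gap, a
    non-None result means the 403 is not explained by role assignments."""
    parsed = parse_authorization_failed(message)
    parsed["granted_by"] = find_granting_assignment(
        parsed["oid"], parsed["action"], parsed["scope"], assignments)
    return parsed


if __name__ == "__main__":
    # Constructed assignments mirroring the report: Owner at the root MG.
    sample = [{"principal": SP_OBJECT_ID, "role": "Owner", "scope": ROOT_MG}]
    result = diagnose(ERROR_MESSAGE, sample)
    print("action:", result["action"])
    print("scope:", result["scope"])
    print("granted by:", result["granted_by"])
```

With the Owner assignment at the root, `diagnose` reports that the read at the child scope is covered by inheritance, which is exactly the situation the reporter describes; in that case the 403 is not an RBAC gap to be patched with more role assignments, and the client (here the provider) is the place to look, as the thread later confirms.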

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 19
  • Comments: 16 (5 by maintainers)

Most upvoted comments

The problem also appears if you use a user principal, not only with a service principal. The same code runs with provider version 1.44.0. It seems like a bug introduced with the new terraform provider in version 2.

Actually in my PR #6276 , I introduced a new bug here. This bug actually blocks you from assigning name (you will always get a mgmt group with UUID), but I suppose this should be independent from the 403 issue here.

I am planning to fix the bug I introduced along with #6757, but as for this 403 issue, I actually have no clue…

I have fixed the bug introduced in PR #6276 in my PR mentioned above, as well as the 403 issue.

same experience here with v2.4.0.

well done @wsf11! Works for me

I’m experiencing the same issue with v2.3.0. Is there any update on this? thx