
Bug: Permission differences for custom roles #341

Open
@marshalexander99

Description

Is there an existing issue for this?

  • I have searched the existing issues

Infrastructure as Code Type? (Required)

terraform

PowerShell Module Version (Optional)

No response

Bootstrap Module Version (Optional)

4.3.5

Starter Module? (Required)

terraform - platform_landing_zone

Starter Module Version (Optional)

5.5.2

Input arguments of the ALZ-PowerShell-Module (Optional)

No response

Debug Output/Panic Output (Optional)

Expected Behaviour (Required)

The apply user managed identity created by bootstrap should be able to deploy policies to the root management group via DevOps pipelines with the custom role also created by the bootstrap.

Actual Behaviour (Required)

The deployment pipeline just hangs, providing no feedback to DevOps of a failure (simply times out). Running apply locally with an account/identity with owner rights to the root management group completes deployment.
Policies are unable to be created by the apply UMI due to missing the policy write authorisation actions. Providing the additional permissions to the custom role solves the problem.
The Bicep custom role does seem to have the required policy write actions assigned to it for some reason.

Steps to Reproduce (Optional)

Run pipeline created by bootstrap to deploy accelerator. Pipeline seems to hang when performing the create/assign policies step and eventually times out.

Important Factoids (Optional)

We are targeting a management group a couple of layers below the tenant root for this deployment; however, the account/service principal provided by the customer has full owner rights to the target root group when running the bootstrap process.

References (Optional)

No response
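
A pre-flight check for the gap described in this issue, as an added example that is not part of the original report or the accelerator's own code: it lists which policy write actions a role definition fails to grant, honouring wildcards and `notActions`. The role JSON is constructed for illustration (it is not the role the bootstrap creates), and the required-action list is an assumption about what the policy step needs.

```python
import fnmatch
import json

# Azure RBAC actions for creating and assigning policy (assumed requirement
# for the policy step; adjust to what your deployment actually needs).
REQUIRED_POLICY_WRITE = [
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policySetDefinitions/write",
    "Microsoft.Authorization/policyAssignments/write",
]

# Constructed sample in the shape `az role definition list` returns.
SAMPLE_ROLE = json.loads("""
{
  "roleName": "example-apply-role (constructed)",
  "permissions": [{
    "actions": [
      "*/read",
      "Microsoft.Authorization/policyDefinitions/*",
      "Microsoft.Authorization/policyAssignments/*"
    ],
    "notActions": ["Microsoft.Authorization/policyAssignments/write"]
  }]
}
""")

def _matches(pattern, action):
    # Action strings are case-insensitive; '*' may span several path segments.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_granted(role, action):
    """True if a permission block allows `action` and does not exclude it."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def missing_actions(role, required=REQUIRED_POLICY_WRITE):
    """Return the required actions the role definition does not grant."""
    return [a for a in required if not is_granted(role, a)]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_ROLE):
        print("missing:", action)
```

Running this against the exported definition of the apply identity's role before the pipeline starts turns a silent timeout into an explicit list of absent actions.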
