Is there an existing issue for this?
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.
Description
Is your feature request related to an issue?
When we added an identity for doing "terraform plan" in a PR workflow, we got an authentication error. The permission we gave it was read on the Billing enrollment account:

```shell
# Reader on the enrollment account scope; double quotes so $AZ_ENROLLMENT_ACCOUNT actually expands
az role assignment create --role Reader --assignee-principal-type ServicePrincipal --assignee-object-id "$AZ_VENDING_PLAN_UMI" --scope "/providers/Microsoft.Billing/enrollmentAccounts/$AZ_ENROLLMENT_ACCOUNT"
```
In addition we gave it "Reader" on the CAF management root structure.
And we gave it "Reader" at tenant level during troubleshooting to cover our ground.
And it throws an error in plan either way:
```text
│ Error: reading Subscription Alias <SUBSCRIPTION NAME>: subscriptions.SubscriptionsClient#AliasGet: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/write over scope providers/Microsoft.Subscription/aliases/<SUBSCRIPTION NAME>"
│
│ with module.lz_vending[<SUBSCRIPTION MANIFEST>].module.subscription[<TF_ID>].azurerm_subscription.this[<TF_ID>],
│ on .terraform/modules/lz_vending/modules/subscription/main.tf line 2, in resource "azurerm_subscription" "this":
│ 2: resource "azurerm_subscription" "this" {
```
Describe the solution you'd like
We want to be able to allow our developer teams to have write permission on our vending machine repository, so that they can contribute and order new subscriptions through a PR and then see the terraform plan in the PR step, without using an identity with permission to perform write on the subscription alias that the error message above refers to.
Also without any write permission whatsoever, just the way terraform plan separation is meant to work.
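The plan/apply identity split described above, as an added example that is not part of the issue or the provider: a GitHub Actions workflow in which pull requests run plan with a read-only identity and only merges to main run apply with the write-capable identity, using the azurerm provider's OIDC federated login. The workflow name, secret names, environment name and action versions are assumptions.

```yaml
# Added example (not from the issue): PR runs plan with the read-only identity,
# merges run apply with the write identity. Secret/identity names are assumed.
name: subscription-vending

on:
  pull_request:           # developers' PRs only ever run plan
  push:
    branches: [main]      # merged changes run apply

permissions:
  id-token: write         # lets the azurerm provider request an OIDC token
  contents: read

env:
  ARM_USE_OIDC: "true"    # provider exchanges the GitHub OIDC token, no client secret
  ARM_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_TFSTATE_SUBSCRIPTION_ID }}

jobs:
  plan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    env:
      # read-only identity (Reader on the billing scope, as in the issue)
      ARM_CLIENT_ID: ${{ secrets.AZ_VENDING_PLAN_UMI_CLIENT_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init -input=false
      - run: terraform plan -input=false -out=tfplan

  apply:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    environment: vending-apply   # protected environment holds the write identity
    env:
      # identity holding the write permissions the alias API demands
      ARM_CLIENT_ID: ${{ secrets.AZ_VENDING_APPLY_UMI_CLIENT_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init -input=false
      - run: terraform apply -input=false -auto-approve
```

As the error in the issue shows, the plan job still fails on azurerm_subscription today because the alias read is rejected without Microsoft.Subscription/aliases/write, so the split only delivers least privilege for the plan identity once the provider's plan-time read needs only read access.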
Additional context
We can't say for sure that this is not supported, but we are unable to find any documentation on what minimum level of permissions is required for terraform plan.
New or Affected Resource(s)/Data Source(s)
azurerm_subscription
Potential Terraform Configuration
The same, just allow read access instead of write for performing plan.
References
No response