terraform plan identity is missing permission for subsequent runs

[kewalaka]

With telemetry enabled, when running the pipeline after the first time, the plan identity is missing the permission "Microsoft.Resources/deployments/exportTemplate/action":

Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client <REDACTED> does not have authorization to perform action 'Microsoft.Resources/deployments/exportTemplate/action' over scope '/subscriptions/<REDACTED>' or the scope is invalid. If access was recently granted, please refresh your credentials."
│ 
│   with module.management_es[0].module.management_groups.azurerm_subscription_template_deployment.telemetry_core[0],
│   on .terraform/modules/management_es.management_groups/resources.telemetry.tf line 9, in resource "azurerm_subscription_template_deployment" "telemetry_core":
│    9: resource "azurerm_subscription_template_deployment" "telemetry_core" {

(for my ref) The Azure Devops version is here - also need to update the GH & local instances

https://github.com/Azure/accelerator-bootstrap-modules/blob/612930a217eb4a4e719ad387fe484812c0d509d0/alz/azuredevops/variables.hidden.tf#L229-L241

[jaredfholgate]

This issue is related to the existing issue here: https://github.com/Azure/ALZ-PowerShell-Module/issues/223

Also you have somehow raised this issue against the wrong repo. Will move it when am back in the office.

[kewalaka]

Ah I think I used "raise an issue" directly from the source code which bypassed the redirection in the templates. Interesting.

I only had one sub for testing purposes, which gets linked under the platform management MG, a bit different to the scenario in the linked issue?

For me the initial deployment was fine - it was subsequent runs that ran into the above permission issue.

[jaredfholgate]

Released in v4.1.1 (hopefully fixes the issue).