Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

API doesn't return needed information to grant SPN permissions in Wiki Create Landingzones #1147

Open thed1n opened 1 year ago

thed1n commented 1 year ago

Describe the bug

```powershell
# $token is assumed to have been obtained earlier in the guide (for example with Get-AzAccessToken)
# Request billing accounts that the identity has access to
$listOperations = @{
    Uri     = "https://management.azure.com/providers/Microsoft.Billing/billingaccounts?api-version=2020-05-01"
    Headers = @{
        Authorization  = "Bearer $($token.Token)"
        'Content-Type' = 'application/json'
    }
    Method  = 'GET'
}
$listBillingAccount = Invoke-RestMethod @listOperations

# List billing accounts
$listBillingAccount | ConvertTo-Json -Depth 100

# Select first billing account and the corresponding enrollment account
$billingAccount = $listBillingAccount.value[0].id
# enrollmentAccounts is not present in the 2020-05-01 response, so this indexes into $null
$enrollmentAccountId = $listBillingAccount.value[0].properties.enrollmentAccounts[0].id
```

Since enrollmentAccounts isn't returned in the API call, $enrollmentAccountId throws a null exception when trying to assign from a null array.

Hence the following steps in the guide don't work.

I've tried to fix it by bringing in more fields using the API documentation, but it won't return more information: 'https://management.azure.com/providers/Microsoft.Billing/billingAccounts?api-version=2020-05-01&$expand=enrollmentDetails,departments,enrollmentAccounts'

If you use the 2019-10-01-preview API version, all works as expected.

Steps to reproduce

  1. Follow the guide

jtracey93 commented 1 year ago

Hey @thed1n,

Please check out this doc and see if it helps resolve your issue: https://learn.microsoft.com/en-gb/azure/cost-management-billing/manage/assign-roles-azure-service-principals

I assume you are trying to use an Enterprise Enrolment Account here?

thed1n commented 1 year ago

Yes, it will produce the same outcome, and we are using an Enterprise Enrollment account.

And it's the same API endpoint as the PowerShell is using, as it PUTs:

```powershell
$assignRbac = @{
    Uri = "https://management.azure.com/$($enrollmentAccountId)/billingRoleAssignments/$($rbacGuid)?api-version=2019-10-01-preview"
    # remaining keys (Method, Headers, Body) as in the guide
}
```

And from the documentation you linked, you need to construct this parameter yourself instead of utilizing the scripts:

properties.roleDefinitionId: "/providers/Microsoft.Billing/billingAccounts/{BillingAccountID}/enrollmentAccounts/196987/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"

It's just that the new API version doesn't work as intended, even with the expands. So is the API version faulty, since the documentation says it should be included? Link to API documentation

But the change in that flow, if you want to use PowerShell, should work, since it builds the strings for you that will be included in the query for Invoke-RestMethod. So, for others like me and my team who tried to do it the PowerShell way, should the wiki be updated to make it work again?
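As an added example (not code from this issue or the ALZ wiki), the following PowerShell wraps the billing-account lookup so that a missing enrollmentAccounts array is detected explicitly instead of indexing into $null, and the 2019-10-01-preview api-version reported above as working is tried as a fallback. The function name, the $token variable (obtained earlier in the guide) and the role definition GUID reused from the documentation example quoted in this thread are assumptions.

```powershell
# Added example, not part of the ALZ wiki. Assumes $token was obtained
# earlier in the guide (for example with Get-AzAccessToken).
function Get-EnrollmentAccountId {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        # Order matters: try the current version first, then the preview one
        [string[]] $ApiVersions = @('2020-05-01', '2019-10-01-preview')
    )
    $headers = @{
        Authorization  = "Bearer $AccessToken"
        'Content-Type' = 'application/json'
    }
    foreach ($version in $ApiVersions) {
        $uri = "https://management.azure.com/providers/Microsoft.Billing/billingAccounts?api-version=$version"
        $result = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        if (-not $result.value) {
            Write-Warning "No billing accounts visible to this identity (api-version $version)."
            continue
        }
        $account = $result.value[0]
        $enrollmentAccounts = $account.properties.enrollmentAccounts
        # Guard against the null-array error described in the issue instead of
        # indexing blindly into a property this api-version may not return.
        if ($null -eq $enrollmentAccounts -or $enrollmentAccounts.Count -eq 0) {
            Write-Warning "api-version $version returned no enrollmentAccounts for $($account.id); trying next version."
            continue
        }
        return [pscustomobject]@{
            BillingAccountId    = $account.id
            EnrollmentAccountId = $enrollmentAccounts[0].id   # full /providers/... resource path
            ApiVersion          = $version
        }
    }
    throw 'Could not determine an enrollment account id from any of the tried api-versions.'
}

$ids = Get-EnrollmentAccountId -AccessToken $token.Token
Write-Host "Using enrollment account $($ids.EnrollmentAccountId) (api-version $($ids.ApiVersion))"

# Build the roleDefinitionId string in the shape the documentation shows; the
# GUID is the one from the documentation example quoted in this thread.
$roleDefinitionId = "$($ids.EnrollmentAccountId)/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"
```

The returned EnrollmentAccountId is the same resource path the guide's $enrollmentAccountId variable expects, so the PUT to billingRoleAssignments can be issued unchanged.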