Azure / arm-template-whatif

A repository to track issues related to what-if noise suppression
MIT License

`Microsoft.Subscription/aliases` results in `Unauthorized` error even if user has admin privileges #377

Open KoblerS opened 2 months ago

KoblerS commented 2 months ago

Describe the bug

When defining a subscription + alias in a Bicep file and running a what-if it results in the following error message:

{
  "code": "MultipleErrorsOccurred",
  "message": "Multiple error occurred: DeploymentWhatIfResourceError,DeploymentWhatIfResourceError,DeploymentWhatIfResourceError,DeploymentWhatIfResourceError,DeploymentWhatIfResourceError,DeploymentWhatIfResourceError,DeploymentWhatIfResourceError. Please see details.",
  "details": [
    {
      "code": "DeploymentWhatIfResourceError",
      "message": "The request to predict template deployment changes to scope \u0027/providers/Microsoft.Management/managementGroups/TEST-Root\u0027 has failed due to a resource error. See details for more information.",
      "details": [
        {
          "code": "DeploymentWhatIfResourceInvalidResponse",
          "target": "/providers/Microsoft.Subscription/aliases/TEST-Development?api-version=2021-10-01",
          "message": "The request \u0027/providers/Microsoft.Subscription/aliases/TEST-Development?api-version=2021-10-01\u0027 resulted in an unexpected HTTP status code \u0027Unauthorized\u0027. Diagnostic information: timestamp \u002720240911T071634Z\u0027, tracking id \u00276a42e754-39b7-4d77-8962-89611656a783\u0027, request correlation id \u*******\u0027, location \u0027centralus\u0027."
        }
      ]
    },
    {
      "code": "DeploymentWhatIfResourceError",
      "message": "The request to predict template deployment changes to scope \u0027/providers/Microsoft.Management/managementGroups/TEST-Root\u0027 has failed due to a resource error. See details for more information.",
      "details": [
        {
          "code": "DeploymentWhatIfResourceInvalidResponse",
          "target": "/providers/Microsoft.Subscription/aliases/TEST-Management?api-version=2021-10-01",
          "message": "The request \u0027/providers/Microsoft.Subscription/aliases/TEST-Management?api-version=2021-10-01\u0027 resulted in an unexpected HTTP status code \u0027Unauthorized\u0027. Diagnostic information: timestamp \u002720240[91]*****, location \u0027centralus\u0027."
        }
      ]
    },
    {
      "code": "DeploymentWhatIfResourceError",
      "message": "The request to predict template deployment changes to scope \u0027/providers/Microsoft.Management/managementGroups/TEST-Root\u0027 has failed due to a resource error. See details for more information.",
      "details": [
        {
          "code": "DeploymentWhatIfResourceInvalidResponse",
          "target": "/providers/Microsoft.Subscription/aliases/TEST-Production?api-version=2021-10-01",
          "message": "The request \u0027/providers/Microsoft.Subscription/aliases/TEST-Production?api-version=2021-10-01\u0027 resulted in an unexpected HTTP status code \u0027Unauthorized\u0027. Diagnostic information: timestamp \u002720240911T071633Z\u0027, tracking id \u00276a42e754-39b7-4d77-8[96](*****, location \u0027centralus\u0027."
        }
      ]
    },
    {
      "code": "DeploymentWhatIfResourceError",
      "message": "The request to predict template deployment changes to scope \u0027/providers/Microsoft.Management/managementGroups/TEST-Root\u0027 has failed due to a resource error. See details for more information.",
      "details": [
        {
          "code": "DeploymentWhatIfResourceInvalidResponse",
          "target": "/providers/Microsoft.Subscription/aliases/TEST-Sandbox?api-version=2021-10-01",
          "message": "The request \u0027/providers/Microsoft.Subscription/aliases/TEST-Sandbox?api-version=2021-10-01\u0027 resulted in an unexpected HTTP status code \u0027Unauthorized\u0027. Diagnostic information: timestamp \u002720240911T071634Z\u0027, tracking id \****, location \u0027centralus\u0027."
        }
      ]
    },
    {
      "code": "DeploymentWhatIfResourceError",
      "message": "The request to predict template deployment changes to scope \u0027/providers/Microsoft.Management/managementGroups/TEST-Root\u0027 has failed due to a resource error. See details for more information.",
      "details": [
        {
          "code": "DeploymentWhatIfResourceInvalidResponse",
          "target": "/providers/Microsoft.Subscription/aliases/TEST-Security?api-version=2021-10-01",
          "message": "The request \u0027/providers/Microsoft.Subscription/aliases/TEST-Security?api-version=2021-10-01\u0027 resulted in an unexpected HTTP status code \u0027Unauthorized\u0027. Diagnostic information: timestamp \u002720240911T071634Z\u0027, tracking id \u00276a42e754-39b7-4d77-8962-896[116](****\u0027, location \u0027centralus\u0027."
        }
      ]
    },
    {
      "code": "DeploymentWhatIfResourceError",
      "message": "The request to predict template deployment changes to scope \u0027/providers/Microsoft.Management/managementGroups/TEST-Root\u0027 has failed due to a resource error. See details for more information.",
      "details": [
        {
          "code": "DeploymentWhatIfResourceInvalidResponse",
          "target": "/providers/Microsoft.Subscription/aliases/TEST-Shared-Services?api-version=2021-10-01",
          "message": "The request \u0027/providers/Microsoft.Subscription/aliases/TEST-Shared-Services?api-version=2021-10-01\u0027 resulted in an unexpected HTTP status code \u0027Unauthorized\u0027. Diagnostic information: timestamp \u002720240911T071634Z\u0027, tracking id ****, location \u0027centralus\u0027."
        }
      ]
    },
    {
      "code": "DeploymentWhatIfResourceError",
      "message": "The request to predict template deployment changes to scope \u0027/providers/Microsoft.Management/managementGroups/TEST-Root\u0027 has failed due to a resource error. See details for more information.",
      "details": [
        {
          "code": "DeploymentWhatIfResourceInvalidResponse",
          "target": "/providers/Microsoft.Subscription/aliases/TEST-Validation?api-version=2021-10-01",
          "message": "The request \u0027/providers/Microsoft.Subscription/aliases/TEST-Validation?api-version=2021-10-01\u0027 resulted in an unexpected HTTP status code \u0027Unauthorized\u0027. Diagnostic information: timestamp \u002720240911T071634Z\u0027, tracking id ****, location \u0027centralus\u0027."
        }
      ]
    }
  ]
}

To Reproduce

Steps to reproduce the behavior:

  1. Create bicep with management groups and child subscriptions + alias
  2. Deploy them initially
  3. Run what-if on that file
  4. Unauthorized error occurs

Expected behavior

The identity has enough access to create subscriptions + alias, but they seem to be read-only and therefore not able to be updated. Either skip them with what-if or don't try to diff changes.


Client

Azure Bicep CLI

alex-frankel commented 2 months ago

While this happened when calling what-if, this does not look to be a what-if specific issue. Does the deployment itself succeed or does only what-if fail? In either case, the recommended next step would be to open a support case so this can be routed to the Subscription Alias team.

KoblerS commented 2 months ago

> While this happened when calling what-if, this does not look to be a what-if specific issue. Does the deployment itself succeed or does only what-if fail? In either case, the recommended next step would be to open a support case so this can be routed to the Subscription Alias team.

Yes, the deployment itself succeeds perfectly; only what-if fails.
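
A triage helper for the error shape posted in this issue, added here as an example and not part of the thread or the project: it flattens the nested `details` and counts failures per resource type and HTTP status, so a run of `DeploymentWhatIfResourceError` entries can be attributed to a single resource provider before a support case is opened. The sample input is a constructed two-entry excerpt in the same shape, and the function names are hypothetical.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample: two entries in the same shape as the error in the issue.
SAMPLE = r'''{
 "code": "MultipleErrorsOccurred",
 "details": [
  {"code": "DeploymentWhatIfResourceError", "details": [
   {"code": "DeploymentWhatIfResourceInvalidResponse",
    "target": "/providers/Microsoft.Subscription/aliases/TEST-Development?api-version=2021-10-01",
    "message": "The request resulted in an unexpected HTTP status code \u0027Unauthorized\u0027."}]},
  {"code": "DeploymentWhatIfResourceError", "details": [
   {"code": "DeploymentWhatIfResourceInvalidResponse",
    "target": "/providers/Microsoft.Subscription/aliases/TEST-Sandbox?api-version=2021-10-01",
    "message": "The request resulted in an unexpected HTTP status code \u0027Unauthorized\u0027."}]}
 ]}'''

STATUS_RE = re.compile(r"unexpected HTTP status code '([^']+)'")

def leaf_errors(err):
    """Yield the innermost errors; each level nests its causes under 'details'."""
    children = err.get("details") or []
    if not children:
        yield err
    for child in children:
        yield from leaf_errors(child)

def summarize(raw):
    """Return one row per failed request: resource type, name, api-version, status."""
    rows = []
    for leaf in leaf_errors(json.loads(raw)):
        url = urlsplit(leaf.get("target", ""))
        parts = url.path.strip("/").split("/")
        tenant_level = parts[0] == "providers" and len(parts) >= 4
        status = STATUS_RE.search(leaf.get("message", ""))
        rows.append({
            "type": "/".join(parts[1:3]) if tenant_level else "unknown",
            "name": parts[3] if tenant_level else None,
            "api_version": parse_qs(url.query).get("api-version", [None])[0],
            "status": status.group(1) if status else leaf.get("code"),
        })
    return rows

def failures_by_type(rows):
    """Count failures per (resource type, status) to see whether one provider is responsible."""
    return Counter((r["type"], r["status"]) for r in rows)

if __name__ == "__main__":
    for key, count in failures_by_type(summarize(SAMPLE)).items():
        print(count, *key)
```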