Azure / terraform-azurerm-avm-res-authorization-roleassignment

AVM Terraform module for role assignments
https://registry.terraform.io/modules/Azure/avm-res-authorization-roleassignment
MIT License

[AVM Module Issue]: Do not have authorization to perform action "Microsoft.Management/managementGroups/read" #50

Open Menghua1 opened 3 months ago

Menghua1 commented 3 months ago

Describe the issue:

When trying to apply the default examples module, get the following error: [image]

Repro Steps:

  1. Run command az login.
  2. Run command azd auth login.
  3. Run command azd init -t todo-nodejs-mongo-terraform.
  4. Replace the content of infra/main.tf with the following code:
    module "avm-res-authorization-roleassignment_example_default" {
      source  = "Azure/avm-res-authorization-roleassignment/azurerm//examples/default"
      version = "0.0.1"
    }
  5. Annotate the contents of the infra/output.tf file.
  6. Run command azd provision.

Expected behavior:

It can deploy without any errors.

@matt-FFFFFF, @jaredfholgate and @jongio for notification.

jaredfholgate commented 3 months ago

Hi. Thanks for reporting this. The example is quite comprehensive and includes applying role assignments at levels that require elevated permissions. The error you are seeing here is because your account does not have management group contributor rights on the tenant root group management group.

I intend to add some simpler examples as soon as I get some time.

I suggest taking one of the examples from the read me as a starting point instead for now.
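The permission gap described in the comment above can be checked before running a deployment. The following is an added example, not part of the thread or of the module: it evaluates role data in the shape of `az role definition list` and `az role assignment list --all` JSON output against the action named in the error. The tenant and subscription IDs, the abridged role definitions, and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

REQUIRED_ACTION = "Microsoft.Management/managementGroups/read"  # action named in the error

# Constructed, abridged sample data in the shape of `az role definition list`
# and `az role assignment list --all` JSON output; IDs are placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ROOT_MG = f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"
ROLES = [
    {"roleName": "Contributor", "permissions": [
        {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write",
                                          "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Management Group Reader", "permissions": [
        {"actions": ["Microsoft.Management/managementGroups/read"], "notActions": []}]},
]
SUB_ONLY = [{"roleDefinitionName": "Contributor",
             "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}]


def _matches(patterns, action):
    # RBAC action strings are case-insensitive and may contain '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_allows(role, action):
    """True if a permission block lists the action and does not exclude it."""
    return any(_matches(p.get("actions", []), action)
               and not _matches(p.get("notActions", []), action)
               for p in role["permissions"])


def roles_granting(assignments, roles, target_scope, action=REQUIRED_ACTION):
    """Names of assigned roles that allow `action` at `target_scope`.

    Permissions inherit downward only, so for the tenant root management
    group just assignments at that scope or at "/" count; a subscription
    level assignment never reaches it.
    """
    by_name = {r["roleName"]: r for r in roles}
    hits = []
    for a in assignments:
        if a["scope"].rstrip("/").lower() not in ("", target_scope.lower()):
            continue
        role = by_name.get(a["roleDefinitionName"])
        if role and role_allows(role, action):
            hits.append(a["roleDefinitionName"])
    return hits


if __name__ == "__main__":
    print("roles granting read on root MG:", roles_granting(SUB_ONLY, ROLES, ROOT_MG) or "none")
```

An empty result for the subscription-only account matches the authorization error in the issue title; a narrowly scoped read role at the management group is enough to clear that specific action.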

jaredfholgate commented 3 months ago

Also to be clear, we currently test this in a separate tenant where we can have these permissions. We do not use the 1ES tenant for testing this due to the elevated permission requirements.

Menghua1 commented 3 months ago

@jongio We are unable to fully test every example in this module due to account permissions.

Menghua1 commented 2 months ago

@jaredfholgate It would be better if you could add some lower scope examples (not including management group) in the template. Also, there are two errors in the Readme.md:

  1. In each example, the source is wrong; it should be changed to Azure/avm-res-authorization-roleassignment/azurerm.

  2. In examples4, assignnents is misspelled, change to assignments.