Azure / terraform-azurerm-lz-vending

Terraform module to deploy landing zone subscriptions (and much more) in Azure
https://registry.terraform.io/modules/Azure/lz-vending/azurerm
MIT License

feat: Add support for strictly "Plan" identity #413

Closed Brakistad closed 5 days ago

Brakistad commented 1 week ago

Description

Is your feature request related to an issue?

When we added an identity for doing "terraform plan" in the PR workflow, we got an authentication error. The permission we gave it was read on the Billing enrollment account:

az role assignment create --role Reader --assignee-principal-type ServicePrincipal --assignee-object-id "$AZ_VENDING_PLAN_UMI" --scope "/providers/Microsoft.Billing/enrollmentAccounts/$AZ_ENROLLMENT_ACCOUNT"

In addition we gave it "Reader" on the CAF management root structure.

And gave it "Reader" on tenant level during troubleshooting to cover our bases.

And it throws an error in plan either way:

│ Error: reading Subscription Alias <SUBSCRIPTION NAME>: subscriptions.SubscriptionsClient#AliasGet: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/write over scope providers/Microsoft.Subscription/aliases/<SUBSCRIPTION NAME>"
│ 
│   with module.lz_vending[<SUBSCRIPTION MANIFEST>].module.subscription[<TF_ID>].azurerm_subscription.this[<TF_ID>],
│   on .terraform/modules/lz_vending/modules/subscription/main.tf line 2, in resource "azurerm_subscription" "this":
│    2: resource "azurerm_subscription" "this" {

Describe the solution you'd like

We want to be able to allow our developer teams to have write permission on our vending machine repository, so that they can contribute and order new subscriptions through PR, and then see the terraform plan in the PR step, without using an identity with permission to perform write on subscription alias as the error message above is referring to. Also without any write permission whatsoever, just the way terraform plan separation is meant to work.

Additional context

We can't say for sure that this is not supported, but we are unable to find any documentation on what minimum level permissions are required for terraform plan.

matt-FFFFFF commented 1 week ago

Hi,

This is an issue with the subscription aliases resource provider.

It is only possible to read subscription aliases resources with the identity that created the alias. Therefore it is not practical to have different plan and apply identities.

Please raise a support issue on that resource if you would like it changed. Unfortunately there is nothing we can do as the module owners.

Brakistad commented 5 days ago

Added the issue on the azurerm provider resource for subscription creation: https://github.com/hashicorp/terraform-provider-azurerm/issues/27265