Closed Brakistad closed 5 days ago
Hi,
This is an issue with the subscription aliases resource provider.
It is only possible to read subscription alias resources with the identity that created the alias. Therefore it is not practical to have different plan and apply identities.
Please raise a support issue on that resource if you would like it changed. Unfortunately there is nothing we can do as the module owners.
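A pre-flight check for the split plan/apply setup discussed in this issue, added here as an example (it is not part of the issue or of the vending module): it walks `terraform show -json` output for `azurerm_subscription` resources and reports which aliases the plan identity cannot read, so the failure is explicit before `terraform plan` runs. It assumes a bearer token for the plan identity is obtained out of band (the `PLAN_IDENTITY_TOKEN` variable name is hypothetical) and that the alias API version `2021-10-01` is used.

```python
"""Pre-flight check: does the plan identity get HTTP 200 on every
subscription alias already recorded in Terraform state?"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Iterable

ALIAS_URL = ("https://management.azure.com/providers/Microsoft.Subscription"
             "/aliases/{alias}?api-version=2021-10-01")

def iter_resources(module: dict) -> Iterable[dict]:
    """Walk root_module and every nested child_modules block of `terraform show -json`."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def alias_names(state_json: str) -> list[str]:
    """Alias names of all azurerm_subscription resources recorded in state."""
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    return sorted(r["values"]["alias"] for r in iter_resources(root)
                  if r.get("type") == "azurerm_subscription" and r.get("values", {}).get("alias"))

def unreadable_aliases(state_json: str, http_get: Callable[[str], int]) -> list[str]:
    """Aliases for which http_get(url) does not return 200; plan will fail on these."""
    return [a for a in alias_names(state_json) if http_get(ALIAS_URL.format(alias=a)) != 200]

def arm_get_status(url: str, token: str) -> int:
    """GET an ARM URL with the plan identity's bearer token; return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 403/404 here is what the read-only plan identity sees

# Constructed sample of `terraform show -json` output: one alias inside a child module.
SAMPLE_STATE = json.dumps({"format_version": "1.0", "values": {"root_module": {
    "resources": [], "child_modules": [{"address": "module.lz_vending", "resources": [{
        "address": "module.lz_vending.azurerm_subscription.this[0]",
        "type": "azurerm_subscription", "name": "this",
        "values": {"alias": "lz-team-a-prod",
                   "subscription_id": "00000000-0000-0000-0000-000000000000"}}]}]}}})

if __name__ == "__main__":
    # PLAN_IDENTITY_TOKEN is a hypothetical name; obtain the token as the plan identity
    # (e.g. `az account get-access-token`). Without it, simulate the 403 case offline.
    token = os.environ.get("PLAN_IDENTITY_TOKEN")
    get = (lambda u: arm_get_status(u, token)) if token else (lambda u: 403)
    print("plan identity cannot read:", unreadable_aliases(SAMPLE_STATE, get) or "none")
```

Feed it the real state with `terraform show -json | python check.py` style plumbing instead of `SAMPLE_STATE` once the token is in place.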
Added the issue on the azurerm provider resource for subscription creation: https://github.com/hashicorp/terraform-provider-azurerm/issues/27265
Description
Is your feature request related to an issue?
When we added an identity for doing "terraform plan" in the PR workflow, we got an authentication error. The permission we gave it was read on the Billing enrollment account:
In addition we gave it "Reader" on the CAF management root structure.
And gave it "Reader" on tenant level during troubleshooting to cover our grounds.
And it throws an error in plan either way:
Describe the solution you'd like
We want to be able to allow our developer teams to have write permission on our vending machine repository, so that they can contribute and order new subscriptions through PR, and then see the terraform plan in the PR step, without using an identity with permission to perform write on subscription alias as the error message above is referring to. Also without any write permission whatsoever, just the way terraform plan separation is meant to work.
Additional context
We can't say for sure that this is not supported, but we are unable to find any documentation on what minimum level of permissions is required for terraform plan.