hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_application: Authorization_RequestDenied: Insufficient privileges to complete the operation #1408

Open awaisahmedawan opened 3 weeks ago

awaisahmedawan commented 3 weeks ago

Terraform (and AzureAD Provider) Version

terraform_1.8.1_linux_amd64

Affected Resource(s)

Terraform Configuration Files

resource "azuread_application" "sso_app" {
  display_name            = var.sso_app_display_name
  sign_in_audience        = "AzureADMyOrg"
  group_membership_claims = ["ApplicationGroup"]

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
      type = "Scope"
    }
  }

  web {
    redirect_uris = ["https://${var.argocd_config.hostname}/auth/callback"]
  }

  public_client {
    redirect_uris = ["http://localhost:8085/auth/callback"]
  }

  optional_claims {
    access_token {
      name = "groups"
    }

    id_token {
      name = "groups"
    }

    saml2_token {
      name = "groups"
    }
  }
}

Debug Output

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Retrieving Application with object ID "0efb6050-3049-415e-83e7-4d3f3c4d6f92"
│
│   with azuread_application.sso_app,
│   on ad.tf line 1, in resource "azuread_application" "sso_app":
│    1: resource "azuread_application" "sso_app" {
│
│ ApplicationsClient.BaseClient.Get(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
╵
╷
│ Error: Unauthorized
│
│   with kubernetes_namespace.argocd,
│   on main.tf line 1, in resource "kubernetes_namespace" "argocd":
│    1: resource "kubernetes_namespace" "argocd" {
│
╵
time=2024-06-11T14:30:55Z level=error msg=terraform invocation failed in /builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd/.terragrunt-cache/WtvgRNsKGK4kxhkbvUCP4kWR5Is/YKKYT5K-8aPuzHHttAxD0K0sA20/azure/argocd prefix=[/builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd]
time=2024-06-11T14:30:55Z level=error msg=Module /builds/infra/environment_definitions/nonprod/projects/platform/poc/uksouth/cluster/argocd has finished with an error: 1 error occurred:

Panic Output

Expected Behavior

terraform plan should have passed

Actual Behavior

terraform plan fails, complaining of insufficient privileges to complete the operation. The service principal used to run Terraform is a member of the Application Administrator role in Entra ID and has also been given additional Graph API permissions for Directory.

Steps to Reproduce

  1. terraform plan

Important Factoids

References

nbaju1 commented 2 weeks ago

Specifically, which Graph API permissions have been added to the service principal used to run Terraform?

Is this kubernetes_namespace resource related to this? Don't see that in the pasted configuration.
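One way to answer that question from what the service principal actually presents to Graph, as an added example that is not part of this issue or of the provider: decode the claims of the access token and list its application permissions (roles) and directory roles (wids). The set of permissions that allow reading an application is taken from the Microsoft Graph permissions reference rather than from this thread, and the token built in the block is constructed and unsigned.

```python
# Decode the claims of a Microsoft Graph access token to see which permissions
# the caller presents. Added diagnostic for this issue, not provider code. A real
# token for the Terraform service principal: az account get-access-token
#   --resource https://graph.microsoft.com --query accessToken -o tsv
import base64
import json

# Application permissions that allow GET /applications/{id} per the Microsoft
# Graph permissions reference (assumption: from the docs, not from this thread).
# Application.ReadWrite.OwnedBy only covers applications the caller owns.
READ_APPLICATION_ROLES = {
    "Application.Read.All", "Application.ReadWrite.All", "Application.ReadWrite.OwnedBy",
    "Directory.Read.All", "Directory.ReadWrite.All",
}

def _b64url(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url(parts[1]))

def diagnose(token: str) -> dict:
    """Summarise what the caller actually presents to Graph."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))  # application (app-only) permissions
    return {
        "audience": claims.get("aud"),
        "roles": sorted(roles),
        "scopes": sorted(claims.get("scp", "").split()),  # delegated scopes, if any
        "directory_roles": claims.get("wids", []),  # directory role template ids
        # For app-only calls Graph checks the granted application permissions; a
        # directory role in wids adds to them but does not stand in for them.
        "app_only_can_read_applications": bool(roles & READ_APPLICATION_ROLES),
    }

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned token for demonstration only."""
    def enc(part: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(part).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed claims: Graph audience and a directory role (placeholder template
# id) but no application permissions, the shape that tends to end in a 403.
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                    "wids": ["DIRECTORY-ROLE-TEMPLATE-ID-PLACEHOLDER"]})
```

Run diagnose() on the token the pipeline identity obtains and compare the roles list against the permissions the provider documents for the resources in use.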