Expected Behavior
Access package and catalog get removed without issues
Actual Behavior
Access package removal gets blocked because the policy gets removed and later terraform is not able to find it, reporting that it is not authorised to see the resource (which terraform just removed).
When looking at the access package from the portal, I can see the policy was successfully removed but terraform did not remove it from the state.
If I remove the policy from the state (terraform state rm 'azuread_access_package_assignment_policy.example') the pipeline continues as expected.
If I try to rerun, plan fails as it cannot find the access_package policy.
Error message on 1st apply:
╷
│ Error: Waiting for deletion of access package assignment policy with object ID "c5671f08-4c53-4ab0-9756-09d16f5a41cd"
│
│ retrieving resource: AccessPackageAssignmentPolicyClient.BaseClient.Get():
│ unexpected status 403 with OData error: UnAuthorized: User is not
│ authorized to perform the operation. Reason: Unauthorized
Steps to Reproduce
Configure the terraform with the above configuration file
Apply the terraform which will create the objects
Comment all the code and run again. Terraform will plan the removal of all the objects
Upon apply terraform will remove the policy and complain it cannot find the policy.
Important Factoids
Due to a bug on the azcli (#1407), the terraform apply must be executed with a service principal.
The service principal is configured with Identity Governance Administrator which allows terraform to create and remove all objects.
Affected Resource(s)
azuread_access_package_assignment_policy upon destroy operation