hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for billing account ID in the scope argument of azurerm_role_assignment #13177

Open bhavith opened 3 years ago

bhavith commented 3 years ago

Description

It is currently not possible to define billing accounts as scope in azure role assignments. It expects a management group id, subscription id or enrolment account.

New or Affected Resource(s)

Potential Terraform Configuration

resource "azurerm_role_assignment" "billing-reader" {
  scope = "/providers/Microsoft.Billing/billingAccounts/<UUID>"
  role_definition_name = "Billing account reader"
  principal_id = data.azuread_group.billing-reader.object_id
}

Current Behaviour

Error: ID was missing the `enrollmentAccounts` element

  on main.tf line 7, in resource "azurerm_role_assignment" "billing-reader":
   7:   scope                = "/providers/Microsoft.Billing/billingAccounts/<UUID>"

Error: Can not parse "scope" as a management group id: Unable to parse Management Group ID "/providers/Microsoft.Billing/billingAccounts/<UUID>"

  on main.tf line 7, in resource "azurerm_role_assignment" "billing-reader":
   7:   scope                = "/providers/Microsoft.Billing/billingAccounts/<UUID>"

Error: "scope" expected to be valid subscription ID, got "/providers/Microsoft.Billing/billingAccounts/<UUID>"

  on main.tf line 7, in resource "azurerm_role_assignment" "billing-reader":
   7:   scope                = "/providers/Microsoft.Billing/billingAccounts/<UUID>"

Error: No subscription ID found in: "providers/Microsoft.Billing/billingAccounts/<UUID>"

  on main.tf line 7, in resource "azurerm_role_assignment" "billing-reader":
   7:   scope                = "/providers/Microsoft.Billing/billingAccounts/<UUID>"

Error: Can not parse "scope" as a resource id: No subscription ID found in: "providers/Microsoft.Billing/billingAccounts/<UUID>"

  on main.tf line 7, in resource "azurerm_role_assignment" "billing-reader":
   7:   scope                = "/providers/Microsoft.Billing/billingAccounts/<UUID>"
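The five errors above come from the provider trying each scope parser in turn and reporting every failure. As an added illustration (not code from terraform-provider-azurerm), the Go snippet below classifies a scope string up front and returns one error that names the unsupported kind, so a billing-account scope is reported as exactly that rather than as a missing enrollment account, management group and subscription. The regular expressions are assumptions about the ID shapes, not the provider's own validation, and the sample scopes are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// ScopeKind classifies the scope string handed to a role assignment.
type ScopeKind int

const (
	ScopeUnknown ScopeKind = iota
	ScopeManagementGroup
	ScopeSubscription
	ScopeResource
	ScopeEnrollmentAccount
	ScopeBillingAccount
)

func (k ScopeKind) String() string {
	switch k {
	case ScopeManagementGroup:
		return "management group"
	case ScopeSubscription:
		return "subscription"
	case ScopeResource:
		return "resource"
	case ScopeEnrollmentAccount:
		return "enrollment account"
	case ScopeBillingAccount:
		return "billing account"
	}
	return "unknown"
}

// Assumed ID shapes (matched case-insensitively, as ARM does); not copied from the provider.
const guid = `[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`

var scopePatterns = []struct {
	kind ScopeKind
	re   *regexp.Regexp
}{
	{ScopeManagementGroup, regexp.MustCompile(`(?i)^/providers/Microsoft\.Management/managementGroups/[^/]+$`)},
	{ScopeSubscription, regexp.MustCompile(`(?i)^/subscriptions/` + guid + `$`)},
	{ScopeResource, regexp.MustCompile(`(?i)^/subscriptions/` + guid + `/.+$`)},
	{ScopeEnrollmentAccount, regexp.MustCompile(`(?i)^/providers/Microsoft\.Billing/enrollmentAccounts/[^/]+$`)},
	{ScopeBillingAccount, regexp.MustCompile(`(?i)^/providers/Microsoft\.Billing/billingAccounts/[^/]+$`)},
}

// ClassifyScope returns the first kind whose pattern matches, or ScopeUnknown.
func ClassifyScope(scope string) ScopeKind {
	for _, p := range scopePatterns {
		if p.re.MatchString(scope) {
			return p.kind
		}
	}
	return ScopeUnknown
}

// ValidateScope accepts the kinds the resource supports and otherwise returns
// a single descriptive error, naming a billing-account scope explicitly.
func ValidateScope(scope string) error {
	switch kind := ClassifyScope(scope); kind {
	case ScopeManagementGroup, ScopeSubscription, ScopeResource, ScopeEnrollmentAccount:
		return nil
	case ScopeBillingAccount:
		return fmt.Errorf("scope %q is a %s, which azurerm_role_assignment does not support", scope, kind)
	default:
		return fmt.Errorf("scope %q is not a management group, subscription, resource or enrollment account ID", scope)
	}
}

func main() {
	// Constructed sample scopes, including the billing-account form from the issue.
	for _, s := range []string{
		"/subscriptions/00000000-0000-0000-0000-000000000000",
		"/providers/Microsoft.Management/managementGroups/mg-root",
		"/providers/Microsoft.Billing/billingAccounts/00000000-0000-0000-0000-000000000000",
		"/not/a/scope",
	} {
		fmt.Printf("%s -> %v (err: %v)\n", s, ClassifyScope(s), ValidateScope(s))
	}
}
```

Classifying before parsing keeps the error surface small: a caller sees one message per input, and an operator reading a plan failure learns immediately which scope type Azure RBAC would need instead.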

Schillman commented 2 years ago

Following. Having a similar issue, check #15535

pckls commented 1 year ago

You can't actually do this in the Azure Resource Manager though can you? We have given some service principals access but you had to actually provide a payload for a direct API call. I agree this would be awesome but I'm not sure it's even something that can be implemented in Terraform until Azure actually supports it.

https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals

EDIT: Just saw that comment above, went to the linked issue and turns out I had commented there as well 😃

pckls commented 1 year ago

Also just a second similar comment: the users and RBAC within an EA Billing Account, while exposed in the Azure Portal, are actually totally removed from a tenant as far as I know, and based on this just being a view of the same thing that was in the old EA Portal. The roles available there are "Enterprise Administrator" and "Enrolment Reader" iirc and I don't think it's an "azurerm" role assignment.