Open Masahigo opened 1 year ago
Hi there, we are now also facing this issue. When running Terraform locally as a user, we don't have any issue.
But when the code runs on a VMSS in Azure through an Azure DevOps Pipeline, the pipeline is failing because of the privilege issue.
Using the Azure CLI as a workaround with az login --identity
in the pipeline is also not possible, as this leads to
│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
│ auth method - instructions for which can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
│
│ Alternatively you can authenticate using the Azure CLI by using a User Account.
Does anyone have a good workaround besides "remove that code and do it with PowerShell or so as a one-timer"?
Thanks, Joerg
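For the "Azure CLI is only supported as a User" error above, the azurerm provider can authenticate with the VMSS managed identity directly rather than through `az login --identity`; the following provider block is an added example, not configuration from this thread, and the subscription and tenant IDs are placeholders. It only replaces the CLI authentication path; whether the identity is then allowed to manage the AAD diagnostic setting (the HTTP 403 discussed in the issue) is a separate permissions question.

```hcl
# Added example: authenticate the azurerm provider with the managed identity
# of the VM/VMSS that runs the pipeline agent, instead of relying on the
# Azure CLI token from `az login --identity`, which the provider rejects for
# non-user principals. IDs below are placeholders, not values from the issue.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.4"
    }
  }
}

provider "azurerm" {
  features {}

  # Obtain tokens from the Azure Instance Metadata Service endpoint
  # of the VMSS's system-assigned (or user-assigned) managed identity.
  use_msi = true
  # Do not fall back to whatever Azure CLI session exists on the agent.
  use_cli = false

  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder
  tenant_id       = "00000000-0000-0000-0000-000000000000" # placeholder
}
```

The same settings can be supplied through the provider's ARM_USE_MSI, ARM_USE_CLI, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID environment variables on the pipeline agent instead of being hard-coded.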
Hello - This link may be helpful in your situation: https://github.com/Azure/azure-rest-api-specs/issues/11085#issuecomment-1363008480.
The link added by pnwhitmore would work, but now the retention_policy block is not supported anymore, so the resource is broken until this block is mandatory.
Is there an existing issue for this?
Community Note
Terraform Version
1.1.9
AzureRM Provider Version
3.4.0
Affected Resource(s)/Data Source(s)
azurerm_monitor_aad_diagnostic_setting
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
The IaC had already been executed previously using a user account, so there should not have been any changes to the resources.
Actual Behaviour
HTTP 403 when authenticated with Service Principal and trying to update the IaC.
Steps to Reproduce
az logout
Important Factoids
No response
References
The following is stated in the Terraform documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_aad_diagnostic_setting
Thus I also tried logging in separately from the Azure CLI with the Service Principal's credentials, and there was no difference in behaviour. Could this message be more detailed to explain what the issue is and why? A limitation on the API side?
More references
Is it still not possible to manage Azure AD diagnostic settings for Azure Monitor through a Service Principal from Terraform?