Running kusto script on ADX Database gives command not allowed

aasthabhalla commented 7 months ago

Is there an existing issue for this?

[X] I have searched the existing issues

Community Note

Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.5

AzureRM Provider Version

3.84

Affected Resource(s)/Data Source(s)

na

Terraform Configuration Files

I am trying to add external tables allowed usage to an existing cluster on ADX. The principal has the access to cluster as admin but when I run this terraform resource it give error 

resource "azurerm_kusto_script" "adx_setup_script_subset_index_one" {
  name                               = "script-index-one"
  database_id                        = data.azurerm_kusto_database.streaming.id
  continue_on_errors_enabled         = false
  force_an_update_when_value_changed = "first"

  script_content = <<SCRIPT
    .alter-merge cluster policy managed_identity '''[
      {
        "ObjectId": "${var.kusto_cluster_principal_id}",
        "AllowedUsages": "ExternalTable"
      }
    ]'''
SCRIPT
}

Debug Output/Panic Output

Failed to run script 'dap-script-index-zero. Reason: Command is not allowed.

Expected Behaviour

No response

Actual Behaviour

No response

Steps to Reproduce

No response

Important Factoids

No response

References

No response

liuwuliuyun commented 7 months ago

Hi @aasthabhalla thanks for raising this issue. Have you tried running this command on data explorer online in portal? If you run this in portal but get the same result. It is probably a priviledge issue. The principal must have Database Admin permissions on the Azure Data Explorer database. Checkout this doc

mikiberd commented 3 months ago

@liuwuliuyun I ran into a similar issue with a principal that has AllDatabasesAdmin permission, however the error was: Cluster-scoped command is not allowed. Any chance the TF module doesn't support cluster-scoped commands? similar to what's described here

hashicorp / terraform-provider-azurerm