Open maniSbindra opened 1 week ago
Hi @maniSbindra, the issue has been resolved in this pull request, which is included in version 4.2.0 of the provider. Please update to version 4.2.0 or later of the AzureRM provider. Thank you!
Hi @teowa, thanks for this. I tried with provider version 4.9.0 and, as you mentioned, it did return an authorization error with a missing permission. However, after I added the missing permission and tried again, I got the error message:
A resource with the ID "/subscriptions/sub_id/resourceGroups/rg-adfsstdg-189/providers/Microsoft.Insights/components/appinsightadfsstdg" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_application_insights" for more information
The reason for this was that even though an authorisation error was returned, the resource was created in Azure and this was not updated in the state file. This was the case even when the plugin was panicking with provider version 3.117.0.
Hi @maniSbindra, this is the current design of the AzureRM provider. It will only add the resource to the Terraform state if all creation steps complete successfully. In the case described above, the AzureRM resource creation failed due to a crash or possibly insufficient permissions. Although the resource was created in Azure, it was not added to the Terraform state because Terraform cannot determine whether the resource is usable. You may need to manually import it using the following command:
terraform import module.application_insights.azurerm_application_insights.this /subscriptions/sub_id/resourceGroups/rg-adfsstdg-189/providers/Microsoft.Insights/components/appinsightadfsstdg
If you use provider 4.2.0 or a later version and the required permissions are correctly assigned before creating a new resource, the resource should be created and imported successfully.
@teowa I tried with provider 4.9.0 (which is the latest version), and I did get the correct error that the permission "Microsoft.Insights/components/currentbillingfeatures/write" is missing:
Component Name: "appinsightadfsstdg"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client AAA with object id 'BBB' does not have authorization to perform action 'Microsoft.Insights/components/currentbillingfeatures/write' over scope '/subscriptions/SUBID/resourceGroups/rg-adfsstdg-189/providers/Microsoft.Insights/components/appinsightadfsstdg' or the scope is invalid. If access was recently granted, please refresh your credentials.
However the App Insights resource still got created.
Hi @maniSbindra, the permissions are required for the daily_data_cap_in_gb and daily_data_cap_notifications_disabled properties of the azurerm_application_insights resource. Based on the source code, the Application Insights instance is created at line 245. After creation, the provider attempts to update billing-related settings at line 288, followed by other operations. Finally, the resource ID is saved at line 330.
To resolve this issue, could we add Microsoft.Insights/components/currentbillingfeatures/write to the required permissions? Additionally, since the provider also performs write operations on smart detection rules at line 313, the Microsoft.AlertsManagement/smartDetectorAlertRules/read and Microsoft.AlertsManagement/smartDetectorAlertRules/write permissions may also be needed.
@teowa looking at the code I do understand the behaviour, thanks for this.
From a usability perspective I am not sure this is an ideal behaviour though. In case someone wants to use minimum permissions and is not sure of the exact minimum permissions, they would initially perhaps not think of adding "Microsoft.Insights/components/currentbillingfeatures/write", "Microsoft.AlertsManagement/smartDetectorAlertRules/read" or "Microsoft.AlertsManagement/smartDetectorAlertRules/write" when creating an app insights resource. In this case the new version of the provider does report the missing permissions; however, after adding the missing permissions, the user would later need to import the Azure App Insights instance into the terraform state, as it was created despite the authorization errors.
Another minor issue is that currently the App Insights AVM module is bound to >3.71 <4, so I cannot use provider version 4.2 or 4.9 directly. To test, I modified the version directly in the .terraform folder.
Thanks for your help, Mani
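As an added illustration of the create-then-configure ordering @teowa describes (create at 245, billing at 288, smart detection at 313, ID saved at 330) and the orphaned-resource outcome Mani reports, the following Go simulation (not the provider's code; the fakeAzure type, the saveIDEarly switch and the Microsoft.Insights/components/write action name are assumptions) shows how a 403 on a later step leaves a component that exists in Azure but not in state, and how saving the ID immediately after the create step would leave it tracked instead.

```go
package main

import "fmt"

// Constructed stand-in for Azure (not provider code): RBAC actions the caller
// holds, and the components that actually exist afterwards.
type fakeAzure struct{ allowed, created map[string]bool }

// call performs one ARM write; the create step persists the component even
// when a later step is refused with 403 AuthorizationFailed.
func (a *fakeAzure) call(action, id string) error {
	if !a.allowed[action] {
		return fmt.Errorf("AuthorizationFailed: 403 for %s over scope %s", action, id)
	}
	if action == "Microsoft.Insights/components/write" { // assumed action name
		a.created[id] = true
	}
	return nil
}

// orphaned: the component exists in Azure but its ID is missing from state.
func (a *fakeAzure) orphaned(state map[string]bool, id string) bool {
	return a.created[id] && !state[id]
}

// createAppInsights mirrors the ordering in the thread: create, then billing
// features, then smart detection rules, then save the ID (state models the
// state file). With saveIDEarly the ID is saved right after the create step.
func createAppInsights(api *fakeAzure, state map[string]bool, id string, saveIDEarly bool) error {
	steps := []string{"Microsoft.Insights/components/write",
		"Microsoft.Insights/components/currentbillingfeatures/write",
		"Microsoft.AlertsManagement/smartDetectorAlertRules/write"}
	for i, action := range steps {
		if err := api.call(action, id); err != nil {
			return err
		}
		if i == 0 && saveIDEarly {
			state[id] = true
		}
	}
	state[id] = true
	return nil
}

func main() {
	id := "/subscriptions/sub_id/resourceGroups/rg-adfsstdg-189/providers/Microsoft.Insights/components/appinsightadfsstdg"
	api := &fakeAzure{allowed: map[string]bool{"Microsoft.Insights/components/write": true}, created: map[string]bool{}}
	state := map[string]bool{}
	fmt.Println(createAppInsights(api, state, id, false), "orphaned:", api.orphaned(state, id))
}
```

With only the create permission granted, the run returns the 403 from the billing step and reports the component as orphaned, which is exactly the state that later produces the "already exists ... needs to be imported" error.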
Terraform Version
1.9.7
AzureRM Provider Version
3.115.0, 3.117.0
Affected Resource(s)/Data Source(s)
azurerm_application_insights
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
When using a service principal with minimal permissions (permissions provided in the terraform code block in the issue) to do the terraform apply, this error is received. When logging in to az-cli with owner permissions this works fine. Either the application insights resource should get created or the terraform error should report what permissions are missing.
Actual Behaviour
When using a service principal with minimal permissions (permissions provided in the terraform code block in the issue) to do the terraform apply, this error is received.
Steps to Reproduce
Important Factoids
No
References
No response