Open Bibz87 opened 3 weeks ago
Hi @Bibz87 ,
Thanks for creating the issue.
For ARM and Bicep this utility uses the what-if endpoint/analysis, so IaC resources are not created. In the case of Terraform, since there is no equivalent of the what-if endpoint, the resource creation is attempted to figure out the permissions required.
Regarding the issue, I tried creating azurerm_storage_account, azurerm_private_endpoint and azurerm_storage_container using Bicep and Terraform; both executions were successful, and I did not get the error mentioned. I think I am missing some configurations used by you. Will it be possible for you to share your Terraform file, so that I can replicate the issue and then figure out potential solutions?
I'll try to whip up a test Terraform configuration. Might take a while, though, as I'm using a corporate Azure subscription and there are a lot of things attached regarding infrastructure management. 😅
That might be the problem's cause, though... 🤔
Summary
Attempting to list permissions required to manage a blob storage and its associated resources via Terraform fails to handle a permission error.
Steps to reproduce
- azurerm_storage_account
- azurerm_private_endpoint
- azurerm_storage_container

./az-mpf terraform --workingDir . --varFilePath "terraform.tfvars" --debug
Expected result
az-mpf is able to list all required permissions
What actually happens
Running the tool gives this error (sensitive information has been obfuscated):
Notes
Azure seems to usually return the missing permission in its error message (I've seen that's how this tool works), but in that specific case I'm not sure if it will even be possible to fix it or find the proper missing permission. I also suspect this problem will occur regardless of the infrastructure tool used (Terraform, ARM or Bicep), as this issue seems to be rooted in Azure's error handling, but I haven't tested with any tool other than Terraform.
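A minimal Terraform configuration declaring the three resource types named in the steps above, added here as an example for reproducing the run; it is not the reporter's configuration. All names, address ranges and the region are constructed, and disabling public network access on the storage account is an assumption chosen to match the private endpoint.

```hcl
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "repro" {
  name     = "rg-mpf-repro" # constructed name
  location = "westeurope"
}

resource "azurerm_virtual_network" "repro" {
  name                = "vnet-mpf-repro"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.repro.location
  resource_group_name = azurerm_resource_group.repro.name
}

# Subnet that hosts the private endpoint NIC.
resource "azurerm_subnet" "pe" {
  name                 = "snet-pe"
  resource_group_name  = azurerm_resource_group.repro.name
  virtual_network_name = azurerm_virtual_network.repro.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_storage_account" "repro" {
  name                          = "stmpfrepro001" # must be globally unique
  resource_group_name           = azurerm_resource_group.repro.name
  location                      = azurerm_resource_group.repro.location
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  public_network_access_enabled = false # assumption: reachable only via the private endpoint
}

# Container creation goes through the blob data plane, not ARM.
resource "azurerm_storage_container" "repro" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.repro.name
  container_access_type = "private"
}

resource "azurerm_private_endpoint" "blob" {
  name                = "pe-stmpfrepro001-blob"
  location            = azurerm_resource_group.repro.location
  resource_group_name = azurerm_resource_group.repro.name
  subnet_id           = azurerm_subnet.pe.id
  private_service_connection {
    name                           = "psc-blob"
    private_connection_resource_id = azurerm_storage_account.repro.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}
```

With public network access disabled, the data-plane call that creates the container only succeeds from a network path that reaches the private endpoint, so where the tool runs from matters when comparing results.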