maniSbindra / az-mpf

Azure Deployments Minimum Permissions Finder (ARM, Terraform, Bicep)

Problem detecting permissions for storage container #44

Open Bibz87 opened 3 weeks ago

Bibz87 commented 3 weeks ago

Summary

Attempting to list permissions required to manage a blob storage and its associated resources via Terraform fails to handle a permission error.

Steps to reproduce

  1. Have a Terraform configuration with the following resources:
    • azurerm_storage_account
    • azurerm_private_endpoint
    • azurerm_storage_container
  2. Run the tool: ./az-mpf terraform --workingDir . --varFilePath "terraform.tfvars" --debug
  3. Notice Azure returns an error that isn't handled by the tool

Expected result

az-mpf is able to list all required permissions

What actually happens

Running the tool gives this error (sensitive information has been obfuscated):

Non Authorization Error when creating deployment: exit status 1

Error: waiting for the Data Plane for Storage Account (Subscription: "<subscription ID>"
Resource Group Name: "<resource group name>"
Storage Account Name: "<storage account name>") to become available:
waiting for the Blob Service to become available: polling failed: executing request:
unexpected status 403 (403 This request is not authorized to perform this operation using this permission.) with AuthorizationPermissionMismatch:
This request is not authorized to perform this operation using this permission.
RequestId:<request ID>
Time:2024-08-16T14:04:05.5664353Z

  with module.blob.module.storage_account.azurerm_storage_account.this,
  on .terraform\modules\blob\src\terraform\sub_modules\azure\storage\terraform-azurerm-storage-account\main.tf line 16, in resource "azurerm_storage_account" "this":
  16: resource "azurerm_storage_account" "this" {

Notes

Azure seems to usually return the missing permission in its error message (I've seen that's how this tool works) but in that specific case, I'm not sure if it will be even possible to fix it or find the proper missing permission. I also suspect this problem will occur regardless of the infrastructure tool used (Terraform, ARM or Bicep), as this issue seems to be rooted in Azure's error handling but I haven't tested with any tool other than Terraform.

maniSbindra commented 3 weeks ago

Hi @Bibz87 ,

Thanks for creating the issue.

For ARM and Bicep this utility uses the what-if endpoint/analysis so IaC resources are not created. In case of terraform since there is no equivalent of what-if endpoint, the resource creation is attempted to figure out the permissions required.

Regarding the issue, I tried creating azurerm_storage_account, azurerm_private_endpoint, azurerm_storage_container using Bicep and Terraform; both executions were successful, and I did not get the error mentioned. I think I am missing some configurations used by you. Will it be possible for you to share your Terraform file, so that I can replicate the issue, and then figure out potential solutions?
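
Added illustration, not az-mpf's own code: since the Terraform path learns permissions from the error text of an attempted create, a finder has to tell apart a control-plane ARM authorization error, which names the missing RBAC action, from the data-plane AuthorizationPermissionMismatch in this issue, which names nothing and so cannot be resolved from the message. The ARM message format is assumed to be the usual "does not have authorization to perform action '...'" text; both sample messages are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ErrorKind classifies an error message returned during a Terraform apply.
type ErrorKind int

const (
	ErrorNone              ErrorKind = iota
	ErrorARMAuthorization            // control plane: message names the missing action
	ErrorDataPlaneMismatch           // data plane 403: no action in the message
	ErrorOther
)

// armAuthFailed matches the usual ARM AuthorizationFailed text (assumed format).
var armAuthFailed = regexp.MustCompile(`does not have authorization to perform action '([^']+)'`)

// ClassifyError returns the error class and, for ARM authorization errors,
// the missing action so the caller can add it to the required permission set.
// For a data-plane mismatch the action is empty: the message does not carry it.
func ClassifyError(msg string) (ErrorKind, string) {
	if msg == "" {
		return ErrorNone, ""
	}
	if m := armAuthFailed.FindStringSubmatch(msg); m != nil {
		return ErrorARMAuthorization, m[1]
	}
	if strings.Contains(msg, "AuthorizationPermissionMismatch") {
		return ErrorDataPlaneMismatch, ""
	}
	return ErrorOther, ""
}

// Constructed sample shaped like the data-plane error reported in this issue.
const dataPlaneSample = `waiting for the Blob Service to become available: polling failed: executing request:
unexpected status 403 (403 This request is not authorized to perform this operation using this permission.) with AuthorizationPermissionMismatch:
This request is not authorized to perform this operation using this permission.`

// Constructed sample of a control-plane ARM authorization error (assumed format).
const armSample = `The client '<client>' with object id '<oid>' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/write' over scope '/subscriptions/<sub>/resourceGroups/<rg>' or the scope is invalid.`

func main() {
	for _, s := range []string{armSample, dataPlaneSample} {
		kind, action := ClassifyError(s)
		fmt.Printf("kind=%d action=%q\n", kind, action)
	}
}
```
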

Bibz87 commented 3 weeks ago

I'll try to whip up a test Terraform configuration. Might take a while, though, as I'm using a Corporate Azure subscription and there's a lot of things attached regarding infrastructure management. 😅

That might be the problem's cause, though... 🤔