@sorin-united PAT is created under a user account, and this account in AAD should have sufficient permissions. For example, the user in AAD has the Contributor role.
Terraform (and Azure DevOps Provider) Version
terraform 1.9.0 azuredevops 1.3.0
Affected Resource(s)
azuredevops_serviceendpoint_azurerm
Terraform Configuration Files
------------------------MODULE----------------------------
resource "azuredevops_serviceendpoint_azurerm" "this" {
  for_each = var.service_connection_params

  project_id                = each.value.project_id
  service_endpoint_name     = each.value.service_endpoint_name
  azurerm_spn_tenantid      = each.value.tenant_id
  azurerm_subscription_id   = each.value.subscription_id
  azurerm_subscription_name = each.value.subscription_name
  resource_group            = each.value.resource_group
}

resource "azuredevops_resource_authorization" "this" {
  for_each = var.service_connection_params

  project_id  = each.value.project_id
  resource_id = azuredevops_serviceendpoint_azurerm.this[each.key].id
  authorized  = true
}

------------------------VARIABLES FILE--------------------
variable "service_connection_params" {
  type = map(object({
    project_id            = string
    service_endpoint_name = string
    tenant_id             = string
    subscription_id       = string
    subscription_name     = string
    resource_group        = string
  }))
}

------------------------MODULE CALL-----------------------
module "service_connection" {
  source = "../"

  service_connection_params = {
    ado_service_connnection = {
      project_id            = data.azuredevops_project.teamproject.project_id
      service_endpoint_name = "TEST_SC" #data.azurerm_resource_group.rg-devops-arm-poc.name
      tenant_id             = "88155c28-f750-4013-91d3"
      subscription_id       = "d4549b4e-03a6-4b02-a194"
      subscription_name     = "APPS_EU_POC"
      resource_group        = data.azurerm_resource_group.rg-devops-arm-poc.name
    }
  }
}
Debug Output
file attached trace_logs.txt
Panic Output
n/a
Expected Behavior
Successfully create service connection
Actual Behavior
Error:
│ Error: waiting for service endpoint ready. Looking up service endpoint given ID (bffcc32d-d0a8-4915-abed-e146a7d81124) and project ID (4ff74780-9ca2-4de5-8711-086114d194bb): map[errorCode:1 severity: state:Failed statusMessage:Failed to create an app in Microsoft Entra. Error: Insufficient privileges to complete the operation in Microsoft Graph Ensure that the user has permissions to create a Microsoft Entra Application.]
Steps to Reproduce
terraform apply the above code provided
terraform apply
Important Factoids
n/a
References
n/a
The error is saying "Insufficient privileges to complete the operation in Microsoft Graph" - but the service principal used HAS the privileges to create service connections - this was separately tested in PowerShell for Microsoft Graph API.
Looking forward to any feedback, thanks!