microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Error creating new azuredevops_serviceendpoint_azurecr #782

Open glasko-dp opened 1 year ago

glasko-dp commented 1 year ago

Terraform (and Azure DevOps Provider) Version

terraform -v
Terraform v1.4.6
on linux_amd64

Affected Resource(s)

Terraform Configuration Files

locals {
  subscription_name        = "production"
  subscription_id          = "9b42a783-f69a-4efd-82a7-5295b051d708"
  production_tenant_id     = "6e2a7c01-aad8-4e29-b0bb-50eaeb05bb63"
  azdops_organization_name = "test-azdops-org"
  azdops_project_name      = "test-azdops-project"
  registry_name            = "prod-container-registry"
}

# Existing Azure DevOps project that will own the service connection.
data "azuredevops_project" "test_azdops" {
  name = local.azdops_project_name
}

# Resource group looked up by name in the subscription configured on the azurerm provider.
data "azurerm_resource_group" "prod_containerRegistry" {
  name = local.registry_name
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/${local.azdops_organization_name}/"
}

provider "azurerm" {
  features {}
  subscription_id = local.subscription_id
}

# Azure Container Registry service connection; the provider also creates the SPN
# and its role assignment on the registry in Azure.
resource "azuredevops_serviceendpoint_azurecr" "container_registry" {
  project_id                = data.azuredevops_project.test_azdops.id
  service_endpoint_name     = local.registry_name
  resource_group            = data.azurerm_resource_group.prod_containerRegistry.name
  azurecr_name              = local.registry_name
  azurecr_subscription_id   = local.subscription_id
  azurecr_subscription_name = local.subscription_name
  azurecr_spn_tenantid      = local.production_tenant_id
  description               = ""
  timeouts {}
}

Expected Behavior

Service connection should be created

Actual Behavior

Error: waiting for service endpoint ready. Error looking up service endpoint given ID (dced8f68-cab0-44c4-9d34-ab43d71579c1) and project ID (5b728f7f-9544-4b38-9ff4-449656ced75d): map[state:Failed statusMessage: Failed to set Azure permission 'RoleAssignmentId: 80b84d38-346b-4370-97b8-6874962018af' for the service principal 'b2429ef0-4303-4d94-a883-d4a2f2d4a6a6' on subscription ID '9b42a783-f69a-4efd-82a7-5295b051d708': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'tfc@example.com' with object id '971cfec9-5598-446a-952f-dfaa8f84a569' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/99b42a783-f69a-4efd-82a7-5295b051d708/resourceGroups/PaasProd_ContainerRegistry/providers/Microsoft.ContainerRegistry/registries/prod-container-registry/providers/Microsoft.Authorization/roleAssignments/80b84d38-346b-4370-97b8-6874962018af' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.]

Steps to Reproduce

  1. terraform apply

Important Factoids

  1. The account does have the role User Access Administrator on the subscription, and has had this role for a few months.
  2. If we create this service connection manually, then import it, the account is able to delete the registry with no error.

References

xuzhang3 commented 1 year ago

@glasko-dp This is not an ADO provider error. Can you grant the Owner role to the user? This resource consists of two parts: the service connection, managed by Azure DevOps, and the SPN created with this service connection, managed by Azure. You can delete the service connection, but the SPN may not be deleted.
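An added diagnostic example, not code from the issue or from the provider: a small Python parser for the wrapped error quoted in the issue body, which splits it into the fields a defender needs (which identity, which action, which scope, which SPN) and lists what to verify before re-running apply, following the two-part model described in the comment above. The sample message is constructed from the values shown in the issue; the comparison against a configured subscription id is an assumption added here, not something the provider does.

```python
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Constructed sample with the same shape and values as the error quoted in the issue.
SAMPLE_ERROR = (
    "Error: waiting for service endpoint ready. Error looking up service endpoint given ID "
    "(dced8f68-cab0-44c4-9d34-ab43d71579c1) and project ID (5b728f7f-9544-4b38-9ff4-449656ced75d): "
    "map[state:Failed statusMessage: Failed to set Azure permission 'RoleAssignmentId: "
    "80b84d38-346b-4370-97b8-6874962018af' for the service principal 'b2429ef0-4303-4d94-a883-d4a2f2d4a6a6' "
    "on subscription ID '9b42a783-f69a-4efd-82a7-5295b051d708': error code: Forbidden, inner error code: "
    "AuthorizationFailed, inner error message The client 'tfc@example.com' with object id "
    "'971cfec9-5598-446a-952f-dfaa8f84a569' does not have authorization or an ABAC condition not fulfilled "
    "to perform action 'Microsoft.Authorization/roleAssignments/write' over scope "
    "'/subscriptions/99b42a783-f69a-4efd-82a7-5295b051d708/resourceGroups/PaasProd_ContainerRegistry"
    "/providers/Microsoft.ContainerRegistry/registries/prod-container-registry/providers/"
    "Microsoft.Authorization/roleAssignments/80b84d38-346b-4370-97b8-6874962018af' or the scope is invalid.]"
)

# One regex per field, keyed on the fixed phrases of the provider's wrapped ARM error.
FIELD_PATTERNS = {
    "state": r"map\[state:(\w+)",
    "spn_object_id": r"service principal '([^']+)'",
    "inner_error_code": r"inner error code: (\w+)",
    "client": r"The client '([^']+)'",
    "action": r"perform action '([^']+)'",
    "scope": r"over scope '([^']+)'",
}


def parse_ado_permission_error(msg: str) -> dict:
    """Return the fields found in the message; fields that are absent are simply omitted."""
    return {name: m.group(1) for name, pat in FIELD_PATTERNS.items()
            if (m := re.search(pat, msg))}


def diagnose(msg: str, configured_subscription_id: str) -> list:
    """List what to verify before retrying apply; the subscription comparison is an assumed check."""
    f = parse_ado_permission_error(msg)
    findings = []
    if f.get("inner_error_code") == "AuthorizationFailed":
        findings.append(f"verify that {f.get('client')} holds a role granting '{f.get('action')}' "
                        f"at or above {f.get('scope')} (assignments are inherited down the scope chain)")
        if "ABAC condition" in msg:
            findings.append("check the identity's role assignment for an ABAC condition excluding this write")
    m = re.match(r"/subscriptions/([^/]+)/", f.get("scope", ""))
    if m and not re.fullmatch(GUID, m.group(1).lower()):
        findings.append(f"scope subscription segment '{m.group(1)}' is not a well-formed GUID")
    elif m and m.group(1).lower() != configured_subscription_id.lower():
        findings.append(f"scope subscription '{m.group(1)}' differs from configured '{configured_subscription_id}'")
    return findings
```

Run `diagnose(SAMPLE_ERROR, "9b42a783-f69a-4efd-82a7-5295b051d708")` to see the three findings for the quoted message; a message with `state:Succeeded` and no scope yields none.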