microsoft / terraform-provider-power-platform

Power Platform Terraform Provider
https://registry.terraform.io/providers/microsoft/power-platform/latest/docs
MIT License

Error: Location validation failed for powerplatform__environment #388

Closed Cronk77 closed 3 months ago

Cronk77 commented 3 months ago

Describe the bug

I am using the OIDC method of auth associated with a service principal to get my GitHub Actions workflows to provision environments in Power Platform. I have run it via `use_cli = true` on the provider. This allowed me to provision with no issues. When I switch over to using the documentation for using a service principal with OIDC, it gets to creating the environments and spits back this error:

```
│ Error: Location validation failed for powerplatform__environment
│
│   with module.model_environment.powerplatform_environment.environment,
│   on modules/environments/main.tf line 18, in resource "powerplatform_environment" "environment":
│   18: resource "powerplatform_environment" "environment" {
│
│ status: 403, message: {"error":{"code":"Forbidden","message":"The service
│ principal with id '](https://github.com//actions/runs/job/#step:11:231)' for application
│ * does not have permission to access the
│ path
│ 'https://****/providers/Microsoft.BusinessAppPlatform/locations?api-version=2023-06-01'
│ in tenant
│ *.","detailUrlType":"NotSpecified"}}
```

I went through creating the service principal shown in the documentation for this, gave it all the API permissions listed, exposed the API, and even gave it Power Platform Admin permissions plus more, but it is still giving me this error. I also double-checked the service principal and tenant GUIDs and they are correct. I'm wondering if this is something I am doing wrong or maybe it deals with the provider being "Experimental".

To Reproduce

provider.tf:

```hcl
terraform {
  required_providers {
    powerplatform = {
      source  = "microsoft/power-platform"
      version = "2.7.0-preview" // Version is in a pre-release status
    }
  }
}

provider "powerplatform" {
  client_id     = var.client_id
  client_secret = var.client_secret
  tenant_id     = var.tenant_id
  use_cli       = true
  use_oidc      = true
}
```

module/environments/main.tf:

```hcl
terraform {
  required_providers {
    powerplatform = {
      source  = "microsoft/power-platform"
      version = "2.7.0-preview" // Version is in a pre-release status
    }
  }
}

provider "powerplatform" {
  client_id     = var.client_id
  client_secret = var.client_secret
  tenant_id     = var.tenant_id
  use_cli       = true
  use_oidc      = true
}

resource "powerplatform_environment" "environment" {
  display_name     = var.env_name
  location         = var.location
  azure_region     = var.azure_region // Optional, but capacity issue if too many are made in the same region
  environment_type = var.environment_type
  dataverse = {
    language_code     = "1033"
    currency_code     = "USD"
    security_group_id = "00000000-0000-0000-0000-000000000000"
  }
}

resource "powerplatform_managed_environment" "managed_development" {
  count                      = var.isManaged ? 1 : 0
  environment_id             = powerplatform_environment.environment.id
  is_usage_insights_disabled = true
  is_group_sharing_disabled  = true
  limit_sharing_mode         = "NoLimit"
  max_limit_user_sharing     = 10
  solution_checker_mode      = "Warn"
  suppress_validation_emails = true
  maker_onboarding_markdown  = ""
  maker_onboarding_url       = ""

  depends_on = [powerplatform_environment.environment]
}

resource "powerplatform_environment_settings" "settings" {
  environment_id = powerplatform_environment.environment.id

  audit_and_logs = {
    plugin_trace_log_setting = "Exception"
    audit_settings = {
      is_audit_enabled             = true
      is_user_access_audit_enabled = true
      is_read_audit_enabled        = true
    }
  }
  email = {
    email_settings = {
      max_upload_file_size_in_bytes = 123456
    }
  }
  product = {
    behavior_settings = {
      show_dashboard_cards_in_expanded_state = true
    }
    features = {
      power_apps_component_framework_for_canvas_apps = false
    }
  }
}
```

.github/workflows/ProvisionEnvironment.yml:

```yaml
name: Terraform Provision

on:
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

env:
  # These Three are used for when the Auth with Secret Client Value
  TF_VAR_client_id: ${{ vars.CLIENT_ID }}
  TF_VAR_client_secret: ${{ secrets.CLIENT_SECRET }}
  TF_VAR_tenant_id: ${{ vars.TENANT_ID }}

  TF_VAR_project_name: ${{ vars.PROJECT_NAME }}
  TF_VAR_location: ${{ vars.LOCATION }}
  TF_VAR_azure_region: ${{ vars.AZURE_REGION }}
  POWER_PLATFORM_TENANT_ID: ${{ vars.TENANT_ID }}
  POWER_PLATFORM_CLIENT_ID: ${{ vars.CLIENT_ID }}

jobs:
  Terraform:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2

      - name: 'Azure Login'
        uses: azure/login@v1
        with:
          client-id: ${{ vars.CLIENT_ID }}
          tenant-id: ${{ vars.TENANT_ID }}
          subscription-id: ${{ vars.SUBSCRIPTION_ID }}

      - name: 'Azure CLI script'
        uses: azure/cli@v2
        with:
          azcliversion: latest
          inlineScript: |
            az account show
            az group list

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.9.3

      - name: Initialize Terraform
        working-directory: ./TerraformProvision
        run: terraform init

      - name: Terraform Format
        working-directory: ./TerraformProvision
        run: terraform fmt -check

      - name: Terraform Validate
        id: validate
        # Run even if formatting fails
        if: success() || failure()
        run: terraform validate -no-color

      - name: Plan Terraform
        working-directory: ./TerraformProvision
        run: terraform plan -no-color -input=false

      - name: Apply Terraform
        working-directory: ./TerraformProvision
        run: terraform apply -auto-approve
```

Steps to reproduce the behavior:

Use the code from above. Go through the steps in the documentation for OIDC auth.

Expected behavior

Allow the service principal to provision environments with Terraform through GitHub Actions workflows.

mawasile commented 3 months ago

Hi

Are you sure that you executed the following call as part of your service principal setup: https://learn.microsoft.com/en-us/power-platform/admin/powerplatform-api-create-service-principal#make-requests-as-the-service-principal

This step is part of your bootstrap process.

The permission error that you are getting would indicate that your service principal has not been elevated to make calls against the Power Platform APIs. Confirm that you've run bootstrap.sh without error and try again (even running locally, outside a pipeline).
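
A pre-flight check for the situation described in this reply, written as an added example (it is not part of this issue thread or of the provider): it asks the Azure CLI session for a token and calls the same locations path the provider validates `location` against, then classifies the 403 body from the report so a pipeline can fail fast with a clear reason before `terraform apply`. Assumptions: the masked host in the error is api.bap.microsoft.com, and an Azure CLI login (e.g. from azure/login) exists when the script is run with `--live`; the sample bodies in the comments are constructed.

```shell
#!/usr/bin/env bash
# Pre-flight: can this service principal list Power Platform locations?
# Assumed token audience/host (masked as **** in the issue's error text).
BAP_RESOURCE="https://api.bap.microsoft.com/"
LOCATIONS_URL="${BAP_RESOURCE}providers/Microsoft.BusinessAppPlatform/locations?api-version=2023-06-01"

# Classify an HTTP status and response body. Return codes:
#   0 = service principal can call the API
#   1 = the "Forbidden ... does not have permission to access the path" 403
#       from the issue, i.e. the SP was never registered via the bootstrap step
#   2 = anything else (bad tenant, wrong token audience, network, ...)
# Pure function (no network) so it can be exercised on constructed input.
classify_bap_response() {
  status="$1"
  body="$2"
  if [ "$status" = "200" ]; then
    return 0
  fi
  if [ "$status" = "403" ] \
     && printf '%s' "$body" | grep -q '"code":"Forbidden"' \
     && printf '%s' "$body" | grep -q 'does not have permission to access the path'; then
    return 1
  fi
  return 2
}

# Map a classify_bap_response exit code to an operator-facing message.
explain_bap_result() {
  case "$1" in
    0) echo "ok: service principal can list Power Platform locations" ;;
    1) echo "forbidden: service principal is not registered with the Power Platform API; run the bootstrap (management app registration) step and retry" ;;
    *) echo "unexpected response: check tenant id, token audience and network" ;;
  esac
}

# Live check: uses the current Azure CLI login to fetch a token for the BAP
# audience and performs the GET that the provider does during validation.
preflight_bap_access() {
  token=$(az account get-access-token --resource "$BAP_RESOURCE" --query accessToken -o tsv) || return 2
  raw=$(curl -sS -w '\n%{http_code}' -H "Authorization: Bearer $token" "$LOCATIONS_URL") || return 2
  status=$(printf '%s\n' "$raw" | tail -n 1)
  body=$(printf '%s\n' "$raw" | sed '$d')
  classify_bap_response "$status" "$body"
}

if [ "${1:-}" = "--live" ]; then
  preflight_bap_access; rc=$?
  explain_bap_result "$rc"
  exit "$rc"
fi
```

Add it as a step right after azure/login and before `terraform plan`; a non-zero exit stops the job with the explanation instead of the provider's wrapped 403.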

Cronk77 commented 3 months ago

Thank you. That worked.