pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

Removing a Custom azure role with pulumi azure native provider is failing #2610

Open Kmougari opened 11 months ago

Kmougari commented 11 months ago

What happened?

When trying to delete an Azure custom role using the Azure Native provider, the role is not deleted and we get the following error:

```
pulumi:pulumi:Stack foundations-sandbox failed 1 error; 1 message

Diagnostics: azure-native:authorization:RoleDefinition (rd-temp-role-for-testing-contributor): error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'XXXXXXXX with object id 'XXXXXXXXX does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/delete' over scope '/providers/Microsoft.Authorization/roleDefinitions/XXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials."
```

We have tested with the Azure Classic provider and it is working.

Please note that the custom role is set at management group level scope, and the provider is configured to authenticate to one of the subscriptions. We have tested authentication directly at the tenant level and it is failing.

Expected Behavior

Should be able to remove the role with Azure Native.

Steps to reproduce

Create a custom role at management group level and try to delete it with the Pulumi Azure Native provider.

Output of pulumi about

[screenshot of `pulumi about` output]

Additional context

No response


Kmougari commented 11 months ago

Please note that this has been tested with Azure Native provider v2.x.x and we still have the same problem.

thomas11 commented 11 months ago

Hi @Kmougari! Can you share more about how authentication is configured in both providers? Note that Azure Native will not re-use the configuration of Azure Classic, except certain environment variables. You have to set any azure:... configuration again as azure-native:....

Kmougari commented 11 months ago

Find below the configuration:

```
$ pulumi config
KEY                         VALUE
azure:location              FranceCentral
azure:subscriptionId        XXXX
azure:tenantId              XXX
azure-native:location       FranceCentral
azure-native:subscriptionId XXXXX
azure-native:tenantId       XXXXX
```

I cannot share the ids, but the subscriptionId is the same for Azure Classic as for Azure Native.

Kmougari commented 11 months ago

For your information @thomas11

Kmougari commented 11 months ago

Any feedback on this @thomas11 ?

Kmougari commented 9 months ago

Can we have an update on this, please? @thomas11

Kmougari commented 8 months ago

No update on this?

thomas11 commented 5 months ago

Hi @Kmougari, apologies that we dropped this issue. Is it still relevant to you? If so, I'd need to know more about how you authenticate. The tenantId configuration you shared is part of it but not sufficient. Which of the methods described here are you trying to use?

Kmougari commented 4 months ago

Hi @thomas11, yes, it is still relevant. We are authenticating using an SP.

thomas11 commented 4 months ago

Thanks @Kmougari. Some more questions:

  1. Did you create this role using the azure native provider?
  2. Can you share the Scope of the role?

It would be much easier to diagnose the problem if you could share a complete Pulumi program that shows the issue.