Develop Reference

Error The parameter LinuxFxVersion has an invalid value when deploying my azure function resource

I am attempting to deploy .NET Framework application with Azure function, i am working off an existing ARM json template which i converted to .bicep file. One of the resources is the below
resource resourceName_resource 'Microsoft.Web/sites#2021-02-01' = {
name: resourceName
location: resourceLocation
identity: {
type: 'SystemAssigned'
}
tags: {
'hidden-related:${appServicePlan_ResourceId}': 'empty'
}
kind: 'functionapp'
properties: {
httpsOnly: true
reserved: false
serverFarmId: appServicePlan_ResourceId
siteConfig: {
alwaysOn: true
linuxFxVersion: 'DOTNETCORE|6.0'
}
}
dependsOn: [
appServicePlan_name
storage_name
]
}
However when i run the deployment i get the below error, now i am assuming the error is caused by the above configuration as thats the only resource with LinuxFxVersion. How do i correct this error ?
{
"status":"Failed",
"error":{
"code":"DeploymentFailed",
"message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details":[
{
"code":"BadRequest",
"message":"{\r\n \"Code\": \"BadRequest\",\r\n \"Message\": \"The parameter LinuxFxVersion has an invalid value.\",\r\n \"Target\": null,\r\n \"Details\": [\r\n {\r\n \"Message\": \"The parameter LinuxFxVersion has an invalid value.\"\r\n },\r\n {\r\n \"Code\": \"BadRequest\"\r\n },\r\n {\r\n \"ErrorEntity\": {\r\n \"ExtendedCode\": \"01007\",\r\n \"MessageTemplate\": \"The parameter {0} has an invalid value.\",\r\n \"Parameters\": [\r\n \"LinuxFxVersion\"\r\n ],\r\n \"Code\": \"BadRequest\",\r\n \"Message\": \"The parameter LinuxFxVersion has an invalid value.\"\r\n }\r\n }\r\n ],\r\n \"Innererror\": null\r\n}"
}
]
}
}

Double check the bicep for deploying the Microsoft.Web/serverfarms resource. I recall a similar error because I had left out the property setting reserved: true. Once I added that setting, then the deployment succeeded. If you already created the app service plan, you'll need to remove it and redeploy in order for the change to be accepted.
I ran the following and it worked.
param location string = 'East US'
resource hostingPlan 'Microsoft.Web/serverfarms#2021-01-15' = {
name: 'apphostingplanname'
location: location
properties: {
reserved: true
}
sku: {
tier: 'Standard'
name: 'S1'
}
kind: 'linux'
}
resource resourceName_resource 'Microsoft.Web/sites#2021-02-01' = {
name: 'somewebapp72478340'
location: location
identity: {
type: 'SystemAssigned'
}
tags: {
'hidden-related:${hostingPlan.id}': 'empty'
}
kind: 'functionapp'
properties: {
httpsOnly: true
reserved: false
serverFarmId: hostingPlan.id
siteConfig: {
alwaysOn: true
linuxFxVersion: 'DOTNETCORE|6.0'
}
}
}
Result:

Azure bicep Pass Storage Account Connection String to Secret Keyvault loop issue

I have a the following bicep script to perform the following steps:
Create storage accounts based on code
create a key
encrypt storage account with the correct key
generate a secret connection string (storage account) into a key vault
The infra is splitted into 2 resource groups:
rg-shared => where the 2 key vault are (1 keyvault for key and GUID, and 1 keyvault for secrets (connection string)
rg-storage-account => where all the storage account get created
In azure bicep I have the following scripts:
Storage.bicep
param ManagedIdentityid string
param uri string
param kvname string
param keyvaultrg string = 'XXXX' //<== SHARED Resource Group
var keyVaultKeyPrefix = 'Key-Data-'
var storagePrefix = 'sthritesteur'
param tenantCodes array = [
'aabb'
'bbcc'
'ccdd'
]
// Create storage accounts
resource storageAccount 'Microsoft.Storage/storageAccounts#2021-04-01' = [for tenantCode in tenantCodes: {
name: '${storagePrefix}${tenantCode}'
location: resourceGroup().location
kind: 'StorageV2'
sku: {
name: 'Standard_RAGRS'
}
// Assign the identity
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${ManagedIdentityid}':{}
}
}
properties: {
allowCrossTenantReplication: true
minimumTlsVersion: 'TLS1_2'
allowBlobPublicAccess: false
allowSharedKeyAccess: true
networkAcls: {
bypass: 'AzureServices'
virtualNetworkRules: []
ipRules: []
defaultAction: 'Allow'
}
supportsHttpsTrafficOnly: true
encryption: {
identity: {
// specify which identity to use
userAssignedIdentity: ManagedIdentityid
}
keySource: 'Microsoft.Keyvault'
keyvaultproperties: {
keyname: '${kvname}-${keyVaultKeyPrefix}${toUpper(tenantCode)}'
keyvaulturi:uri
}
services: {
file: {
keyType: 'Account'
enabled: true
}
blob: {
keyType: 'Account'
enabled: true
}
}
}
accessTier: 'Hot'
}
}]
resource storage_Accounts_name_default 'Microsoft.Storage/storageAccounts/blobServices#2021-04-01' = [ for (storageName, i) in tenantCodes :{
parent: storageAccount[i]
name: 'default'
properties: {
changeFeed: {
enabled: false
}
restorePolicy: {
enabled: false
}
containerDeleteRetentionPolicy: {
enabled: true
days: 7
}
cors: {
corsRules: []
}
deleteRetentionPolicy: {
enabled: true
days: 30
}
isVersioningEnabled: true
}
}]
module connectionString 'shared.bicep' = [for (storageName, i) in tenantCodes :{
scope: resourceGroup(keyvaultrg)
name: storageName
params: {
storageAccountString: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount[i].name};AccountKey=${listKeys(storageAccount[i].id, storageAccount[i].apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
}]
keyvaultclient.bicep
param deploymentIdOne string = newGuid()
param deploymentIdTwo string = newGuid()
output deploymentIdOne string = '${deploymentIdOne}-${deploymentIdTwo}'
output deploymentIdTwo string = deploymentIdTwo
param storagerg string = 'XXXX' //<=== Storage Accounts Resource Groups
param sharedManagedIdentity string = 'mgn-identity-shared'
param keyvaultmain string = 'XXXX' //<=== KeyVault Name where to create GUID AND Keys
param tenantCodes array = [
'aabb'
'bbcc'
'ccdd'
]
var clientDataKeyPrefix = 'Key-Data-'
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities#2018-11-30' = {
name: sharedManagedIdentity
location: resourceGroup().location
}
resource keyVaultClients 'Microsoft.KeyVault/vaults#2021-06-01-preview' existing = {
name: keyvaultmain
}
resource kvClientsKey 'Microsoft.KeyVault/vaults/keys#2021-06-01-preview' = [for code in tenantCodes: {
parent:keyVaultClients
name: '${keyVaultClients.name}-${clientDataKeyPrefix}${toUpper(code)}'
properties: {
keySize: 2048
kty: 'RSA'
// Assign the least permission
keyOps: [
'unwrapKey'
'wrapKey'
]
}
}]
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies#2021-06-01-preview' = {
parent:keyVaultClients
name: 'add'
properties: {
accessPolicies: [
{
tenantId: subscription().tenantId
objectId: managedIdentity.properties.principalId
permissions: {
// minimum required permission
keys: [
'get'
'unwrapKey'
'wrapKey'
]
}
}
]
}
}
resource clientLearnersGuid 'Microsoft.KeyVault/vaults/secrets#2021-06-01-preview' = [for tenant in tenantCodes: {
parent:keyVaultClients
name: '${keyVaultClients.name}${tenant}'
properties: {
contentType: 'GUID Key'
value: '${deploymentIdOne}-${deploymentIdTwo}'
}
dependsOn:kvClientsKey
}]
module StorageAccount 'storage.bicep' = [for (storageName, i) in tenantCodes :{
scope: resourceGroup(storagerg)
name: storageName
params: {
ManagedIdentityid:managedIdentity.id
kvname:keyVaultClients.name
uri:keyVaultClients.properties.vaultUri
}
dependsOn:clientLearnersGuid
}]
shared.bicep
param keyvaultshared string = 'XXXX' //<=== Key Vault Where to Store the Storage Connection String Secret
param storageAccountString string
param tenantCodes array = [
'aabb'
'bbcc'
'ccdd'
]
resource keyVaultShared 'Microsoft.KeyVault/vaults#2021-06-01-preview' existing = {
name: keyvaultshared
}
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets#2021-06-01-preview' = [for tenant in tenantCodes: {
parent:keyVaultShared
name: '${keyVaultShared.name}-test${tenant}'
properties:{
contentType: '${tenant} Storage Account Connection String'
value: storageAccountString
}
}]
Those script performs all the steps I needed based on the tenantCode. Which is just perfect. If I have only 1 tenantCode declared, everything goes smooth and perfect, but the issue I am facing raises when I try to declare more than 1. And this is the problem in details.
When I declare more than 1 code, the script still created all the resources I needed: Storage accounts,Keys,Encryptions, GUID and ConnectionStrings Secrets. But it fails anyway on the ConnectionStrings Secret.
The reason why it fails it because in those files at this block of code:
Shared.bicep
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets#2021-06-01-preview' = [for tenant in tenantCodes: {
parent:keyVaultShared
name: '${keyVaultShared.name}-test${tenant}'
properties:{
contentType: '${tenant} Storage Account Connection String'
value: storageAccountString
}
}]
and
keuvaultsclient.bicep*
module StorageAccount 'storage.bicep' = [for (storageName, i) in tenantCodes :{
scope: resourceGroup(storagerg)
name: storageName
params: {
ManagedIdentityid:managedIdentity.id
kvname:keyVaultClients.name
uri:keyVaultClients.properties.vaultUri
}
dependsOn:clientLearnersGuid
}]
I have a multiple loop, on which I realised that in my shared keyvault under secrets, I have the correct amount of secrets (with 3 tenant codes I have 3 secrets) and under each secret I have 3 versions (for each tenant code it generate a new version for each secret). This looping error causes bicep script to fail with the following message:
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"DeploymentFailed\",\r\n \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\",\r\n \"details\": [\r\n {\r\n \"code\": \"Conflict\",\r\n \"message\": \"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\": \\\"StorageAccountOperationInProgress\\\",\\r\\n \\\"message\\\": \\\"An operation is currently performing on this storage account that requires exclusive access.\\\"\\r\\n }\\r\\n}\"\r\n },\r\n {\r\n \"code\": \"Conflict\",\r\n \"message\": \"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\": \\\"StorageAccountOperationInProgress\\\",\\r\\n \\\"message\\\": \\\"An operation is currently performing on this storage account that requires exclusive access.\\\"\\r\\n }\\r\\n}\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"}]}}
I am totally blocked at this stage and as I am a bicep beginner, I run out of all options and test to try to solve this issue.
How to reproduce
Create 2 resource groups(one for the key vaults and one for the storage accounts)
Update parameters with the correct kv names
In all files add atleast 2 tenantCode on each file
execute the command az deployment group create -f ./keyvaultsclient.bicep -g <rg-where-keyvaults-are>
I hope I explained clearly enough the issue I am facing and please if you need more details just let me know.
Thank you so much for your time and help

I tested the same code by doing some changes, Please try doing the same changes in the .bicep files :
keyvaultclient.bicep:
Removed the loop for module as its creating 2 modules for the same thing.
module StorageAccount './storage.bicep' = {
scope: resourceGroup(storagerg)
name: 'NestedStorage'
params: {
ManagedIdentityid:managedIdentity.id
kvname:keyVaultClients.name
uri:keyVaultClients.properties.vaultUri
}
dependsOn:clientLearnersGuid
}
storage.bicep:
Removed the loop for module and added the loop for only storage connection string which will store the outputs in array and pass it to the next module.
module connectionString './shared.bicep'={
scope: resourceGroup(keyvaultrg)
name: 'KeyvaultNested'
params: {
storageAccountString: [for (tenant,i) in tenantCodes :{
id:'DefaultEndpointsProtocol=https;AccountName=${storageAccount[i].name};AccountKey=${listKeys(storageAccount[i].id, storageAccount[i].apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}]
}
}
shared.bicep:
Changed the parameter type of StorageAccountString from string to array and added [for (tenant,i) in tenantCodes in the secret part so that I can give the value as storageAccountString[i].id .
param storageAccountString array
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets#2021-06-01-preview' = [for (tenant,i) in tenantCodes: {
parent:keyVaultShared
name: '${keyVaultShared.name}-test${tenant}'
properties:{
contentType: '${tenant} Storage Account Connection String'
value: storageAccountString[i].id
}
}]
Outputs:

Creating AKS cluster with Managed Identity to give it access to a subnet - Error: authorization.RoleAssignmentsClient

I configured an AKS cluster to use a system-assigned managed identity to access to other Azure resources
resource "azurerm_subnet" "aks" {
name = var.aks_subnet_name
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = module.network.vnet_name
address_prefix = var.aks_subnet
service_endpoints = ["Microsoft.KeyVault"]
}
resource "azurerm_kubernetes_cluster" "aks_main" {
name = module.aks_name.result
depends_on = [azurerm_subnet.aks]
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
dns_prefix = "aks-${local.name}"
kubernetes_version = var.k8s_version
addon_profile {
oms_agent {
# For monitoring containers
enabled = var.addons.oms_agent
log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
}
kube_dashboard {
enabled = true
}
azure_policy {
# If we want to enfore policy definitions in the future
# Check requirements https://learn.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes
enabled = var.addons.azure_policy
}
}
default_node_pool {
name = "default"
orchestrator_version = var.k8s_version
node_count = var.default_node_pool.node_count
vm_size = var.default_node_pool.vm_size
type = "VirtualMachineScaleSets"
availability_zones = var.default_node_pool.zones
# availability_zones = ["1", "2", "3"]
max_pods = 250
os_disk_size_gb = 128
vnet_subnet_id = azurerm_subnet.aks.id
node_labels = var.default_node_pool.labels
enable_auto_scaling = var.default_node_pool.cluster_auto_scaling
min_count = var.default_node_pool.cluster_auto_scaling_min_count
max_count = var.default_node_pool.cluster_auto_scaling_max_count
enable_node_public_ip = false
}
# Configuring AKS to use a system-assigned managed identity to access
identity {
type = "SystemAssigned"
}
network_profile {
load_balancer_sku = "standard"
outbound_type = "loadBalancer"
network_plugin = "azure"
# if non-azure network policies
# https://azure.microsoft.com/nl-nl/blog/integrating-azure-cni-and-calico-a-technical-deep-dive/
network_policy = "calico"
dns_service_ip = "10.0.0.10"
docker_bridge_cidr = "172.17.0.1/16"
service_cidr = "10.0.0.0/16"
}
lifecycle {
ignore_changes = [
default_node_pool,
windows_profile,
]
}
}
I want to use that managed identity (the service principal created inside AKS cluster section code) to give it roles like this Network Contributor over a subnet:
resource "azurerm_role_assignment" "aks_subnet" {
# Giving access to AKS SP identity created to akssubnet by assigning it
# a Network Contributor role
scope = azurerm_subnet.aks.id
role_definition_name = "Network Contributor"
principal_id = azurerm_kubernetes_cluster.aks_main.identity[0].principal_id
# principal_id = azurerm_kubernetes_cluster.aks_main.kubelet_identity[0].object_id
# principal_id = data.azurerm_user_assigned_identity.test.principal_id
# skip_service_principal_aad_check = true
}
But the output I got after terraform apply is:
Error: authorization.RoleAssignmentsClient#Create: Failure responding
to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error.
Status=403 Code="AuthorizationFailed"
Message="The client 'afd5bd09-c294-4597-9c90-e1ee293e5f3a' with object id
'afd5bd09-c294-4597-9c90-e1ee293e5f3a' does not have authorization
to perform action 'Microsoft.Authorization/roleAssignments/write'
over scope '/subscriptions/77dfff95-fbd3-4a15-b97a-b7182939e61a/resourceGroups/rhd-spec-prod-main-6loe4lpkr0hd8/providers/Microsoft.Network/virtualNetworks/rhd-spec-prod-main-wdaht6cn7s3s8/subnets/aks-subnet/providers/Microsoft.Authorization/roleAssignments/8733864c-a5f7-a6a9-a61d-6393989f0ad1'
or the scope is invalid. If access was recently granted, please refresh your credentials."
on aks.tf line 23, in resource "azurerm_role_assignment" "aks_subnet":
23: resource "azurerm_role_assignment" "aks_subnet" {
It seems the service principal is being created does not have enough privileges to perform a role assignment over the subnet, or maybe I have wrong the scope attribute. I am passing there, the aks subnet id.
What am I doing wrong?
UPDATE
Checking the way Managed Identities has role assigneds, looks like we can only assign it roles related with Subscriptions, Resource Groups, Storage services, SQL services, and KeyVault.
Reading here
Before you can use the managed identity, it has to be configured. There are two steps:
Assign a role for the identity, associating it with the subscription that will be used to run Terraform. This step gives the identity permission to access Azure Resource Manager (ARM) resources.
Configure access control for one or more Azure resources. For example, if you use a key vault and a storage account, you will need to configure the vault and container separately.
Before you can create a resource with a managed identity and then assign an RBAC role, your account needs sufficient permissions. You need to be a member of the account Owner role, or have Contributor plus User Access Administrator roles.
Trying to proceed accordingly, I defined this section code:
resource "null_resource" "wait_for_resource_to_be_ready" {
provisioner "local-exec" {
command = "sleep 60"
}
depends_on = [
azurerm_kubernetes_cluster.aks_main
]
}
data "azurerm_subscription" "current" {}
# FETCHING THE IDENTITY CREATED ON AKS CLUSTER
data "azurerm_user_assigned_identity" "test" {
name = "${azurerm_kubernetes_cluster.aks_main.name}-agentpool"
resource_group_name = azurerm_kubernetes_cluster.aks_main.node_resource_group
}
data "azurerm_role_definition" "contributor" {
name = "Network Contributor"
}
resource "azurerm_role_assignment" "aks_subnet" {
# Giving access to AKS SP identity created to akssubnet by assigning it
# a Network Contributor role
# name = azurerm_kubernetes_cluster.aks_main.name
# scope = var.aks_subnet_name # azurerm_subnet.aks.id var.aks_subnet
scope = data.azurerm_subscription.current.id
#role_definition_name = "Network Contributor"
role_definition_id = "${data.azurerm_subscription.current.id}${data.azurerm_role_definition.contributor.id}"
# principal_id = azurerm_kubernetes_cluster.aks_main.identity[0].principal_id
# principal_id = azu rerm_kubernetes_cluster.aks_main.kubelet_identity[0].object_id
principal_id = data.azurerm_user_assigned_identity.test.principal_id
skip_service_principal_aad_check = true
depends_on = [
null_resource.wait_for_resource_to_be_ready
]
}
The terraform workflow try to create the role ...
> terraform_0.12.29 apply "prod_Infrastructure.plan"
null_resource.wait_for_resource_to_be_ready: Creating...
null_resource.wait_for_resource_to_be_ready: Provisioning with 'local-exec'...
null_resource.wait_for_resource_to_be_ready (local-exec): Executing: ["/bin/sh" "-c" "sleep 60"]
null_resource.wait_for_resource_to_be_ready: Still creating... [10s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [20s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [30s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [40s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [50s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [1m0s elapsed]
null_resource.wait_for_resource_to_be_ready: Creation complete after 1m0s [id=8505830187297683728]
azurerm_role_assignment.aks_subnet: Creating...
but finally got the same AuthorizationFailed error this time over the subscription passed.
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'afd5bd09-c294-4597-9c90-e1ee293e5f3a' with object id 'afd5bd09-c294-4597-9c90-e1ee293e5f3a' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/77dfff95-fbd3-4a15-b97a-b7182939e61a' or the scope is invalid. If access was recently granted, please refresh your credentials."
on aks.tf line 145, in resource "azurerm_role_assignment" "aks_subnet":
145: resource "azurerm_role_assignment" "aks_subnet" {
Not sure at all how to verify this statement
Before you can create a resource with a managed identity and then assign an RBAC role, your account needs sufficient permissions. You need to be a member of the account Owner role, or have Contributor plus User Access Administrator roles.
By the way, I have the owner role in the subscription I am working with.
UPDATE 2
The object id referenced on both error messages above, belong to a service principal within my tenant.
It is
az ad sp show --id afd5bd09-c294-4597-9c90-e1ee293e5f3a
{
"accountEnabled": "True",
"addIns": [],
"alternativeNames": [],
"appDisplayName": "Product-xxxx-ServicePrincipal-Production",
"appId": "ff9c642c-06b9-47e2-9565-e3f6e782e14f",
"appOwnerTenantId": "xxxxxxxx",
"appRoleAssignmentRequired": false,
"appRoles": [],
"applicationTemplateId": null,
"deletionTimestamp": null,
"displayName": "Product-xxxx-ServicePrincipal-Production",
"errorUrl": null,
"homepage": null,
"informationalUrls": {
"marketing": null,
"privacy": null,
"support": null,
"termsOfService": null
},
"keyCredentials": [],
"logoutUrl": null,
"notificationEmailAddresses": [],
"oauth2Permissions": [],
# THIS IS THE OBJECT ID
"objectId": "afd5bd09-c294-4597-9c90-e1ee293e5f3a",
"objectType": "ServicePrincipal",
"odata.metadata": "https://graph.windows.net/15f996bf-aad1-451c-8d17-9b95d025eafc/$metadata#directoryObjects/#Element",
"odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
"passwordCredentials": [],
"preferredSingleSignOnMode": null,
"preferredTokenSigningKeyEndDateTime": null,
"preferredTokenSigningKeyThumbprint": null,
"publisherName": "xxxxxxx",
"replyUrls": [],
"samlMetadataUrl": null,
"samlSingleSignOnSettings": null,
"servicePrincipalNames": [
"ff9c642c-06b9-47e2-9565-e3f6e782e14f"
],
"servicePrincipalType": "Application",
"signInAudience": "AzureADMyOrg",
"tags": [
"WindowsAzureActiveDirectoryIntegratedApp"
],
"tokenEncryptionKeyId": null
}
Regarding permissions, not sure if it has sufficient, I would say yes, since it is used for multiple stuff in the subscription
What about Users Consent permissions? I don't have anything there
But on the other hand, why the process is trying to assign the role by using this service principal?
I mean, the use of a managed identity, is intended to move away the use of service principals, but perhaps, the workflow procees use this SP just to assign the role to the managed identity and from that in forward the access will be granted by the managed identity (?)

From docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest#add-a-role-assignment
To call this API, you must have access to the Microsoft.Authorization/roleAssignments/write operation. Of the built-in roles, only Owner and User Access Administrator are granted access to this operation.
So your service principal must have the role owner or user access administrator. Or you have to create a custom role with sufficient permissions.
Regarding the workflow, I agree. It is quiet counter intuitive.
old answer
There is this bug (?) where azure states that the resource has been created but not all services have access it.
You can have it wait for a minute with something like this:
resource "null_resource" "wait_for_resource_to_be_ready" {
provisioner "local-exec" {
command = "sleep 60"
}
depends_on = [
azurerm_kubernetes_cluster.aks_main
]
}
Add a depends_on statment to your "azurerm_role_assignment" "aks_subnet" resource:
depends_on = [
null_resource.wait_for_resource_to_be_ready
]
Now first your cluster will be created, then terrform will wait for 60 seconds. Then your role_assignment will take place and will hopefully be able to grant the role.

DSC error for post deployment SQL configuration

I am deploying SQL server 2016 with ARM to Azure. Trying to implement post deployment configuration with DSC module.
DSC config:
xSQLServerSetup 'InstallDefaultInstance'
{
InstanceName = 'MSSQLSERVER'
SQLCollation = 'SQL_Latin1_General_CP1_CI_AS'
SQLSysAdminAccounts = $SqlInstallCredential
SourcePath = 'C:\SQLServerFull\'
DependsOn = '[WindowsFeature]NetFramework35','[WindowsFeature]NetFramework45', '[xDisk]TVolume'
}
And get the following:
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
"details": [
{
"code": "Conflict",
"message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'Microsoft.Powershell.DSC'. Error message: \\\"DSC Configuration 'Main' completed with error(s). Following are the first few: The network name cannot be found. Cannot bind argument to parameter 'Path' because it is an empty string. Cannot bind argument to parameter 'Path' because it is an empty string.\\\".\"\r\n }\r\n ]\r\n }\r\n}"
Any suggestions?

Moving resources failed because resource group has active deployments

When I try to change a website's resource group in Azure Powershell, I get the following error:
"Error": {
"Code": "MultipleErrorsOccurred",
"Message": "Multiple error occurred: Conflict,Conflict. Please see details.",
"Target": null,
"Details": [
{
"Code": "DeploymentActive",
"Message": "Moving resources failed because resource group 'rg1' has active deployments.",
"Target": null,
"Details": null
},
{
"Code": "DeploymentActive",
"Message": "Moving resources failed because resource group 'rg1' has active deployments.",
"Target": null,
"Details": null
}
}
I use the following commands:
$webapp = Get-AzureResource -ResourceGroupName "rg1" -ResourceName resourceName -ResourceType Microsoft.Web/sites
Move-AzureResource -DestinationResourceGroupName "rg2" -ResourceId $webapp.ResourceId
One solution is to delete and recreate the website but is there any other way that we can sort this problem out without deleting anything?

Move-AzureResource is obsolete now. Try using Move-AzureRmResource.
For the error, you will have to wait till an ongoing deployment in rg1 is complete.
You could retry once the deployment is complete.
Cheers!