Terraform apply can't be run because of azurerm_management_lock - azure

I have two resources, azurerm_storage_account and azurerm_cosmosdb_account, created in a resource group my-rg.
I also have an azurerm_management_lock set to ReadOnly at the my-rg level.
resource "azurerm_storage_account" "main" {
  name                = "my-storage"
  resource_group_name = azurerm_resource_group.main.name
  ...
}

resource "azurerm_cosmosdb_account" "main" {
  name                = "my-cosmosdb"
  resource_group_name = azurerm_resource_group.main.name
  ...
}

resource "azurerm_resource_group" "main" {
  name = "my-rg"
  ...
}

resource "azurerm_management_lock" "resource-group-level" {
  name       = "terraform-managed-resources"
  scope      = azurerm_resource_group.main.id
  lock_level = "ReadOnly"
}
When I run terraform apply I run into these errors:
Error: [ERROR] Unable to List Write keys for CosmosDB Account
"my-cosmosdb":
documentdb.DatabaseAccountsClient#ListKeys: Failure sending request:
StatusCode=409 -- Original Error: autorest/azure: Service returned an
error. Status= Code="ScopeLocked" Message="The scope
'/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg/providers/Microsoft.DocumentDB/databaseAccounts/my-cosmosdb'
cannot perform write operation because following scope(s) are locked:
'/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg'.
Please remove the lock and try again."
Error: building Queues Client: retrieving Account Key: Listing Keys
for Storage Account "my-storage" (Resource Group
"my-rg"): storage.AccountsClient#ListKeys: Failure
sending request: StatusCode=409 -- Original Error: autorest/azure:
Service returned an error. Status= Code="ScopeLocked"
Message="The scope
'/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/my-storage'
cannot perform write operation because following scope(s) are locked:
'/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg'.
Please remove the lock and try again."
What should I do in order to allow terraform apply to be run without removing the lock manually?
Note that this is a simplified example and I have many more resources that aren't impacted by this lock. I have only listed the resources involved in the error log.

Please check the Considerations before applying your locks.
When a ReadOnly lock is applied to a resource group that is the parent of a storage account, it applies to the storage account too.
For a storage account locked with read-only access, the List Keys operation is blocked for that account.
The List Keys operation is an HTTPS POST operation, and all POST operations are prevented when a ReadOnly lock is configured for the account, i.e. locks prevent the POST method from sending data to the Azure Resource Manager (ARM) API.
When a read-only lock is configured for a storage account, users/clients who already have the access keys can continue to access data, but users who don't have the account keys need to use Azure AD credentials to access blob or queue data.
Please check the "Authorizing data operations when a ReadOnly lock is in effect" section of Azure Storage | Microsoft Docs for the minimum roles required.
The same may apply to Cosmos DB, but to be sure, check whether listing keys in Cosmos DB requires you to assign the Cosmos DB Account Reader role, which has the Microsoft.DocumentDB/databaseAccounts/readonlykeys/action permission in it (see Manage locks):
  "permissions": [
    {
      "actions": [
        …
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        …
      ],
You can also customize the actions of a custom role to include the Microsoft.DocumentDB/databaseAccounts/listKeys/* action.
References:
Azure Cosmos DB read data using role based access control - Stack Overflow
Read-only access to Cosmos DB · Issue · GitHub
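To make the answer's rule concrete, here is an added example (not part of the question or answer above, and not the azurerm provider's own code). It models how an Azure Resource Manager lock decides whether a request is allowed, and parses the ScopeLocked messages that terraform apply printed so you can see which lock scope is rejecting which resource. The lock semantics encoded are the ones the answer describes: a lock on a resource group is inherited by every resource inside it; a ReadOnly lock rejects any request that is not a read (GET), which includes the POST-based List Keys calls the provider makes for storage and Cosmos DB accounts; for comparison it also models a CanNotDelete lock, which rejects only DELETE. The sample apply output and the subscription ID in it are constructed values, and the function names are the example's own.

```python
"""Model ARM lock evaluation and parse ScopeLocked errors from terraform apply.

Added example; not from the question, the answer, or the azurerm provider.
Rule encoded: locks are inherited down the scope tree, ReadOnly rejects every
non-GET request (including POST listKeys), CanNotDelete rejects only DELETE.
"""
import re
from dataclasses import dataclass

LOCK_LEVELS = ("ReadOnly", "CanNotDelete")


@dataclass(frozen=True)
class Lock:
    scope: str  # ARM resource ID the lock is attached to
    level: str  # "ReadOnly" or "CanNotDelete"


def scope_is_within(resource_id: str, lock_scope: str) -> bool:
    """True when resource_id is the lock scope itself or lies beneath it.

    ARM resource IDs are case-insensitive, so compare lower-cased, and require
    a '/' boundary so that '.../my-rg' does not also cover '.../my-rg2'.
    """
    r = resource_id.lower().rstrip("/")
    s = lock_scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def blocking_locks(resource_id: str, method: str, locks) -> list:
    """Return the locks that would reject an HTTP `method` on `resource_id`."""
    method = method.upper()
    hits = []
    for lock in locks:
        if lock.level not in LOCK_LEVELS:
            raise ValueError(f"unknown lock level {lock.level!r}")
        if not scope_is_within(resource_id, lock.scope):
            continue  # lock applies only to its own scope and children
        if lock.level == "ReadOnly" and method != "GET":
            hits.append(lock)  # ReadOnly blocks POST/PUT/PATCH/DELETE
        elif lock.level == "CanNotDelete" and method == "DELETE":
            hits.append(lock)  # CanNotDelete blocks deletion only
    return hits


# Shape of the Message ARM returns with Code="ScopeLocked"; the provider wraps
# it into a line-broken string, so whitespace between parts is matched loosely.
SCOPE_LOCKED_RE = re.compile(
    r"The scope\s+'(?P<target>[^']+)'\s+cannot perform write operation "
    r"because following scope\(s\) are locked:\s+'(?P<locked>[^']+)'"
)


def parse_scope_locked(output: str) -> list:
    """Extract (target_resource_id, locked_scope) pairs from apply output."""
    return [(m.group("target"), m.group("locked"))
            for m in SCOPE_LOCKED_RE.finditer(output)]


def diagnose(output: str, lock_level: str) -> list:
    """For each ScopeLocked error, say whether a lock of `lock_level` at the
    reported locked scope would reject the POST that List Keys needs."""
    report = []
    for target, locked in parse_scope_locked(output):
        blocked = bool(blocking_locks(target, "POST", [Lock(locked, lock_level)]))
        report.append((target.rsplit("/", 1)[-1], lock_level, blocked))
    return report


# Constructed sample modelled on the two errors in the question; the
# subscription ID is a placeholder, not a real value.
SAMPLE_OUTPUT = """\
Error: [ERROR] Unable to List Write keys for CosmosDB Account "my-cosmosdb":
documentdb.DatabaseAccountsClient#ListKeys: Failure sending request:
StatusCode=409 -- Original Error: autorest/azure: Service returned an error.
Status= Code="ScopeLocked" Message="The scope
'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.DocumentDB/databaseAccounts/my-cosmosdb'
cannot perform write operation because following scope(s) are locked:
'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg'.
Please remove the lock and try again."

Error: building Queues Client: retrieving Account Key: Listing Keys for
Storage Account "my-storage" (Resource Group "my-rg"):
storage.AccountsClient#ListKeys: Failure sending request: StatusCode=409
-- Original Error: autorest/azure: Service returned an error. Status=
Code="ScopeLocked" Message="The scope
'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/my-storage'
cannot perform write operation because following scope(s) are locked:
'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg'.
Please remove the lock and try again."
"""

if __name__ == "__main__":
    for level in LOCK_LEVELS:
        for name, lvl, blocked in diagnose(SAMPLE_OUTPUT, level):
            state = "blocked" if blocked else "allowed"
            print(f"{name}: List Keys POST under a {lvl} lock at my-rg -> {state}")
```

Running the script prints that both List Keys calls are blocked under the ReadOnly lock at my-rg and allowed under a CanNotDelete lock at the same scope, which is why the provider's GET-based reads of the same resources still succeed while the key listing fails.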

Related

Artifact's permissions issue with terraform

I am trying to create a service account using terraform and I also want to apply multiple permissions to that account using terraform.
# create artifact register
resource "google_artifact_registry_repository" "yacht-away" {
  provider      = google-beta
  location      = "asia-south1"
  repository_id = "yacht-away"
  description   = "yacht-away docker repository with iam"
  format        = "DOCKER"
}

# create service account
resource "google_service_account" "yacht-away-service-acc" {
  provider     = google-beta
  account_id   = "yacht-away-service-ac"
  display_name = "Yacht Away Service Account"
}
However, I constantly see this error. I have verified the value of location everywhere; it is the same as mentioned above. So probably that is not the issue. The service account being used by terraform has project editor access, and I have also tried after giving it owner access.
Error: Error when reading or editing Resource "artifactregistry repository \"projects/dhb-222614/locations/asia-south1/repositories/yacht-away\"" with IAM Member: Role "roles/artifactregistry.reader" Member "serviceAccount:yacht-away-service-ac#dhb-222614.iam.gserviceaccount.com": Error retrieving IAM policy for artifactregistry repository "projects/dhb-222614/locations/asia-south1/repositories/yacht-away": googleapi: Error 403: The caller does not have permission
So I don't understand where I am going wrong.

The gateway did not receive a response from 'Microsoft.Sql' within the specified time period

I am running terraform via an Azure DevOps pipeline in order to create an Azure MSSQL database along with Blob Auditing Policies. However, when I run the pipeline, I get the following error after the pipeline runs for a while. Can someone please help me identify the root cause of this issue?
Error: failure in issuing create/update request for SQL Database "Identity" Blob Auditing Policies(SQL Server ""/ Resource Group ""): sql.ExtendedDatabaseBlobAuditingPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=504 -- Original Error: autorest/azure: Service returned an error. Status=504 Code="GatewayTimeout" Message="The gateway did not receive a response from 'Microsoft.Sql' within the specified time period."
on azure-sql-server.tf line 92, in resource "azurerm_mssql_database" "sqlserver":
92: resource "azurerm_mssql_database" "sqlserver" {
failure in issuing create/update request for SQL Database "Identity" Blob Auditing Policies(SQL Server ""/ Resource Group ""): sql.ExtendedDatabaseBlobAuditingPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=504 -- Original Error:
autorest/azure: Service returned an error. Status=504
Code="GatewayTimeout" Message="The gateway did not receive a response from 'Microsoft.Sql' within the specified time period.
To resolve the above error, please try the following:
Try removing the azurerm_mssql_database_extended_auditing_policy resource and replacing it with the old extended_auditing_policy block within azurerm_mssql_database.
Using storage requires enabling 'Allow trusted Microsoft services to access this storage account' on the storage account.
Make sure you have Storage Blob Data Contributor for the storage created from terraform.
Enable System Managed Identity on the existing SQL Server.
For the workaround, try editing the state file to remove the "status": "tainted", line from the "azurerm_mssql_server" resource.
For more detail, please refer to the links below:
azure - Creating SQL Server vulnerability assessment resource using a private Storage Account fails - Stack Overflow.
mssql_server: breaking change in the azure api · Issue #8915 · hashicorp/terraform-provider-azurerm · GitHub.
Export database fails with "The gateway did not receive a response from 'Microsoft.Sql'" - Microsoft Q&A.

Deleting microsoft.web/certificates after moving between resource groups on Azure

I have moved a number of Azure resources from one subscription to another. To do so, I needed to create a new "incoming" resource group in the target subscription. After successfully moving the resources to "incoming" I could move them to the right resource groups (Azure is a bit weird in this way, but acceptable). Now I want to delete the "incoming" resource group. When looking at the resources, I see a single hidden resource of type microsoft.web/certificates. When trying to move it to the other resource group, I get the following error:
{
  "code": "ResourceMoveValidationFailed",
  "message": "The resource batch move request has '1' validation errors. Diagnostic information: timestamp '20200511T100227Z', tracking Id 'e0d6ac02-69a2-46d2-a61d-beb4303a6ce9', request correlation Id '532eb53d-6ad3-43f3-8a31-3e0319b70702'.",
  "details": [
    {
      "code": "ResourceMoveNotSupported",
      "message": "Resource move is not supported for resource types 'Microsoft.Web/certificates'."
    }
  ]
}
Is it safe to delete this resource and then delete the resource group? I don't see any resources in the target resource group of this type.
Since there are no answers to this and I received an answer from Azure support, I'll post it here for future reference:
Microsoft.Web resources have a weird nuance to them when it comes to moving them cross-subscriptions...
They must be in their original resource group they were initially deployed to
You must move all related Microsoft.Web resources that were deployed to that RG
The destination RG in the destination sub cannot already have Microsoft.Web resources in it.
The Azure resource type Microsoft.web/certificates does not support move operations between resource groups. However, it supports move operations across subscriptions.
Support Link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources#microsoftweb
You can move a certificate bound to a web without deleting the TLS bindings, as long as the certificate is moved with all other resources in the resource group.
If your web app includes an SSL certificate that you purchased externally and uploaded to the app, you must delete the certificate before moving the web app. For example, you can perform the following steps:
Delete the uploaded certificate from the web app
Move the web app
Upload the certificate to the web app

The resource is locked Cannot access the data plane because of a read lock on the resource or its parent

Team,
Using an Azure Pass - Sponsorship subscription, I have created a storage account.
Now, after creating it, when I go to the Access keys tab I get the error below.
Resource details:
Performance/Access tier: Standard/Hot
Replication: Read-access geo-redundant storage (RA-GRS)
Account kind: StorageV2 (general purpose v2)
Error message:
Access blocked
The resource is locked
Cannot access the data plane because of a read lock on the resource or its parent.
There are no locks applied to this resource.
Is the storage account not available for my subscription?
How do I resolve this error?
Please let me know if you need any other information.
You may check if you have reached the spend limit in your Azure Pass - Sponsorship subscription. Here is a similar issue:
When your usage results in charges that exhaust your spending limit, the services that you deployed are disabled for the rest of that billing period.
I would assume this means the lock is on the parent, so on the resource group. remove the lock there and try again.

Recover Azure Databricks after deletion

If an Azure Databricks workspace that contains notebooks is deleted by someone, is it possible to recover that Databricks workspace along with the notebooks?
If so, please explain how we can achieve this.
If you are looking to prevent deletion, you can set Azure Resource locks. Specifically you can set the CanNotDelete lock. This lock means authorized users can still read and modify a resource, but they can't delete the resource.
Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, the service creates two resource groups. One resource group contains an overview of the service and isn't locked. The other resource group contains the infrastructure for the service and is locked. You should lock the resource containing the service to prevent accidental deletion.
If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be deleted because it's owned by a system application.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
