Azure AD Group- Authorization_RequestDenied - Insufficient privileges to complete the operation - azure

I'm trying to create an Azure AD group using the following Terraform code through Azure DevOps.
# Create Azure AD Group in Active Directory for AKS Admins
resource "azuread_group" "aks_administrators" {
  #name            = "${azurerm_resource_group.aks_rg.name}-administrators"
  display_name     = "${azurerm_resource_group.aks_rg.name}-${var.environment}-administrators"
  description      = "Azure AKS Kubernetes administrators for the ${azurerm_resource_group.aks_rg.name}-${var.environment} cluster."
  security_enabled = true
}
I have followed these steps to give the Azure DevOps ARM service connection (service principal) permission to create Azure AD groups.
• Provide permission for Service connection created in previous step to create Azure AD Groups
• Go to -> Azure DevOps -> Select Organization -> Select project terraform-azure-aks
• Go to Project Settings -> Pipelines -> Service Connections
• Open terraform-aks-azurerm-svc-con
• Click on Manage Service Principal, new tab will be opened
• Click on View API Permissions
• Click on Add Permission
• Select an API: Microsoft APIs
• Commonly used Microsoft APIs: Supported legacy APIs: Azure Active Directory Graph-DEPRECATING Use Microsoft Graph
• Click on Application Permissions
• Check Directory.ReadWrite.All and click on Add Permission
• Click on Grant Admin consent for Default Directory
But I’m getting the following error:
Error: Creating group "xxxxxxxxxx-administrators"
│
│ with azuread_group.aks_administrators,
│ on 06-aks-administrators-azure-ad.tf line 2, in resource "azuread_group" "aks_administrators":
│ 2: resource "azuread_group" "aks_administrators" {
│
│ graphrbac.GroupsClient#Create: Failure responding to request:
│ StatusCode=403 -- Original Error: autorest/azure: Service returned an
│ error. Status=403 Code="Unknown" Message="Unknown service error"
│ Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2022-01-25T04:06:31","message":{"lang":"en","value":"Insufficient
│ privileges to complete the
│ operation."}}}]

Please check that the Microsoft Graph permission Directory.ReadWrite.All has been provided to the service connection and that it has been granted admin consent.
I tested the same in my environment, where I gave the permission to my service principal but didn't grant admin consent, like below:
When deploying the below code, it gave me an error:
provider "azuread" {}
# Create Azure AD Group in Active Directory for AKS Admins
resource "azuread_group" "aks_administrators" {
  #name            = "ans-aks-administrators"
  display_name     = "ans-aks-test-administrators"
  description      = "Azure AKS Kubernetes administrators for the ans-aks-test cluster."
  security_enabled = true
}
After granting admin consent for the permission, it gets resolved:
If the issue still occurs, then please add a new secret for the service connection's service principal and use the below code:
provider "azuread" {
  client_id     = "ClientID of the service principal"
  client_secret = "ClientSecret" # better supplied via the ARM_CLIENT_SECRET environment variable than kept in source
  tenant_id     = "<TenantID>"
}
# Create Azure AD Group in Active Directory for AKS Admins
resource "azuread_group" "aks_administrators" {
  #name            = "ans-aks-administrators"
  display_name     = "ans-aks-test-administrators"
  description      = "Azure AKS Kubernetes administrators for the ans-aks-test cluster."
  security_enabled = true
}
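The steps in the question add Directory.ReadWrite.All on the deprecated Azure AD Graph API, while the answer asks for it on Microsoft Graph. Those are two different resource service principals with independent grants, and an application permission only takes effect once admin consent has created an appRoleAssignment on the pipeline's service principal. The following Python script is an added example, not code from the post or from the Terraform provider: it reads the appRoleAssignments of the pipeline's service principal (the JSON you would get from `az rest` against `https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments`) together with the appRoles of the two Graph resource service principals, and reports which API the grant is actually on. All records are constructed; the role GUIDs are placeholders, and only the two resource appIds are the real well-known values. It also treats Group.ReadWrite.All and Group.Create as sufficient, since they are narrower than Directory.ReadWrite.All for creating groups.

```python
"""Which Graph API actually holds the service principal's app-role grants?

Added example, not code from the original post. Input is the shape Microsoft
Graph returns for GET /servicePrincipals/{id}/appRoleAssignments, plus the
appRoles lists of the resource service principals (needed to turn appRoleId
GUIDs into permission names). All records are constructed; role GUIDs are
placeholders, only the two resource appIds are the real well-known values.
"""

# Application (client) IDs of the two APIs; identical in every tenant.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # legacy, deprecated

# Application permissions on Microsoft Graph that allow creating a group.
# Group.Create / Group.ReadWrite.All are narrower than Directory.ReadWrite.All.
GROUP_CREATE_ROLES = {"Directory.ReadWrite.All", "Group.ReadWrite.All", "Group.Create"}

# Constructed resource service principals (id, appId, appRoles); placeholder GUIDs.
RESOURCE_SPS = [
    {
        "id": "aaaaaaaa-0000-0000-0000-000000000003",
        "appId": MS_GRAPH_APP_ID,
        "appRoles": [
            {"id": "11111111-1111-1111-1111-111111111111", "value": "Directory.ReadWrite.All"},
            {"id": "22222222-2222-2222-2222-222222222222", "value": "Group.ReadWrite.All"},
        ],
    },
    {
        "id": "aaaaaaaa-0000-0000-0000-000000000002",
        "appId": AAD_GRAPH_APP_ID,
        "appRoles": [
            {"id": "33333333-3333-3333-3333-333333333333", "value": "Directory.ReadWrite.All"},
        ],
    },
]

# Constructed appRoleAssignments for the pipeline's service principal. Admin
# consent on an application permission is what creates one of these rows, so
# "permission added in the portal but no row here" means consent is missing.
LEGACY_ONLY = [
    {"appRoleId": "33333333-3333-3333-3333-333333333333",
     "resourceId": "aaaaaaaa-0000-0000-0000-000000000002",
     "resourceDisplayName": "Azure AD Graph (constructed)"},
]
MSGRAPH_OK = LEGACY_ONLY + [
    {"appRoleId": "22222222-2222-2222-2222-222222222222",
     "resourceId": "aaaaaaaa-0000-0000-0000-000000000003",
     "resourceDisplayName": "Microsoft Graph (constructed)"},
]


def granted_roles(assignments, resource_sps):
    """Map resource appId -> set of permission names granted to the principal."""
    by_id = {sp["id"]: sp for sp in resource_sps}
    granted = {}
    for a in assignments:
        sp = by_id.get(a["resourceId"])
        if sp is None:
            continue  # grant on an API we were given no appRoles metadata for
        names = {r["value"] for r in sp["appRoles"] if r["id"] == a["appRoleId"]}
        granted.setdefault(sp["appId"], set()).update(names)
    return granted


def diagnose_group_create(assignments, resource_sps):
    """Return (verdict, roles): 'ok' if Microsoft Graph carries a group-creating
    permission, 'legacy-only' if only Azure AD Graph does, else 'no-consent'."""
    granted = granted_roles(assignments, resource_sps)
    on_msgraph = granted.get(MS_GRAPH_APP_ID, set()) & GROUP_CREATE_ROLES
    on_legacy = granted.get(AAD_GRAPH_APP_ID, set()) & GROUP_CREATE_ROLES
    if on_msgraph:
        return "ok", sorted(on_msgraph)
    if on_legacy:
        return "legacy-only", sorted(on_legacy)
    return "no-consent", []


if __name__ == "__main__":
    for label, rows in (("legacy-only sample", LEGACY_ONLY), ("msgraph sample", MSGRAPH_OK)):
        print(label, diagnose_group_create(rows, RESOURCE_SPS))
```

A "no-consent" verdict with the permission visible under API permissions in the portal is exactly the "added but admin consent not granted" state the answer describes; a "legacy-only" verdict means the grant sits on the API the question's steps selected, not on Microsoft Graph.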


Terraform vm deployment using shared galery issue

I'm implementing a Terraform template that deploys an Azure VM based on a custom image that resides in another tenant. I've provided permissions to an app registration, and validated that using the Az CLI I can deploy a VMSS referring to that same shared image.
However, if I use Terraform to deploy the VM, I get this error:
Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions//resourceGroups/RG-Images/providers/Microsoft.Compute/virtualMachines/VM1', however the current tenant '' is not authorized to access linked subscription '***'."
Terraform is using the app registration that was created; however, it fails with that error.
I've followed this how-to successfully, which uses the Az CLI:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/share-images-across-tenants
I understand from the error message that the user has the permissions, but the issue is between the 2 tenants, is that it? What else can I do to fix this?
Initially, please check the RBAC permissions on the two tenants, such as the Virtual Machine Contributor or Network Contributor role.
This cross-tenant issue may even be fixed in Terraform azurerm provider version 1.34.0 or later:
provider "azurerm" {
  version = "~> 1.34.0"
}
And you can make use of auxiliary_tenant_ids = ["<tenant2 Id>"] to mention both tenants while using the shared image gallery. See shared image gallery /terraform/github.com by #rajaie-algorithmia:
provider "azurerm" {
  subscription_id      = "${var.subscription_id}"
  client_id            = "${var.client_id}"
  client_secret        = "${var.client_secret}"
  tenant_id            = "${var.tenant_id}"
  auxiliary_tenant_ids = ["${var.sig_tenant_id}"] # give the other tenant Id here
}
References:
share-images-across-tenants | microsoft docs
azure portal : how-to-share-gallery-vm-images-across-azure-tenants |Ajay varma| axiom

terraform plan not working with azurerm provider

I want to create a resource group in Azure using Terraform, for which I have to configure the azurerm provider.
I created an SPN using the CLI:
# az ad sp create-for-rbac --name spn_devops_terraform --role="Contributor" --scopes="/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
"appId": "YYYYYY-YYYY-YYYY-YYYY-YYYYYYYYY",
"displayName": "spn_devops_terraform",
"password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"tenant": "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"
}
To test my SPN spn_devops_terraform, I logged in via the CLI:
az login --service-principal -u YYYYYY-YYYY-YYYY-YYYY-YYYYYYYYY -p XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --tenant XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX
then executed
az vm list --output table
and I can see the list of all the VMs.
Now here is my main.tf file:
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.0.2"
    }
  }
}
provider "azurerm" {
  features {}
  subscription_id = "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"           # copy pasted this from portal.
  client_id       = "YYYYYY-YYYY-YYYY-YYYY-YYYYYYYYY"            # this is app_id
  client_secret   = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # password
  tenant_id       = "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"           # tenant
}
I initialized Terraform with the "terraform init" command, which goes fine.
But when I execute terraform plan it just hangs for 10 minutes and I have to press CTRL + C to stop it:
Please wait for Terraform to exit or data loss may occur.
Gracefully shutting down...
Stopping operation...
╷
│ Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure sending request: StatusCode=0 -- Original Error: context canceled
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on main.tf line 10, in provider "azurerm":
│ 10: provider "azurerm" {
│
╵
What am I doing wrong? What is the fix, and is there any command in the CLI or GUI in the portal where I can see what is happening?
Tested in my environment and got the same kind of error. It looks like the service principal doesn't have the Contributor role assigned to it / doesn't have access to the subscription.
You can define the scope of the service principal while creating it:
$ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"
OR
Just go to the subscription in the portal, select Access Control (IAM) and add the role assignment Contributor to your service principal.
You can refer to this Terraform document on Authenticating using a Service Principal with a Client Secret.
Reference: Terraform unable to list provider registration status
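Before `terraform plan` does anything else, the azurerm provider lists the subscription's resource-provider registrations, which is the call that hangs in the question when the principal has no role on that subscription. Azure RBAC only inherits downwards, so a role on a different subscription, or a Reader assignment on one resource group inside the target subscription, does not help; a role at management-group scope does inherit, but a subscription's resource ID does not start with its management group's, so that ancestry has to be known separately. The following Python script is an added example, not code from the post or from Terraform: it takes role-assignment records in the shape of `az role assignment list --assignee <appId> --all -o json` (constructed here) and reports which roles actually apply at the target scope.

```python
"""Does the service principal hold a role that covers the target subscription?

Added example, not from the original post. Records are constructed in the
shape of `az role assignment list --assignee <appId> --all -o json`.
"""

TARGET_SUB = "/subscriptions/00000000-0000-0000-0000-00000000aaaa"  # constructed
SP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"              # constructed

ASSIGNMENTS = [
    # Contributor, but on a different subscription: does not help here.
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-00000000bbbb"},
    # Reader on one resource group inside the target subscription: RBAC only
    # inherits downwards, so this grants nothing at subscription scope.
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Reader",
     "scope": TARGET_SUB + "/resourceGroups/rg-app"},
    # Someone else's assignment on the target subscription.
    {"principalId": "99999999-9999-9999-9999-999999999999",
     "roleDefinitionName": "Owner", "scope": TARGET_SUB},
]

# Management groups that contain TARGET_SUB (constructed). Assignments at these
# scopes inherit into the subscription, but cannot be detected by prefix.
MG_ANCESTORS = ["/providers/Microsoft.Management/managementGroups/mg-platform"]


def scope_covers(assigned_scope: str, target_scope: str, mg_ancestors=()) -> bool:
    """True if an assignment at `assigned_scope` applies at `target_scope`."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    if t == a or t.startswith(a + "/"):
        return True  # same scope, or the target sits below the assignment
    return a in {m.rstrip("/").lower() for m in mg_ancestors}


def effective_roles(assignments, principal_id, target_scope, mg_ancestors=()):
    """Sorted role names the principal holds that apply at target_scope."""
    return sorted({
        a["roleDefinitionName"]
        for a in assignments
        if a["principalId"].lower() == principal_id.lower()
        and scope_covers(a["scope"], target_scope, mg_ancestors)
    })


def can_plan(assignments, principal_id, target_scope, mg_ancestors=()):
    """Built-in roles sufficient for `terraform plan` of a resource group.
    Custom roles are not interpreted here; inspect their actions separately."""
    roles = set(effective_roles(assignments, principal_id, target_scope, mg_ancestors))
    return bool(roles & {"Owner", "Contributor"})


if __name__ == "__main__":
    print("roles at subscription:", effective_roles(ASSIGNMENTS, SP_OBJECT_ID, TARGET_SUB, MG_ANCESTORS))
    fixed = ASSIGNMENTS + [{"principalId": SP_OBJECT_ID,
                            "roleDefinitionName": "Contributor", "scope": TARGET_SUB}]
    print("after adding Contributor on the subscription:", can_plan(fixed, SP_OBJECT_ID, TARGET_SUB))
```

Run against real output, an empty list at subscription scope while `az vm list` still works is the situation in the question: the CLI login succeeds because the credential is valid, but listing or planning against that particular subscription needs a role assignment whose scope covers it.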

Getting Insufficient privileges to complete the operation error while creating service principal from terraform

I want to create a service principal with Terraform and have written a Terraform script for that. I have an Azure DevOps pipeline in which I am running this script. The service principal which I am using to run the Terraform script has Owner access on the subscription. I am getting the below error while creating the Azure AD application:
│
│ with module.appregister.azuread_application.auth,
│ on modules/appregister/main.tf line 6, in resource "azuread_application" "auth":
│ 6: resource "azuread_application" "auth" {
│
│ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
╵
##[error]Error: The process '/agent/_work/_tool/terraform/1.0.3/x64/terraform' failed with exit code
What sort of Permissions are required to run this?
Considering service principals are created in Azure AD, the service principal used to run your Terraform script needs to have the proper permissions in Azure AD and not in the Azure subscription.
At the very least, I believe your service principal should be in either Application Administrator or Application Developer. For a complete list of Azure AD built-in roles, please see this link: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference.

give access to service principal which is in another azure tenant

We deploy resources in our Azure tenant through Jenkins, which uses Terraform to provision infra resources.
We use a service principal for authentication and infra provisioning, which is in the same tenant. In our infra deployment we also create VNet peering between the new VNet that gets deployed and our central VNet, which has all the infra resources like the monitoring and logging platform.
Now we have a use case where, using the same Jenkins and Terraform scripts, we want to provision resources in a different tenant. This can be done by using the service principal of the remote tenant.
But now the issue is that the service principal of TenantB does not have rights to create network resources in TenantA. To make this happen, the service principal of TenantB should have access to the VNet in TenantA.
I am looking for documentation or guidance on how we can give access to the service principal of TenantB in our TenantA.
Hoping that you have created a service principal using multi-tenant authentication (if single-tenant, please change the authentication method to multi-tenant), add a redirect URI https://www.microsoft.com.
After you have created the service principal you can open the below URL in a private browser for adding it on another tenant:
https://login.microsoftonline.com/<Tenant B ID>/oauth2/authorize?client_id=<Application (client in tenant A) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
It will ask for authorization on behalf of the organization; you can accept it.
After the above is done, you can log in to the portal of that tenant and go to Enterprise applications; you will see it there. Provide a role assignment for that subscription (Owner/Contributor).
After this is done you can use something like the below Terraform script:
provider "azurerm" {
  alias                = "tenantA"
  subscription_id      = "b83c1ed3-xxxxx-xxxxxx-xxxxxx-xxxxxx"  # subid for tenant A
  tenant_id            = "72f988bf-xxxxxx-xxxxx-xxxxxxx-xxxxxx" # tenantid of tenant A
  client_id            = "f6a2f33d-xxxx-xxxx-xxxxx-xxxxxxxx"    # client id of service principal in tenant A
  client_secret        = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxx"   # client secret of service principal in tenant A
  auxiliary_tenant_ids = ["ab078f81-xxxxxx-xxxxxxxx-xxxxxx"]    # tenant id of tenant B
  features {}
}
provider "azurerm" {
  alias                = "tenantB"
  subscription_id      = "88073b30-xxx-xxxxx-xxxxx-xxxxxxx"     # sub id of tenant B
  tenant_id            = "ab078f81-xxxxx-xxxxxxx-xxxxxxxxx"     # tenant id of tenant B
  client_id            = "f6a2f33d-xxxx-xxxxxx-xxxxxx-xxxxxx"   # client id of service principal in tenant A
  client_secret        = "y5L7Q~oiMOoGCxm7fK~xxxxxxxxxxxxxxxx"  # client secret of service principal in tenant A
  auxiliary_tenant_ids = ["72f988bf-xxxx-xxxxx-xxxxxxxxxx-xx"]  # tenant id of tenant A
  features {}
}
data "azurerm_resource_group" "tenantARG" {
  provider = azurerm.tenantA
  name     = "reswourcegroup"
}
data "azurerm_resource_group" "tenantBRG" {
  provider = azurerm.tenantB
  name     = "ansuman-resourcegroup"
}
data "azurerm_virtual_network" "GlobalVnet" {
  provider            = azurerm.tenantA
  name                = "ansuman-vnet"
  resource_group_name = data.azurerm_resource_group.tenantARG.name
}
data "azurerm_virtual_network" "tenantBVnet" {
  provider            = azurerm.tenantB
  name                = "test-vnet"
  resource_group_name = data.azurerm_resource_group.tenantBRG.name
}
# Peering must be created from both sides; each resource runs under the
# provider for the tenant that owns the local VNet.
resource "azurerm_virtual_network_peering" "example-1" {
  provider                  = azurerm.tenantA
  name                      = "peer1to2"
  resource_group_name       = data.azurerm_resource_group.tenantARG.name
  virtual_network_name      = data.azurerm_virtual_network.GlobalVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.tenantBVnet.id
}
resource "azurerm_virtual_network_peering" "example-2" {
  provider                  = azurerm.tenantB
  name                      = "peer2to1"
  resource_group_name       = data.azurerm_resource_group.tenantBRG.name
  virtual_network_name      = data.azurerm_virtual_network.tenantBVnet.name
  remote_virtual_network_id = data.azurerm_virtual_network.GlobalVnet.id
}
Note: In my test case, I used 2 VNets present in different tenants. I created a service principal in tenant A, provided Contributor permissions to it in tenant B using the above method, and then used Terraform to perform the VNet peering.

Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name. Error: ExpiredServicePrincipal

When the release is triggered on Azure DevOps, it fails on the 'App Service Deployment' stage with this error: ExpiredServicePrincipal
The error may be caused by the secret of your service principal having expired; the service principal is the one used in your service connection in the DevOps org.
Navigate to Azure Active Directory in the Azure portal, making sure you select the correct AAD tenant which the service principal belongs to. In App registrations, search for the client ID of the service principal (you can find it in the service connection) and find the AD app related to it. Under Certificates & secrets, click New client secret, then copy it and update the Service Principal Key in your service connection, then verify the connection.
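A practitioner usually wants to know which secret expired and whether any other one is still usable before creating a replacement. The Python script below is an added example, not code from the post or from Azure DevOps: it takes the passwordCredentials of an app registration in the shape of `az ad app credential list --id <appId> -o json` (records and the "now" timestamp are constructed) and classifies each secret as expired, expiring within a warning window, or valid. The `hint` field carries the first characters of the secret value, which is what lets you match a record to the key stored in a service connection. Graph timestamps end in Z and carry seven fractional digits, which older `datetime.fromisoformat` versions reject, so the parser normalises them first.

```python
"""Find expired or soon-to-expire client secrets on an app registration.

Added example, not from the original post. Input is the shape of
`az ad app credential list --id <appId> -o json` (Graph passwordCredential
objects); the records and the "now" timestamp below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed: Graph emits ISO 8601 with a trailing Z and seven fractional digits.
CREDENTIALS = [
    {"keyId": "0a0a0a0a-0000-0000-0000-000000000001", "displayName": "devops-2020",
     "hint": "Xq3", "endDateTime": "2021-12-31T00:00:00.0000000Z"},
    {"keyId": "0a0a0a0a-0000-0000-0000-000000000002", "displayName": "devops-2021",
     "hint": "k9~", "endDateTime": "2022-02-10T09:15:00.1234567Z"},
    {"keyId": "0a0a0a0a-0000-0000-0000-000000000003", "displayName": "devops-2022",
     "hint": "Pw7", "endDateTime": "2023-06-01T00:00:00Z"},
]
NOW = datetime(2022, 1, 25, 4, 6, 31, tzinfo=timezone.utc)  # constructed "now"


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph timestamp into an aware UTC datetime."""
    s = value.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    # fromisoformat on Python < 3.11 wants exactly 3 or 6 fractional digits;
    # pad or truncate whatever Graph sent to 6.
    s = re.sub(r"\.(\d+)", lambda m: "." + (m.group(1) + "000000")[:6], s, count=1)
    dt = datetime.fromisoformat(s)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def classify_credentials(creds, now=NOW, warn_days=30):
    """One row per secret: expired / expiring (within warn_days) / valid."""
    rows = []
    for c in creds:
        end = parse_graph_time(c["endDateTime"])
        remaining = end - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "valid"
        rows.append({"keyId": c["keyId"], "name": c.get("displayName"),
                     "hint": c.get("hint"), "status": status,
                     "days_left": remaining.days})
    return rows


def usable_secret_exists(creds, now=NOW):
    """True if at least one secret has not expired yet."""
    return any(r["status"] != "expired" for r in classify_credentials(creds, now))


if __name__ == "__main__":
    for r in classify_credentials(CREDENTIALS):
        print(f'{r["status"]:9} {r["days_left"]:5d}d  hint={r["hint"]}  {r["name"]}')
```

When rotating, create the new secret and update the service connection before deleting the old one, so that in-flight releases keep a valid credential; the `expiring` rows are the ones to rotate on the next maintenance window rather than after the first failed release.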
