Terraform azure automation fails after the first deployment - azure

I have a silly question.
I am trying to deploy an Azure web app using Terraform. I have a task to build the code and drop it as an artefact; this works just fine. So I moved to the release process as follows.
My code has a backend configuration in which I am saving my terraform.tfstate. To be able to access this I created an Azure Resource Manager service principal.
Now this works just perfectly for all my stages. I am able to create the resource group and the web app, and the terraform.tfstate gets saved in the container which is under the Azure Resource Manager.
But here is my problem. If I update my code locally and push it to GitHub, the pipeline builds the artefact and the release triggers, but at the plan stage it fails with the following error.
reading resource group: resources.GroupsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'XXXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/XXXX/resourcegroups/rg-hri-stg-eur-configurations' or the scope is invalid. If access was recently granted, please refresh your credentials."
I do understand that once the resource group exists, I don't have permission to perform any action on it, such as plan, apply or destroy.
I was wondering how I can set up an Azure Resource Manager connection for those pipelines to access this specific resource group once it has been created?
Thank you very much for any advice or help you can provide me with.

I found the issue. A silly one, to be honest. My ARM resource was targeting a specific resource group (the one in which I keep my Terraform states), so it was not working when trying to update a resource. I changed the scope of the ARM resource to subscription level and everything works fine now. Thank you so much for your help, guys.

Related

Only update Terraform resource after previously-depended-on resources are deleted

One of the ways of creating an API Gateway on AWS with Terraform requires creating a resource for each method/route and each integration (the resource that handles the request), along with an API deployment.
When we remove the resources for a route from our configuration, Terraform detects the change and deletes the integration, Lambda etc. But this also needs a deployment. Since the dependent resources are deleted, they are not part of any depends_on clause. This results in the following behavior:
The deployment is created prior to deleting the resources from the API Gateway. So the old resources are still part of the API Gateway at the time the deployment is done. Since a deployment is a snapshot of the resources configured at this time, the old resource is still part of the snapshot.
How can we tell Terraform that the API deployment resource should only be updated after all other resources (no longer in the template at this point) are destroyed?

Azure terraform storage account permission

I want to learn more about Azure OpenVPN configurations and how they work. So, looking around, I found an open source project on GitHub at the following link:
https://github.com/terraform-azurerm-examples/example-hub.git (Thank you for your code)
I set all the variables I wanted, and removed the version from the Azure provider.
But when I run terraform apply, I get an error on the Azure storage account.
The error is this one:
Error: reading queue properties for AzureRM Storage Account "examplehubw6sr1wyncn": queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:cce5a313-b003-005c-2bb2-9d8a2f000000\nTime:2021-08-30T15:19:07.9036073Z"
As far as I understand, the error is due to setting secret permissions, which I did update, giving Get, List and Set, but the error keeps showing up.
I am using Terraform version 0.14.5
and my azurerm version is 2.74.0
I never had this type of error; on my subscription I have the administrator role.
Did anyone get this error and know how to solve it? I would really appreciate your help.
The error is probably because your user does not have data plane permissions on your storage account, which is where Terraform wants to put the state file. Give your user the Storage Blob Data Contributor role: https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal
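Rather than widening the service connection to the whole subscription as the first post did, the following Terraform (added here; it is not code from either post or from the linked project) grants a pipeline service principal only the two things these two threads needed: Contributor on the workload resource group and a data-plane role on the state container. The object id variable, the state storage account, its resource group and the container name are placeholders.

```hcl
# Added example (not from either post): least-privilege RBAC for the pipeline
# service principal, so it can manage the workload resource group and reach
# the state container without a subscription-wide service connection.
# Assumed (hypothetical) values: var.pipeline_sp_object_id, storage account
# "ststate" in resource group "rg-tfstate", state container "tfstate".

data "azurerm_resource_group" "workload" {
  name = "rg-hri-stg-eur-configurations" # the RG from the 403 in the first post
}

data "azurerm_storage_account" "state" {
  name                = "ststate"    # hypothetical
  resource_group_name = "rg-tfstate" # hypothetical
}

# Control plane: Contributor on the workload RG only. This is the
# 'Microsoft.Resources/subscriptions/resourcegroups/read' right the first
# post's SP lacked while its connection was scoped to the state RG.
resource "azurerm_role_assignment" "workload_contributor" {
  scope                = data.azurerm_resource_group.workload.id
  role_definition_name = "Contributor"
  principal_id         = var.pipeline_sp_object_id
}

# Data plane: 'AuthorizationPermissionMismatch' (second post) is a storage
# data-plane denial that Owner/Contributor on the subscription does not cover.
# Scope the role to the state container rather than the whole account.
resource "azurerm_role_assignment" "state_blob_data" {
  scope                = "${data.azurerm_storage_account.state.id}/blobServices/default/containers/tfstate"
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.pipeline_sp_object_id
}

# Note: if the azurerm backend keeps its default account-key authentication,
# the SP also needs a control-plane role on the state storage account that
# allows listing keys; setting use_azuread_auth = true in the backend block
# makes the data-plane role above sufficient and avoids handling the key.
```

Review the resulting assignments with `az role assignment list --assignee <object-id>` after apply, so the SP holds nothing beyond these two scopes.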

Terraform Azure Application Insights failing with 401 on random resources after Azure AD issues

I have a Terraform library of different Azure resources that were working fine the other day. Since the Azure AD failure I can't run a terraform plan anymore without random Application Insights resources failing due to 401 Unauthorized.
Tried re-running az login, but unfortunately I'm still receiving issues.
Every plan results in a different Application Insights resource throwing a 401.
Error: Error making Read request on AzureRM Application Insights
'{resource-name}': insights.ComponentsClient#Get: Failure responding
to request: StatusCode=401 -- Original Error: autorest/azure: Service
returned an error. Status=401 Code="Unauthorized"
Message="Unauthorized"
InnerError={"diagnosticcontext":"1b8e2cf0-5fd5-4a0d-9b75-1093e63ecd18","time":"2020-09-29T16:32:34.3731943Z"}
Have you tried re-initializing your Terraform backend? Doing this sequence just resolved the issue for me.
az login
terraform init
terraform plan

Arm template validation fails through Azure Devops release, works from powershell and test-AzResourceGroupDeployment

I have a release set up that I'm trying to get out through Azure DevOps release pipelines. This is based on another release that I've cloned and which works fine.
The issue is that the template is failing a validation check and not going any further. The strange thing is I'm able to check the syntax successfully with New-AzResourceGroupDeployment and Test-AzResourceGroupDeployment. It reports no errors and has been deploying fine.
Using an Azure DevOps release, the error coming back is:
2020-02-26T12:26:16.2632844Z ==============================================================================
2020-02-26T12:26:16.2633634Z Task : ARM template deployment
2020-02-26T12:26:16.2634204Z Description : Deploy an Azure Resource Manager (ARM) template to all the deployment scopes
2020-02-26T12:26:16.2634534Z Version : 3.1.19
2020-02-26T12:26:16.2634945Z Author : Microsoft Corporation
2020-02-26T12:26:16.2635504Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment
2020-02-26T12:26:16.2635948Z ==============================================================================
2020-02-26T12:26:16.8677026Z ARM Service Conection deployment scope - Subscription
2020-02-26T12:26:16.8760315Z Checking if the following resource group exists: myResourceGroup.
2020-02-26T12:26:17.2234188Z Resource group exists: true.
2020-02-26T12:26:17.2259290Z Creating deployment parameters.
2020-02-26T12:26:17.2558066Z The detected encoding for file 'd:\a\r1\a\_Azure-Infrastructure\myResourceGroup\deployment\azuredeploy.json' is 'utf-8'
2020-02-26T12:26:17.2561303Z The detected encoding for file 'd:\a\r1\a\_Azure-Infrastructure\myResourceGroup\deployment\param.dev.json' is 'utf-8'
2020-02-26T12:26:17.5304032Z Starting template validation.
2020-02-26T12:26:17.5304834Z Deployment name is Release-vstfs:///ReleaseManagement/Release/95
2020-02-26T12:26:17.5877973Z ##[warning]Validation errors were found in the Azure Resource Manager template. This can potentially cause template deployment to fail. Template validation failed. Error: {"message":"No HTTP resource was found that matches the request URI 'https://management.azure.com/subscriptions/mySubscription/resourcegroups/myResourceGroup/providers/Microsoft.Resources/deployments/Release-vstfs:/ReleaseManagement/Release/95/validate?api-version=2017-05-10'."}.. Please follow https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax
2020-02-26T12:26:17.5890527Z Starting Deployment.
2020-02-26T12:26:17.5891348Z Deployment name is Release-vstfs:///ReleaseManagement/Release/95
2020-02-26T12:26:17.6289831Z There were errors in your deployment. Error code: undefined.
2020-02-26T12:26:17.6291819Z ##[error][object Object]
2020-02-26T12:26:17.6295387Z ##[error]Task failed while creating or updating the template deployment.
2020-02-26T12:26:17.6399260Z ##[section]Finishing: ARM Template deployment: Resource Group scope
Looking at the log above, I'm not sure if it's failing on the validation errors or on the error near the end with an undefined error code.
The task is from another subscription and it's listed in the Azure Resource Manager connection on the task, and it also lists the subscription and the resource groups in the subscription.
Does anyone have any ideas on how I can get this working, or where to start troubleshooting?
Your deployment name is:
Release-vstfs:/ReleaseManagement/Release/95
I'm fairly certain that's not allowed (the '/'). So you need to set your deployment name to something reasonable.
PS: the ':' might not be allowed as well.
Did you look at the Activity Log in the Azure portal?
All deployment attempts are logged there. Look in particular at the JSON pane; often the real issue is only displayed there.
Otherwise, if it doesn't reach Azure, can you double-check the service connection in Azure DevOps (in particular the related user permissions in Azure)?

Unable to provision Application Insight resource using Terraform

I am facing an issue while trying to provision an Application Insights resource in our subscription using Terraform.
Terraform spits out the following error:
azurerm_application_insights.global_app_function_insight: Error
creating Application Insights "hub-deployer-insight-globalsg"
(Resource Group "hub-globalsg-rg"):
insights.ComponentsClient#CreateOrUpdate: Failure sending request:
StatusCode=409 -- Original Error: autorest/azure: Service returned an
error. Status= Code="MissingRegistrationForLocation" Message="The
subscription is not registered for the resource type 'components' in
the location 'northcentralus'. Please re-register for this provider in
order to have access to this location."
I have tried unregistering and then re-registering the provider in the subscription in question, but the issue remains. Has anyone experienced a similar issue so far?
I've researched the issue a bit, but none of what I found was related to Terraform. Some were related to the .NET SDK version people were using, so maybe it's an issue with the Azure SDK for Go... or maybe an issue with our subscription...
terraform_version: 0.11.8
provider-azurerm_version: 1.19.0
This issue is not Terraform related. I've seen this happen sometimes. Try deploying Application Insights to the northcentralus region from the portal and then try using Terraform.