Terraform Azure Application Insights failing with 401 on random resources after Azure AD issues - terraform

I have a terraform library of different azure resources that were working fine the other day. Since the Azure AD failure I can't run a terraform plan anymore without random Application Insights resources failing due to 401 Unauthorized.
Tried re-running az login but unfortunately still receiving issues.
Every plan is resulting in a different application insight resource throwing a 401.
Error: Error making Read request on AzureRM Application Insights
'{resource-name}': insights.ComponentsClient#Get: Failure responding
to request: StatusCode=401 -- Original Error: autorest/azure: Service
returned an error. Status=401 Code="Unauthorized"
Message="Unauthorized"
InnerError={"diagnosticcontext":"1b8e2cf0-5fd5-4a0d-9b75-1093e63ecd18","time":"2020-09-29T16:32:34.3731943Z"}

Have you tried re-initializing your Terraform backend? Doing this sequence just resolved the issue for me.
az login
terraform init
terraform plan

Related

Azure Service Principal - Terraform - Error when refreshing state

I'm working on a Terraform project in which I setup several Azure resources.
One of these Azure resources is a service principal (linked to an app registration) which I use to deploy my Terraform code in a CI/CD pipeline via Github actions.
When developing locally, I use az login to authenticate, but occasionally I'm receiving an error for the Terraform app service principal. Most of the time, when I re-run terraform apply, the error is not raised. Sometimes the error persists for several terraform apply calls.
Error: Retrieving Application with object ID "fe2b93b7-e26c-402c-ab4f-87e3695c1f45" with module.app_registrations.azuread_application.terraform_app on ../modules/app_registrations/terraform.tf line 56, in resource "azuread_application" "terraform_app": 56: resource "azuread_application" "terraform_app" { ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/beta/b859b851-97d8-4dc2-bf56-f2a5bc5c494b/applications/fe2b93b7-e26c-402c-ab4f-87e3695c1f45": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
I'm having a hard time understanding why I'm able to generate this service principal using my user credentials via Terraform, but am receiving this retrieval error when refreshing the state of the same service principal. When I'm deploying the Terraform code via Github Actions, which uses the service principal to authenticate, this retrieval error is never raised.
Can anyone point me in the right direction?
I've already added the Application administrator role to my user credentials and added the Application.ReadWrite.All role to the Terraform service principal. The above error when refreshing the state using user credentials via az login persists.

Terraform azure automation fails after the first deployment

I have a silly question.
I am trying to deploy an azure web app using terraform. I have a task to build the code and drop it as an artefact; this works just fine. So I moved to the release process as follows.
My code has a backend configuration in which I am saving my terraform.tfstate. To be able to access this I create an Azure Resource Manager service principal.
Now this works just perfectly for all my stages. I am able to create the resource group and the web app, and the terraform.tfstate gets saved in the container which is under the Azure Resource Manager.
But here is my problem. If I update my code local and push it to GitHub the pipeline builds the artefact and the release triggers, but at the plan stage it fails with the following error.
reading resource group: resources.GroupsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'XXXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/XXXX/resourcegroups/rg-hri-stg-eur-configurations' or the scope is invalid. If access was recently granted, please refresh your credentials."
I do understand that once the resource group exists, I don't have permission to perform any action on it, such as plan, apply or destroy.
I was wondering how I can set an Azure Resource Manager for those pipelines to access this specific resource group once it has been created?
Thank you very much for any advice or help you can provide me with.
I found the issue. A silly one to be honest. My ARM resource was targeting a specific resource group (the one in which I keep my terraform states), so it was not working when trying to update a resource. I changed the scope of the ARM resource to subscription level and everything works fine now. Thank you so much for your help guys.

Azure terraform storage account permission

I want to learn more about Azure OpenVPN configurations and how they work. So looking around I found an open source project on GitHub, at the following link:
https://github.com/terraform-azurerm-examples/example-hub.git (Thank you for your code)
I set all the variables I wanted, and removed the version from the azure provider.
But when I run terraform apply, I got an error on the azure Storage account.
The error is this one:
Error: reading queue properties for AzureRM Storage Account "examplehubw6sr1wyncn": queues.Client#GetServiceProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:cce5a313-b003-005c-2bb2-9d8a2f000000\nTime:2021-08-30T15:19:07.9036073Z"
As far as I understand, the error is due to setting secret permissions, which I did update, giving Get, List and Set, but the error keeps showing up.
I am using terraform version 0.14.5 and my azurerm version is 2.74.0.
I never had this type of error; on my subscription I have the administrator role.
Did anyone get this error and know how to solve it? I would really appreciate your help.
The error is probably because your user does not have data plane permissions on your storage account, which is where Terraform wants to put the state file. Give your user the Storage Blob Data Contributor role: https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal
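Both 403s in this thread, the AuthorizationFailed on reading the resource group (which the asker resolved by widening the ARM service connection to subscription scope) and the AuthorizationPermissionMismatch on the state storage account (answered above with Storage Blob Data Contributor), come down to which RBAC assignments the identity running Terraform holds. The following is an added example, not code from any of the posts or from the linked example-hub project, that declares those assignments as Terraform resources so they are scoped narrowly and reviewable; the storage account ID, target resource group ID and pipeline principal object ID are assumed placeholders supplied as variables.

```terraform
# Added example (not from the posts above): grant the identity that runs
# Terraform only the roles the two 403 errors in this thread ask for.
provider "azurerm" {
  features {}
}

# The identity currently authenticated (az login user or pipeline SP).
data "azurerm_client_config" "current" {}

# Assumed placeholders: fill from `az storage account show` / `az group show`.
variable "state_storage_account_id" {
  type        = string
  description = "Resource ID of the storage account holding terraform.tfstate"
}

variable "target_resource_group_id" {
  type        = string
  description = "Resource ID of the resource group Terraform manages"
}

variable "pipeline_principal_object_id" {
  type        = string
  description = "Object ID of the CI/CD service principal (assumed placeholder)"
}

# Data-plane access to the state container for the local user, scoped to
# that one storage account rather than the whole subscription.
resource "azurerm_role_assignment" "state_blob_data" {
  scope                = var.state_storage_account_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

# The queue properties read in the question is a queue data-plane call; blob
# roles do not cover it, the separate queue data role does.
resource "azurerm_role_assignment" "state_queue_data" {
  scope                = var.state_storage_account_id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Control-plane access for the pipeline: instead of a subscription-wide
# assignment, Contributor on only the resource group it actually manages,
# which is enough for the resourcegroups/read action in the 403 above.
resource "azurerm_role_assignment" "pipeline_rg_contributor" {
  scope                = var.target_resource_group_id
  role_definition_name = "Contributor"
  principal_id         = var.pipeline_principal_object_id
}
```

Whoever applies this needs Owner or User Access Administrator on each scope, since role assignment writes are themselves a privileged action. A new assignment can take a few minutes to propagate, which is what the "If access was recently granted, please refresh your credentials" text in the 403 above refers to.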

Unable to provision Application Insight resource using Terraform

I am facing an issue while trying to provision an Application Insight resource in our subscription using Terraform.
Terraform spits out the following error:
azurerm_application_insights.global_app_function_insight: Error
creating Application Insights "hub-deployer-insight-globalsg"
(Resource Group "hub-globalsg-rg"):
insights.ComponentsClient#CreateOrUpdate: Failure sending request:
StatusCode=409 -- Original Error: autorest/azure: Service returned an
error. Status= Code="MissingRegistrationForLocation" Message="The
subscription is not registered for the resource type 'components' in
the location 'northcentralus'. Please re-register for this provider in
order to have access to this location."
I have tried unregistering then re-registering the provider in the subscription in question, but the issue remains. Has anyone experienced a similar issue so far?
I've researched the issue a bit, but none were related to Terraform. Some were related to the .NET SDK version people were using, so maybe it's an issue with the Azure SDK for Go... or maybe an issue with our subscription...
terraform_version: 0.11.8
provider-azurerm_version: 1.19.0
This issue is not terraform related. I've seen this happen sometimes. Try deploying application insights to the northcentralus region from the portal and then try using terraform.

Can't delete Kubernetes Service - Azure

Didn't provision properly. In a provisioning state of failed. I get the following when trying to delete from portal/Azure CLI:
Failed to delete container service 'GTK8s'. Error: 'autorest/azure: Service returned an error. Status=401 Code="InvalidAuthenticationToken" Message="The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant."'
I can't see a service principal relating to this application in Azure AD.
Deleting the resource group worked for me. Thx for the suggestion #4c74356b41