Terraform "azurerm_storage_share" file share gives 403 - azure

From a VSTS release definition Terraform task, create the RG, VNet and subnet with:
service_endpoints = ["Microsoft.Storage"]
Then the public IP, NSG and vNIC.
Then create the Azure storage account, with:
network_rules {
  virtual_network_subnet_ids = ["${azurerm_subnet.main.id}"]
}
When I try to create a storage share:
resource "azurerm_storage_share" "someshare" { ...
this gives a 403. Even giving the service principal Owner permissions makes no difference. I resorted to using a PowerShell follow-on script as another task to add the file shares. Can Terraform do this?
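The 403 here is a storage firewall decision, not an RBAC one: the share is created through the Files data-plane API, and as soon as network_rules is set the account's default_action becomes Deny, so a request from a hosted build agent that is not in the allowed subnet is rejected whatever role the service principal holds (the management-plane calls that create the account and list its keys still succeed, which is why only the share step fails). The following is an added example, not code from the original question; resource names, the subnet reference and the agent IP 203.0.113.10 are assumptions, and it uses azurerm provider 3.x syntax. It creates the share first and only then applies the firewall with the standalone network rules resource, and it allow-lists the agent IP because later terraform plan runs still read the share through the data plane.

```hcl
# Added example (not from the original post). Names, the subnet and the
# agent IP are assumptions; azurerm provider 3.x.

resource "azurerm_storage_account" "main" {
  name                     = "stexample123"
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # No inline network_rules block here: the firewall is applied by the
  # separate resource below, after the share exists.
}

resource "azurerm_storage_share" "someshare" {
  name                 = "someshare"
  storage_account_name = azurerm_storage_account.main.name
  quota                = 50
}

# Lock the account down only once the data-plane work is done.
resource "azurerm_storage_account_network_rules" "main" {
  storage_account_id = azurerm_storage_account.main.id

  default_action             = "Deny"
  bypass                     = ["AzureServices"]
  virtual_network_subnet_ids = [azurerm_subnet.main.id]

  # Public IP of the build agent (assumed). Without it, every later plan
  # that reads the share through the data plane gets the same 403.
  ip_rules = ["203.0.113.10"]

  depends_on = [azurerm_storage_share.someshare]
}
```

If the agent runs on a Microsoft-hosted pool its egress IP changes between runs, so the ip_rules entry will not hold; in that case run the agent from a self-hosted VM inside the allowed subnet, or use a private endpoint, rather than widening the firewall to all networks.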

Related

Error: Failed to get existing workspaces: containers.Client#ListBlobs:

Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:XXX"
I am using Azure Storage as the Terraform backend. It was working fine. I removed a private endpoint for the storage from the configuration and did terraform apply. It started giving me this error. Is there a need for a private endpoint for storing Terraform state in Azure Storage? Also, I am not sure why I got the above error. I am unable to do terraform init with this error.
I tried in my environment and got below results:
main.tf:
provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}
provider "azuread" {
}
data "azurerm_resource_group" "example" {
  name = "< Resource group name >"
}
data "azurerm_storage_account" "example" {
  name                = "venkat123"
  resource_group_name = data.azurerm_resource_group.example.name
}
terraform {
  backend "azurerm" {
    resource_group_name  = "< Resource group name >"
    storage_account_name = "venkat123"
    container_name       = "test"
    key                  = "terraform.tfstate"
  }
}
Before running the code, make sure you are logged in with your credentials:
az login --tenant <tenant ID>
az account set --subscription <subscription ID>
(Console screenshot omitted.)
Yes, you can access the storage account without private endpoints.
(Portal screenshot omitted.)
containers.Client#ListBlobs: Failure responding to request:
StatusCode=403 -- Original Error: autorest/azure: Service returned an
error. Status=403 Code="AuthorizationFailure" Message="This request is
not authorized to perform this operation.\nRequestId:XXX"
The above error shows that the caller does not have proper permission to access the Azure Blob storage.
Check the firewall settings under Networking:
If you are accessing it publicly, select "All networks".
If you enabled "Selected networks", add the virtual networks, add your client IP address, and also enable "Allow trusted Microsoft services to access this storage account"; this allows you to access the storage account.
Make sure that you have the necessary permission, such as the Contributor and User Access Administrator roles and the Storage Blob Data Owner role.
Reference:
Creating Azure Storage Containers in a storage account with network rules, with Terraform by Ansuman Bal

Terraform : How to attach NSG and Service Endpoints in subnet provision

Is there a way in azurerm to provision a subnet with an NSG attachment and also provision service endpoints? This is considering we have a policy to enforce an NSG on the subnet. So, if the subnet is a separate resource (as a separate resource, nsg_id is not a parameter anymore), it would fail the policy.
As a sub-resource under the vnet, it can attach an nsg_id, but it does not have parameters to provision a service endpoint or service delegation.
You could deploy a service endpoint or service delegation with the Terraform local-exec provisioner or remote-exec provisioner to invoke PowerShell or CLI scripts after a resource is created.
For example, you can use az network vnet subnet update to enable a service endpoint on the subnet.
resource "null_resource" "example" {
  # Runs once when the null_resource is created (after the resources it
  # references exist); taint it to re-run the command.
  provisioner "local-exec" {
    command     = "az network vnet subnet update -g ${azurerm_resource_group.example.name} -n 'subnet1' --vnet-name ${azurerm_virtual_network.example.name} --service-endpoints 'Microsoft.Sql'"
    interpreter = ["PowerShell", "-Command"]
  }
}
For more references, you could read this blog- Multi-line PowerShell in Terraform.
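A provisioner is not needed for this: the standalone azurerm_subnet resource takes service_endpoints and delegation as native arguments, and the NSG is attached with azurerm_subnet_network_security_group_association. The block below is an added example, not part of the answer above; names and the 10.0.1.0/24 prefix are assumptions, and it uses azurerm 3.x syntax (address_prefixes).

```hcl
# Added example (not from the original answer). Names and prefixes are
# assumptions; azurerm provider 3.x.

resource "azurerm_subnet" "example" {
  name                 = "subnet1"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  # Service endpoints are a native argument on the standalone subnet.
  service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"]

  # Service delegation is native too (ACI chosen here only as an example).
  delegation {
    name = "aci"
    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_network_security_group" "example" {
  name                = "subnet1-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Attaches the NSG; the subnet's nsg_id is managed here, not on the subnet.
resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}
```

One caveat for the policy case in the question: the association is a second PUT on the subnet after it has been created, so an Azure Policy with a Deny effect that checks for networkSecurityGroup.id at subnet creation time will still reject the first PUT. Against such a policy the inline subnet block inside azurerm_virtual_network (which carries security_group) is the only way to create the subnet with the NSG already attached; the 4.x provider also exposes service_endpoints and delegation on that inline block, which removes the original dilemma.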

Deploy azure resource in prebuilt resource group using terraform

I have one resource group in my Azure subscription named "demoterraform".
Now I would like to create one Windows VM in this resource group. So, how do I deploy a new VM in the existing resource group?
Use the azurerm_resource_group data source.
data "azurerm_resource_group" "demo" {
name = "demoterraform"
}
In the rest of the code you can refer to it with an expression such as data.azurerm_resource_group.demo.id.
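As an added example (not from the answer above) of what "refer to it" looks like in practice, here is a minimal Windows VM placed in the pre-existing group: every resource takes its resource_group_name and location from the data source, so Terraform never tries to create or delete the group. All names, address ranges and the VM size are assumptions; the VM is given no public IP, and the admin password comes from a sensitive variable rather than the config file.

```hcl
# Added example (not from the original answer). Names, ranges and size are
# assumptions; azurerm provider 3.x.

data "azurerm_resource_group" "demo" {
  name = "demoterraform"
}

variable "admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_virtual_network" "demo" {
  name                = "demo-vnet"
  resource_group_name = data.azurerm_resource_group.demo.name
  location            = data.azurerm_resource_group.demo.location
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "demo" {
  name                 = "demo-subnet"
  resource_group_name  = data.azurerm_resource_group.demo.name
  virtual_network_name = azurerm_virtual_network.demo.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Private NIC only: no public IP, so the VM is reachable just from the VNet.
resource "azurerm_network_interface" "demo" {
  name                = "demo-nic"
  resource_group_name = data.azurerm_resource_group.demo.name
  location            = data.azurerm_resource_group.demo.location

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.demo.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_windows_virtual_machine" "demo" {
  name                  = "demo-vm"
  resource_group_name   = data.azurerm_resource_group.demo.name
  location              = data.azurerm_resource_group.demo.location
  size                  = "Standard_B2s"
  admin_username        = "azureadmin"
  admin_password        = var.admin_password
  network_interface_ids = [azurerm_network_interface.demo.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2019-Datacenter"
    version   = "latest"
  }
}
```

Run with the password supplied out of band, e.g. TF_VAR_admin_password in the environment, so it never lands in a .tf file or in version control.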

Terraform - Azure as a provider and limited access account

I want to deploy some resources on Azure with Terraform.
On Azure, I have an account with "Owner rights" on one Resource Group only(RGName). Not at the subscription level.
From my linux server, I installed "az cli" and I did "az login". At this step, everything is OK.
The problem appears when I want to execute terraform to create one resource.
Content of provider.tf (the only one .tf file for now) :
provider "azurerm" {
}
If I do a "terraform plan", it works.
If I add the following line, it fails. Please see the error at the end :
resource "azurerm_virtual_network" "myterraformnetwork" {
  name                = "myVnet"
  address_space       = ["10.0.0.0/16"]
  location            = "eastus"
  resource_group_name = "RGName"
  tags = {
    environment = "Terraform Demo"
  }
}
I do not have right on subscription level but I do not need to.
With the Azure WebUI I can create resource on this Resource Group without problem.
The error :
Error: Error ensuring Resource Providers are registered: Cannot register provider Microsoft.DevSpaces with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'accountName' with object id 'IDaccountName' does not have authorization to perform action 'Microsoft.DevSpaces/register/action' over scope '/subscriptions/subscriptionID' or the scope is invalid. If access was recently granted, please refresh your credentials.".
on provider.tf line 1, in provider "azurerm":
1: provider "azurerm" {
Thank you all!
If anyone else has this issue in a corporate (restricted) Azure environment, and doesn't have the patience to register the provider (which may not be necessary if you don't use the specified terraform resource) - have a look at https://github.com/terraform-providers/terraform-provider-azurerm/issues/4440
Specifically, this may help:
provider "azurerm" {
  skip_provider_registration = true
}
It obviously won't help if you actually need the resource that fails to get registered (in our case it was Cannot register provider Microsoft.DevSpaces with Azure Resource Manager, but the resource will be variable depending on your environment and what Terraform decides to support)
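The error is worth reading precisely: the provider, by default, calls Microsoft.*/register/action at subscription scope for every resource provider it knows about, and an Owner on a single resource group has no rights at that scope. Skipping registration is therefore the correct fix for an RG-scoped identity, provided the providers the configuration actually uses (Microsoft.Network for the vnet here) are already registered on the subscription. The block below is an added example, not the answer's own code, pinning the subscription as well so Terraform does not pick a default subscription where the identity has no rights; the variable name is an assumption.

```hcl
# Added example (not from the original answer). Variable name assumed;
# azurerm provider 3.x.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

variable "subscription_id" {
  type = string
}

provider "azurerm" {
  features {}

  # The subscription that holds RGName; avoids relying on the CLI default.
  subscription_id = var.subscription_id

  # Do not attempt subscription-scoped Microsoft.*/register/action calls,
  # which an Owner on a single resource group is not allowed to perform.
  # Every provider a resource needs must already be registered by someone
  # who has rights on the subscription.
  skip_provider_registration = true
}
```

Before relying on this, confirm the providers you use are registered: az provider show -n Microsoft.Network --query registrationState -o tsv should print Registered. In azurerm 4.x the argument was replaced by resource_provider_registrations = "none", and subscription_id became mandatory.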
For your issue, when you have the Owner role on the resource group, you can create new resources or manage the existing resources as you want. So permission is no problem. With a test on my side, it works well using a user who has the Owner role on the resource group.
As the error shows, I think the possible reason is that you have multiple subscriptions in the tenant and the current subscription is not the right one in which the user has the right permission. You can check and set the right subscription via the command:
az account set --subscription subscription_id
Thank you for your answer.
I got this when I executed "az account list":
[
  {
    "cloudName": "AzureCloud",
    "id": "***********0d43",
    "isDefault": true,
    "name": "BU*******",
    "state": "Enabled",
    "tenantId": "TENANTID",
    "user": {
      "name": "LOGINNAME",
      "type": "user"
    }
  }
]
I do not have rights on this subscription but it is the only one that I know.
On Azure WebUI I can see that the RGName is on the same subscription.
This is a capture from the Azure WebUI of RGName (screenshot omitted).
Thank you
You may need to register the Resource provider by clicking on register as shown in below screenshot under subscription id.

Having the Terraform azure state file under different subscription

I have two subscriptions in Azure. Let's call them sub-dev and sub-prod. Under sub-dev I have resources for development (in a resource group rg-dev) and under sub-prod resources for production (in a resource group rg-prod).
Now, I would like to have only one state file for both dev and prod. I can do this as I am using Terraform workspaces (dev and prod). There is a Storage Account under sub-dev (rg-dev) named tfstate. It has a container etc. The Azure backend is configured like this:
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-dev"
    storage_account_name = "tfstate"
    container_name       = "tfcontainer"
    key                  = "terraform.tfstate"
  }
}
If I want to apply to the dev environment I have to switch Az Cli to the sub-dev. Similarly, for production, I would have to use sub-prod. I switch the default subscription with az cli:
az account set -s sub-prod
Problem is that the state's storage account is under sub-dev and not sub-prod. I will get access errors when trying to terraform init (or apply) when the default subscription is set to sub-prod.
Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "tfstate": storage.AccountsClient#ListKeys: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'user#example.com' with object id '<redacted>' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/sub-prod/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/tfstate' or the scope is invalid. If access was recently granted, please refresh your credentials."
I have tried a couple of things:
I added subscription_id = "sub-dev"
I generated a SAS token for the tfstate storage account and added the sas_token config value (removed resource_group_name)
but in vain; I am getting the same error.
I tried az logout, but Terraform requires me to log in first. Do I have to tune the permissions on the Azure end somehow (this is hard as the Azure environment is configured by a 3rd party), or does Terraform support this kind of setup, having your state file under a different subscription, at all?
For better or worse (I haven't experimented much with other methods of organising terraform) we use terraform in the exact way you are describing. A state file, in a remote backend, in a different subscription to my resources. Workspaces are created to handle environments for the deployment.
Our state files are specified like this:
terraform {
  required_version = ">= 0.12.6"
  backend "azurerm" {
    subscription_id      = "<subscription GUID storage account is in>"
    resource_group_name  = "terraform-rg"
    storage_account_name = "myterraform"
    container_name       = "tfstate"
    key                  = "root.terraform.tfstate"
  }
}
We keep our terraform storage account in a completely different subscription to our deployments but this isn't necessary.
When configuring your state file like so, it authenticates to the remote backend via az CLI, using the context of the person interacting with the CLI. This person needs to have the "Reader & Data Access" role to the storage account in order to dynamically retrieve the storage account keys at runtime.
With the above state file configured, executing Terraform would be
az login
az account set -s "<name of subscription where you want to create resources>"
terraform init
terraform plan
terraform apply
There's another way to do that. You can use the Access Key associated with the Storage Account on the other subscription(the one you want to have the state files on) and export it as an environment variable.
Bash:
export ARM_ACCESS_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' -o tsv)
PowerShell:
$env:ARM_ACCESS_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' -o tsv)
Then switch to the subscription you want to deploy to and deploy.
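Both answers above work, but each still depends on the storage account key: the first has the backend call listKeys at runtime, the second exports the key into every shell. An added example (not from either answer; the subscription GUID placeholder and the variable names are assumptions) that avoids the key altogether: the backend names the state subscription explicitly and authenticates to the blob with the CLI identity's Azure AD token via use_azuread_auth, while the provider block selects the deployment subscription per workspace. The identity then needs only Storage Blob Data Contributor (or Owner) on the container in sub-dev, and no Microsoft.Storage/storageAccounts/listKeys/action at all, so the 403 from ListKeys in the question cannot occur.

```hcl
# Added example (not from the original answers). GUID placeholder and
# variable names are assumptions; Terraform 1.x, azurerm provider 3.x.

terraform {
  backend "azurerm" {
    # Where the state lives (sub-dev), independent of the CLI default.
    subscription_id      = "00000000-0000-0000-0000-000000000000"
    resource_group_name  = "rg-dev"
    storage_account_name = "tfstate"
    container_name       = "tfcontainer"
    key                  = "terraform.tfstate"

    # Use the caller's Azure AD token for the blob instead of listing
    # account keys; requires a Storage Blob Data role on the container.
    use_azuread_auth = true
  }
}

variable "sub_dev" {
  type = string
}

variable "sub_prod" {
  type = string
}

provider "azurerm" {
  features {}

  # Deployment target chosen by workspace; no az account set needed.
  subscription_id = terraform.workspace == "prod" ? var.sub_prod : var.sub_dev
}
```

With this in place the flow is az login, terraform init once, then terraform workspace select prod and terraform apply; the state keeps living in sub-dev for both workspaces. Prefer this over ARM_ACCESS_KEY: a storage account key is a long-lived, full-access secret, and leaving it in a shell environment (or a CI variable) is far harder to audit and rotate than an RBAC assignment.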
