Hello David Simpson
Welcome to Microsoft Q&A Platform, thanks for posting your query here.
Based on the error message shared, it indicates that the client does not have authorization to perform the action 'Microsoft.Authorization/roleAssignments/write' over the specified scope. This error can occur if the client does not have the required permissions to create a role assignment.
Below are a few troubleshooting steps that can help resolve the issue:
- Verify that the client ID and client secret used to authenticate the Terraform provider have the required permissions to create a role assignment. You can check this by ensuring that the client ID and client secret have the 'Owner' or 'Contributor' role assigned to them at the subscription or resource group level.
- Ensure that the 'Network Contributor' role is assigned to the client ID and client secret at the subscription or resource group level. This role is required to create a role assignment for the subnet. You can use Azure CLI or Azure PowerShell to assign the role programmatically. Here's an example using Azure CLI:
az role assignment create --assignee-object-id <client-object-id> --role "Network Contributor" --scope <scope>
- Verify that the subnet specified in the 'azurerm_role_assignment' resource exists and is valid. You can check this by running the following command:
az network vnet subnet show --ids <subnet_id>
Replace <subnet_id> with the ID of the subnet specified in the 'azurerm_role_assignment' resource.
- If the subnet exists and is valid, try creating the role assignment manually using the Azure portal or Azure CLI. This can help you identify any issues with the client ID and client secret or the subnet.
- After ensuring that the client has the necessary permissions and the role assignment is correctly set up, retry the Terraform deployment. It should now be able to create the role assignment without encountering the "AuthorizationFailed" error.
If you continue to experience issues, double-check your configuration and make sure that all the necessary prerequisites, such as subscription access and role assignments, are in place before running Terraform again.
Hope this helps.
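
A way to check which of a principal's role assignments permit 'Microsoft.Authorization/roleAssignments/write' at the subnet scope, added here as an example and not part of the original answer. The role definitions (abbreviated), assignments, subscription ID and resource names are constructed samples, and the JSON field names assume the output shape of `az role definition list` and `az role assignment list --assignee <id> --all`.

```python
import re

REQUIRED = "Microsoft.Authorization/roleAssignments/write"

# Constructed, abbreviated role definitions in the shape returned by
# `az role definition list` (assumed fields: roleName, permissions[].actions/notActions).
ROLE_DEFS = [
    {"roleName": "Owner", "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Contributor", "permissions": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Network Contributor", "permissions": [{"actions": [
        "Microsoft.Authorization/*/read", "Microsoft.Network/*"], "notActions": []}]},
    {"roleName": "User Access Administrator", "permissions": [{"actions": [
        "*/read", "Microsoft.Authorization/*"], "notActions": []}]},
]

# Constructed assignments in the shape of `az role assignment list --assignee <id> --all`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SUBNET = SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/snet1"
ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "scope": SUB},
    {"roleDefinitionName": "Network Contributor", "scope": SUB + "/resourceGroups/rg-net"},
]

def matches(pattern, action):
    """Azure action patterns: '*' is a wildcard, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role_def, action):
    """True if some permission block allows the action and its notActions do not exclude it."""
    for perm in role_def["permissions"]:
        allowed = any(matches(p, action) for p in perm.get("actions", []))
        excluded = any(matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def granting_assignments(assignments, role_defs, target_scope, action=REQUIRED):
    """Assignments that cover target_scope and whose role permits the action."""
    defs = {d["roleName"]: d for d in role_defs}
    return [a for a in assignments
            if covers(a["scope"], target_scope)
            and a["roleDefinitionName"] in defs
            and role_grants(defs[a["roleDefinitionName"]], action)]

if __name__ == "__main__":
    print(granting_assignments(ASSIGNMENTS, ROLE_DEFS, SUBNET) or "no assignment grants " + REQUIRED)
```

An empty result means none of the listed assignments would let the principal create the role assignment at that scope, which matches the "AuthorizationFailed" error.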