Permission to write and delete on resources of type 'Microsoft.Authorization/roleAssignments' is required on the subscription or its ancestors.

Javed Asif 0 Reputation points
2024-02-08T13:53:41.3433333+00:00

I'm creating Azure Landing Zones using Terraform. Here is the main.tf:

data "azurerm_client_config" "core" {}
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = ">= 1.7.0" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
  default_location = "canadacentral"
  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }
  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name
  deploy_management_resources = var.deploy_management_resources
  subscription_id_management  = data.azurerm_client_config.core.subscription_id
  deploy_connectivity_resources = var.deploy_connectivity_resources
  subscription_id_connectivity  = data.azurerm_client_config.core.subscription_id
}

But I'm getting an error when I run the terraform apply command:

Error: creating Management Group Subscription Association between "aasba-management" and "Subscription (Subscription: "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")": managementgroups.SubscriptionsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Permission to write and delete on resources of type 'Microsoft.Authorization/roleAssignments' is required on the subscription or its ancestors." Details=[{"raw":"Subscription ID: '/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'"}]

  with module.enterprise_scale.azurerm_management_group_subscription_association.enterprise_scale["/providers/Microsoft.Management/managementGroups/aasba-management/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"],
  on .terraform\modules\enterprise_scale\resources.management_groups.tf line 114, in resource "azurerm_management_group_subscription_association" "enterprise_scale":
  114: resource "azurerm_management_group_subscription_association" "enterprise_scale" {

I created the following custom role with the scope of the same subscription but I'm getting the same error. Any help to resolve the issue will be appreciated.

{
  "Name": "Terraform Custom RBAC Role",
  "IsCustom": true,
  "Description": "Allow to create Role Assignment using Terraform in Azure Landing Zones.",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Management/managementGroups/*",
    "Microsoft.Authorization/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  ]
}

2 answers

  1. Sina Salam 18,876 Reputation points
    2024-02-08T22:42:25.4433333+00:00

    Hello @Javed Asif

    Welcome to the Microsoft Q&A and thank you for posting your questions here. Based on your question, you need help resolving the error "Permission to write and delete on resources of type 'Microsoft.Authorization/roleAssignments' is required on the subscription or its ancestors."

    The error you're encountering indicates that the service principal or user running Terraform does not have sufficient permissions to manage role assignments within Azure.

    To solve this issue:

    1. The service principal or user running Terraform needs the appropriate permissions to manage role assignments within Azure.
    2. Based on your error review, it shows that you have created a custom RBAC role, which is a good approach. However, ensure that this custom role is assigned at the appropriate scope (/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in your case). NOTE: Make sure this assignment is performed at the subscription level.
    3. The scope of the custom role assignment must match the subscription where you're deploying resources.

    If you do the above, you should be able to resolve the permission issue and successfully deploy your Azure Landing Zones using Terraform, but if you're still having these issues, you may need to further examine the following:

    1. Your provided JSON seems to cover the required permissions for managing role assignments and management groups but double-check to be sure.
    2. Make sure to reauthenticate Terraform to ensure it's using the updated credentials.
    3. Check your Terraform provider configuration to make sure you're using the right credentials.
    4. Enable debugging in Terraform (TF_LOG=DEBUG) to get more detailed information about the API calls being made.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution. Best Regards, Sina

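As an added example (not code from the question or from the caf-enterprise-scale module), this is how the custom role from the question can be both defined and assigned at subscription scope to the identity that runs Terraform, which is the point of step 2 above: a role definition on its own grants nothing, the assignment is what puts the roleAssignments write/delete permission on the subscription where the error demands it. It assumes the same `azurerm_client_config` data source as the question's main.tf and that an identity which already holds Owner or User Access Administrator on the subscription applies this bootstrap step, because creating a role assignment is itself the permission being granted.

```hcl
# Added example: bootstrap of the question's custom role. Apply this with an
# identity that already holds Owner / User Access Administrator on the
# subscription, before the landing-zone run that uses the custom role.

# Same data source as the question's main.tf; declared here so the block
# stands alone. Drop it if it is already declared in the same module.
data "azurerm_client_config" "core" {}

locals {
  subscription_scope = "/subscriptions/${data.azurerm_client_config.core.subscription_id}"
}

# Role definition with the same actions as the JSON in the question: the
# role-assignment write/delete the error asks for, management group control,
# and read-only access to everything else under Microsoft.Authorization.
resource "azurerm_role_definition" "terraform_rbac" {
  name        = "Terraform Custom RBAC Role"
  scope       = local.subscription_scope
  description = "Allow to create Role Assignment using Terraform in Azure Landing Zones."

  permissions {
    actions = [
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Authorization/roleAssignments/delete",
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Management/managementGroups/*",
      "Microsoft.Authorization/*/read",
    ]
    not_actions = []
  }

  # The role may only be assigned at this subscription or below, matching the
  # AssignableScopes in the question.
  assignable_scopes = [local.subscription_scope]
}

# The assignment is what the error message is about: it must sit on the
# subscription (or an ancestor management group), not just exist as a role.
resource "azurerm_role_assignment" "terraform_rbac" {
  scope              = local.subscription_scope
  role_definition_id = azurerm_role_definition.terraform_rbac.role_definition_resource_id
  # object_id is the service principal (or user) the provider authenticated as,
  # i.e. the identity that will later run the landing-zone apply.
  principal_id       = data.azurerm_client_config.core.object_id
}
```

After applying, confirm the assignment landed on the right principal and scope with `az role assignment list --scope /subscriptions/<subscription-id> --assignee <object-id>` before re-running the landing-zone apply.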

  2. Javed Asif 0 Reputation points
    2024-02-09T00:48:06.8366667+00:00

    Thank you @Sina Salam, I'll have another look. At the moment I'm using the same subscription in the custom role and to run Terraform. I double checked all other permissions, which apparently seem okay. BTW, if I use the same credentials in Rover, it creates everything okay and I don't need the custom role either. I'll debug to see more information.
