Unable to delete Azure Monitor Workspace from terraform

Andrei Nicolae 0 Reputation points
2024-03-07T15:38:58.96+00:00

Hello,

I am running as a Service Principal with Owner role on the resource group the following:

Creating an Azure Monitor Workspace using terraform (all good on create), but when I destroy it, I get this error:

"│ Account Name: "nico-tf-amwtest"): polling after Delete: Future#WaitForCompletion: the number of retries has been exceeded: StatusCode=403 -- Original Error: Code="AuthorizationFailed" Message="The client 'e229fa77-785a-41c0-84c1-44543e059713' with object id 'e229fa77-785a-41c0-84c1-44543e059713' does not have authorization to perform action 'Microsoft.Monitor/locations/operationResults/read' over scope '/subscriptions/8f2513b2-630e-4353-bb46-e3306011eabf/providers/Microsoft.Monitor/locations/westeurope/operationResults/5370b7fa-9312-4f5e-8947-a70e044c3fc8' or the scope is invalid. If access was recently granted, please refresh your credentials." "

I grant the following roles to the Service Principal: Monitoring Contributor and Monitoring reader

Can you please assist?

Thanks,

Andrei

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,785 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,848 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Monalla-MSFT 11,551 Reputation points
    2024-03-08T16:46:35.44+00:00

    @Andrei Nicolae - Welcome to Microsoft Q&A and thanks for reaching out to us.

    You mentioned that you have already granted the 'Monitoring Contributor' and 'Monitoring Reader' roles to the Service Principal. However, it seems that these roles do not include the required permission to perform the 'Microsoft.Monitor/locations/operationResults/read' action.

    • Ensure that the Service Principal has the correct permissions for the specific operation you’re trying to perform. In your case, it’s related to reading operation results in the Azure Monitor location.
    • You can try granting the 'Reader' role at the subscription level to the Service Principal. This role should include the required permission to perform the Microsoft.Monitor/locations/operationResults/read' action.
    • After granting the 'Reader' role to the Service Principal at the subscription level, try running the destroy command again and see if the issue is resolved. If the issue persists, you may need to check if there are any other permissions that are required for the 'Microsoft.Monitor/locations/operationResults/read' action and grant those permissions to the Service Principal as well.

    Hope this helps. and please feel free to reach out if you have any further questions.


    If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.

    0 comments No comments