Unable to delete Role Assignment in subnet using Terraform Destroy command

Ifiokobong Offiong 56 Reputation points
2022-03-30T16:51:30.737+00:00

Hi, please can someone help me with this?
I created my infrastructure with my terraform config file to a subnet. The infrastructure creation was successful, but when I want to clean up my resources using the terraform destroy command, I have this error message:

    Error: authorization.RoleAssignmentsClient#Delete: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned
    an error. Status=409 Code="ScopeLocked" Message="The scope '/subscriptions/.../resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mysubnet/providers/Microsoft.Authorization/roleAssignments/*..*/' cannot perform delete operation because following scope(s) are locked: '/subscriptions/.../resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet' . Please remove the lock and try again."

Actually, the VNet has a Delete lock type set on it, and I do not want to be disabling the lock anytime I want to do terraform destroy.

Thank you for your suggestions on fixing this error.
This is the provider version that I am using:

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "=2.97.0"
        }
      }
    }

Accepted answer
  1. GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2022-04-08T11:15:23.953+00:00

    Hello @Ifiokobong Offiong ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you created your infrastructure with a terraform config file to a subnet which has a Delete lock type set on its VNet and the creation was successful, but when trying to clean up the recently created resources using the Terraform destroy command, you are getting a "cannot perform delete operation because following scope(s) are locked" error. But you do not want to disable the lock when doing a Terraform destroy. Please correct me if my understanding is wrong.

    Per design, when you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
    Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#lock-inheritance

    CanNotDelete means authorized users are able to read and modify the resources, but not delete (even the resources you add later).
    Refer: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock

    The error message you see is not from terraform, it is from the Azure REST API. If there is a delete lock on a resource, you can't even delete the resource using Azure REST APIs directly.
    The parent lock scoped on the Vnet also extends to the roleAssignments & the new AKS cluster that you created with terraform config file.
    So, you need to disable the lock before doing a destroy.

    Kindly let us know if the above helped or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

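The lock-inheritance rule in the accepted answer can be checked before running a destroy: walk a resource ID up through its parent scopes and collect every management lock that applies. This is an added example, not code from the question, the answer or the azurerm provider; the resource IDs and the lock are constructed to mirror the 409 message above, and the lock list stands in for what `az lock list` would return.

```python
# Resolve which Azure management locks apply to a resource by walking its
# parent scopes (the inheritance rule behind the 409 ScopeLocked error).
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Lock:
    scope: str   # resource ID the lock is assigned to
    level: str   # "CanNotDelete" or "ReadOnly"; both forbid delete
    name: str


def parent_scopes(resource_id: str) -> List[str]:
    """Return the scope itself followed by each ancestor scope.

    Resource IDs are /segment/value pairs, so an ancestor is obtained by
    dropping trailing pairs. A prefix ending in '/providers/<namespace>'
    is not a lockable scope and is skipped.
    """
    parts = resource_id.strip("/").split("/")
    scopes = []
    while len(parts) >= 2:
        if parts[-2].lower() != "providers":
            scopes.append("/" + "/".join(parts))
        parts = parts[:-2]
    return scopes


def effective_locks(resource_id: str, locks: List[Lock]) -> List[Lock]:
    """Locks that apply to resource_id: its own plus every inherited one."""
    scopes = {s.lower() for s in parent_scopes(resource_id)}
    return [lock for lock in locks if lock.scope.lower() in scopes]


def blocking_scopes(resource_id: str, locks: List[Lock]) -> List[str]:
    """Scopes whose lock forbids deleting resource_id (empty if allowed)."""
    return sorted({lock.scope for lock in effective_locks(resource_id, locks)})


# Constructed sample: a CanNotDelete lock on the VNet, as in the question.
VNET = "/subscriptions/SUB/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet"
ROLE_ASSIGNMENT = VNET + "/subnets/mysubnet/providers/Microsoft.Authorization/roleAssignments/ROLE-ASSIGNMENT-ID"
OTHER_VNET_SUBNET = VNET.replace("myVnet", "otherVnet") + "/subnets/mysubnet"
LOCKS = [Lock(scope=VNET, level="CanNotDelete", name="vnet-delete-lock")]

if __name__ == "__main__":
    for rid in (ROLE_ASSIGNMENT, OTHER_VNET_SUBNET):
        print(rid.split("/")[-1], "-> blocked by", blocking_scopes(rid, LOCKS) or "nothing")
```

Running the check over the IDs in a Terraform plan before `terraform destroy` surfaces inherited locks up front instead of halfway through a partially applied destroy.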
