
Error for creating 'azuredevops_serviceendpoint_azurerm' #1164

Open
sorin-united opened this issue Sep 20, 2024 · 1 comment
@sorin-united

sorin-united commented Sep 20, 2024

Terraform (and Azure DevOps Provider) Version

terraform 1.9.0
azuredevops 1.3.0

Affected Resource(s)

azuredevops_serviceendpoint_azurerm

Terraform Configuration Files

------------------------MODULE----------------------------
resource "azuredevops_serviceendpoint_azurerm" "this" {
  for_each = var.service_connection_params

  project_id                = each.value.project_id
  service_endpoint_name     = each.value.service_endpoint_name
  azurerm_spn_tenantid      = each.value.tenant_id
  azurerm_subscription_id   = each.value.subscription_id
  azurerm_subscription_name = each.value.subscription_name
  resource_group            = each.value.resource_group
}

resource "azuredevops_resource_authorization" "this" {
  for_each = var.service_connection_params

  project_id  = each.value.project_id
  resource_id = azuredevops_serviceendpoint_azurerm.this[each.key].id
  authorized  = true
}

------------------------VARIABLES FILE--------------------
variable "service_connection_params" {
  type = map(object({
    project_id            = string
    service_endpoint_name = string
    tenant_id             = string
    subscription_id       = string
    subscription_name     = string
    resource_group        = string
  }))
}

------------------------MODULE CALL-----------------------
module "service_connection" {
  source = "../"

  service_connection_params = {
    ado_service_connnection = {
      project_id            = data.azuredevops_project.teamproject.project_id
      service_endpoint_name = "TEST_SC" #data.azurerm_resource_group.rg-devops-arm-poc.name
      tenant_id             = "88155c28-f750-4013-91d3"
      subscription_id       = "d4549b4e-03a6-4b02-a194"
      subscription_name     = "APPS_EU_POC"
      resource_group        = data.azurerm_resource_group.rg-devops-arm-poc.name
    }
  }
}

Debug Output

file attached
trace_logs.txt

Panic Output

n/a

Expected Behavior

Successfully create service connection

Actual Behavior

Error:

│ Error: waiting for service endpoint ready. Looking up service endpoint given ID (bffcc32d-d0a8-4915-abed-e146a7d81124) and project ID (4ff74780-9ca2-4de5-8711-086114d194bb): map[errorCode:1 severity: state:Failed statusMessage:Failed to create an app in Microsoft Entra. Error: Insufficient privileges to complete the operation in Microsoft Graph Ensure that the user has permissions to create a Microsoft Entra Application.]


Steps to Reproduce

terraform apply the above code provided

  1. terraform apply

Important Factoids

n/a

References

n/a

  • #0000

Mentions:

The error is saying "Insufficient privileges to complete the operation in Microsoft Graph" - but the service principal used HAS the privileges to create service connections - this was separately tested in powershell for Microsoft Graph API.

Looking forward to any feedback, thanks!

@xuzhang3
Collaborator

@sorin-united The PAT is created under a user account, and this account in AAD should have sufficient permissions. For example, the user in AAD has the Contributor role.
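The failing Graph call is made because the module omits a `credentials` block: the endpoint is then created in automatic mode, where Azure DevOps registers a new Entra application on behalf of the PAT's user, so that user needs app-registration rights in Entra. As an added example (not from this issue or the provider project), the same module in manual mode, passing an existing service principal's id and a separately supplied secret so no app registration happens at apply time; the `service_principal_id` field, the `service_principal_keys` variable and dropping `resource_group` (scope is then carried by the SPN's own RBAC assignment) are assumptions:

```hcl
# Added example, not the issue's original module: manual (pre-created SPN) mode
# so Azure DevOps does not need to register an Entra application itself.
variable "service_connection_params" {
  type = map(object({
    project_id            = string
    service_endpoint_name = string
    tenant_id             = string
    subscription_id       = string
    subscription_name     = string
    service_principal_id  = string # assumed: appId of an existing Entra app
  }))
}

# Assumed: the client secret is passed separately and never written into the
# map above, so it stays out of module inputs and plan output.
variable "service_principal_keys" {
  type      = map(string) # keyed like service_connection_params
  sensitive = true
}

resource "azuredevops_serviceendpoint_azurerm" "this" {
  for_each = var.service_connection_params

  project_id                = each.value.project_id
  service_endpoint_name     = each.value.service_endpoint_name
  azurerm_spn_tenantid      = each.value.tenant_id
  azurerm_subscription_id   = each.value.subscription_id
  azurerm_subscription_name = each.value.subscription_name

  # Supplying credentials switches the endpoint to manual creation mode:
  # the SPN already exists, so no Microsoft Graph app-creation call is made
  # and the PAT user needs no Entra app-registration privilege.
  credentials {
    serviceprincipalid  = each.value.service_principal_id
    serviceprincipalkey = var.service_principal_keys[each.key]
  }
}

resource "azuredevops_resource_authorization" "this" {
  for_each = var.service_connection_params

  project_id  = each.value.project_id
  resource_id = azuredevops_serviceendpoint_azurerm.this[each.key].id
  authorized  = true
}
```

With this shape the PAT user only needs Azure DevOps rights to create service connections in the project, and the Entra side is limited to whatever RBAC the pre-created SPN already holds on the subscription.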
