Lbebitas

Reputation: 101

Terraform - Azure as a provider and limited access account

I want to deploy some resources on Azure with Terraform. On Azure, I have an account with "Owner rights" on one Resource Group only (RGName), not at the subscription level.

From my Linux server, I installed az cli and I ran az login. At this step, everything is OK.

The problem appears when I want to execute terraform to create one resource.


Content of provider.tf (the only .tf file for now):

provider "azurerm" {
}

If I run the terraform plan command, it works.

If I add the following lines to my tf file, it fails. Please see the error at the end:

resource "azurerm_virtual_network" "myterraformnetwork" {
    name                = "myVnet"
    address_space       = ["10.0.0.0/16"]
    location            = "eastus"
    resource_group_name = "RGName"

    tags = {
        environment = "Terraform Demo"
    }
}

I do not have rights at the subscription level, but I do not need them. With the Azure Web UI I can create resources in this Resource Group without a problem.


The error:

Error: Error ensuring Resource Providers are registered: Cannot register provider Microsoft.DevSpaces with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'accountName' with object id 'IDaccountName' does not have authorization to perform action 'Microsoft.DevSpaces/register/action' over scope '/subscriptions/subscriptionID' or the scope is invalid. If access was recently granted, please refresh your credentials.".

  on provider.tf line 1, in provider "azurerm":
   1: provider "azurerm" {

Upvotes: 10

Views: 25053

Answers (5)

Bendemann

Reputation: 766

This is slightly off-topic, but I'll put this answer here as this SO question is in the top Google results when it comes to this particular topic.

So one reason behind an error like this:

│ Error: Error ensuring Resource Providers are registered.
│
│ Terraform automatically attempts to register the Resource Providers it supports to
│ ensure it's able to provision resources.
│
│ If you don't have permission to register Resource Providers you may wish to use the
│ "skip_provider_registration" flag in the Provider block to disable this functionality.
│
│ Please note that if you opt out of Resource Provider Registration and Terraform tries
│ to provision a resource from a Resource Provider which is unregistered, then the errors
│ may appear misleading - for example:
│
│ > API version 2019-XX-XX was not found for Microsoft.Foo
│
│ Could indicate either that the Resource Provider "Microsoft.Foo" requires registration,
│ but this could also indicate that this Azure Region doesn't support this API version.
│
│ More information on the "skip_provider_registration" flag can be found here:
│ https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#skip_provider_registration
│
│ Original Error: Cannot register providers: Microsoft.TimeSeriesInsights. Errors were: Cannot register provider Microsoft.TimeSeriesInsights with Azure Resource Manager: unexpected status 404 with error: InvalidResourceNamespace: The resource namespace 'Microsoft.TimeSeriesInsights' is invalid..
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on provider.tf line 1, in provider "azurerm":
│    1: provider "azurerm" {

could be the version of the Terraform provider that you're currently using. For example, this error occurred for me on 3.89.0 and got fixed when I upgraded the provider to 3.111.0.

To check your provider version run terraform providers or just check your .terraform.lock.hcl file.

You can then pin your provider version in providers.tf like so:

terraform {
  required_version = ">= 1.9.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.111.0"
    }
  }
}

and then run terraform init -upgrade to apply it.

More info can be found here as well: https://github.com/hashicorp/terraform-provider-azurerm/issues/27466

Upvotes: 0

Divyanshu mehta

Reputation: 319

You may need to register the Resource provider by clicking on register, as shown in the screenshot below, under the subscription ID.

Upvotes: 1

Geehan

Reputation: 331

If anyone else has this issue in a corporate (restricted) Azure environment, and doesn't have the patience to register the provider (which may not be necessary if you don't use the specified terraform resource) - have a look at https://github.com/terraform-providers/terraform-provider-azurerm/issues/4440

Specifically, this may help:

provider "azurerm" {
  # Do not attempt to register Resource Providers at the subscription level
  skip_provider_registration = true
}

It obviously won't help if you actually need the resource that fails to get registered (in our case it was Cannot register provider Microsoft.DevSpaces with Azure Resource Manager, but the resource will be variable depending on your environment and what Terraform decides to support)

Upvotes: 23
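
A preflight check to pair with skip_provider_registration, added here as an example and not part of any answer on this page: once Terraform no longer registers anything itself, the script reports which Resource Provider namespaces a configuration needs that are not in state Registered. The function names and the sample listing are constructed for illustration; the input format is the output of the az command quoted in the comments.

```shell
#!/bin/sh
# Added example: preflight check for use with skip_provider_registration.
# Input on stdin: "namespace<TAB>registrationState" lines, as printed by
#   az provider list --query "[].[namespace, registrationState]" -o tsv

# Print every required namespace (arguments) that is not "Registered".
unregistered_providers() {
    awk -F '\t' -v required="$*" '
        { state[tolower($1)] = $2 }   # namespaces compare case-insensitively
        END {
            n = split(required, want, " ")
            for (i = 1; i <= n; i++)
                if (state[tolower(want[i])] != "Registered") print want[i]
        }'
}

# Return non-zero and name the gaps if anything required is unregistered.
preflight() {
    missing=$(unregistered_providers "$@")
    if [ -n "$missing" ]; then
        echo "Not registered (needs a subscription-level admin):" >&2
        echo "$missing" >&2
        return 1
    fi
}

# Constructed sample listing, not taken from a real subscription.
sample_provider_list() {
    printf 'Microsoft.Network\tRegistered\n'
    printf 'Microsoft.Compute\tRegistered\n'
    printf 'Microsoft.DevSpaces\tNotRegistered\n'
    printf 'Microsoft.Storage\tRegistering\n'
}

# Demo on the sample: azurerm_virtual_network needs Microsoft.Network.
sample_provider_list | preflight Microsoft.Network && echo "ok to run terraform plan"

# Real use:
#   az provider list --query "[].[namespace, registrationState]" -o tsv \
#     | preflight Microsoft.Network && terraform plan
```

A namespace that is missing from the listing altogether is reported as well, which covers the misleading "API version ... was not found" case described in the provider's error text.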

Lbebitas

Reputation: 101

Thank you for your answer.

I get this when I execute "az account list":

    "cloudName": "AzureCloud",
    "id": "***********0d43",
    "isDefault": true,
    "name": "BU*******",
    "state": "Enabled",
    "tenantId": "TENANTID",
    "user": {
      "name": "LOGINNAME",
      "type": "user"

I do not have rights on this subscription but it is the only one that I know. On Azure WebUI I can see that the RGName is on the same subscription.

This is a capture from Azure WebUI on the RGName : Azure WebUI

Thank you

Upvotes: 0

Charles Xu

Reputation: 31384

For your issue, when you have the Owner role on the resource group, you can create new resources or manage the existing resources as you want. So permission is no problem. In a test on my side, it works well using a user that has the Owner role on the resource group.

As the error shows, I think the possible reason is that you have multiple subscriptions in the tenant and the current subscription is not the one on which the user has the right permission. You can check and set the right subscription via the command:

az account set --subscription subscription_id

Upvotes: 2
