Reputation: 2503
I have a prod subscription where the deployment pipeline fails because of a missing permission. My Azure AD user has no permission to create or remove locks on Azure SQL.
I wonder what user permission to configure, and how, so that Azure Pipelines can create, edit or remove resource locks?
Terraform:
# One CanNotDelete lock per database; var.databases and the
# azurerm_sql_database.hellodb resources are declared elsewhere.
resource "azurerm_management_lock" "hellodb_lck" {
  for_each   = var.databases
  name       = "can-not-delete"
  scope      = azurerm_sql_database.hellodb[each.key].id
  lock_level = "CanNotDelete"
}
Upvotes: 3
Views: 14696
Reputation: 1595
This Azure documentation shows that it is either the built-in Owner or User Access Administrator roles, or custom roles with the right action, that are allowed to manipulate locks:
To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
See Shawn's answer for a more detailed explanation.
Upvotes: 6
Reputation: 210
Per documentation the options on permissions to manage locks (each of these is an or):
Microsoft.Authorization/*
Microsoft.Authorization/locks/*
There are multiple different built-in roles and resource permissions that allow a user to manipulate the locks on a resource.
A built-in role that has the required access would be the User Access Administrator role, as it is given Managed Authorization (aka Microsoft.Authorization/*).
As well, an Owner of a resource is granted *, so it inherits the ability to control the locks on the resources as well. Anything under a Contributor on the resource itself does not have the required permissions, as they are only given subtypes of Microsoft.Authorization (e.g. Microsoft.Authorization/*/deletes).
Upvotes: 3
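Both answers above point at the same fix: the identity the pipeline runs as needs the Microsoft.Authorization/locks/* action, which Contributor lacks and which Owner or User Access Administrator carry along with far more. The following is an added example, not code from the question or either answer, of the least-privilege route: a custom role that grants only the lock actions, assigned at subscription scope to the pipeline's service principal. The role name, the pipeline_principal_object_id variable and the choice of subscription scope are assumptions.

```hcl
# Added example (not from the question or either answer): a custom role that
# grants only Microsoft.Authorization/locks/* and assigns it to the service
# principal the pipeline runs as. Role name, variable name and scope are
# assumptions, not values taken from the page.

data "azurerm_subscription" "current" {}

variable "pipeline_principal_object_id" {
  description = "Object ID of the service principal used by the Azure Pipeline (assumed input)"
  type        = string
}

resource "azurerm_role_definition" "lock_manager" {
  name        = "Resource Lock Manager" # assumed name; must be unique in the tenant
  scope       = data.azurerm_subscription.current.id
  description = "Read, create, update and delete management locks; nothing else."

  permissions {
    # locks/* covers locks/read, locks/write and locks/delete, which is
    # everything azurerm_management_lock needs to converge and to destroy.
    actions     = ["Microsoft.Authorization/locks/*"]
    not_actions = []
  }

  # The role can only be assigned inside this subscription.
  assignable_scopes = [data.azurerm_subscription.current.id]
}

# Assigned at subscription scope, so it applies to every SQL database
# (and any other resource) the lock resources point at.
resource "azurerm_role_assignment" "pipeline_lock_manager" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.lock_manager.role_definition_resource_id
  principal_id       = var.pipeline_principal_object_id
}
```

This assignment is in addition to whatever role the pipeline already holds to deploy the databases themselves (typically Contributor); it adds only the lock actions rather than promoting the pipeline to Owner. Applying it requires an identity that can create role definitions and assignments (Owner or User Access Administrator on the subscription), and a newly granted role can take a few minutes to propagate before a re-run of the pipeline succeeds.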