evgeny

Reputation: 1135

Azure Bicep and tenant scope (what-if vs create)

I am deploying a management group with Azure Bicep. While create works fine, I am facing an unexpected (at least for me it's unclear) issue with what-if. I am using this approach. My "target" management group is not the root tenant management group. The error message I am getting is:

DeploymentWhatIfResourceError - The request to predict template deployment changes to scope '/providers/Microsoft.Management/managementGroups/target-mg' has failed due to a resource error. See details for more information. AuthorizationFailed - The client '<<redacted>>' with object id '<<redacted>>' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/test-name' or the scope is invalid. If access was recently granted, please refresh your credentials.

Does what-if require more permissions than create? I have the following template:

// Deployed at management-group scope (az deployment mg ...)
targetScope = 'managementGroup'
param name string = 'test-name'
param displayName string = 'test displayName'

// Management groups are tenant-level resources, so the resource itself is
// scoped to the tenant; the deployment's target management group becomes
// the parent of the new group.
resource managementGroupResource 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: name
  scope: tenant()
  properties: {
    details: {
      parent: {
        id: managementGroup().id
      }
    }
    displayName: displayName
  }
}

and then run it like this:

# this fails with the error above.
az deployment mg what-if -f main.bicep -m target-mg -l westeurope

# this works fine
az deployment mg validate -f main.bicep -m target-mg -l westeurope

# this works fine
az deployment mg create -f main.bicep -m target-mg -l westeurope

Anyone run into the same issue?

Upvotes: 0

Views: 989

Answers (1)

bmoore-msft

Reputation: 8717

I think you're running into a known issue where the ManagementGroup resource provider returns a 403 on a GET (instead of a 404) for a non-existent managementGroup.

What-if does a GET to look at the current state and receives the 403. What-if assumes that 403 means what it says and that you don't have perms. What-if should receive a 404 in this case. To confirm this is what you're running into: if you go ahead and create the mg and then run what-if again, it should succeed.

re: perms - if you have perms that will allow validate and create to succeed, then you have sufficient perms at scope - you don't need any perms at the tenant (i.e. "/") scope.

As for a workaround, you can give more perms to the principal to get around this, but I haven't been able to nail down what minimal perms are... I know if you're a tenant owner (i.e. perms at "/") this will work - which is why I couldn't reproduce it on my end - but that shouldn't be required, and it equates to sudo/root permission, so not a great option. The other option is just to skip what-if when you know the MG doesn't exist; that would require a separate step in the pipeline or somewhere outside the template to detect existence, since you can't do that in the template.

That help?

Upvotes: 1
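The "detect existence outside the template" workaround from the answer, written out as a pipeline pre-flight step. This is an added example, not code from the question or the answer: it uses `az account management-group show` as the existence probe (the same `Microsoft.Management/managementGroups/read` call that what-if trips over), runs what-if only when the group can be read, and falls back to validate otherwise, so the deployment still gets a pre-flight check without granting the principal tenant-root ("/") permissions. The template file name, management group names and location are the ones from the question; the `RUN_PREFLIGHT` guard is an assumption of this example so the file can be sourced without calling the CLI.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): choose the pre-flight step
# for an "az deployment mg" run based on whether the management group that
# the template creates already exists.
set -eu

# mg_exists NAME -> exit 0 if the management group can be read, 1 otherwise.
# Uses the same read permission what-if needs, so a 403/404 here predicts
# the DeploymentWhatIfResourceError described in the question.
mg_exists() {
  az account management-group show --name "$1" >/dev/null 2>&1
}

# preflight_command EXISTS -> prints the "az deployment mg" subcommand to run.
# EXISTS is 0 when the group exists (what-if is safe) and 1 when it does not
# (what-if would fail on the GET, so only validate the template).
preflight_command() {
  if [ "$1" -eq 0 ]; then
    echo "what-if"
  else
    echo "validate"
  fi
}

# run_preflight TEMPLATE MG_NAME TARGET_MG LOCATION
#   TEMPLATE  - Bicep file (main.bicep in the question)
#   MG_NAME   - management group the template creates ('test-name')
#   TARGET_MG - management group the deployment targets ('target-mg')
run_preflight() {
  template=$1
  mg_name=$2
  target_mg=$3
  location=$4

  if mg_exists "$mg_name"; then
    exists=0
  else
    exists=1
    echo "management group '$mg_name' not readable; skipping what-if" >&2
  fi

  cmd=$(preflight_command "$exists")
  az deployment mg "$cmd" -f "$template" -m "$target_mg" -l "$location"
}

# Assumption of this example: only call the CLI when explicitly requested,
# e.g. RUN_PREFLIGHT=1 sh preflight.sh in the pipeline step.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  run_preflight main.bicep test-name target-mg westeurope
fi
```

Because `mg_exists` exercises exactly the read that what-if performs, the script also doubles as the confirmation step the answer suggests: once the group has been created (and the principal can read it), the probe succeeds and what-if runs normally on the next pipeline execution.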
