
Bug: Platform Landing Zone Deployment Fails for management group permissions issues with Azure DevOps #269

Closed
1 task done
jaredfholgate opened this issue Jan 7, 2025 · 3 comments
Assignees
Labels
Needs: Attention 👋 Needs attention from the maintainers Type: Bug 🪲 Something isn't working

Comments

@jaredfholgate
Member

Is there an existing issue for this?

  • I have searched the existing issues

Infrastructure as Code Type? (Required)

terraform

PowerShell Module Version (Optional)

latest

Bootstrap Module Version (Optional)

latest

Starter Module? (Required)

terraform - complete_multi_region

Starter Module Version (Optional)

latest

Input arguments of the ALZ-PowerShell-Module (Optional)

N/A

Debug Output/Panic Output (Optional)

╷
│ Error: Failed to retrieve resource
│
│   with module.management_groups.module.management_groups.azapi_resource.management_groups_level_0["alzroot"],
│   on .terraform/modules/management_groups.management_groups/main.management_groups.tf line 1, in resource "azapi_resource" "management_groups_level_0":
│    1: resource "azapi_resource" "management_groups_level_0" {
│
│ reading Resource: (ResourceId
│ "/providers/Microsoft.Management/managementGroups/alzroot" / Api Version
│ "2023-04-01"): GET
│ https://management.azure.com/providers/Microsoft.Management/managementGroups/alzroot
│ --------------------------------------------------------------------------------
│ RESPONSE 403: 403 Forbidden
│ ERROR CODE: AuthorizationFailed
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "AuthorizationFailed",
│     "message": "The client '341a5e18-bf81-48ad-9cd6-998313ebc55d' with object id '341a5e18-bf81-48ad-9cd6-998313ebc55d' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/alzroot' or the scope is invalid. If access was recently granted, please refresh your credentials."
│   }
│ }
│ --------------------------------------------------------------------------------
│
╵

Expected Behaviour (Required)

It does not fail.

Actual Behaviour (Required)

It fails.

Steps to Reproduce (Optional)

Run the accelerator with the platform_landing_zone module and Azure DevOps.

Important Factoids (Optional)

This appears to be related to access token refresh in Azure DevOps.

References (Optional)

Azure/terraform-azurerm-avm-ptn-alz#157

@jaredfholgate jaredfholgate added Needs: Triage 🔍 Needs triaging by the team Type: Bug 🪲 Something isn't working Needs: Attention 👋 Needs attention from the maintainers and removed Needs: Triage 🔍 Needs triaging by the team labels Jan 7, 2025
@jaredfholgate jaredfholgate self-assigned this Jan 7, 2025
@jaredfholgate
Member Author

This issue was reported over at Azure/terraform-azurerm-avm-ptn-alz#157.

We have been unable to reproduce in our test environments, but there have been 3 reports so far.

It appears to only be a problem with Azure DevOps and the fixes to the AzAPI don't appear to have solved it.

There is ongoing work to improve OIDC auth in the Terraform providers and backend, however I am opening this issue as it may be possible to migrate AzAPI over to the new auth method now, so will see if that has any impact.

FYI: @matt-FFFFFF @Raphael-kainos @paul-e-martin @MatthewGrimshaw

@jaredfholgate
Member Author

In order to implement this in the short term, a change is required to the azapi provider. PR raised here: Azure/terraform-provider-azapi#709

jaredfholgate added a commit to Azure/alz-terraform-accelerator that referenced this issue Jan 11, 2025
## Overview/Summary

Increase timeouts to help with ADO eventual consistency issue

## This PR fixes/adds/changes/removes

1. Azure/terraform-azurerm-avm-ptn-alz#157
2. Azure/ALZ-PowerShell-Module#269

### Breaking Changes

None

## Testing Evidence

Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

## As part of this Pull Request I have

- [x] Checked for duplicate [Pull Requests](https://github.com/Azure/alz-terraform-accelerator/pulls)
- [x] Associated it with relevant [issues](https://github.com/Azure/alz-terraform-accelerator/issues), for tracking and closure.
- [x] Ensured my code/branch is up-to-date with the latest changes in the `main` [branch](https://github.com/Azure/alz-terraform-accelerator/tree/main)
- [x] Performed testing and provided evidence.
- [x] Updated relevant and associated documentation.
@jaredfholgate
Member Author

@MatthewGrimshaw We will shortly release a new version of the bootstrap module that includes a fix for this issue. We set the AZAPI_RETRY_GET_AFTER_PUT_MAX_TIME to 60m. It actually takes between 10 and 15 minutes for the permissions to become consistent in testing.

I am closing this issue for now. Work continues on token refresh in the providers which may reduce down the time it takes, but this solves the problem for now.
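An added illustration (not the AzAPI provider's or the accelerator's code) of the retry window the fix above relies on: a GET is re-polled only while the response is the 403 AuthorizationFailed body shown in the debug output, and polling stops once the configured maximum time (the 60m value mentioned above) is exhausted, so other errors surface immediately and a permanent denial cannot hang a pipeline forever. The client, clock and propagation delay are constructed for the example.

```python
"""Bounded GET-after-PUT retry on 403 AuthorizationFailed (illustration only)."""
import json

# Constructed copy of the error body from the issue's debug output.
FORBIDDEN_BODY = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": "does not have authorization to perform action "
               "'Microsoft.Management/managementGroups/read'"}})

_UNITS = {"s": 1, "m": 60, "h": 3600}

def parse_duration(text: str) -> int:
    """Seconds for values shaped like AZAPI_RETRY_GET_AFTER_PUT_MAX_TIME ('60m')."""
    if not text or text[-1] not in _UNITS:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(text[:-1]) * _UNITS[text[-1]]

def is_retryable_403(status: int, body: str) -> bool:
    """Only a 403 whose error code is AuthorizationFailed is treated as RBAC
    propagation delay; any other status or code is a real failure."""
    if status != 403:
        return False
    try:
        return json.loads(body)["error"]["code"] == "AuthorizationFailed"
    except (ValueError, KeyError, TypeError):
        return False

def get_with_retry(get, max_time: str, interval: int, now, sleep):
    """Poll get() -> (status, body) until it is not a retryable 403 or the
    deadline passes. Returns (status, body, attempts)."""
    deadline = now() + parse_duration(max_time)
    attempts = 0
    while True:
        attempts += 1
        status, body = get()
        if not is_retryable_403(status, body) or now() >= deadline:
            return status, body, attempts   # success, hard error, or timed out
        sleep(interval)

def simulate(propagation_s: int, max_time: str = "60m", interval: int = 30):
    """Fake clock and fake API: the management group becomes readable once
    propagation_s seconds have passed. Returns (status, attempts, elapsed)."""
    clock = [0]
    def get():
        return (403, FORBIDDEN_BODY) if clock[0] < propagation_s \
            else (200, json.dumps({"name": "alzroot"}))
    def sleep(s):
        clock[0] += s
    status, _, attempts = get_with_retry(get, max_time, interval,
                                         now=lambda: clock[0], sleep=sleep)
    return status, attempts, clock[0]
```

With the 15-minute propagation observed in the comment above, `simulate(900)` succeeds after 31 polls at 30 s intervals, while a 5-minute window gives up with the 403 still in hand.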
