Terraform-provider-azurerm: AzureRm V2: Cannot set up Data Factory code repository without Subscription Level Permissions

Created on 15 Apr 2020 · 4 Comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'm trying to deploy an Azure Data Factory with the Azure DevOps repository configured using the following Terraform:

provider "azurerm" {
  version = "=2.3.0"
  features {}
}

resource "azurerm_data_factory" "example" {
  name                = "adf_name"
  location            = "location"
  resource_group_name = "rg_name"

  vsts_configuration {
    account_name    = "account_name"
    branch_name     = "branch_name"
    project_name    = "project_name"
    repository_name = "repo_name"
    root_folder     = "root_folder"
  }
}

When deploying the above code using Azure Cloud Shell with the Contributor role on the resource group, but not at the subscription level, I get the following error:

Error: Error configuring Repository for Data Factory "adf-name" (Resource Group "rg-name"): datafactory.FactoriesClient#ConfigureFactoryRepo: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '[email protected]' with object id 'xxxxx' does not have authorization to perform action 'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope '/subscriptions/xxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

To reproduce the error, create a new Terraform project, copy the above code, then run:
terraform init
terraform apply

Is there a way to use vsts_configuration without having Contributor role access on the subscription?

Labels: question, service/data-factory

All 4 comments

Just checked the API of Azure and terraform source code. Terraform is using the following rest call to add the git repo:
Configure factory repo

This call requires more than reader permissions over the subscription. However, when using the following rest call, only permissions on the resource group are necessary. This is also the call that is used by the portal of data factory:
Create or update factory

I think the desired behaviour is the last one. It should not be necessary to have contributor permissions on a subscription to add a git config when you have enough permissions on the resource group.

Please fix
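Modelling the distinction this comment draws, as an added example that is not part of the issue thread or of the provider's code: a toy Azure RBAC evaluator run over constructed role definitions (abbreviated approximations of the built-in Contributor and Reader roles, plus a hypothetical custom role named here "ADF Repo Configurator") and placeholder subscription and resource-group IDs. It shows why a Contributor assignment scoped to the resource group covers `Microsoft.DataFactory/factories/write` on the factory but not `Microsoft.DataFactory/locations/configureFactoryRepo/action`, whose target is a location path directly under the subscription rather than anything inside the resource group, and that a narrow custom role assigned at subscription scope closes that gap without granting subscription-wide Contributor.

```python
"""Toy model of Azure RBAC action/scope evaluation (added example, not from the page).

Role definitions are constructed approximations; IDs are placeholders.
"""
from fnmatch import fnmatchcase

CUSTOM_ROLE = "ADF Repo Configurator"  # hypothetical least-privilege custom role

# Constructed role definitions. Contributor's NotActions list is abbreviated.
ROLE_DEFINITIONS = {
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    CUSTOM_ROLE: {
        "actions": ["Microsoft.DataFactory/locations/configureFactoryRepo/action"],
        "not_actions": [],
    },
}

# Placeholder scopes (constructed).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/rg-name"

# The two operations the thread contrasts, each with the scope it targets.
FACTORY_WRITE_ACTION = "Microsoft.DataFactory/factories/write"
FACTORY_WRITE_SCOPE = RESOURCE_GROUP + "/providers/Microsoft.DataFactory/factories/adf-name"
CONFIGURE_REPO_ACTION = "Microsoft.DataFactory/locations/configureFactoryRepo/action"
# configureFactoryRepo is a location-level operation: its resource path hangs
# off the subscription, so no resource-group-scoped assignment can reach it.
CONFIGURE_REPO_SCOPE = SUBSCRIPTION + "/providers/Microsoft.DataFactory/locations/location"

REQUIRED_FOR_VSTS_CONFIGURATION = [
    (FACTORY_WRITE_ACTION, FACTORY_WRITE_SCOPE),
    (CONFIGURE_REPO_ACTION, CONFIGURE_REPO_SCOPE),
]


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope nested beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Action strings are case-insensitive and may contain '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_authorized(assignments, action: str, target_scope: str) -> bool:
    """True if any (role_name, assignment_scope) pair grants `action` at `target_scope`.

    Each role grants Actions minus its own NotActions; roles are unioned.
    Deny assignments and management-group inheritance are not modelled.
    """
    for role_name, assignment_scope in assignments:
        if not scope_covers(assignment_scope, target_scope):
            continue
        role = ROLE_DEFINITIONS[role_name]
        allowed = any(action_matches(p, action) for p in role["actions"])
        denied = any(action_matches(p, action) for p in role["not_actions"])
        if allowed and not denied:
            return True
    return False


def missing_permissions(assignments):
    """Return the (action, scope) pairs needed for vsts_configuration that are not granted."""
    return [(a, s) for a, s in REQUIRED_FOR_VSTS_CONFIGURATION
            if not is_authorized(assignments, a, s)]


if __name__ == "__main__":
    scenarios = {
        "Contributor on the resource group only": [("Contributor", RESOURCE_GROUP)],
        "Contributor on the subscription": [("Contributor", SUBSCRIPTION)],
        "Contributor on RG + custom role on subscription": [
            ("Contributor", RESOURCE_GROUP), (CUSTOM_ROLE, SUBSCRIPTION)],
    }
    for label, assignments in scenarios.items():
        print(f"{label}: missing {missing_permissions(assignments) or 'nothing'}")
```

Running it prints, for each assignment set, which of the two permissions is still missing; the first scenario reproduces the 403 in the issue (only `configureFactoryRepo/action` is missing), the third shows the least-privilege fix. Real evaluation also considers deny assignments, classic administrators and management-group scopes, which this model leaves out.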

I am facing the same issue. May I know if there is any update on this or a fix for this?

Any updates to this issue? I am still facing this issue.

A potential workaround is to use ARM for this inside Terraform:

resource "azurerm_template_deployment" "vsts-configuration" {
  name = "vsts-configuration-${formatdate("YYYY-MMM-DD-hh-mm-ss-ZZZ", timestamp())}"
  resource_group_name = "RG-NAME"
  deployment_mode = "Incremental"

  lifecycle {
    ignore_changes = [
      name
    ]
  }

  depends_on = [
    azurerm_data_factory.adf
  ]

  parameters = {
    factoryName = azurerm_data_factory.adf.name
    repositoryName = var.vsts_repository_name
    projectName = var.vsts_project_name
  }

  template_body = file("${path.module}/arm/datafactory.json")
}

And ARM template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "factoryName": {
      "type": "string"
    },
    "projectName": {
      "type": "string"
    },
    "repositoryName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.DataFactory/factories",
      "name": "[parameters('factoryName')]",
      "apiVersion": "2018-06-01",
      "location": "[resourceGroup().location]",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "repoConfiguration": {
          "type": "FactoryVSTSConfiguration",
          "accountName": "AzureDevOpsAccount",
          "collaborationBranch": "master",
          "projectName": "[parameters('projectName')]",
          "repositoryName": "[parameters('repositoryName')]",
          "rootFolder": "/"
        }
      }
    }
  ]
}