Hello,
I am running into some issues creating a Subscription through Terraform.
In my YAML pipeline, I am specifying the following:
env:
  AZDO_PERSONAL_ACCESS_TOKEN: xxxxxxxxxxxxxxxxxxxxxx
  ARM_CLIENT_ID: xxxxxxxxxxxxxxxxxxxxxx
  ARM_CLIENT_SECRET: xxxxxxxxxxxxxxxxxxxxxx
  ARM_TENANT_ID: xxxxxxxxxxxxxxxxxxxxxx
  ARM_SUBSCRIPTION_ID: xxxxxxxxxxxxxxxxxxxxxx
These values are associated with a service principal that I know is able to create an account. I have tested this by running a PowerShell script as that principal and successfully creating an account.
When trying to go through this same process with Terraform, however, I am running into this error:
Error: creating new Subscription (Alias "test-sub"): subscription.AliasClient#Create: Failure sending request: StatusCode=0 -- Original Error: Code="UserNotAuthorized" Message="User is not authorized to create subscriptions on this enrollment account"
What information is required for the "azurerm_billing_enrollment_account_scope" data source?
data "azurerm_billing_enrollment_account_scope" "enrollment" {
  billing_account_name    = "/providers/Microsoft.Billing/billingAccounts/12345678"
  enrollment_account_name = "enrollment_account@business.onmicrosoft.com"
}

resource "azurerm_subscription" "test-sub" {
  subscription_name = "test-sub"
  alias             = "test-sub"
  billing_scope_id  = data.azurerm_billing_enrollment_account_scope.enrollment.id
}
I have checked in Azure and the user running this pipeline does have authorization to do this. The service principal has "owner" permissions on the Azure enrollment account.
Is there a way to get more information from Terraform/Azure? Is there a way to identify which user Terraform thinks it is running as and which enrollment account is being used?