Creating new Subscriptions through Terraform

Hello,

I am running into some issues creating a Subscription through terraform.

In my yaml pipeline, I am specifying the following:

  env:
    AZDO_PERSONAL_ACCESS_TOKEN: xxxxxxxxxxxxxxxxxxxxxx
    ARM_CLIENT_ID: xxxxxxxxxxxxxxxxxxxxxx
    ARM_CLIENT_SECRET: xxxxxxxxxxxxxxxxxxxxxx
    ARM_TENANT_ID: xxxxxxxxxxxxxxxxxxxxxx
    ARM_SUBSCRIPTION_ID: xxxxxxxxxxxxxxxxxxxxxx

These values are associated with a service principal that I know is able to create an account. I have tested this by running a powershell script as that principal and successfully creating an account.

When trying to go through this same process with terraform however, I am running into this error:

Error: creating new Subscription (Alias “test-sub”): subscription.AliasClient#Create: Failure sending request: StatusCode=0 – Original Error: Code=“UserNotAuthorized” Message=“User is not authorized to create subscriptions on this enrollment account”

What information is required for the " azurerm_billing_enrollment_account_scope ” data source.

data "azurerm_billing_enrollment_account_scope" "enrollment" {
billing_account_name = "/providers/Microsoft.Billing/billingAccounts/12345678"
enrollment_account_name = "enrollment_account@business.onmicrosoft.com"
}

resource "azurerm_subscription" "test-sub" {
subscription_name = "test-sub"
alias = "test-sub"
billing_scope_id = data.azurerm_billing_enrollment_account_scope.enrollment.id
}

I have checked in Azure and the user running this pipeline does have authorization to do this. The service principal has ‘owner’ permissions on the Azure enrollment account.

Is there a way to get more information from terraform/azure? Is there a way to identify which user terraform thinks it is running as and which enrollment account it is being used?