Creating new Subscriptions through Terraform

Hello,

I am running into some issues creating a Subscription through terraform.

In my yaml pipeline, I am specifying the following:

  env:
    AZDO_PERSONAL_ACCESS_TOKEN: xxxxxxxxxxxxxxxxxxxxxx
    ARM_CLIENT_ID: xxxxxxxxxxxxxxxxxxxxxx
    ARM_CLIENT_SECRET: xxxxxxxxxxxxxxxxxxxxxx
    ARM_TENANT_ID: xxxxxxxxxxxxxxxxxxxxxx
    ARM_SUBSCRIPTION_ID: xxxxxxxxxxxxxxxxxxxxxx

These values are associated with a service principal that I know is able to create an account. I have tested this by running a powershell script as that principal and successfully creating an account.

When trying to go through this same process with terraform however, I am running into this error:

Error: creating new Subscription (Alias "test-sub"): subscription.AliasClient#Create: Failure sending request: StatusCode=0 -- Original Error: Code="UserNotAuthorized" Message="User is not authorized to create subscriptions on this enrollment account"

What information is required for the "azurerm_billing_enrollment_account_scope" data source?

data "azurerm_billing_enrollment_account_scope" "enrollment" {
  billing_account_name    = "/providers/Microsoft.Billing/billingAccounts/12345678"
  enrollment_account_name = "enrollment_account@business.onmicrosoft.com"
}

resource "azurerm_subscription" "test-sub" {
  subscription_name = "test-sub"
  alias             = "test-sub"
  billing_scope_id  = data.azurerm_billing_enrollment_account_scope.enrollment.id
}

I have checked in Azure and the user running this pipeline does have authorization to do this. The service principal has ‘owner’ permissions on the Azure enrollment account.

Is there a way to get more information from Terraform/Azure? Is there a way to identify which user Terraform thinks it is running as and which enrollment account is being used?


Great question!

I am very interested in any replies to this thread, I am running into the exact same issues/errors when trying to deploy subscriptions via Terraform.

I would love to get some clarification on what information is required for the “azurerm_billing_enrollment_account_scope” data source, and where exactly in Azure or Terraform to collect that information.


Same here. I receive these 401 errors even trying to import existing subscriptions with what I know should be the correct values entered for the billing account scope.

Terraform documentation is poor in this regard. I’m questioning if it is even possible as I’m hearing “most” Terraform users do not try to manage subscriptions.

I recently went through this, and if you're running into auth issues re: subscription creation, you'll want to check the IAM permissions set up for billing under whichever identity you're using to execute Terraform.

In my case, I assigned the “Azure subscription creator” role to the service principal to be used in creating subscriptions at the Invoice Section scope for my company’s MCA (Billing Account → Billing Profile → Invoice Section, much like you’d see if you were creating a subscription via the portal).

Hope this helps!
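To tie the two halves of this thread together (the original question of "which identity is Terraform actually running as?" and the MCA invoice-section scope described in the last reply), here is an added example configuration that is not from any poster. It assumes an MCA billing account; the billing account, profile and invoice section names are placeholders you must replace with your own, and the service principal needs the "Azure subscription creator" role at that invoice section before the apply will succeed.

```hcl
# Added example, not from the thread. Resolves the MCA invoice-section
# billing scope and surfaces the identity Terraform authenticated with.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# The principal Terraform is running as (from ARM_CLIENT_ID / ARM_TENANT_ID).
# Compare object_id against the role assignment on the billing scope.
data "azurerm_client_config" "current" {}

output "terraform_identity" {
  value = {
    client_id = data.azurerm_client_config.current.client_id
    object_id = data.azurerm_client_config.current.object_id
    tenant_id = data.azurerm_client_config.current.tenant_id
  }
}

# MCA hierarchy: Billing Account -> Billing Profile -> Invoice Section.
# All three values are placeholders; copy them from the portal's
# Cost Management + Billing blade for your account.
data "azurerm_billing_mca_account_scope" "invoice_section" {
  billing_account_name = "PLACEHOLDER_BILLING_ACCOUNT_NAME"
  billing_profile_name = "PLACEHOLDER_BILLING_PROFILE_NAME"
  invoice_section_name = "PLACEHOLDER_INVOICE_SECTION_NAME"
}

# The resolved scope ID; this is what the subscription resource is billed to
# and the scope at which "Azure subscription creator" must be assigned.
output "billing_scope_id" {
  value = data.azurerm_billing_mca_account_scope.invoice_section.id
}

resource "azurerm_subscription" "example" {
  subscription_name = "test-sub"
  alias             = "test-sub"
  billing_scope_id  = data.azurerm_billing_mca_account_scope.invoice_section.id
}
```

Running `terraform plan` followed by `terraform output terraform_identity` shows the principal and the computed scope before any subscription is created, and setting `TF_LOG=DEBUG` exposes the underlying HTTP request and response from the provider when the authorization error occurs.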