Issue with azuread catalog association - CallerNotResourceOwner: The caller is not the resource

Terraform
1

I’m looking to setup Azure catalogs and access packages with Terraform and found a handy module created here which I’m trying to use: GitHub - fortytwoservices/terraform-azuread-entitlement-management: This module allows you to simply do Entitlement Management in Azure AD through Catalogs and Access Packages

So far so good, until I try to add resources into the access package and then hit an issue with the association. This is the error I’m getting:

Error: Failed to link resource “fbfeaae9-6bcf-4333-xxxx-xxxxxxxxxxxx”@“AadGroup” with access catalog “023678c2-c22b-4609-xxxx-xxxxxxxxxxxx”.

│ with module.catalog.azuread_access_package_resource_catalog_association.resource-catalog-associations[“CatalogName-Aadgroupname”],
│ on .terraform/modules/catalog/modules/azuread/azuread_entitlement_management/main.tf line 152, in resource “azuread_access_package_resource_catalog_association” “resource-catalog-associations”:
│ 152: resource “azuread_access_package_resource_catalog_association” “resource-catalog-associations” {

│ AccessPackageResourceRequestClient.BaseClient.Post(): unexpected status 400
│ with OData error: CallerNotResourceOwner: The caller is not the resource
│ owner.

The module itself has this for the azuread_access_package_resource_catalog_association:

resource “azuread_access_package_resource_catalog_association” “resource-catalog-associations” {
for_each = { for resource in local.resource-catalog-associations-filtered : resource.catalog_resource_association_key => resource }

catalog_id = azuread_access_package_catalog.entitlement-catalogs[each.value.catalog_key].id
resource_origin_id = each.value.resource_origin_id
resource_origin_system = each.value.resource_origin_system

depends_on = [
azuread_access_package_catalog.entitlement-catalogs
]
}

This is the resource part of the variable being fed into the module:

      resources = [ # List of resources, one resource per object
        {
          display_name           = "MyAadGroupName"
          resource_origin_system = "AadGroup"
          resource_origin_id     = "fbfeaae9-6bcf-4333-xxxx-xxxxxxxxxxxx"    # The ID of the Azure resource to be added to the Catalog and Access Package
         }
      ]

Guess I’m trying to figure out if I’m hitting an API bug or if there’s part of the Terraform I’m not understanding correctly.

2

I am not using Terraform, but Microsofts Graph API directly, and I am also getting this error. Which makes no sense, as the ServicePrincipal I am using have the correct API-permissions, it has owner on the catalog and also is the one that created the group I am trying to add as a resource to the catalog.

So it seems this might be some kind of bug. However, it does seem to work if I use the token from my GA-elevated user-account. But that ofc won’t work in the long run.

3

Managed to get this fixed.
Even though the ServicePrincipal was the one that created the group in question, it still had to be added as owner of the specific group. After this was done, it was able to add the group as a resource to the catalog.