Problems managing subscriptions with aliases

ddoby · February 22, 2022, 7:50pm

Hey all, I am hoping someone can help guide with where/how to resolve or troubleshoot this issue. Ultimately, I am trying to create the code to create cloud resource landing zones through an Azure DevOps pipeline. I am using an Azure enrollment account and an SP designated as a subscription creator under that enrollment account. That all works fine for new subscription.

The part I am struggling to figure out, is how to import/manage existing subscriptions. My code either creates a brand new subscription if no Subscription ID is given, or “imports” or creates an alias if a Subscription ID is given. But the code is failing with one of several error messages:

Error: multiple Aliases for Subscription "BLAH" already exist - to be managed via Terraform only one Alias can exist and this resource needs to be imported into the State. Please see the resource documentation for "azurerm_subscription" for more information

Or

Error: checking for existence of Subscription by Alias "<alias>": subscription.AliasClient#Get: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="UserNotAuthorized" Message="User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/<alias>"

I don’t think this issue is a code problem, as running the az account alias commands don’t actually show me any aliases to any of these subscriptions, if run under the EA Owner account or the Terraform SP account.

Any help or guidance would be greatly appreciated.

cholton · May 12, 2022, 8:26pm

Did you ever get this resolved? I am also having the same issue trying to “create” an alias for an existing Subscription.

pduboucher · July 3, 2022, 12:46am

I resolved the same issue when I encountered it like so.

note that

az account alias list

is not the same as

az alias list

When I used, az alias list nothing was returned, but using az account alias list showed me all my subscriptions and the Aliases associated with them.

including the one I was looking to import

    {
      "id": "/providers/Microsoft.Subscription/aliases/<UUID-1>",
      "name": "<UUID-1>",
      "properties": {
        "acceptOwnershipState": null,
        "acceptOwnershipUrl": null,
        "billingScope": null,
        "createdTime": null,
        "displayName": null,
        "managementGroupId": null,
        "provisioningState": "Succeeded",
        "resellerId": null,
        "subscriptionId": "<UUID-2>",
        "subscriptionOwnerId": null,
        "tags": null,
        "workload": null
      },
      "systemData": null,
      "type": "Microsoft.Subscription/aliases"
    },

UUID-2 (replaced in this text) matches the UUID for the subscription I was targetting.
Then I import using the UUID for the ALIAS (UUID-1)

terragrunt import 'azurerm_subscription.example' 
 providers/Microsoft.Subscription/aliases/<UUID-1>

Finally a state show confirms that the correct subscription is imported.

terragrunt state show 'azurerm_subscription.example'