
Virtual Machine Contributor / Reader permissions must be done for the cluster resource group AND the VNET resource group #25

@8ear

Description

Hi,

Here you set your permissions at the cluster resource group scope:

resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" {

This is fine for the resources in the cluster resource group.

But Microsoft proposes using an extra resource group for the VNET and route tables, which you already have in your variable vnet_resource_group but which is not used for permissions.

Therefore you get the following issue:

Getting information about the VM ceu7fw2...
Id            : /subscriptions/1ba933f5-0f66-4afe-ab5c-110acc3728b2/resourceGroups/prd-connect-weur-rg-fw/providers/Microsoft.Network/networkInterfaces/ceu7fw2-eth0
Subscription  : 1ba933f5-0f66-4afe-ab5c-110acc3728b2
Resource group: prd-connect-weur-rg-fw
Type          : Microsoft.Network/networkInterfaces
Name          : ceu7fw2-eth0
Attempting to read - [OK]
Attempting to write - [Forbidden]
Error:
HTTP/1.1 403 Forbidden
b'{"error":{"code":"LinkedAuthorizationFailed","message":"The client \'f008cec5-5d89-4f83-aebb-56e6a8d49daf\' with object id \'f008cec5-5d89-4f83-aebb-56e6a8d49daf\' has permission to perform action \'Microsoft.Network/networkInterfaces/write\' on scope \'/subscriptions/1ba933f5-0f66-4afe-ab5c-110acc3728b2/resourceGroups/prd-connect-weur-rg-fw/providers/Microsoft.Network/networkInterfaces/ceu7fw2-eth0\'; however, it does not have permission to perform action(s) \'Microsoft.Network/virtualNetworks/subnets/join/action\' on the linked scope(s) \'/subscriptions/1ba933f5-0f66-4afe-ab5c-110acc3728b2/resourceGroups/prd-connect-weur-rg-network/providers/Microsoft.Network/virtualNetworks/prd-connect-weur-vnet-default/subnets/prd-fw-frontend-01\' (respectively) or the linked scope(s) are invalid."}}'

This is only fixed if you also add the Virtual Machine Contributor role for the VNET resource group.

Kind regards


Hint:
If you do this you will also get an error, but this is only for route tables and peerings:

Setting api versions for "high_availability" solution
ARM versions are: {
  "resources": "?api-version=2019-07-01"
}
Testing if DNS is configured...
 - Primary DNS server is: 168.63.129.16
Testing if DNS is working...
 - DNS resolving test was successful
Testing connectivity to login.microsoftonline.com:443...
Testing ClusterXL parameters...
Testing cluster interface configuration...
Testing credentials...
Getting information about the environment...
Getting information about the VM ceu7fw2...
Id            : /subscriptions/1ba933f5-0f66-4afe-ab5c-110acc3728b2/resourceGroups/prd-connect-weur-rg-fw/providers/Microsoft.Network/networkInterfaces/ceu7fw2-eth0
Subscription  : 1ba933f5-0f66-4afe-ab5c-110acc3728b2
Resource group: prd-connect-weur-rg-fw
Type          : Microsoft.Network/networkInterfaces
Name          : ceu7fw2-eth0
Attempting to read - [OK]
Attempting to write - [OK]
Id            : /subscriptions/1ba933f5-0f66-4afe-ab5c-110acc3728b2/resourceGroups/prd-connect-weur-rg-fw/providers/Microsoft.Network/networkInterfaces/ceu7fw2-eth1
Subscription  : 1ba933f5-0f66-4afe-ab5c-110acc3728b2
Resource group: prd-connect-weur-rg-fw
Type          : Microsoft.Network/networkInterfaces
Name          : ceu7fw2-eth1
Attempting to read - [OK]
Attempting to write - [OK]
Getting information about the VM ceu7fw1...
Id            : /subscriptions/1ba933f5-0f66-4afe-ab5c-110acc3728b2/resourceGroups/prd-connect-weur-rg-fw/providers/Microsoft.Network/networkInterfaces/ceu7fw1-eth0
Subscription  : 1ba933f5-0f66-4afe-ab5c-110acc3728b2
Resource group: prd-connect-weur-rg-fw
Type          : Microsoft.Network/networkInterfaces
Name          : ceu7fw1-eth0
Attempting to read - [OK]
Attempting to write - [OK]
Id            : /subscriptions/1ba933f5-0f66-4afe-ab5c-110acc3728b2/resourceGroups/prd-connect-weur-rg-fw/providers/Microsoft.Network/networkInterfaces/ceu7fw1-eth1
Subscription  : 1ba933f5-0f66-4afe-ab5c-110acc3728b2
Resource group: prd-connect-weur-rg-fw
Type          : Microsoft.Network/networkInterfaces
Name          : ceu7fw1-eth1
Attempting to read - [OK]
Attempting to write - [OK]
Testing authorization on routing tables...

Failed to retrieve peered network /subscriptions/51843f39-3ba5-4ecb-8509-654a7787978c/resourceGroups/prd-mgmt-weur-rg-network/providers/Microsoft.Network/virtualNetworks/prd-mgmt-weur-vnet-default
Traceback (most recent call last):
  File "/opt/CPsuite-R81.20/fw1/scripts/azure_ha_test.py", line 177, in get_route_table_ids_for_peering
    vnet = azure.arm('GET', vnet_id)[1]
  File "/opt/CPsuite-R81.20/fw1/scripts/rest.py", line 659, in arm
    max_time=self.max_time)
  File "/opt/CPsuite-R81.20/fw1/scripts/rest.py", line 239, in request
    response)
rest.RequestException: HTTP/1.1 403 Forbidden
b'{"error":{"code":"AuthorizationFailed","message":"The client \'f008cec5-5d89-4f83-aebb-56e6a8d49daf\' with object id \'f008cec5-5d89-4f83-aebb-56e6a8d49daf\' does not have authorization to perform action \'Microsoft.Network/virtualNetworks/read\' over scope \'/subscriptions/51843f39-3ba5-4ecb-8509-654a7787978c/resourceGroups/prd-mgmt-weur-rg-network/providers/Microsoft.Network/virtualNetworks/prd-mgmt-weur-vnet-default\' or the scope is invalid. If access was recently granted, please refresh your credentials."}}'
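As an added example (not code from this issue or from the module it reports on), the assignment at the VNET resource group scope that the report asks for can be expressed in Terraform as follows. The reporter's fix assigns Virtual Machine Contributor at that scope; the block below instead defines a custom role restricted to the actions the LinkedAuthorizationFailed response names as missing, which is narrower than Virtual Machine Contributor (that built-in role also grants network interface writes and storage account key listing, among other things, on everything in the resource group). It uses `var.vnet_resource_group` from the issue and assumes two further variables, `var.cluster_principal_id` (the object id of the identity the cluster authenticates with) and `var.peered_vnet_id` (the resource id of the peered VNET from the second error); the role name is also assumed. The HA test additionally checks route-table authorization, whose actions this page does not show, so a real deployment would extend the action list once the next 403 names them, or fall back to the reporter's broader role.

```hcl
# Added example, not code from this issue or the module. Assumed names:
#   var.cluster_principal_id  object id of the identity the cluster VMs use
#   var.peered_vnet_id        resource id of the peered VNET (second error)
# var.vnet_resource_group is the module variable named in the issue.

data "azurerm_resource_group" "vnet" {
  name = var.vnet_resource_group
}

# Custom role limited to the actions the LinkedAuthorizationFailed response
# names as missing on the VNET scope. Narrower than Virtual Machine
# Contributor, which would also grant NIC writes and storage key listing
# on every resource in the networking resource group.
resource "azurerm_role_definition" "vnet_subnet_join" {
  name  = "cluster-vnet-subnet-join" # assumed role name
  scope = data.azurerm_resource_group.vnet.id

  permissions {
    actions = [
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      # Route-table actions the HA test also exercises are not shown in
      # the issue output; add them here once a 403 names them.
    ]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_resource_group.vnet.id]
}

# The assignment the issue asks for: same principal as the cluster resource
# group assignment, but scoped to the VNET resource group.
resource "azurerm_role_assignment" "vnet_subnet_join_assignment" {
  scope              = data.azurerm_resource_group.vnet.id
  role_definition_id = azurerm_role_definition.vnet_subnet_join.role_definition_resource_id
  principal_id       = var.cluster_principal_id

  # Reporter's fix, equivalent for the subnet join but broader
  # (use instead of role_definition_id, not alongside it):
  # role_definition_name = "Virtual Machine Contributor"
}

# The second 403 only asks for virtualNetworks/read on the peered VNET, which
# lives in another subscription. Reader scoped to that single VNET covers the
# read; it is an assumption that nothing more is needed for the peering check.
resource "azurerm_role_assignment" "peered_vnet_reader_assignment" {
  scope                = var.peered_vnet_id
  role_definition_name = "Reader"
  principal_id         = var.cluster_principal_id
}
```

The custom role keeps `assignable_scopes` to the VNET resource group only, so it cannot be reused to grant subnet join elsewhere; the Reader assignment on the peered VNET is scoped to that one resource rather than its resource group, since the error names the VNET itself as the failing scope.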
