Import PIM requires write permission #25898

Open
1 task done
davidngs1996 opened this issue May 8, 2024 · 0 comments

davidngs1996 commented May 8, 2024


Terraform Version

1.8.1

AzureRM Provider Version

3.99

Affected Resource(s)/Data Source(s)

azurerm_pim_active_role_assignment, azurerm_pim_eligible_role_assignment

Terraform Configuration Files

data "azurerm_client_config" "example" {}

resource "azurerm_management_group" "example" {
  name = "Example-Management-Group"
}

resource "time_static" "example" {}

resource "azurerm_pim_active_role_assignment" "example" {
  scope              = azurerm_management_group.example.id
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}"
  principal_id       = data.azurerm_client_config.example.object_id

  schedule {
    start_date_time = time_static.example.rfc3339
    expiration {
      duration_hours = 8
    }
  }

  justification = "Expiration Duration Set"

  ticket {
    number = "1"
    system = "example ticket system"
  }
}

Debug Output/Panic Output

retrieving Role Management Policy: (Principal Id "{objectId}" / Scope "/providers/Microsoft.Management/managementGroups/{managementGroupName}" / Role Definition Id
│ "/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}"): unexpected status 400 (400 Bad Request) with error: InsufficientPermissions: The requestor {ReadOnlyServicePrincipal} does 
│ not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.

Expected Behaviour

Import successfully

Actual Behaviour

When using a read-only SP (with Action: "*/read"):
terraform plan is working perfectly
import failed due to insufficient permission

Import works only after adding "Microsoft.Authorization/roleAssignments/write".

Why does import need Write permission?

Steps to Reproduce

az login (user level)
terraform apply --auto-approve
remove azurerm_pim_active_role_assignment manually from tfstate

az login --service-principal -t {Tenant-ID} -u {Client-ID} -p {Client-secret} (To use Read only SP)
terraform import azurerm_pim_active_role_assignment.example "/providers/Microsoft.Management/managementGroup/{managementGroupId}|/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}|{objectId}"

Important Factoids

No response

References

No response
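The two permission sets the report describes, written out as custom role definitions so the difference is visible in code. This is an added example, not configuration from the issue reporter or the provider; the role names, the management group data source and the `import_sp_object_id` variable are assumptions.

```hcl
# Added example, not part of the issue: the read-only role the reporter used
# for `terraform plan`, and the broadened role that was needed for `terraform import`.

data "azurerm_management_group" "mg" {
  name = "Example-Management-Group" # management group from the issue's configuration
}

# Read-only role: "*/read" is enough for `terraform plan`, but per the report
# `terraform import` of azurerm_pim_active_role_assignment fails with it.
resource "azurerm_role_definition" "tf_reader" {
  name        = "terraform-read-only"
  scope       = data.azurerm_management_group.mg.id
  description = "Read-only identity for Terraform plan"

  permissions {
    actions = ["*/read"]
  }

  assignable_scopes = [data.azurerm_management_group.mg.id]
}

# Broadened role: adds the write action the reporter needed for import.
# Microsoft.Authorization/roleAssignments/write lets this principal create role
# assignments at the management group scope (its own included), so the identity
# is no longer read-only. Keep assignable_scopes as narrow as the import needs
# and review this identity like any other with write access to RBAC.
resource "azurerm_role_definition" "tf_importer" {
  name        = "terraform-pim-importer"
  scope       = data.azurerm_management_group.mg.id
  description = "Read-only plus the write action required by PIM import"

  permissions {
    actions = [
      "*/read",
      "Microsoft.Authorization/roleAssignments/write",
    ]
  }

  assignable_scopes = [data.azurerm_management_group.mg.id]
}

variable "import_sp_object_id" { type = string } # assumed: object id of the import SP

# Assign the importer role only to the service principal that runs `terraform import`.
resource "azurerm_role_assignment" "tf_importer" {
  scope              = data.azurerm_management_group.mg.id
  role_definition_id = azurerm_role_definition.tf_importer.role_definition_resource_id
  principal_id       = var.import_sp_object_id
}
```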
