You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# Copy-paste your Terraform configurations here - for large Terraform configs,# please use a service like Dropbox and share a link to the ZIP file. For# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorpresource"azuread_application""jfrog" {
display_name ="Artifactory SAML SSO + SCIM"
}
resource"azuread_service_principal""jfrog" {
client_id = azuread_application.jfrog.client_id
}
locals {
scim_groups = [
data.terraform_remote_state.az.outputs.azuread_group_devops,
]
}
resource"azuread_app_role_assignment""jfrog" {
for_each =toset(local.scim_groups[*].object_id)
app_role_id ="18d14569-c3bd-439b-9a66-3a2aee01d14f"
principal_object_id = each.key
resource_object_id = azuread_service_principal.jfrog.object_id
}
I'm able to add / remove groups to my Enterprise Application (so that the group members are able to login via SAML SSO) via my CI/CD pipeline using GitHub Actions by authenticating as a service principal.
This is how it should look like in the end.
The app registration has the Application.ReadWrite.OwnedBy permission.
The service principal uses OIDC to connect to our Azure AD.
Actual Behavior
It all works locally when I run the command as a user.
It does not work when the command runs inside our CI/CD pipeline which is GitHub Actions. Here we're getting the following error.
azuread_app_role_assignment.jfrog["3ef3cd62-73c6-402f-9951-18da865b3776"]: Destroying... [id=ed84d346-a092-46d6-aae2-b04b1da85370/appRoleAssignment/Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA]
╷
│ Error: Deleting app role assignment for resource "ed84d346-a0[9](***/actions/runs/9064212294/job/24920697658?pr=135#step:6:10)2-46d6-aae2-b04b1da85370" with ID "Ys3zPsZzL0CZURjahls3drJmFKwW-iZJp4rq67_hIuA", got status 403
│
│ AppRoleAssignedToClient.BaseClient.Delete(): unexpected status 403 with
│ OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.
Hi @zemirco, thanks for reporting this issue. I couldn't say why the DELETE request is being sent without seeing a copy of the plan for this apply, however you will need to assign the AppRoleAssignment.ReadWrite.All app role to your Terraform service principal in order to manage app role assignments. Unfortunately Application.ReadWrite.xyz is not sufficient - as this is a privileged API that technically permits you to add any API permission for any application.
Community Note
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_app_role_assignment
azuread_service_principal
azuread_application
Terraform Configuration Files
Debug Output
https://gist.github.com/zemirco/07a36d90f68ac65f4ebcbfa420f8a94f
Panic Output
Expected Behavior
I'm able to add / remove groups to my Enterprise Application (so that the group members are able to login via SAML SSO) via my CI/CD pipeline using GitHub Actions by authenticating as a service principal.
This is how it should look like in the end.
The app registration has the
Application.ReadWrite.OwnedBy
permission.The service principal uses OIDC to connect to our Azure AD.
Actual Behavior
It all works locally when I run the command as a user.
It does not work when the command runs inside our CI/CD pipeline which is GitHub Actions. Here we're getting the following error.
Steps to Reproduce
terraform apply
References
The text was updated successfully, but these errors were encountered: