I've been deploying changes for the project I'm working on from my desktop, since it's a startup and I was building everything from scratch (a lot of trial and error, constantly doing terraform apply, etc.), but now that our dev environment is built and we are building our CI/CD, I am building a pipeline for Terraform changes so that we can automate the creation of new resources and remove me as the middleman.
The problem we are hitting is that it seems Terraform does not have sufficient privileges in azure devops to create/update/read information in the child B2C tenant account. It's associated with the main account where all our other infrastructure lives, so I had thought the permissions would cascade for terraform but it appears that is not the case.
My question is: how can I do a terraform plan / terraform apply using Azure DevOps when my Terraform configuration includes the B2C tenant account? I have sufficient privileges to do this locally, so I know it must be possible. I've been looking around but haven't found anything helpful yet. If anyone can even just point me in the right direction for where some resources for resolving this issue might be located, I would appreciate it.
Here is the error I get when TF starts reading the info from the child account:
Error: Retrieving group with object ID: "<id>"
with module.user_management.azuread_group.contributors,
on user_management\main.tf line 9, in resource "azuread_group" "contributors":
9: resource "azuread_group" "contributors"
GroupsClient.BaseClient.Get(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.
Would the solution be to get the az cli and actually log in as a user? This just feels wrong to do, but I'm thinking it should work since it works locally. I just have a feeling this would be a bad practice.
I found a solution for this. What you need to do is create an alias for the azuread provider, and then for your main account you pass the credentials of an application you create with user management access, by setting the client ID and client secret values, and then for the B2C account you do the same thing: set a client ID/secret using an application in the B2C tenant account.
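The provider-alias approach described in the answer above, written out as an added example (this is not the answerer's configuration). The variable names, the module path and the group names are placeholders; the tenant IDs, client IDs and client secrets are assumed to arrive as Terraform variables that the Azure DevOps pipeline sets from secret variables, so nothing sensitive lives in the repository. The second app registration is created inside the B2C tenant itself, which is what avoids the Authorization_RequestDenied 403 from the question: a service principal in the main tenant has no standing in the B2C directory, so it has to be a separate identity with only the Graph permissions the B2C resources need.

```hcl
# Added example of the azuread provider alias pattern; not code from the thread.
# All identifiers below are placeholders. Secrets are supplied through variables
# (e.g. TF_VAR_b2c_client_secret set from an Azure DevOps secret variable).

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

# Credentials for the main tenant (app registration lives in the main tenant).
variable "main_tenant_id" {
  type = string
}
variable "main_client_id" {
  type = string
}
variable "main_client_secret" {
  type      = string
  sensitive = true
}

# Credentials for the B2C tenant (a second app registration created in the
# B2C tenant, scoped to the directory permissions this module actually uses).
variable "b2c_tenant_id" {
  type = string
}
variable "b2c_client_id" {
  type = string
}
variable "b2c_client_secret" {
  type      = string
  sensitive = true
}

# Default provider: authenticates against the main tenant.
provider "azuread" {
  tenant_id     = var.main_tenant_id
  client_id     = var.main_client_id
  client_secret = var.main_client_secret
}

# Aliased provider: the same provider type, authenticated against the B2C tenant.
provider "azuread" {
  alias         = "b2c"
  tenant_id     = var.b2c_tenant_id
  client_id     = var.b2c_client_id
  client_secret = var.b2c_client_secret
}

# A group in the main tenant uses the default (un-aliased) provider.
resource "azuread_group" "platform_contributors" {
  display_name     = "platform-contributors"
  security_enabled = true
}

# A group in the B2C tenant selects the alias explicitly.
resource "azuread_group" "b2c_contributors" {
  provider         = azuread.b2c
  display_name     = "b2c-contributors"
  security_enabled = true
}

# A child module that manages B2C objects receives the aliased provider, so
# every azuread resource inside it talks to the B2C tenant.
module "user_management" {
  source = "./user_management" # placeholder path
  providers = {
    azuread = azuread.b2c
  }
}
```

With this layout the pipeline's service connection is no longer expected to reach into the B2C directory at all: each tenant is addressed by its own application identity, and each identity is granted only the Graph permissions its resources require, which is both the fix for the 403 and the least-privilege shape you want for an automated pipeline.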