Moving subscription to another management group failed #21930
Comments
It happens when removing a subscription from a management group too, while an RBAC assignment with a custom role (a data action is in the role definition) is in place.
I ran into this issue today and found that it doesn't occur if you go into the portal and move the subscription yourself from there. Terraform wants to delete the association before it creates a new one to move the subscription, so the subscription will temporarily reside in the root management group. The custom role doesn't exist at the root management group, which is why the error appears. My half-workaround to this was to use
I think the resource needs to be reworked so that instead of replacing the resource when the management group changes, it will update in place.
I will take a look into this, since we got the error too.
@katbyte @stephybun Sorry for the mention here, but I would like to share my design/idea before starting an implementation. It seems like Azure natively supports moving a subscription to another management group. This is important where a subscription has role assignments with a custom role and the custom role has an assignable scope which is not the Tenant Root. Currently, Terraform tries to remove the management group association, which does work in such a scenario. However, moving a subscription to another management group works without issues. Since a subscription can only be assigned to a management group, I would suggest changing the ID of azurerm_management_group_subscription_association to the subscription's id, e.g. Then, I would remove the ForceNew flag from Would you agree with that proposal?
The issue unfortunately wasn't resolved for me by using I managed to get around the issue using
Note that using the above will not catch any drift introduced by moving the subscription to another management group outside of Terraform. To get around this I've introduced a step in my deployment pipeline, after I apply my Terraform configuration, which verifies that my subscription is associated with the correct management group.
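The pipeline verification step described in the comment above, written out as an added example; it is not code from the thread or from the provider. The management group name "A2", the subscription id and the two JSON samples are constructed, the JSON follows the shape of `az account management-group subscription show` output (an assumption), and the live Azure query only runs when AZ_LIVE is set, so the script also runs offline against the constructed sample.

```shell
#!/usr/bin/env sh
# Added example, not part of the issue thread or the azurerm provider: a post-apply
# drift check that verifies a subscription is still associated with the management
# group Terraform is supposed to keep it in.
#
# Assumptions (constructed for this example): the management group is named "A2",
# the subscription id is a placeholder, and the JSON shape follows the
# `az account management-group subscription show` output, whose resource id has the
# form /providers/Microsoft.Management/managementGroups/<mg>/subscriptions/<sub>.

EXPECTED_MG="A2"
SUB_ID="00000000-0000-0000-0000-000000000000"   # placeholder, not a real subscription

# Print the management group name embedded in a management-group-scoped
# subscription resource id; print nothing if no such id is present.
mg_from_association_json() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's#.*/managementGroups/\([^/"]*\)/subscriptions/[^"]*".*#\1#p'
}

# Compare the parsed management group with the expected one.
# Exit status: 0 = association as expected, 1 = drift, 2 = unparsable input.
verify_association() {
  json="$1"
  expected="$2"
  actual=$(mg_from_association_json "$json")
  [ -n "$actual" ] || return 2
  [ "$actual" = "$expected" ] || return 1
  return 0
}

# Constructed sample: the shape the CLI returns when the subscription sits under A2.
SAMPLE_OK='{
  "displayName": "Sub A",
  "id": "/providers/Microsoft.Management/managementGroups/A2/subscriptions/00000000-0000-0000-0000-000000000000",
  "name": "00000000-0000-0000-0000-000000000000",
  "parent": { "id": "/providers/Microsoft.Management/managementGroups/A2" },
  "state": "Active",
  "type": "Microsoft.Management/managementGroups/subscriptions"
}'

# Constructed sample: someone moved the subscription back under another group (A1)
# outside of Terraform, which is the drift the comment above wants to catch.
SAMPLE_DRIFT='{
  "displayName": "Sub A",
  "id": "/providers/Microsoft.Management/managementGroups/A1/subscriptions/00000000-0000-0000-0000-000000000000",
  "name": "00000000-0000-0000-0000-000000000000",
  "parent": { "id": "/providers/Microsoft.Management/managementGroups/A1" },
  "state": "Active",
  "type": "Microsoft.Management/managementGroups/subscriptions"
}'

# Pipeline step: queries Azure only when AZ_LIVE is set, so the script also runs offline.
# `az ... subscription show` fails when the subscription is not under the named group;
# `|| json=''` turns that failure into the "unparsable" result (status 2) below.
run_pipeline_check() {
  if [ -n "${AZ_LIVE:-}" ]; then
    json=$(az account management-group subscription show \
            --name "$EXPECTED_MG" --subscription "$SUB_ID" -o json 2>/dev/null) || json=''
  else
    json="$SAMPLE_OK"   # offline: exercise the check on the constructed sample
  fi
  if verify_association "$json" "$EXPECTED_MG"; then
    echo "OK: $SUB_ID is under management group $EXPECTED_MG"
  else
    rc=$?
    echo "DRIFT or lookup failure (status $rc): $SUB_ID is not under $EXPECTED_MG" >&2
    return "$rc"
  fi
}

run_pipeline_check
```

In a real pipeline the non-zero exit of `run_pipeline_check` fails the job, which is what makes the drift visible; the lookup is deliberately scoped to the expected group, so a subscription that has been moved anywhere else (including the tenant root group, where the custom role discussed above does not exist) is reported rather than silently accepted.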
I have the same issue. When executing Terraform using my user account it's able to move subscriptions; with a managed identity that has the same permissions as me it fails with
My account and managed identity are Owners of the default management group for subscriptions as well as the management group I'm trying to associate with. Any thoughts on where I'm going wrong?
Terraform Version
1.3.4
AzureRM Provider Version
3.57.0
Affected Resource(s)/Data Source(s)
azurerm_management_group_subscription_association, azurerm_management_group, azurerm_subscription
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
Actual Behaviour
Steps to Reproduce
terraform apply to move "Sub A" to A2 by adding the subscription id using azurerm_management_group, or by updating the management_group_id in azurerm_management_group_subscription_association.
Note: Moving "Sub A" to another management group worked via Azure portal and command line: https://learn.microsoft.com/en-us/cli/azure/account/management-group/subscription?view=azure-cli-latest#az-account-management-group-subscription-add
Important Factoids
No response
References
No response