2.86 requires Microsoft.StoragePool/register/action over subscription

[centreboard]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v1.0.11
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.86.0

Affected Resource(s)

• provider "azurerm"

Terraform Configuration Files

This affects all our configuration, but a simple example is

# Configure the Microsoft Azure Provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "web" {
  name = var.webResourceGroup
}

# Create app insights
resource "azurerm_application_insights" "appinsights" {
  name                = "appi-new-web-app"
  location            = data.azurerm_resource_group.web.location
  resource_group_name = data.azurerm_resource_group.web.location
  application_type    = "web"
}

Debug Output

Panic Output

N/A

Expected Behaviour

• No errors when running as a resource group contributor or owner.

• I shouldn't need to request subscription level permissions for all accounts that might manage terraform for Microsoft.StoragePool when we're not using it. A default of having to apply skip_provider_registration doesn't feel right either.

• If they are needed then should this be added to the release notes: https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v2.86.0

Actual Behaviour

│ Error: Error ensuring Resource Providers are registered.
│
│ Terraform automatically attempts to register the Resource Providers it supports to
│ ensure it's able to provision resources.
│
│ If you don't have permission to register Resource Providers you may wish to use the
│ "skip_provider_registration" flag in the Provider block to disable this functionality.
│
│ Please note that if you opt out of Resource Provider Registration and Terraform tries
│ to provision a resource from a Resource Provider which is unregistered, then the errors
│ may appear misleading - for example:
│
│ > API version 2019-XX-XX was not found for Microsoft.Foo
│
│ Could indicate either that the Resource Provider "Microsoft.Foo" requires registration,
│ but this could also indicate that this Azure Region doesn't support this API version.
│
│ More information on the "skip_provider_registration" flag can be found here:
│ https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#skip_provider_registration
│
│ Original Error: Cannnot register providers: Microsoft.StoragePool. Errors were: Cannot register provider Microsoft.StoragePool with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<client>' with object id '<object guid>' does not have authorization to perform action 'Microsoft.StoragePool/register/action' over scope '/subscriptions/<subscription guid>' or the scope is invalid. If access was recently granted, please refresh your credentials.".
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on infrastructure.tf line 28, in provider "azurerm":
│   28: provider "azurerm" {

Steps to Reproduce

With an account that's an owner or contributor to a resource group

1. terrafrom init --upgrade -> Update from v2.85 to v2.86
2. terraform plan

Important Factoids

References

• New resource azurerm_storage_disks_pool #14145

[tombuildsstuff]

hi @centreboard

Thanks for opening this issue.

Azure's concept of a Resource Provider requires that the Resource Provider is registered before any API's within that Resource Provider can be called. As such, rather than failing during an API call / to improve the user experience Terraform automatically attempts to register any Resource Providers that it supports by default - to ensure that the API's are available when they're needed; and since this list is stored within Terraform, we extend this list from time to time as Terraform is updated to support new functionality (provided in new Resource Providers).

If you'd prefer to manage Resource Provider Registration outside of Terraform (for example you're running in a restricted environment) - it's possible to opt-out of this behaviour by setting this field in the Provider block.

Since this is working as intended I'm going to close this issue for the moment - but please let us know if disabling this functionality doesn't work for you and we'll take another look.

Thanks!

[centreboard]

Hi @tombuildsstuff

Would you recommend following https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#find-resource-provider
and running az resource list -g <existing rg> to find out which providers we're using to then register them like:

resource "azurerm_resource_provider_registration" "example" {
  name = "Microsoft.PolicyInsights"
}

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_provider_registration

For new resource types is there a good way to work out from the docs (e.g. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service) what the provider will be?

Thanks

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.