1

I have two resources azurerm_storage_account and azurerm_cosmosdb_account created in a resource group my-rg.

I also have a azurerm_management_lock set to ReadOnly at my-rg level.

resource "azurerm_storage_account" "main" {
  name                = "my-storage"
  resource_group_name = azurerm_resource_group.main.name 
  ...
}

resource "azurerm_cosmosdb_account" "main" {
  name                = "my-cosmosdb"
  resource_group_name = azurerm_resource_group.main.name
  ...
}

resource "azurerm_resource_group" "main" {
  name     = "my-rg"
  ...
}

resource "azurerm_management_lock" "resource-group-level" {
  name       = "terraform-managed-resources"
  scope      = azurerm_resource_group.main.id
  lock_level = "ReadOnly"
}

When I run terraform apply I run into that errors :

Error: [ERROR] Unable to List Write keys for CosmosDB Account "my-cosmosdb": documentdb.DatabaseAccountsClient#ListKeys: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status= Code="ScopeLocked" Message="The scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg/providers/Microsoft.DocumentDB/databaseAccounts/my-cosmosdb' cannot perform write operation because following scope(s) are locked: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg'. Please remove the lock and try again."

Error: building Queues Client: retrieving Account Key: Listing Keys for Storage Account "my-storage" (Resource Group "my-rg"): storage.AccountsClient#ListKeys: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status= Code="ScopeLocked" Message="The scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/my-storage' cannot perform write operation because following scope(s) are locked: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg'. Please remove the lock and try again."

What should I do in order to allow terraform apply to be run without removing the lock manually?

Note that this is a simplified example and I have many more resources that aren't impacted by this lock. I only have listed the resources involved in the Error log.

Will
  • 1,792
  • 2
  • 23
  • 44

1 Answers1

3

Please check the Considerations before applying your locks.

  • As ,when a ReadOnly lock applied to resource group which is parent to a storage account ,it applies to storage account too.
  • For storage account locked with read only access, List Keys operation is blocked for that account.
  • The operation : List Keys is an HTTPS POST operation, and all POST operations are prevented when a ReadOnly lock is configured for the account.i.e .; Locks prevent the POST method from sending data to the (ARM) API.

When a read-only lock is configured for a storage account, users/client who already have access keys ready can continue to access data but users who don't have the account keys need to use Azure AD credentials to access blob or queue data.

Please check : authorizing-data-operations-when-a-readonly-lock-is-in-effect- Azure Storage | Microsoft Docs for the minimum roles required.

Same may apply to cosmosDB but to ensure try to check list keys in cosmos db by checking if you need to assign Cosmos DB Account Reader role which has Microsoft.DocumentDB/databaseAccounts/readonlykeys/action permissions in it. Manage locks

"permissions": [
    {
      "actions": [
        …
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        …..
      ],

also you can customize actions custom-roles to have Microsoft.DocumentDB/databaseAccounts/listKeys/* action

References:

  1. Azure Cosmos DB read data using role based access control - Stack Overflow
  2. Read-only access to Cosmos DB · Issue · GitHub
kavyaS
  • 8,026
  • 1
  • 7
  • 19