provider "azurerm" {
  features {}
}

data "azurerm_management_group" "management_group" {
  display_name = var.management_group_display_name
}

resource "azurerm_policy_definition" "deployment_policy_definition" {
  name                = "resources-in-eastus-policy"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "Allowed to only deploy in East US location"
  management_group_id = data.azurerm_management_group.management_group.id

  policy_rule = <<POLICY_RULE
{
  "if": {
    "not": {
      "field": "location",
      "in": "[parameters('allowedLocations')]"
    }
  },
  "then": {
    "effect": "audit"
  }
}
POLICY_RULE

  parameters = <<PARAMETERS
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "description": "The list of allowed locations for resources.",
      "displayName": "Allowed locations",
      "strongType": "location"
    }
  }
}
PARAMETERS
}

resource "azurerm_management_group_policy_assignment" "mngmt_grp_dep_pol_assign" {
  name                 = "assign-pol-to-mgmt-grp"
  policy_definition_id = azurerm_policy_definition.deployment_policy_definition.id
  management_group_id  = data.azurerm_management_group.management_group.id
  parameters           = <<PARAMETERS
{
  "allowedLocations": {
    "value": [ "eastus" ]
  }
}
PARAMETERS
}

Error: creating/updating Policy Definition "resources-in-eastus-policy": policy.DefinitionsClient#CreateOrUpdateAtManagementGroup: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'live.com#XXX@gmail.com' with object id '0ab7dad7-dba2-46d9-8cc6-878647e9a5cb' does not have authorization to perform action 'Microsoft.Management/managementGroups/Microsoft.Management/1/Microsoft.Authorization/resources-in-eastus-policy/write' over scope '/providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementGroups/1/providers/Microsoft.Authorization/policyDefinitions' or the scope is invalid. If access was recently granted, please refresh your credentials."

Azure Roles added for the owner/user of the azure-cli [image: Azure Roles Assigned To The User, not preserved]

The ID of the target management group, where I am trying to create and assign the policy under the Tenant Root Group, is 1.


1 Answer


Error:

The client 'live.com#XXX@gmail.com' with object id '0ab7daxxxxxxx-xxxxe9a5cb' does not have authorization to perform action 'Microsoft.Management/managementGroups/Microsoft.Management/1/Microsoft.Authorization/resources-in-eastus-policy/write

  • As the error mentions, the client doesn't have the proper RBAC role to perform policy definition creation on management groups.
  • Try to assign the ObjectId mentioned in the error the proper role, like Management Group Contributor or Management Group Reader.

Note: The principal/user which is deploying must have permissions like Contributor to create resources at the tenant scope, and to assign that permission one must have the Owner role.

Also see the table from management-group-access [image of the table, not preserved].

  • From the management group, go to Access control (IAM) and add your client (user/service principal) to an RBAC role.

Or provide the role through PowerShell:

New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId <objectidofftheclient>

Then wait for some time for the role to be reflected, and then try to create the policy assignment to the management group:


Policy assignment made to management group.


Please make sure the management group is reflected properly and check that the ID is correct in Terraform, if it is already created in the portal. Otherwise, import it using terraform import and then perform the Terraform operations.

  • Thank you Kavya for taking the time to articulate a very detailed response, but the object ID in reference here does have the RBAC permissions (Management Group Contributor, Owner, Contributor, Resource Policy Contributor, User Access Administrator) you have highlighted. The ID of my mgmt group is 1, which is being correctly read. But still 403. The object ID can perform the required actions just fine using the portal. – Surajit Barman Sep 30 '22 at 13:40
  • Azure CLI Details: azure-cli 2.40.0 core 2.40.0 telemetry 1.0.8 Dependencies: msal 1.18.0b1 azure-mgmt-resource 21.1.0b1 – Surajit Barman Sep 30 '22 at 13:44
  • Please check if you are logged into the correct tenant/subscription. Try running `az login --subscription` or check the current tenant details. – kavyaS Oct 04 '22 at 13:35
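An AuthorizationFailed response carries four facts worth pulling apart before changing any roles: which principal was used, which action was denied, at which scope, and the trailing hint "or the scope is invalid". In the error quoted in the question the scope repeats the management group path (`.../managementGroups/providers/Microsoft.Management/managementGroups/1/...`), which is the shape the hint refers to, while the answer and the comments address the other two causes (missing role, wrong tenant). The triage helper below is an added example, not code from the question, the answer, or the azurerm provider; the sample message is constructed from the page's error with the e-mail address and object id replaced by placeholders, and the field names (`scope_valid`, `target_management_group`) and the suggested remediation strings are this example's own.

```python
"""Triage helper for Azure 'AuthorizationFailed' (403) messages.

Decides whether a denied policy-definition write at management group scope
looks like a malformed scope (fix the Terraform input) or a genuine RBAC gap
(assign a role, then refresh credentials), and flags tenant/account questions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the message from the question with the account and
# object id replaced by obvious placeholders.
SAMPLE_ERROR = (
    "Status=403 Code=\"AuthorizationFailed\" Message=\"The client "
    "'live.com#user@example.com' with object id "
    "'00000000-0000-0000-0000-000000000000' does not have authorization to "
    "perform action 'Microsoft.Management/managementGroups/Microsoft.Management"
    "/1/Microsoft.Authorization/resources-in-eastus-policy/write' over scope "
    "'/providers/Microsoft.Management/managementGroups/providers/"
    "Microsoft.Management/managementGroups/1/providers/Microsoft.Authorization/"
    "policyDefinitions' or the scope is invalid. If access was recently "
    "granted, please refresh your credentials.\""
)

# Shape of a well-formed policy-definition scope under a management group.
POLICY_DEF_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/([^/]+)"
    r"/providers/Microsoft\.Authorization/policyDefinitions(?:/[^/]+)?$"
)
AUTH_FAILED = re.compile(
    r"The client '([^']+)' with object id '([^']+)' does not have authorization "
    r"to perform action '([^']+)' over scope '([^']+)'"
)
# Lookahead so overlapping repeats of the management group prefix all count.
MG_PREFIX_HIT = re.compile(r"(?=/providers/Microsoft\.Management/managementGroups/)")


@dataclass
class Triage:
    client: str
    object_id: str
    action: str
    scope: str
    management_groups: List[str]          # every name following 'managementGroups/'
    target_management_group: Optional[str]  # last one, the group actually targeted
    mg_prefix_count: int                  # how often the MG path prefix occurs
    scope_valid: bool
    findings: List[str]


def triage_authorization_failed(message: str) -> Optional[Triage]:
    """Parse an AuthorizationFailed message; None if it does not have that shape."""
    m = AUTH_FAILED.search(message)
    if m is None:
        return None
    client, object_id, action, scope = m.groups()
    mgs = re.findall(r"managementGroups/([^/]+)", scope)
    prefix_count = len(MG_PREFIX_HIT.findall(scope))
    valid = POLICY_DEF_SCOPE.match(scope) is not None

    findings: List[str] = []
    if not valid:
        # A 403 on an invalid scope is not a role problem: the request path is
        # wrong, so check the value fed to management_group_id first.
        findings.append(
            f"scope is not a well-formed policy-definition scope (management group "
            f"path prefix occurs {prefix_count} time(s)); verify the value passed as "
            f"management_group_id in Terraform before assigning more roles"
        )
    else:
        findings.append(
            f"scope is well-formed; confirm a role assignment granting '{action}' "
            f"exists for object id {object_id} at this scope or above, then refresh "
            f"credentials (az login) so the new token carries it"
        )
    if client.startswith("live.com#"):
        findings.append(
            "client is a personal Microsoft account; confirm the CLI is signed in "
            "to the intended tenant (az account show)"
        )
    return Triage(client, object_id, action, scope, mgs,
                  mgs[-1] if mgs else None, prefix_count, valid, findings)


if __name__ == "__main__":
    result = triage_authorization_failed(SAMPLE_ERROR)
    assert result is not None
    print(f"principal: {result.client} ({result.object_id})")
    print(f"action:    {result.action}")
    print(f"scope:     {result.scope}")
    print(f"scope well-formed: {result.scope_valid}; target MG: {result.target_management_group}")
    for f in result.findings:
        print(" -", f)
```

Run against the page's error the helper reports the scope as malformed with the management group prefix occurring twice and the targeted group as `1`, and separately flags the `live.com#` account, which is the tenant question raised in the last comment; a message whose scope matches the expected `.../managementGroups/<name>/providers/Microsoft.Authorization/policyDefinitions` pattern is instead routed to the role-assignment path the answer describes.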