I'm trying to create a minimal CustomRole for running Terraform on my hobby project. One of the first things I'm trying to automate is the creation of a Budget so that I can be sure I get alerted before spending too much money.
The Terraform provider uses the following API: https://docs.microsoft.com/en-us/rest/api/consumption/budgets/createorupdate
My role definition currently looks like the following:
{
  "assignableScopes": [
    "/subscriptions/<redacted>"
  ],
  "description": "Perform only the actions necesary for running Terraform from GitLab CI",
  "id": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/<redacted>",
  "name": "<redacted>",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/budgets/read",
        "Microsoft.Consumption/budgets/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Web/serverfarms/Read",
        "Microsoft.Web/serverfarms/Write",
        "microsoft.insights/actionGroups/read",
        "microsoft.insights/actionGroups/write",
        "microsoft.web/register/action"
      ],
      "dataActions": [ ],
      "notActions": [ ],
      "notDataActions": [ ]
    }
  ],
  "roleName": "my-ci-role",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
However, Terraform is still failing with the following error message:
Service returned an error. Status=401 Code="401" Message="Unauthorized. Request ID: 9e51f598-886e-4d66-a037-b82660a72862"
Some services give information on which permission is missing; unfortunately, this one doesn't, and I have no idea where to find this information.
