In my subscription, I have the Contributor, Resource Policy Contributor, and Security Admin roles at the subscription scope. When I ran the code:
resource "azurerm_subscription_policy_assignment" "mcsb_assignment" {
  name         = "mcsb"
  display_name = "Microsoft Cloud Security Benchmark"
  # Built-in initiative (policy set definition) for the Microsoft Cloud Security Benchmark
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
  # Scope must be the full subscription resource ID, not the bare GUID
  subscription_id = "/subscriptions/${var.subscription_id}"
}
It returned the error below:
Error: creating Scoped Policy Assignment (Scope: "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-2bcc3b93e5db"
│ Policy Assignment Name: "mcsb"): unexpected status 403 with error: AuthorizationFailed: The client 'xxxxxxxx-xxxx-490f-xxxx-75417f195cee' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-75417f195cee' does not have authorization to perform action 'Microsoft.Authorization/policyAssignments/write' over scope '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-2bcc3b93e5db/providers/Microsoft.Authorization/policyAssignments/mcsb' or the scope is invalid. If access was recently granted, please refresh your credentials.
Any suggestion as to what other permission I am missing?
Thanks,
Bill