
user permissions error #3323

Closed
pselmani opened this issue Mar 7, 2023 · 4 comments
Labels
question Further information is requested

Comments

@pselmani

pselmani commented Mar 7, 2023

Hi,

I have created an AD Domain Services TF module and integrated it with Core. It picks it up and terraform validate works when I run make deploy-core, but it fails at the last hurdle with the error below. Which user is it referring to, as I can't find it in AD?

I have done az login beforehand and I can create AD Domain Services through the Portal, so it seems to be using some different account.

[image]

Thanks

@pselmani
Author

pselmani commented Mar 7, 2023

I have checked all the User IDs and Enterprise Application IDs, but can't find the user it's referring to.

@marrobi marrobi added the question Further information is requested label Mar 8, 2023
@marrobi
Member

marrobi commented Mar 8, 2023

Firstly, I would avoid modifying core, and instead try to use shared services or create a feature request and discuss making the changes upstream. The reason being that your changes can block upgrades to future releases we make.

Where are you executing the command from? Unless you have ARM_CLIENT_ID set, terraform should use your Azure CLI login. Are you searching for the object ID in the correct tenant?
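To check which identity Terraform will run as before chasing an object ID, here is an added diagnostic helper (not AzureTRE code) that follows the rule stated above: ARM_CLIENT_ID present means a service principal, otherwise the Azure CLI login. The ARM_USE_MSI branch and the use of az ad sp show / az account show are my assumptions, not from the thread.

```shell
#!/usr/bin/env sh
# Constructed helper (not part of AzureTRE): report which identity the azurerm
# Terraform provider will authenticate as, so a permissions error can be checked
# against the right principal and tenant.

# Pure decision from the ARM_* environment variables (no network calls).
# Prints "service-principal", "managed-identity" or "azure-cli".
tf_auth_source() {
  if [ -n "${ARM_CLIENT_ID:-}" ]; then
    echo "service-principal"
  elif [ "${ARM_USE_MSI:-false}" = "true" ]; then
    # Assumption: ARM_USE_MSI=true selects a managed identity on the host.
    echo "managed-identity"
  else
    echo "azure-cli"
  fi
}

# Look the principal up with the Azure CLI so its object ID and tenant are visible.
# Azure permission errors normally quote the object ID, not the app (client) ID.
tf_whoami() {
  case "$(tf_auth_source)" in
    service-principal)
      echo "Terraform will use service principal appId=${ARM_CLIENT_ID} (tenant: ${ARM_TENANT_ID:-from az login})"
      # Older Azure CLI versions expose the object ID as objectId instead of id.
      az ad sp show --id "$ARM_CLIENT_ID" \
        --query '{displayName:displayName, objectId:id, appId:appId}' -o table
      ;;
    managed-identity)
      echo "Terraform will use the host managed identity (ARM_USE_MSI=true)"
      ;;
    azure-cli)
      echo "Terraform will reuse the Azure CLI login:"
      az account show --query '{user:user.name, tenant:tenantId, subscription:name}' -o table
      ;;
  esac
}

# Run the lookup only when invoked with --run, e.g. from the shell where 'make deploy-core' is run.
if [ "${1:-}" = "--run" ]; then
  tf_whoami
fi
```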

@pselmani
Author

pselmani commented Mar 8, 2023

Thank you for your response.

That does make sense about core; it did cross my mind. Our challenge is that TRE will be deployed to a new Subscription but will need to make use of an existing AD Domain Services (due to AVD). So I'm not sure to what extent it needs to be integrated into the TRE framework, or whether it can stay completely out of its scope.

With regard to the error, 'ARM_CLIENT_ID' pointed me to the correct Service Principal; thanks again.

@marrobi
Member

marrobi commented Mar 8, 2023

In this scenario I'd keep ADDS completely separate, typically part of the customer landing zone. The TRE networks can peer to the network that ADDS sits in. The peer can be added in separate TF state.

We do similar in our workspaces:

```hcl
resource "azurerm_virtual_network_peering" "ws_core_peer" {
  name                      = "ws-core-peer-${local.workspace_resource_name_suffix}"
  resource_group_name       = var.ws_resource_group_name
  virtual_network_name      = azurerm_virtual_network.ws.name
  remote_virtual_network_id = data.azurerm_virtual_network.core.id
}

moved {
  from = azurerm_virtual_network_peering.ws-core-peer
  to   = azurerm_virtual_network_peering.ws_core_peer
}

resource "azurerm_virtual_network_peering" "core_ws_peer" {
  name                      = "core-ws-peer-${local.workspace_resource_name_suffix}"
  resource_group_name       = local.core_resource_group_name
  virtual_network_name      = local.core_vnet
  remote_virtual_network_id = azurerm_virtual_network.ws.id
}

moved {
  from = azurerm_virtual_network_peering.core-ws-peer
  to   = azurerm_virtual_network_peering.core_ws_peer
}
```

As for AVD, I don't believe ADDS is a prerequisite any more; it will work with Azure AD.

He had this set up as a PoC - see pull request here - #1865

This is in Bicep, we would likely use terraform going forward to be consistent.

We don't have any production AVD customers as far as I am aware, due to the issue identified here - #1865 (comment). Also, AVD does not support AD guests (researchers are usually guests), or Linux VMs.

If you want to try to do a PR to integrate AVD, happy to help, as it's something that often comes up.

@pselmani pselmani closed this as completed Apr 4, 2023