I am trying to create an Azure static web app with Terraform. I want it to connect to an Azure pipeline.
Here is the code in Terraform:
    resource "azurerm_static_web_app" "restrictedarea_stapp" {
      name                = "${var.env_prefix}-restrictedarea-stapp-westeu"
      resource_group_name = azurerm_resource_group.restrictedarea_rg.name
      location            = azurerm_resource_group.restrictedarea_rg.location
      sku_tier            = "Free"
      sku_size            = "Free"

      tags = {
        Source = var.iac
      }

      repository_url    = "https://dev.azure.com/xxxxx"
      repository_branch = var.env_prefix
      repository_token  = "8JNNF9VpMIrtGxwkVoY4BtD04Hemes0KNXgb7FINYvlqxsFujsbFJQQJ99BEACAAAAAjYyruAAASAZDO2MRw"
    }
There is no error during planning on Terraform Cloud, but I get this error when I try to apply the updates:
Error: creating Static Site (Subscription: "xxxxx" Resource Group Name: "dev-restrictedarea-rg-westeu" Static Site Name: "dev-restrictedarea-stapp-westeu"): performing CreateOrUpdateStaticSite: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"Secret Variable is invalid. You do not have permission to create a Variable Group within library. You need to belong to Creator role within the library in order to do this","Target":null,"Details":[{"Message":"Secret Variable is invalid. You do not have permission to create a Variable Group within library. You need to belong to Creator role within the library in order to do this"},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"51021","MessageTemplate":"{0} is invalid. {1}","Parameters":["Secret Variable","You do not have permission to create a Variable Group within library. You need to belong to Creator role within the library in order to do this"],"Code":"BadRequest","Message":"Secret Variable is invalid. You do not have permission to create a Variable Group within library. You need to belong to Creator role within the library in order to do this"}}],"Innererror":null}
So I checked permissions on Azure DevOps. I opened my project and went to the pipeline -> library section. I clicked on the Security button and set the required permission:
I have tried both the administrator and creator roles. Terraform is the Service Principal I use to connect Terraform Cloud to Azure for creating resources:
Still the same error...
What am I missing? Perhaps I am using the wrong user? Do I need to create a new one with other permissions?
Thank you for the support.
Error: creating Static Site (Subscription: "xxxxx" Resource Group Name: "dev-restrictedarea-rg-westeu" Static Site Name: "dev-restrictedarea-stapp-westeu"): performing CreateOrUpdateStaticSite: unexpected status 400 (400 Bad Request) with response: {"Code":"BadRequest","Message":"Secret Variable is invalid. You do not have permission to create a Variable Group within library. You need to belong to Creator role within the library in order to do
I also got the same error when trying to create an Azure static web app with Terraform and connect it to an Azure DevOps pipeline.
To resolve the issue, I added the Variable Group scope to the PAT in Azure DevOps (in my case, the PAT is the repository token), as shown below:
After adding the required scopes, the terraform apply command ran successfully without any issues.
Below Azure pipeline:
Azure Output:
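The resource from the question with the PAT supplied through a sensitive input variable instead of a literal in the configuration. This is an added example, not code from either post; the variable name `azdo_pat` is hypothetical, and `var.env_prefix`, `var.iac` and the resource group are assumed to be declared as in the question's configuration.

```hcl
# Added example. "azdo_pat" is a hypothetical variable name.
variable "azdo_pat" {
  description = "Azure DevOps PAT used as repository_token; it needs the Variable Group scope described in the answer."
  type        = string
  sensitive   = true # value is redacted in plan and apply output

  # No default on purpose: set it as a sensitive workspace variable in
  # Terraform Cloud, or through the TF_VAR_azdo_pat environment variable.

  validation {
    condition     = length(trimspace(var.azdo_pat)) > 0
    error_message = "The azdo_pat value must not be empty."
  }
}

resource "azurerm_static_web_app" "restrictedarea_stapp" {
  name                = "${var.env_prefix}-restrictedarea-stapp-westeu"
  resource_group_name = azurerm_resource_group.restrictedarea_rg.name
  location            = azurerm_resource_group.restrictedarea_rg.location
  sku_tier            = "Free"
  sku_size            = "Free"

  tags = {
    Source = var.iac
  }

  repository_url    = "https://dev.azure.com/xxxxx"
  repository_branch = var.env_prefix

  # The token no longer appears in the .tf files or in CLI output.
  # It is still written to the Terraform state, so access to the
  # state has to be restricted as well.
  repository_token = var.azdo_pat
}
```

A token that has already appeared in a configuration file or a public post should be revoked in Azure DevOps and replaced with a new one carrying only the scopes the deployment needs.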