0

I am trying to run a minimalistic terraform code in Azure functions. The terraform code will create some azure resources as part of its execution. I am trying to authenticate terraform using the user-assigned-managed-identity of Azure function app. I tried following the docs Managed Service Identity and Terraform to setup the authentication. But somehow terraform is still going to the CLI auth and asking for user credentials. I have set all the required variables as part of my terraform backend config like use_msi, client_id, subscription_id and tenant_id. The managed identity has all the permissions required to create terraform resources.

Need some pointers on how to debug the issue here. Can someone point me to the source code of terraform where its verifying MSI auth? It could give some information about any config that I might be missing.

Terraform init is running with arguments as below:

Running terraform command: init with args: () kwargs: {'no_color': None, 'backend_config': {'container_name': 'xyz', 'key': 'terraform.tfstate', 'storage_account_name': 'xyz', 'use_msi': 'true', 'client_id': '***', 'subscription_id': '***', 'tenant_id': '***', 'msi_endpoint': 'http://a.b.c.d:8081/msi/token'}}

Seeing below error.

ERROR Terraform init stderr: Error: Error building ARM Config: obtain subscription(***) from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

I verified that the function app is able to hit the MSI endpoint. Before running terraform code, I need access to storage account to fetch some config and its able to fetch that using managed identity. I can see logs where we are hitting msi-endpoint to get the token to access storage account.

Improve this question
2
  • Could you please paste some repro steps/ code ? thanks Commented Feb 7 at 10:23
  • I have added (see ques) the terraform init command thats getting executed. Commented Feb 7 at 10:51

1 Answer 1

Reset to default
0

Authenticate terraform using Azure AD user assigned managed identity

Issue seems to be with the way you authenticate check all the environment variables provided are assigned with correct input.

As per terraform documentation the user managed identiry should also need necessary permission as with contributor level so that it will be able to provision the required.

Also check your using latest version of terraform provider so that any features missing can avoided.

Sample configuration with proper inputs:

provider "azurerm" {
  features {}
  subscription_id = "subscription_id"
}

terraform {
  backend "azurerm" {
    resource_group_name  = "vinay-rg"
    storage_account_name = "testsasdasfaspp"
    container_name       = "test"
    key                  = "terraform.tfstate"

    use_msi          = true
    client_id = "client_id"
    subscription_id     = "subscription_id"
    tenant_id           = "tenant_id"
    msi_endpoint     = "URL"
  }
}

enter image description here

If the issue still persists you can check the preexisting login using command

az account show

and followed by clearing them using the command

az logout

Refer:

Deploying a VM with managed identity using Terraform on Azure fails - Stack Overflow answered by jahnavi

Terraform: Error building ARM Config - Authenticating using the Azure CLI is only supported - Stack Overflow answered by quadroid

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Yes, I am setting all the env variables correctly. Infact my backend config looks exactly same as yours. Just want to quickly check, when did you ran your code? Is it in local env? Can you confirm if you are not logged in as azure user in your terminal? If you are already logged in as azure user, it won't complain anything and might have just picked your credentials from CLI instead of using MSI

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.