Open philo2017 opened 1 week ago
This is a known issue with the azapi provider when running on an Azure VM. You can set the env var `$env:ARM_USE_MSI = $false` as a workaround for now. Here is the issue, it is fixed in v2.0 of AzAPI: https://github.com/Azure/terraform-provider-azapi/issues/551
We'll update the bootstrap to target v2.0 when it goes GA (imminent), so will leave this issue open to track that.
Have added the env variable and get a different error message ...

```
│ Error: GET https://api.github.com/orgs/mmmm : 401 Bad credentials []
│
│   with module.github.data.github_organization.alz,
│   on ....\modules\github\data.tf line 1, in data "github_organization" "alz":
│    1: data "github_organization" "alz" {
│
```

I have added a GITHUB_TOKEN which works to my environment vars, to no avail.
Is there an existing issue for this?
Infrastructure as Code Type? (Required)
terraform
Module Versions (Required)
ALZ PowerShell Module: latest
Accelerator Bootstrap Modules: latest
Terraform Starter Modules: latest
Bicep Starter Modules: x.x.x

When trying to run the deploy-accelerator command from an Azure virtual machine, the code is trying to use the managed identity of the virtual machine to authenticate and not the provided az-cli details. `az account show` provides the correct details for the tenant \ subscription; however, deployment fails stating there is a cross-tenant token issuer problem.
Input arguments of the ALZ-PowerShell-Module (Optional)
No response
Debug Output/Panic Output (Optional)
No response
Expected Behaviour (Required)
Script should have run and produced required outputs
Actual Behaviour (Required)
Script errors, appears to be trying to use token from tenant VM resides in, so I assume it's managed identity.

```
│ Error: Failed to perform action
│
│   with data.azapi_resource_action.locations,
│   on main.tf line 12, in data "azapi_resource_action" "locations":
│   12: data "azapi_resource_action" "locations" {
│
│ performing action locations of "Resource: (ResourceId \"/subscriptions/mysubscriptiontenant\" / Api Version
│ \"2022-12-01\")": GET https://management.azure.com/subscriptions/mysubscriptiontenant/locations
│ --------------------------------------------------------------------------------
│ RESPONSE 401: 401 Unauthorized
│ ERROR CODE: InvalidAuthenticationTokenTenant
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "InvalidAuthenticationTokenTenant",
│     "message": "The access token is from the wrong issuer 'https://sts.windows.net/virtualmachinetenantid/'. It must match the tenant 'https://sts.windows.net/mysubscriptiontenant/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/fmysubscriptiontenant' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
│   }
│ }
```
Steps to Reproduce (Optional)
No response
Important Factoids (Optional)
No response
References (Optional)
No response
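
The `InvalidAuthenticationTokenTenant` error above is a mismatch between the tenant that issued the access token and the tenant that owns the subscription. The following is an added diagnostic example, not part of this thread or of the ALZ PowerShell module: it decodes a token's claims and compares its tenant with the expected one. The function names (`Get-JwtPayload`, `Test-TokenTenant`, `New-SampleToken`) and the tenant GUIDs are hypothetical, and the sample tokens are constructed and unsigned so the check runs offline.

```powershell
# Added diagnostic sketch: function names and tenant GUIDs are hypothetical.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT (expected header.payload.signature)' }
    # JWT segments are base64url without padding; convert to standard base64.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TokenTenant {
    param([Parameter(Mandatory)][string]$Token,
          [Parameter(Mandatory)][string]$ExpectedTenantId)
    $claims = Get-JwtPayload -Token $Token
    [pscustomobject]@{
        Issuer         = $claims.iss
        TokenTenant    = $claims.tid
        ExpectedTenant = $ExpectedTenantId
        Match          = ($claims.tid -eq $ExpectedTenantId)
    }
}

# Builds an unsigned, constructed token so the check runs offline.
function New-SampleToken {
    param([Parameter(Mandatory)][string]$TenantId)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $payload = @{ iss = "https://sts.windows.net/$TenantId/"; tid = $TenantId } | ConvertTo-Json -Compress
    '{0}.{1}.' -f (& $enc '{"alg":"none","typ":"JWT"}'), (& $enc $payload)
}

$vmTenant  = '11111111-1111-1111-1111-111111111111'  # constructed: tenant the VM lives in
$subTenant = '22222222-2222-2222-2222-222222222222'  # constructed: tenant of the target subscription
Test-TokenTenant -Token (New-SampleToken $vmTenant)  -ExpectedTenantId $subTenant
Test-TokenTenant -Token (New-SampleToken $subTenant) -ExpectedTenantId $subTenant

# Against a live session, substitute real values:
#   $subTenant = az account show --query tenantId -o tsv
#   $cliToken  = az account get-access-token --query accessToken -o tsv
#   $msiToken  = (Invoke-RestMethod -Headers @{ Metadata = 'true' } -Uri `
#       'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/').access_token
```

Treat any real token as a secret: display only the decoded `iss` and `tid` values, never the token string itself.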