Azure / ALZ-PowerShell-Module

The Azure Landing Zones Accelerators PowerShell module
https://www.powershellgallery.com/packages/ALZ/
MIT License

Bug: When trying to execute from an Azure Virtual Machine the Azapi wants to use the Managed Identity of the Vm not the AZ-CLI creds #213

Open philo2017 opened 1 week ago

philo2017 commented 1 week ago

Is there an existing issue for this?

Infrastructure as Code Type? (Required)

terraform

Module Versions (Required)

ALZ PowerShell Module: latest
Accelerator Bootstrap Modules: latest
Terraform Starter Modules: latest
Bicep Starter Modules: x.x.x

When trying to run the deploy-accelerator command from an Azure virtual machine, the code is trying to use the managed identity of the virtual machine to authenticate and not the provided az-cli details. `az account show` provides the correct details for the tenant/subscription; however, deployment fails stating there is a cross-tenant token issuer problem.

Input arguments of the ALZ-PowerShell-Module (Optional)

No response

Debug Output/Panic Output (Optional)

No response

Expected Behaviour (Required)

Script should have run and produced the required outputs.

Actual Behaviour (Required)

Script errors appear to be trying to use a token from the tenant the VM resides in, so I assume it's the managed identity.

│ Error: Failed to perform action
│
│   with data.azapi_resource_action.locations,
│   on main.tf line 12, in data "azapi_resource_action" "locations":
│   12: data "azapi_resource_action" "locations" {
│
│ performing action locations of "Resource: (ResourceId \"/subscriptions/mysubscriptiontenant\" / Api Version
│ \"2022-12-01\")": GET https://management.azure.com/subscriptions/mysubscriptiontenant/locations
│ --------------------------------------------------------------------------------
│ RESPONSE 401: 401 Unauthorized
│ ERROR CODE: InvalidAuthenticationTokenTenant
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "InvalidAuthenticationTokenTenant",
│     "message": "The access token is from the wrong issuer 'https://sts.windows.net/virtualmachinetenantid/'. It must match the tenant 'https://sts.windows.net/mysubscriptiontenant/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/fmysubscriptiontenant' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
│   }
│ }

Steps to Reproduce (Optional)

No response

Important Factoids (Optional)

No response

References (Optional)

No response

jaredfholgate commented 4 days ago

This is a known issue with the azapi provider when running on an Azure VM. You can set the env var $env:ARM_USE_MSI = $false as a workaround for now. Here is the issue; it is fixed in v2.0 of AzAPI: https://github.com/Azure/terraform-provider-azapi/issues/551

We'll update the bootstrap to target v2.0 when it goes GA (imminent), so will leave this issue open to track that.
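The following is an added example, not code from the ALZ module or from either commenter. It turns the workaround above into a pre-flight script for a session on an Azure VM: it reads the Azure CLI context, disables managed identity authentication with `ARM_USE_MSI`, and pins the tenant and subscription so the provider cannot silently fall back to the VM's identity. `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` are the standard provider environment variables, assumed here since the thread does not mention them; the final check that the CLI token's issuing tenant matches the subscription's tenant is exactly the condition the 401 `InvalidAuthenticationTokenTenant` response complains about.

```powershell
# Added example (not from the ALZ module or the issue thread): run this in the
# same PowerShell session before Deploy-Accelerator on an Azure VM, so that
# Terraform/AzAPI authenticates with the Azure CLI login rather than the VM's
# managed identity.
# Assumptions: 'az' is installed and already logged in to the intended tenant;
# ARM_TENANT_ID / ARM_SUBSCRIPTION_ID follow the usual provider conventions
# (they are not mentioned in the thread).

$ErrorActionPreference = 'Stop'

# The Azure CLI context is the identity we actually want Terraform to use.
$account = az account show --output json | ConvertFrom-Json
if (-not $account) {
    throw "No Azure CLI context found; run 'az login --tenant <tenant-id>' first."
}

# Workaround from the comment above: stop the provider from using the VM's
# managed identity, and pin tenant/subscription to the CLI context explicitly.
$env:ARM_USE_MSI         = 'false'
$env:ARM_TENANT_ID       = $account.tenantId
$env:ARM_SUBSCRIPTION_ID = $account.id

# Sanity check: the token the CLI hands out must be issued by the same tenant
# that owns the subscription, otherwise ARM answers 401 InvalidAuthenticationTokenTenant.
$token = az account get-access-token --resource https://management.azure.com/ --output json |
    ConvertFrom-Json
if ($token.tenant -ne $account.tenantId) {
    throw "CLI token is from tenant $($token.tenant) but subscription $($account.id) belongs to tenant $($account.tenantId)"
}

Write-Host "Terraform will use tenant $($account.tenantId), subscription $($account.id) (ARM_USE_MSI=$env:ARM_USE_MSI)"
# Now invoke Deploy-Accelerator with your usual parameters in this same session;
# environment variables set here are inherited by the Terraform process it starts.
```

The check is deliberately placed before the deployment rather than relying on the eventual Terraform error, because the 401 above surfaces only after the bootstrap has already started and leaves a half-initialised run to clean up.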

philo2017 commented 3 hours ago

Have added the env variable and get a different error message ...

│ Error: GET https://api.github.com/orgs/mmmm : 401 Bad credentials []
│
│   with module.github.data.github_organization.alz,
│   on ....\modules\github\data.tf line 1, in data "github_organization" "alz":
│   1: data "github_organization" "alz" {
│

I have added a GITHUB_TOKEN, which works, to my environment vars, to no avail.