Azure / CloudShell

Container Image for Azure Cloud Shell (https://azure.microsoft.com/en-us/features/cloud-shell/)
https://shell.azure.com
MIT License

[BUG] Cloud Shell fails to run Terraform Azure AD 2.x (using MS Graph) due to MSI error #112

Open marcosgm opened 3 years ago

marcosgm commented 3 years ago

To Reproduce

system@Azure:~/cloudshell_msgraph$ cat main.tf
provider "azuread" {
}

data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}
system@Azure:~/cloudshell_msgraph$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/azuread...
- Installing hashicorp/azuread v2.6.0...
- Installed hashicorp/azuread v2.6.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
system@Azure:~/cloudshell_msgraph$ terraform apply
╷
│ Error: could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint: received HTTP status 404
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 1, in provider "azuread":
│    1: provider "azuread" {
│
╵

Observed Behavior

│ Error: could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint: received HTTP status 404

Expected behavior

I'm Global Admin, and I was able to use Terraform with AzureAD 1.x modules ( using the old Active Directory Graph API). According to the TF upgrade guide, no special actions must be taken when using Azure CLI authentication https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/microsoft-graph

Is this specific to Cloud Shell?

Yes. Azure CLI from a workstation works fine. Using Cloud Shell with default credentials doesn't work with the MS Graph API, it seems.

marcosgm commented 3 years ago

To disable MSI authentication you have to unset the MSI_ENDPOINT variable:

unset MSI_ENDPOINT

That allows Terraform to perform API calls to MS Graph inside Cloud Shell.
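A wrapper that automates the workaround from the comment above, as an added example that is not part of the issue or of the Azure/CloudShell project. It probes the Cloud Shell token service for a Microsoft Graph token before Terraform starts and, when that probe does not return 200 (the 404 reported in this issue), removes MSI_ENDPOINT and MSI_SECRET from the current shell so the azuread provider falls back to Azure CLI credentials. Assumptions, labelled in the code: the probe request shape (POST body resource=<audience> with a Metadata: true header) follows the form documented for Cloud Shell's local token service, MSI_SECRET is the companion variable Cloud Shell exports, and the provider only tries MSI when MSI_ENDPOINT is set. GRAPH_RESOURCE, msi_probe_status, apply_auth_decision and TF_AUTH_MODE are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the issue author or the Azure/CloudShell project).
# Assumptions, not confirmed by the issue: Cloud Shell publishes a local token
# service in MSI_ENDPOINT (plus MSI_SECRET), that service accepts the request
# shape documented for Cloud Shell ("resource=<audience>" POST body and a
# "Metadata: true" header), and the azuread provider only attempts MSI when
# MSI_ENDPOINT is set. The token itself is discarded; only the status is used.

GRAPH_RESOURCE="https://graph.microsoft.com/"

# msi_probe_status RESOURCE: ask the MSI endpoint for a token for RESOURCE and
# print only the HTTP status code (curl prints 000 when it cannot connect).
msi_probe_status() {
  resource="$1"
  curl -s -o /dev/null -w '%{http_code}' \
    -H 'Metadata: true' \
    --data "resource=${resource}" \
    "${MSI_ENDPOINT}" 2>/dev/null || true
}

# apply_auth_decision STATUS: keep MSI only when the probe returned 200.
# Any other status (404 in this issue, 000 when unreachable) drops
# MSI_ENDPOINT/MSI_SECRET from this shell so the provider falls back to the
# Azure CLI credentials. The choice is recorded in TF_AUTH_MODE.
apply_auth_decision() {
  case "$1" in
    200)
      TF_AUTH_MODE=msi
      ;;
    *)
      TF_AUTH_MODE=cli
      unset MSI_ENDPOINT MSI_SECRET
      ;;
  esac
}

# Entry point: probe only when the environment actually carries MSI_ENDPOINT
# (a workstation without it already uses the CLI path and needs no change).
if [ -n "${MSI_ENDPOINT:-}" ]; then
  apply_auth_decision "$(msi_probe_status "$GRAPH_RESOURCE")"
else
  TF_AUTH_MODE=cli
fi
echo "azuread provider will authenticate via: $TF_AUTH_MODE"
```

Because `unset` only affects the shell that runs it, source the script rather than executing it (`. ./graph_auth_check.sh && terraform apply`); run as a child process it would only fix its own environment and Terraform would still see MSI_ENDPOINT. Note that unsetting the variable also affects anything else in that session that relied on Cloud Shell's token service, so scope it to the Terraform session.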