Closed wtomaz808 closed 1 year ago
Hi @wtomaz808, thanks for reporting this issue. Please can you advise which authentication method you are using? Can you also try with the latest provider version (v2.43.0) and advise if you're still getting this error? We may need to see a full debug log in order to determine the cause of the error - if this is the case you will be able to submit it privately as needed. Thanks!
This is happening in Azure US Gov. I have tried provider version v2.43.0 as well and still have the issue. Terraform version: Terraform v1.6.1 on windows_amd64
```text
azuread_group.test_engineering: Creating...
╷
│ Error: Could not retrieve calling principal object "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│
│   with azuread_group.test_engineering,
│   on main2.tf line 34, in resource "azuread_group" "test_engineering":
│   34: resource "azuread_group" "test_engineering" {
│
│ DirectoryObjects.BaseClient.Get(): unexpected status 302 received with no body
```
I am authenticating via Azure Active Directory. I am using/signed in with an identity that has GA access to the tenant & sub. This is an internal MSFT custom domain, xxxx.onmicrosoft.us, in Azure US Gov.
I have read there is a compatibility issue with Azure Graph in Azure Gov (??)
@wtomaz808 Thanks for the info. Usage of the provider in all US Gov environments is supported.
It sounds like you're authenticating with a user account via Azure CLI - I'll look into the code and see if I can spot a likely root cause of this error.
It looks like you're getting a 302 response from the API, with no Location header. We've seen this recently with a couple different endpoints. This is an undocumented (and noncompliant) response and it's unclear what the provider is supposed to do here. I'll reach out to the service team to try and get some clarification.
I was able to deploy the resources (Azure Entra ID security group) by altering my versions.tf file to the following...
```hcl
# Requires a data "azurerm_client_config" "current" {} block elsewhere in the configuration.
provider "azuread" {
  environment = "usgovernment"
  tenant_id   = data.azurerm_client_config.current.tenant_id
  client_id   = data.azurerm_client_config.current.client_id
}
```
It appears that I had to tell this individual provider that the environment is the usgovernment cloud, which I assumed was getting configured in my environment variable for the azurerm provider. This is something I did not have to do in Azure commercial.
@wtomaz808 Thanks for the feedback. How are you setting the environment for AzureRM? You can set the ARM_ENVIRONMENT environment variable and it should be picked up by both providers. Similarly, you can set the ARM_TENANT_ID environment variable to specify your tenant, and ARM_CLIENT_ID for your client ID. If you're setting these directly in the provider block, then you'll have to set them for each provider individually.
Are you using service principal authentication?
Here is my azureRM block...

```hcl
provider "azurerm" {
  environment                = "usgovernment"
  skip_provider_registration = true
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}
```
So you are suggesting replacing `environment` with ARM_Environment, and that variable setting will "carry over" to the azureAD provider, as well as all other providers? That is very useful to know.
We intentionally consume the same environment variables in both the AzureRM and AzureAD providers (links to arguments for reference), to help simplify practitioners' configurations. On most platforms the env vars must be uppercased, e.g. ARM_ENVIRONMENT.
If you're using Azure CLI authentication, you'll want to omit the client_id argument in the AzureAD provider block. It'll work as long as you configure the correct client ID for Azure CLI, but it's easiest to just leave it out. We recommend setting tenant_id (or environment variable ARM_TENANT_ID) in all cases for predictability.
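The failure mode in this thread, as an added example that is not code from the issue or from either provider: the azurerm block pins `environment = "usgovernment"`, the azuread block does not, and no ARM_ENVIRONMENT is exported, so azuread silently talks to the public cloud. The preflight below resolves the environment for each provider the way the providers do (explicit argument, then ARM_ENVIRONMENT, then the public-cloud default) and fails if any provider does not land on the expected cloud. The `environment` argument, the ARM_ENVIRONMENT variable and the default values (`public` for azurerm, `global` for azuread) are the providers' real ones; the function names, messages and the sample `versions.tf` are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the providers): run before `terraform plan`
# in a US Government tenant to catch one provider falling back to the public cloud.

# check_cloud_environment <dir> <expected-environment>
# Prints one line per provider; returns 0 only if every provider resolves to
# <expected-environment>.
check_cloud_environment() {
    dir="$1"
    expected="$2"
    rc=0
    for prov in azurerm azuread; do
        # Pull `environment = "..."` out of this provider's block. Nested blocks
        # such as features {} are indented, so a `}` in column 0 ends the block.
        explicit=$(awk -v p="$prov" '
            $0 ~ "^provider \"" p "\"" { inblk = 1; next }
            inblk && /^}/ { inblk = 0 }
            inblk && /^[[:space:]]*environment[[:space:]]*=/ {
                sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
            }' "$dir"/*.tf)
        if [ -n "$explicit" ]; then
            resolved="$explicit"; origin="provider block"
        elif [ -n "${ARM_ENVIRONMENT:-}" ]; then
            resolved="$ARM_ENVIRONMENT"; origin="ARM_ENVIRONMENT"
        else
            # Neither set: azurerm defaults to "public", azuread to "global";
            # both mean the commercial cloud, reported here as "public".
            resolved="public"; origin="default (nothing set)"
        fi
        if [ "$resolved" = "$expected" ]; then
            echo "OK   $prov -> $resolved ($origin)"
        else
            echo "FAIL $prov -> $resolved ($origin); expected $expected"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample mirroring the thread: environment pinned on azurerm only.
write_sample_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/versions.tf" <<'EOF'
provider "azurerm" {
  environment = "usgovernment"
  features {}
}

provider "azuread" {
  tenant_id = data.azurerm_client_config.current.tenant_id
}
EOF
}
```

Usage: `check_cloud_environment . usgovernment` in the Terraform working directory. With nothing exported it reports `FAIL azuread -> public (default (nothing set))`; after `export ARM_ENVIRONMENT=usgovernment` both providers pass, which is the single-setting approach the maintainer recommends over repeating `environment` in every provider block.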
Affected Resource(s)
azuread_group
Terraform Configuration Files
```hcl
resource "azuread_group" "test_managers" {
  display_name     = "Education - Managers"
  security_enabled = true
}
```

```hcl
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

terraform {
  required_version = ">= 1.3"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.40"
    }
    azurerm = {
      # source/version not shown in the issue
    }
  }
}

# Azure Region Lookup
# ----------------------------------------------------------

# Azurerm provider configuration
provider "azurerm" {
  environment                = "usgovernment"
  skip_provider_registration = true
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}
```
Expected Behavior
Create Azure AD security groups.
Steps to Reproduce
Log into Azure Gov (this issue is in Azure Gov).