hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Azure US Gov error: resource azuread_group error: Error: Could not retrieve calling principal object "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #1210

Closed wtomaz808 closed 1 year ago

wtomaz808 commented 1 year ago


Affected Resource(s)

azuread_group

Terraform Configuration Files


```hcl
resource "azuread_group" "test_managers" {
  display_name     = "Education - Managers"
  security_enabled = true
}
```

versions.tf:

```hcl
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

terraform {
  required_version = ">= 1.3"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.40"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.22"
    }
    azurenoopsutils = {
      source  = "azurenoops/azurenoopsutils"
      version = "~> 1.0.4"
    }
  }
}

# Azure Region Lookup
# ----------------------------------------------------------

# Azurerm provider configuration
provider "azurerm" {
  environment                = "usgovernment"
  skip_provider_registration = true
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}
```

Expected Behavior

Create Azure AD security groups.

Actual Behavior

(screenshot of the error output)

Steps to Reproduce

Log into Azure Gov (this issue is in Azure Gov).

  1. `terraform init`
  2. `terraform apply`

manicminer commented 1 year ago

Hi @wtomaz808, thanks for reporting this issue. Please can you advise which authentication method you are using? Can you also try with the latest provider version (v2.43.0) and advise if you're still getting this error? We may need to see a full debug log in order to determine the cause of the error - if this is the case you will be able to submit it privately as needed. Thanks!

wtomaz808 commented 1 year ago

This is happening in Azure US Gov. I have tried provider version v2.43.0 as well and still have the issue. Terraform version: Terraform v1.6.1 on windows_amd64.

```
azuread_group.test_engineering: Creating...
╷
│ Error: Could not retrieve calling principal object "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│
│   with azuread_group.test_engineering,
│   on main2.tf line 34, in resource "azuread_group" "test_engineering":
│   34: resource "azuread_group" "test_engineering" {
│
│ DirectoryObjects.BaseClient.Get(): unexpected status 302 received with no body
```

wtomaz808 commented 1 year ago

I am authenticating via Azure Active Directory. I am using/signed in with an identity that has GA access to the tenant & sub. This is an internal MSFT custom domain xxxx.onmicrosoft.us in Azure US Gov.

I have read there is a compatibility issue with Azure Graph in Azure Gov (??)

manicminer commented 1 year ago

@wtomaz808 Thanks for the info. Usage of the provider in all US Gov environments is supported.

It sounds like you're authenticating with a user account via Azure CLI - I'll look into the code and see if I can spot a likely root cause of this error.

manicminer commented 1 year ago

It looks like you're getting a 302 response from the API, with no Location header. We've seen this recently with a couple different endpoints. This is an undocumented (and noncompliant) response and it's unclear what the provider is supposed to do here. I'll reach out to the service team to try and get some clarification.

wtomaz808 commented 1 year ago

I was able to deploy the resources (Azure Entra ID security group) by altering my versions.tf file to the following...

```hcl
# Data source the provider block below reads from (referenced in the
# original snippet; declared here so the file is complete).
data "azurerm_client_config" "current" {}

provider "azuread" {
  environment = "usgovernment"
  tenant_id   = data.azurerm_client_config.current.tenant_id
  client_id   = data.azurerm_client_config.current.client_id
}
```

It appears that I had to tell this individual provider that the environment is the usgovernment cloud, which I assumed was getting configured in my environment variable for the azurerm provider. This is something I did not have to do in Azure commercial.

manicminer commented 1 year ago

@wtomaz808 Thanks for the feedback. How are you setting the environment for AzureRM? You can set the ARM_ENVIRONMENT environment variable and it should be picked up by both providers. Similarly, you can set the ARM_TENANT_ID environment variable to specify your tenant, and ARM_CLIENT_ID for your client ID. If you're setting these directly in the provider block, then you'll have to set them for each provider individually.

Are you using service principal authentication?

wtomaz808 commented 1 year ago

Here is my azurerm block...

```hcl
provider "azurerm" {
  environment                = "usgovernment"
  skip_provider_registration = true
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}
```

So you are suggesting replacing `environment` with ARM_Environment, and that variable setting will "carry over" to the AzureAD provider, as well as all other providers? That is very useful to know.

manicminer commented 1 year ago

We intentionally consume the same environment variables in both the AzureRM and AzureAD providers (links to arguments for reference), to help simplify practitioners' configurations. On most platforms the env vars must be uppercased e.g. ARM_ENVIRONMENT.

If you're using Azure CLI authentication, you'll want to omit the client_id argument in the AzureAD provider block. It'll work as long as you configure the correct client ID for Azure CLI, but it's easiest to just leave it out. We recommend setting tenant_id (or environment variable ARM_TENANT_ID) in all cases for predictability.
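Putting the thread's conclusion into one configuration, as an added example that is not code from the issue, the reporter, or the provider documentation: each provider block carries its own `environment` and `tenant_id` (the azuread block does not inherit them from azurerm), and `client_id` is omitted because the reporter authenticates through Azure CLI. The `tenant_id` variable, the `features {}` block contents and the group resource are illustrative assumptions; the environment-variable alternative in the comments is the one the maintainer describes above.

```hcl
# Added example, not configuration from the issue or the provider docs.
# Assumes Azure CLI authentication (`az login`) against a US Gov tenant and
# a variable `tenant_id` holding the tenant GUID (both are assumptions).

variable "tenant_id" {
  type        = string
  description = "Entra ID tenant GUID of the US Gov tenant (xxxx.onmicrosoft.us)"
}

provider "azurerm" {
  environment                = "usgovernment"
  tenant_id                  = var.tenant_id
  skip_provider_registration = true
  features {}
}

# Without this block the azuread provider stays on its default (public
# cloud) endpoints even though azurerm above targets US Gov; provider
# arguments are per provider, so each block needs its own `environment`.
provider "azuread" {
  environment = "usgovernment"
  tenant_id   = var.tenant_id
  # No client_id: with Azure CLI authentication the provider uses the CLI's
  # own client, so the argument is left out as the maintainer recommends.
}

# Equivalent without provider arguments, picked up by both providers
# (names must be uppercase on most platforms):
#   export ARM_ENVIRONMENT=usgovernment
#   export ARM_TENANT_ID=<tenant GUID>
# With those set, `environment` and `tenant_id` above can be omitted.

resource "azuread_group" "test_managers" {
  display_name     = "Education - Managers"
  security_enabled = true
}
```

Whichever form is used, keep it consistent: mixing an `environment` argument in one provider block with an unset ARM_ENVIRONMENT for the other is exactly the split configuration that produced the error in this thread.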