hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Terraform init with Azure Government Cloud failing with 403. #11844

Closed jwshive closed 3 years ago

jwshive commented 3 years ago

Community Note

Terraform (and AzureRM Provider) Version

Affected Resource(s)

Terraform Configuration Files

terraform init -no-color -backend-config=access_key=<my access key> -backend-config=storage_account_name=doccjidtsdevtfsa -backend-config=container_name=dts-terraform -backend-config=key=doccji-dts.tfstate -backend-config=resource_group_name=zgv1-doccji-dtstf-dev-v1-rg -backend-config=subscription_id=<my subscription id>

Debug Output

Panic Output

Expected Behaviour

Terraform state file should be created.

Actual Behaviour

Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthenticationFailed" Message="Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:dda819a6-e01e-000c-55df-50d423000000\nTime:2021-05-24T20:57:21.1166778Z"

Steps to Reproduce

  1. terraform init

Important Factoids

This is running in Azure Government cloud and will run via Azure DevOps. Both Azure DevOps and a local run on my laptop produce the same result. All terraform commands will run with a service principal in Azure DevOps. I can list the container out manually with the Azure CLI on my local machine, though I am doing this as my regular user id.

az storage container list --account-key <my access key> --account-name doccjidtsdevtfsa
[
  {
    "metadata": null,
    "name": "dts-terraform",
    "properties": {
      "etag": "\"0x8D91EE7DE0772EE\"",
      "hasImmutabilityPolicy": "false",
      "hasLegalHold": "false",
      "lastModified": "2021-05-24T19:12:26+00:00",
      "lease": {
        "duration": null,
        "state": null,
        "status": null
      },
      "leaseDuration": null,
      "leaseState": "available",
      "leaseStatus": "unlocked",
      "publicAccess": null
    }
  }
]

References

jwshive commented 3 years ago

I feel like the problem is the API is trying to hit: https://doccjidtsdevtfsa.blob.core.windows.net/dts-terraform?comp=list&prefix=doccji-dts.tfstateenv%3A&restype=container:

Details:

2021-05-25T09:01:35.567-0400 [DEBUG] Azure Backend Response for https://doccjidtsdevtfsa.blob.core.windows.net/dts-terraform?comp=list&prefix=doccji-dts.tfstateenv%3A&restype=container:
HTTP/1.1 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
Content-Length: 748
Content-Type: application/xml
Date: Tue, 25 May 2021 13:01:34 GMT
Server: Microsoft-HTTPAPI/2.0
X-Ms-Error-Code: AuthenticationFailed
X-Ms-Request-Id: b093bc6c-201e-011e-7c66-51a66a000000

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:b093bc6c-201e-011e-7c66-51a66a000000
Time:2021-05-25T13:01:35.6109552Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request 'oo3LO3BPr1EOg0O3XCAQlkpsCEWcqzpWIoFs5hL+gqE=' is not the same as any computed signature. Server used following string to sign: 'GET

But it should be attempting to hit: https://doccjidtsdevtfsa.blob.core.usgovcloudapi.net

I do not know how to tell Terraform to use the other location. My account is set up for Azure Government.

=> az account show
{
  "environmentName": "AzureUSGovernment",
  "homeTenantId": "my_tenant_id",
  "id": "ece556d9-6345-41ca-8c8d-1f38c9c912f8",
  "isDefault": true,
  "managedByTenants": [],
  "name": "DOCCJI Production - Azure Government",
  "state": "Enabled",
  "tenantId": "my_tenant_id",
  "user": {
    "name": "me@mydomain.onmicrosoft.com",
    "type": "user"
  }
}

jwshive commented 3 years ago

I solved this by adding -backend-config=environment=usgovernment to my init statement.
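As an added example (not code from this issue or from the provider): the 403 body above echoes the exact string the server signed, so recomputing the Shared Key MAC locally separates the case on this page (right key, request sent to blob.core.windows.net instead of blob.core.usgovcloudapi.net, so a different account's key was used server-side) from a plain wrong-key error. The string-to-sign, date, API version and both keys below are constructed, not real credentials.

```python
import base64
import hashlib
import hmac


def shared_key_signature(account_key_b64: str, string_to_sign: str) -> str:
    """Azure Storage Shared Key MAC: HMAC-SHA256 keyed with the decoded account key."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def blob_endpoint(account: str, environment: str) -> str:
    """Host Terraform must sign requests for; 'usgovernment' is the page's fix."""
    suffix = {"public": "core.windows.net", "usgovernment": "core.usgovcloudapi.net"}[environment]
    return f"https://{account}.blob.{suffix}"


def diagnose_403(request_mac: str, server_string_to_sign: str, my_key_b64: str) -> str:
    """Recompute the MAC from the string the server says it signed, using the key
    we believe is correct, and compare with the MAC the client actually sent."""
    expected = shared_key_signature(my_key_b64, server_string_to_sign)
    if hmac.compare_digest(expected, request_mac):
        # Same string, same key, yet the server disagrees: the host that answered
        # holds a different key, i.e. another account (wrong cloud endpoint) or a
        # rotated key. Fix the endpoint (environment) before touching credentials.
        return "server-key-differs"
    # Client signed something else: wrong/stale key or a canonicalization bug.
    return "client-key-or-canonicalization-mismatch"


# Constructed sample string-to-sign for the ListBlobs GET shown on this page:
# VERB, 11 empty standard headers, canonicalized x-ms-* headers, then the
# canonicalized resource (/account/container plus sorted query parameters).
SAMPLE_STRING_TO_SIGN = (
    "GET" + "\n" * 12
    + "x-ms-date:Tue, 25 May 2021 13:01:35 GMT\n"
    + "x-ms-version:2018-11-09\n"
    + "/doccjidtsdevtfsa/dts-terraform\ncomp:list\nprefix:doccji-dts.tfstateenv:\nrestype:container"
)
GOV_KEY_B64 = base64.b64encode(b"constructed-gov-cloud-key-not-real-0123456789").decode()
PUBLIC_KEY_B64 = base64.b64encode(b"constructed-public-cloud-key-not-real-9876543").decode()

if __name__ == "__main__":
    sent = shared_key_signature(GOV_KEY_B64, SAMPLE_STRING_TO_SIGN)  # what terraform init sent
    print(blob_endpoint("doccjidtsdevtfsa", "public"), "->", diagnose_403(sent, SAMPLE_STRING_TO_SIGN, GOV_KEY_B64))
    print("correct host:", blob_endpoint("doccjidtsdevtfsa", "usgovernment"))
```

Paste the MAC from `AuthenticationErrorDetail` and the server's quoted string-to-sign (with its line breaks intact) as the first two arguments to `diagnose_403` when reproducing this against a real response.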

github-actions[bot] commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.