hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Terraform not using default Subscription ID from AZ CLi #27423

Closed andrewCluey closed 1 month ago

andrewCluey commented 1 month ago

Terraform Version

1.9.6

AzureRM Provider Version

4.2.0

Affected Resource(s)/Data Source(s)

azurerm_client_config

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "4.2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {
}

output "current" {
  value = data.azurerm_client_config.current
}

Debug Output/Panic Output

terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: `subscription_id` is a required provider property when performing a plan/apply operation
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 10, in provider "azurerm":
│   10: provider "azurerm" {

Expected Behaviour

Terraform should use the default Subscription ID from an authenticated AZ CLI session.

az account list -o table
Name  CloudName   SubscriptionId                 TenantId                State    IsDefault
----  ----------  -----------------------------  ----------------------  -------  ---------
sub1  AzureCloud  bxxxxxxx-xxxx-xxxxxxxxxxxxxx1  yyyyy-yyyy-yyyyyy-yyy   Enabled  False
sub2  AzureCloud  bxxxxxxx-xxxx-xxxxxxxxxxxxxx2  yyyyy-yyyy-yyyyyy-yyy   Enabled  False
sub3  AzureCloud  bxxxxxxx-xxxx-xxxxxxxxxxxxxx3  yyyyy-yyyy-yyyyyy-yyy   Enabled  False
sub4  AzureCloud  ccxxxxxx-xxxx-xxxxxxxxxxxxxx1  zzzzz-zzzz-zzzzzzz-zzz  Enabled  True

As described in the latest documentation:

"Configuring Azure CLI authentication in Terraform

Now that we're logged into the Azure CLI - we can configure Terraform to use these credentials.

To configure Terraform to use the Default Subscription defined in the Azure CLI - we can use the following Provider block:"

Actual Behaviour

When using V4.x of the Azurerm provider, it does not use the default Azure Subscription from the AZ CLI (as it says it should from the documentation).

The response is also different depending on which minor v4 version is used.

v4.0 prompts for the subscription ID:

> terraform plan
provider.azurerm.subscription_id
  The Subscription ID which should be used.

  Enter a value:

v4.1 has the same behaviour as v4.2.

Steps to Reproduce

  1. Create a basic configuration that uses v4.2.0 of the azurerm provider, for example:

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "4.2.0"
        }
      }
    }

    provider "azurerm" {
      features {}
    }

    resource "azurerm_resource_group" "main" {
      name     = "rg-test-01"
      location = "uksouth"
    }


3. Run `terraform init`
4. Run `terraform plan`

Chambras commented 1 month ago

Hi @andrewCluey thanks for submitting this. I am able to reproduce this odd behavior. It seems it started with 4.1.0

nmiddleton commented 1 month ago

Specifying subscription is now mandatory in 4.0 https://registry.terraform.io/providers/hashicorp/azurerm/4.0.0/docs/guides/4.0-upgrade-guide#specifying-subscription-id-is-now-mandatory

Chambras commented 1 month ago

@nmiddleton so the documentation here https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/azure_cli#configuring-azure-cli-authentication-in-terraform needs to be updated. I sent an update to reflect this new behavior.

jasper475 commented 1 month ago

I faced a similar problem from version 3.76.0 when I upgraded to 4.3.0 and found the fix below.

FIX: I was able to get the code working by adding the "subscription_id" parameter to the "azurerm" block:

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "4.3.0"
        }
      }
    }

    provider "azurerm" {
      subscription_id = "qwer2-5e98q7eo9q8-79erjoi-sdf98-7d-fg9"
      features {}
    }

andrewCluey commented 1 month ago

Thanks @jasper475, that's a fair workaround, but it can cause problems where you have pipelines & scripts already set up to use AZ CLI auth, with built-in environment variables to select the subscription (multiple SDLC environments, for example).

I guess we either re-work our pipelines or stick with v3 of the provider. V3 of the provider is favourite, I think...
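
For pipelines that rely on Azure CLI auth, the subscription can be supplied to azurerm v4 through the environment instead of being hardcoded in the provider block. The wrapper below is an added example, not code from this thread or from the provider project; it assumes `az` and `terraform` are on the PATH, uses `ARM_SUBSCRIPTION_ID` (the provider's environment variable for `subscription_id`), and its function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: resolve the subscription for azurerm v4 without hardcoding it.
# Function names are hypothetical; ARM_SUBSCRIPTION_ID is read by the provider.

# Accept only a canonical GUID so an empty or mangled value fails before plan.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the subscription ID to use. An explicit ARM_SUBSCRIPTION_ID wins
# (pipelines set it per environment); otherwise fall back to the default
# subscription of the logged-in Azure CLI session.
resolve_subscription_id() {
  local id="${ARM_SUBSCRIPTION_ID:-}"
  if [ -z "$id" ]; then
    id="$(az account show --query id --output tsv 2>/dev/null)" || {
      echo "az account show failed; run 'az login' first" >&2
      return 1
    }
    # Strip a trailing carriage return (seen when az runs under Windows shells).
    id="$(printf '%s' "$id" | tr -d '\r')"
  fi
  if ! is_guid "$id"; then
    echo "refusing to run: '$id' is not a subscription GUID" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# Export the resolved ID, log the target, then run terraform with the
# caller's arguments, e.g.: tf_with_subscription plan
tf_with_subscription() {
  local id
  id="$(resolve_subscription_id)" || return 1
  export ARM_SUBSCRIPTION_ID="$id"
  echo "terraform will target subscription $ARM_SUBSCRIPTION_ID" >&2
  terraform "$@"
}
```

Logging the resolved ID before every run makes it visible in pipeline output which subscription a plan or apply was pointed at.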
