hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Remote state listing keys requires az default subscription set #29425

Open drdamour opened 4 years ago

drdamour commented 4 years ago

Community Note

Terraform (and AzureRM Provider) Version

> terraform -v
Terraform v0.12.18
+ provider.azuread v0.7.0
+ provider.azurerm v1.39.0
+ provider.null v2.1.2

Affected Resource(s)

azurerm provider

Terraform Configuration Files

  # The backend block must be nested inside a terraform block.
  terraform {
    backend "azurerm" {
      resource_group_name   = "grpX"
      storage_account_name  = "accX"
      container_name        = "cntX"
      key                   = "keyX"
    }
  }

  provider "azurerm" {
    subscription_id = "<myid>"
  }

Debug Output

N/A

Panic Output

N/A

Expected Behavior

TF should attempt to retrieve keys for the subscription identified in the azurerm provider configuration explicitly.

Actual Behavior

TF attempts to retrieve keys for the default subscription of the azure cli.

Steps to Reproduce

  1. Have an account with access to 2 subscriptions, a1 and b1
  2. Have tf that has b1 as the subscription with the remote state
  3. Log in with the az cli
  4. az account set -s a1
  5. terraform init

You'll get an error about not being able to retrieve keys. Running the following works around the issue.

  1. az account set -s b1
  2. terraform init

Important Factoids

References
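
The workaround in the report above (point the az CLI default at the subscription that holds the remote state before running terraform init), written as a preflight guard. This is an added example, not part of the original issue or of Terraform's own code; the function names and the EXPECTED_SUBSCRIPTION variable are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to run "terraform init" when the az CLI default
# subscription is not the one that holds the remote state.
# Assumption: EXPECTED_SUBSCRIPTION and all function names are hypothetical.

# Print the subscription ID the Azure CLI currently treats as default.
active_subscription() {
    az account show --query id -o tsv 2>/dev/null
}

# Subscription IDs are GUIDs: compare lower-cased with whitespace stripped.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '[:space:]'
}

# Return 0 on match, 1 on mismatch, 2 if either side is unknown.
check_subscription() {
    expected=$(normalize "$1")
    if [ -z "$expected" ]; then
        echo "no expected subscription given" >&2
        return 2
    fi
    current=$(normalize "$(active_subscription)")
    if [ -z "$current" ]; then
        echo "az CLI has no active subscription (run 'az login')" >&2
        return 2
    fi
    if [ "$current" != "$expected" ]; then
        echo "az CLI default is $current, remote state is in $expected" >&2
        echo "run: az account set -s $expected" >&2
        return 1
    fi
    return 0
}

# Run terraform init only when the CLI context matches the state subscription.
guarded_init() {
    check_subscription "$1" && terraform init
}

# Only acts when the caller has exported EXPECTED_SUBSCRIPTION.
if [ -n "${EXPECTED_SUBSCRIPTION:-}" ]; then
    guarded_init "$EXPECTED_SUBSCRIPTION"
fi
```

Failing before init makes the subscription mismatch explicit instead of surfacing as a key-retrieval error from the backend.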

favoretti commented 3 years ago

Since this issue was reported a long time ago and relates to a version of the provider we no longer support, I'm going to close it. Please open a new, updated bug report on current versions of Terraform and the provider if this is still relevant. Thank you.

drdamour commented 3 years ago

@favoretti this is still an issue with the latest version. Can we please just reopen?

favoretti commented 3 years ago

@drdamour certainly. Apologies for closing too early.

tombuildsstuff commented 3 years ago

Transferring this to Core since Backends are located within the Core repository, so this documentation issue needs to be fixed here.

hakanbakacak commented 3 years ago

Hi, I want to contribute to this but even though I read the docs, I couldn't fully understand the situation. I wonder if we should create a new field in this document and give information about the cli? @tombuildsstuff

eladmosh commented 2 years ago

If you look here, it doesn't say that the subscription_id is only for SP and MSI; it's just pointless to use it when authenticating using azure cli, since it will use the azure cli subscription anyway, which is exactly what happened here. It tried to search for the keys in the azure cli subscription_id and couldn't find them. So I'm not sure what the problem is; it seems like expected behavior when authenticating using azure cli.

drdamour commented 2 years ago

@eladmosh yes, this ticket is to request it be changed to use the subscription in the provider block so you do NOT have to set the matching subscription with az cli prior to running a terraform init. The backend block knows what subscription is supposed to be used, so why not use that info? Or maybe allow setting the subscription id for az cli based authentication.

varshneydevansh commented 1 year ago

I would like to look into this problem, as most of the data for where to look for the related files is already provided.

@favoretti could you please assign this to me?

To reproduce – have an account with access to 2 subscriptions a1 and b1 (for this do I have to create an Azure account?)

crw commented 1 year ago

@varshneydevansh This is listed as a documentation issue; as far as I understand, there is no code issue to investigate. You can make a change to the docs and file a PR without this issue being assigned. Thanks!

varshneydevansh commented 1 year ago

Hi @crw,

Thanks for the clarification. So, I looked into this and understood that the subscription_id parameter in the azurerm backend is only documented to work with Service Principal and MSI-based authentication methods, but does not mention how to use it with Azure CLI-based authentication.

So, updating the azurerm backend documentation with guidance on how to use the subscription_id parameter with Azure CLI-based authentication could help clarify this situation.

All I have to do is add an explanation of how the subscription_id parameter can be used with Azure CLI authentication, with some clear examples. This is to avoid issues caused by Terraform attempting to retrieve keys for the default subscription of the Azure CLI.

Am I going in the right direction?

crw commented 1 year ago

Hi @varshneydevansh, I have referred this over to the AzureRM provider team who may provide more feedback. Thanks!

rcskosir commented 1 year ago

Hi @varshneydevansh, thank you for your interest in this issue. We handle discussions related to code and document changes within the PR comments themselves, so if you could open a PR with the docs changes you are looking to make and link this issue to it, you will be able to get feedback on your changes.

varshneydevansh commented 1 year ago

Hi @rcskosir,

I created the PR #33461. I wanted to know whether the update which I made is correct or not?

rcskosir commented 1 year ago

@varshneydevansh Thank you for opening a PR. Feedback regarding your PR will happen in the PR comments when a reviewer takes a look.