Error when planning Terraform configuration with Management Group scope

[JoelCanteroGCO]

I'm encountering an issue when running a Terraform pipeline in Azure DevOps with a service connection that has a Management Group scope. The error message indicates that Terraform is unable to determine the subscription ID, which seems to be an issue when using Management Group scope.

Terraform Configuration:

provider "azurerm" {
  alias = "azurerm"
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

Error Message:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: building account: unable to configure ResourceManagerAccount: subscription ID could not be determined and was not specified
│
│   with provider["registry.terraform.io/hashicorp/azurerm"].azurerm,
│   on providers.tf line 25, in provider "azurerm":
│   25: provider "azurerm" {
│
╵

Details:

Terraform Version: 1.9.14

• Azure Provider Version:

• Azure DevOps Configuration: 3.114.0

• Service Connection: Configured with Management Group scope

• Service Principal Permissions: Owner

• Steps to Reproduce:

• Configure the Azure DevOps pipeline with a service connection scoped to a Management Group (Azure Resource Manager using Workload Identity federation with OpenID Connect (automatic))

• Use the azurerm provider in Terraform with the configuration provided.

• Run terraform plan and observe the error.

Expected Behavior:

Terraform should be able to generate the plan successfully without errors related to subscription ID, given that the scope is set at the Management Group level.

Additional Context:

• The azurerm provider configuration does not include a subscription_id because it is supposed to operate at the Management Group level.
• Verified that the service connection has the correct permissions and is properly configured.

Possible Solution:

• Review how Terraform handles Management Group scopes and subscription resolution.
• Check if there are any updates or fixes related to Management Group scope handling in recent versions of the azurerm provider.

[paulmccrady]

I'm getting the same issue now. Is there chance of an update ?

[mericstam]

Hi, the task does not currently support Service Connection configured with Management Group scope as that type does not populate subscription ID. To solve this we would need to an option to supply the subscription id manually.

[paulmcclbg]

OK, well for myself, this was working fine up to 14/08/2024 then started failing 15/08/2024. Was there a change that can be attributed to the failure since 15/08/2024? Also, what alternatives are there? TIA.

[paulmcclbg]

So I managed to fix this with the help of a colleague by adding a subscription_id = xxx to the azurerm provider block.

[mericstam]

That's great! thanks for updating the issue.