search

microsoft / terraform-provider-fabric

Terraform Provider for Microsoft Fabric
https://registry.terraform.io/providers/microsoft/fabric
Mozilla Public License 2.0
15 stars 4 forks source link

AADSTS700213: No matching federated identity record found #23

Open micahel71 opened 1 day ago

micahel71 commented 1 day ago

🐛 What happened?

Running in Azure Devops with an OIDC configured Service Connection, the call for a "data.fabric_capacity.capacity" fails with this message:

Terraform has been successfully initialized!
+ terraform plan -out=fabric_plan.tfplan -var-file=/home/vsts/work/1/self/config/lab/terraform.tfvars
data.fabric_capacity.capacity: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: invalid_client
│ 
│   with data.fabric_capacity.capacity,
│   on workspace.tf line 1, in data "fabric_capacity" "capacity":
│    1: data "fabric_capacity" "capacity" {
│ 
│ AADSTS700213: No matching federated identity record found for presented
│ assertion subject 'p://<ADO_ORG>/<ADO_PROJECT>/<ADO_NAME_OF_PIPELINE>'. Please note
│ that the matching is done using a case-sensitive comparison. Check your
│ federated identity credential Subject, Audience and Issuer against the
│ presented assertion.
│ https://learn.microsoft.com/entra/workload-id/workload-identity-federation
│ Trace ID: 00000000-0000-0000-0000-000000000000 Correlation ID:
│ 00000000-0000-0000-0000-000000000000 Timestamp: 2024-10-01 07:45:48Z
╵

##[error]Script failed with exit code: 1

🔬 How to reproduce?

setup a datasource

data "fabric_capacity" "capacity" {
  display_name = var.capacity_name
}

and run it in a Azure Devops Pipeline.

🏗️ Code Sample / Log

    - task: AzureCLI@2
      displayName: 'Trigger Deployment'
      env:
        TF_IN_AUTOMATION: true
        ARM_USE_OIDC: true
        FABRIC_TENANT_ID: 00000000-0000-0000-0000-000000000000
        FABRIC_CLIENT_ID: <ID of the SPN inside of the ADO service connection>
        FABRIC_OIDC_REQUEST_TOKEN: $(System.AccessToken)
        FABRIC_AZURE_DEVOPS_SERVICE_CONNECTION_ID: <name of the SC>
      inputs:
        azureSubscription: <name of the SC>
        scriptType: bash
        scriptLocation: inlineScript
        inlineScript: |
          set -eux
          terraform -version
          terraform init
          terraform plan -out=fabric_plan.tfplan -var-file=$(Build.SourcesDirectory)/config/lab/terraform.tfvars
          terraform apply -auto-approve fabric_plan.tfplan
        workingDirectory: $(Build.SourcesDirectory)/infra

📷 Screenshots

No response

📈 Expected behavior

Followed the documentation and guidelines so far. What am I missing?

🌌 Environment (Provider Version)

v0.1.0-beta.3

🌌 Environment (Terraform Version)

v1.9.6

🌌 Environment (OS)

Linux

📎 Additional context

No response

🔰 Code of Conduct

micahel71 commented 1 day ago

Update: Switching to a Service Connection with a Client Secret Setup (SPN), I get this:

Terraform has been successfully initialized!
+ terraform plan -out=fabric_plan.tfplan -var-file=/home/vsts/work/1/self/config/lab/terraform.tfvars
data.fabric_capacity.capacity: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: list operation
│ 
│   with data.fabric_capacity.capacity,
│   on workspace.tf line 1, in data "fabric_capacity" "capacity":
│    1: data "fabric_capacity" "capacity" {
│ 
│ Could not list resource: The feature is not available
╵

##[error]Script failed with exit code: 1

Ist this true? According to this https://registry.terraform.io/providers/microsoft/fabric/latest/docs/data-sources/capacity SPN should work?!?

DariuszPorowski commented 1 day ago

Hi @micahel71

task: AzureCLI@2 is technically Az CLI that uses own native cli authentication. So, you do not have to specify any additional configuration for OIDC as long as inputs.azureSubscription points to Workload Identity connection.

- task: AzureCLI@2
  displayName: 'Trigger Deployment'
  env:
    TF_IN_AUTOMATION: true
    FABRIC_USE_CLI: true
  inputs:
    azureSubscription: <name of the SC>
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      set -eux
      terraform -version
      terraform init
      terraform plan -out=fabric_plan.tfplan -var-file=$(Build.SourcesDirectory)/config/lab/terraform.tfvars
      terraform apply -auto-approve fabric_plan.tfplan
    workingDirectory: $(Build.SourcesDirectory)/infra

Additional configuration for OIDC is only required when you want to use provider-level authentication without using Az CLI. Example snippet:

- script: |
    set -eux
    terraform -version
    terraform init
    terraform plan -out=fabric_plan.tfplan -var-file=$(Build.SourcesDirectory)/config/lab/terraform.tfvars
    terraform apply -auto-approve fabric_plan.tfplan
  env:
    TF_IN_AUTOMATION: true
    FABRIC_USE_OIDC: true
    FABRIC_TENANT_ID: 00000000-0000-0000-0000-000000000000
    FABRIC_CLIENT_ID: 00000000-0000-0000-0000-000000000000
    FABRIC_OIDC_REQUEST_TOKEN: $(System.AccessToken)
    FABRIC_AZURE_DEVOPS_SERVICE_CONNECTION_ID: 00000000-0000-0000-0000-000000000000
  workingDirectory: $(Build.SourcesDirectory)/infra

Please note that FABRIC_AZURE_DEVOPS_SERVICE_CONNECTION_ID is not a Service Connection name, but ID (GUID). You can find it in the Service Connection URL after you go to the SC details. https://dev.azure.com/<ORG>/<PROJECT>/_settings/adminservices?resourceId=<YOUR SC ID>

DariuszPorowski commented 1 day ago

Update: Switching to a Service Connection with a Client Secret Setup (SPN), I get this:

Terraform has been successfully initialized!
+ terraform plan -out=fabric_plan.tfplan -var-file=/home/vsts/work/1/self/config/lab/terraform.tfvars
data.fabric_capacity.capacity: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: list operation
│ 
│   with data.fabric_capacity.capacity,
│   on workspace.tf line 1, in data "fabric_capacity" "capacity":
│    1: data "fabric_capacity" "capacity" {
│ 
│ Could not list resource: The feature is not available
╵

##[error]Script failed with exit code: 1

Ist this true? According to this https://registry.terraform.io/providers/microsoft/fabric/latest/docs/data-sources/capacity SPN should work?!?

Yes, it's supported.

Is your SPN added to Capacity administrators (access to selected capacity)? or has Fabric Administrator application role (access to all tenant capacities)?

micahel71 commented 1 day ago

Hi @DariuszPorowski ,

thank you for your reply. Current status after implementing your statement:

Terraform has been successfully initialized!
+ terraform plan -out=fabric_plan.tfplan -var-file=/home/vsts/work/1/self/config/lab/terraform.tfvars
data.fabric_capacity.capacity: Reading...

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: read operation
│ 
│   with data.fabric_capacity.capacity,
│   on workspace.tf line 1, in data "fabric_capacity" "capacity":
│    1: data "fabric_capacity" "capacity" {
│ 
│ Unable to find Capacity with 'display_name': <NAME_OF_CAPACITY>
╵

##[error]Script failed with exit code: 1

So it looks like the used SPN is not able to see the capacity. According to your last statement the SPN shall be added to the Capacity administrators. Tried that and it does not work. Clicking on save button in the Azure Portal (Capacity Administrator) does not keep the SPN in the group.

Or add the SPN to Fabric Administrator application role Tried that in the M365 Admin Portal. Does not work as the SPN is not listed for selection. Added the SPN through the Azure Portal to this admin role. Though it does not have any effect. Still having issues.

Did I get you wrong somewhere? Thanks!

DariuszPorowski commented 1 day ago

@micahel71 "Tried that and it does not work. Clicking on save button in the Azure Portal (Capacity Administrator) does not keep the SPN in the group." Not sure I understand this correctly, because it looks like you have issue with Entra or Azure itself if you cannot save a new setting, permission issue?

Please check the draft version of the Fabric Capacity setup guide https://github.com/microsoft/terraform-provider-fabric/blob/docs/guides-improvements/docs/guides/fabric_capacity_setup.md (which is currently under review) and try to follow for your capacity.

micahel71 commented 13 hours ago

@DariuszPorowski thanks for your input. As usual the problem was me. I tried to change the Capacity Administrator group on a paused capacity (stupid me), therefore my changes in the member assignments were not saved (!). Maybe something worth to emphasize in your "Fabric Capacity setup guide" ;-)

The Devops pipeline works now as desired:

Terraform has been successfully initialized!
+ terraform plan -out=fabric_plan.tfplan -var-file=/home/vsts/work/1/self/config/lab/terraform.tfvars
data.fabric_capacity.capacity: Reading...
data.fabric_capacity.capacity: Read complete after 5s [id=00000000-0000-0000-0000-000000000000]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

(...)

Buut now I have the issue, that my formerly created (seperate) "App Registration for the User context" does not work anymore, which it did before messing around with the ADO part. Was there a change in the Fabric-API in the meantime? I mean, I really don't understand why this isn't working anymore. What could I have changed to disable that method? When I start Terraform on my local CLI I only see this:

terraform plan -out=plan.tfplan -var-file=../config/lab/terraform.tfvars
data.fabric_capacity.capacity: Reading...
data.fabric_capacity.capacity: Still reading... [10s elapsed]
data.fabric_capacity.capacity: Still reading... [20s elapsed]
data.fabric_capacity.capacity: Still reading... [30s elapsed]
data.fabric_capacity.capacity: Still reading... [40s elapsed]
data.fabric_capacity.capacity: Still reading... [50s elapsed]
data.fabric_capacity.capacity: Still reading... [1m0s elapsed]
data.fabric_capacity.capacity: Still reading... [1m10s elapsed]
data.fabric_capacity.capacity: Still reading... [1m20s elapsed]
data.fabric_capacity.capacity: Still reading... [1m30s elapsed]
data.fabric_capacity.capacity: Still reading... [1m40s elapsed]
data.fabric_capacity.capacity: Still reading... [1m50s elapsed]
data.fabric_capacity.capacity: Still reading... [2m0s elapsed]
data.fabric_capacity.capacity: Still reading... [2m10s elapsed]
data.fabric_capacity.capacity: Still reading... [2m20s elapsed]^C
Interrupt received.

Any ideas?

DariuszPorowski commented 3 hours ago

@micahel71 I added you suggestion to troubleshooting guide, thanks! https://registry.terraform.io/providers/microsoft/fabric/latest/docs/guides/troubleshooting#i-am-getting-error-the-feature-is-not-available

No change on the API, this still works - just tested today with other collogues. Try to follow logging in the troubleshooting guide - having more data may help. https://registry.terraform.io/providers/microsoft/fabric/latest/docs/guides/troubleshooting#logging