Azure AD Provider 0.11.0 fails to find an Azure Subscription using just the tenant ID

[marc-sensenich]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

terraform -v
Terraform v0.12.26
+ provider.azuread v0.11.0
+ provider.azurerm v2.18.0

az version
{
  "azure-cli": "2.8.0",
  "azure-cli-command-modules-nspkg": "2.0.3",
  "azure-cli-core": "2.8.0",
  "azure-cli-nspkg": "3.0.4",
  "azure-cli-telemetry": "1.0.4",
  "extensions": {
    "azure-iot": "0.9.3",
    "storage-preview": "0.2.10"
  }
}

Affected Resource(s)

• The provider itself

Terraform Configuration Files

provider "azuread" {
  version         = "= 0.11.0"
  tenant_id       = "tenat-id"
}

Debug Output

Error: Error building AzureAD Client: Error retrieving the Profile from the Azure CLI: Subscription "tenant-id" was not found in your Azure CLI credentials. Please verify it exists in `az account list`. Please re-authenticate using `az login`.

  on main.tf line 21, in provider "azuread":
  21: provider "azuread" {

Panic Output

Expected Behavior

A terraform plan with the provided configuration should have worked

Actual Behavior

A terraform plan failed due to the provided error

Steps to Reproduce

1. terraform init
2. terraform plan

Workaround

Provide an Azure Subscription ID

References

• Stop requiring subscription_id and update configuration guides #271

[rafabu]

in case anyone else stumbles over this: Short term workaround until it is fixed: pin the 0.10 version.

    provider "azuread" {
        version = "= 0.10"
        tenant_id = "tenant-id"
    }

[manicminer]

Hi @marc-sensenich, thanks for reporting this. I've been able to reproduce - it looks like this only occurs with CLI authentication. Another potential workaround if you want/need to use 0.11 would be to authenticate using an app/service principal and configure credentials using environment variables, e.g.

export ARM_CLIENT_ID=00000000-0000-0000-0000-000000000000
export ARM_CLIENT_SECRET=s3cr3t

We'll work on fixing this as quickly as we can.

[manicminer]

Note this issue only seems to occur if you omit the subscription ID from your configuration, either by unsetting ARM_SUBSCRIPTION_ID or removing subscription_id from the provider block. If you continue to specify a subscription ID as you would have with 0.10, the provider setup should work as normal.

[rafabu]

Hi @manicminer, just checked back and actually I hadn't used the azuread provider with subscription_id ever - but as I always use it together with the azurerm one, it might have silently consumed it from there until 0.11?

[manicminer]

@rafabu Were you setting the subscription_id via environment variable? Could you provide a sample of that configuration (as described) for the azurerm and azuread providers? Thanks!

[alejandrod]

I think it should use -allow-no-subscriptions. Playing with the azure-cli, it makes it work.

[ghost]

This has been released in version 1.1.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azuread" {
    version = "~> 1.1.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!