ARM_SUBSCRIPTION_ID / subscription_id migration #314

Closed
sebastianreloaded opened this issue Sep 7, 2020 · 8 comments · Fixed by #358

@sebastianreloaded

Hi,
I'm upgrading from 0.11.0 to 1.0.0 and one of the things that is changing is the removal of the subscription_id field.
But I don't quite get the implications. What is the correct way to use the provider now?

If I keep everything the same, I get the following error:
Error: building AzureAD Client: obtain subscription(<tenantid>) from Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1

But as far as I understand there is no new property; instead the provider should just use the tenant. So I don't know what the problem is...

Does anybody have an idea what's going on?

@manicminer
Contributor

Hi @sebastianreloaded, thanks for raising this.

The move away from subscription IDs in 1.0.0 has been tricky with regards to Azure CLI authentication. Until recently, you were able to sign in to the CLI using az login --allow-no-subscriptions and it would populate "tenant level accounts". Unfortunately this behavior is a moving target and the latest version of the CLI seems to not be doing this where a subscription is found linked to a tenant.

We have additional workarounds in progress to try and address this, plus related documentation changes.

You can try signing in with az login --allow-no-subscriptions -t your-tenant-id, but unfortunately, if for your tenant, Azure CLI doesn't populate "tenant level accounts", you won't be able to use CLI authentication and will have to use a service principal, or stick with 0.11 until we can get a fix out.

@ericis

ericis commented Sep 18, 2020

Yes, I had this working locally, where I use a normal az login interactive login, but this was failing with a dockerized az login where the Subscription ID is passed in the ARM_SUBSCRIPTION_ID environment variable.

So, I am also seeing the same behavior.

I used the downgrade to 0.11.0 to fix until the latest version has been patched.

provider "azuread" {
  // BUG: https://github.com/terraform-providers/terraform-provider-azuread/issues/314#issuecomment-688546039
  version = "=0.11.0"
}

@vsabella

vsabella commented Oct 5, 2020

I think the issue is this:

  SubscriptionID:     d.Get("tenant_id").(string), // TODO: delete in v1.1

in internal/provider/provider.go - by setting the subscriptionId to the tenantId all hell breaks loose, especially in GovCloud.

@manicminer
Contributor

That line is specifically for Azure CLI, which has historically overloaded the subscription ID field with the tenant ID for subscriptionless 'accounts' (it should not have any effect with other authentication types)
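
Added example, not part of the thread or the provider's code: a diagnostic that reads `az account list -o json` output and reports whether the CLI has populated a tenant-level account for a given tenant, using the rule described in the comment above (the subscription ID field reuses the tenant ID). The function name `classifyTenant`, the sample JSON and its GUIDs are constructed for illustration; the `id` and `tenantId` field names are those of the Azure CLI account list output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// account holds the two fields of an `az account list -o json` entry used here.
type account struct {
	ID       string `json:"id"`
	TenantID string `json:"tenantId"`
}

// classifyTenant (hypothetical helper) reports how the CLI represents tenantID:
// "tenant-level" when an entry reuses the tenant ID as its subscription ID,
// "subscription-only" when only real subscriptions are listed for the tenant,
// "absent" when the tenant does not appear in the account list at all.
func classifyTenant(azJSON []byte, tenantID string) (string, error) {
	var accounts []account
	if err := json.Unmarshal(azJSON, &accounts); err != nil {
		return "", fmt.Errorf("parsing az account list output: %w", err)
	}
	result := "absent"
	for _, a := range accounts {
		if !strings.EqualFold(a.TenantID, tenantID) {
			continue
		}
		if strings.EqualFold(a.ID, a.TenantID) {
			return "tenant-level", nil
		}
		result = "subscription-only"
	}
	return result, nil
}

// Constructed sample output, not captured from a real tenant.
const sample = `[
 {"id":"11111111-1111-1111-1111-111111111111","name":"N/A(tenant level account)","tenantId":"11111111-1111-1111-1111-111111111111"},
 {"id":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","name":"Constructed Subscription","tenantId":"22222222-2222-2222-2222-222222222222"}
]`

func main() {
	for _, t := range []string{"11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"} {
		kind, err := classifyTenant([]byte(sample), t)
		fmt.Println(t, kind, err)
	}
}
```

A "subscription-only" or "absent" result corresponds to the case described earlier in the thread where CLI authentication does not work with 1.0.0 and a service principal or the 0.11 pin is needed.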

@gek0

gek0 commented Oct 28, 2020

Any updates on this? Especially seeing hashicorp/go-azure-helpers#60 merged

@manicminer
Contributor

@gek0 Good spot! I'm looking at it this week with a view to getting a release out as soon as possible.

@ghost

ghost commented Nov 25, 2020

This has been released in version 1.1.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azuread" {
    version = "~> 1.1.0"
}
# ... other configuration ...

@ghost

ghost commented Dec 25, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
