Support for Refreshing AzureRM Client Subscription Cache when using Provider Alias #16269

Closed
1 task done
laughtonsm opened this issue Apr 6, 2022 · 3 comments

laughtonsm commented Apr 6, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When provisioning a subscription via Terraform, it would be useful to also provision some of the supporting services required from a governance perspective, i.e. diagnostics settings, Defender for Cloud pricing, default RBAC groups and assignments, etc.

Currently, to do this we must use a provider alias for the newly created subscription. However, though the correct Subscription ID is passed from the resource creating the subscription to the provider correctly, the provider alias is unable to find the subscription by its ID since the JSON generated when the provider was initialised does not contain the newly created subscription. An az account list --refresh would refresh the cached JSON and allow the subscription to be used. However, there does not appear to be a way to enforce this for an alternate provider.

I'm not sure whether this is the correct place to put this, but I think it would be worthwhile. Maybe this could be implemented as a provider 'feature'?

# Aliased provider for the subscription created by azurerm_subscription.this
provider "azurerm" {
  alias = "remote"
  features {}
  subscription_id = azurerm_subscription.this.subscription_id
  tenant_id       = var.tenant_id
}
provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

data "azurerm_subscription" "current" {}
data "azurerm_subscription" "remote" {
  provider = azurerm.remote
}

data "azurerm_billing_enrollment_account_scope" "this" {
  billing_account_name    = var.billing_account_id
  enrollment_account_name = var.enrollment_account_id
}

resource "azurerm_subscription" "this" {
  subscription_name = local.subscription_name
  billing_scope_id  = data.azurerm_billing_enrollment_account_scope.this.id
  workload          = var.workload_type
  tags              = local.combined_tags
}

resource "azurerm_resource_group" "this" {
  provider = azurerm.remote
  name     = local.resource_group_name
  location = var.location
  tags     = local.combined_tags
}

The above results in the following error:

Error: building AzureRM Client: obtain subscription(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' not found. Check the spelling and casing and try again.
│
│ with provider["registry.terraform.io/hashicorp/azurerm"].remote,
│ on provider.tf line 9, in provider "azurerm":
│ 9: provider "azurerm" {
│
╵
ERRO[0240] 1 error occurred:
* exit status 1

New or Affected Resource(s)/Data Source(s)

azurerm_subscription

Potential Terraform Configuration

No response

References

No response
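
One way to work around the stale cache from outside Terraform, as an added example that is not part of the original issue or of the provider's code: create the subscription in a first targeted apply, poll `az account list --refresh` until the new ID is listed, then apply the rest so the aliased provider is configured only after the CLI can resolve it. It assumes a hypothetical root output named `subscription_id` that exposes `azurerm_subscription.this.subscription_id`.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): create the subscription first, refresh
# the Azure CLI's cached subscription list, then apply the rest.
# Assumed names: root output "subscription_id" (hypothetical); the resource
# address azurerm_subscription.this comes from the configuration above.

# True only for a 36-character GUID, so nothing else reaches the az query.
is_guid() {
  [ "${#1}" -eq 36 ] && printf '%s\n' "$1" |
    grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Poll `az account list --refresh` until the subscription is listed.
# Args: subscription id, max attempts (default 10), delay seconds (default 15).
# Returns 0 when visible, 1 on timeout, 2 on a malformed id.
wait_for_subscription() {
  sub_id=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # normalise case before comparing
  attempts=${2:-10}
  delay=${3:-15}
  is_guid "$sub_id" || { echo "not a subscription GUID" >&2; return 2; }
  i=1
  while [ "$i" -le "$attempts" ]; do
    found=$(az account list --refresh \
      --query "[?id=='${sub_id}'].id" -o tsv 2>/dev/null || true)
    [ "$found" = "$sub_id" ] && return 0
    i=$((i + 1))
    sleep "$delay"
  done
  echo "subscription $sub_id not visible to the Azure CLI" >&2
  return 1
}

# Stage 1 creates only the subscription; stage 2 runs once the CLI can see it.
staged_apply() {
  terraform apply -target=azurerm_subscription.this || return 1
  new_id=$(terraform output -raw subscription_id) || return 1
  wait_for_subscription "$new_id" || return 1
  terraform apply
}

# Run only when asked to, e.g. `./staged-apply.sh apply`.
if [ "${1:-}" = "apply" ]; then
  staged_apply
fi
```

The GUID check runs before the ID is interpolated into the `--query` expression, so a malformed output value is rejected rather than passed to the CLI.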

@laughtonsm laughtonsm changed the title Support for Refreshing Azure CLI Subscription Cache when using Provider Alias Support for Refreshing AzureRM Client Subscription Cache when using Provider Alias Apr 6, 2022
@tombuildsstuff
Contributor

hey @laughtonsm

Taking a look through here this appears to be a duplicate of #15894 (but for subscriptions, not management groups - although the solution is the same) - would you mind subscribing to that issue for updates?

Thanks!

@laughtonsm
Author

Hi @tombuildsstuff. Sure thing. I had a look but didn't find this earlier, but yes, the same issue. Would be really useful if this could be resolved somehow. Following....

github-actions bot commented May 7, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 7, 2022