v0.3.3 azurerm provider fails to read cli auth if subscription_id is set

[JettJones]

Terraform Version

Terraform v0.10.8
also saw with Terraform v0.10.7

Affected Resource(s)

• azurerm_* // Any azurerm resource.

Terraform Configuration Files

variable "subscription_id" {}

provider "azurerm" {
  // Use version = "0.3.2" to cause terraform plan to succeed 
  version = "~> 0.3.3"
  // Comment out subscription_id to cause terraform plan to succeed.
  subscription_id = "${var.subscription_id}"
}

resource "azurerm_resource_group" "resources" {
  location = "West US"
  name = "repro-0.3.3"
}

Debug Output

https://gist.github.com/JettJones/df731f1b7f370d79962dddaa1ee4594d

Expected Behavior

Expected terraform plan to succeed, and report a resource group (in this example) that would be created.

Actual Behavior

Terraform reports not finding CLI credentials. At the same time I can look directly into ~/.aws/accessTokens.json to see tokens with valid expiration times.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform init
2. az login
3. terraform plan

Important Factoids

Running on Windows 10.

>az --version
azure-cli (2.0.20)

full output: https://gist.github.com/JettJones/d49b20f42403ba7563695098141f951c

Two notable workarounds, either of these allow me to create azure resources (without re-running az login).

• forcing the version to "0.3.2"
• removing the subscription_id from the provider configuration.

References

[codyja]

We are hitting this too I believe. Had to resort back to Service Principals.

[tombuildsstuff]

Hey @JettJones @codyja

Thanks for raising this issue :)

I've been taking a look into this - when implementing this functionality I was assuming that both a Subscription ID and a Tenant ID in the Provider block, rather than just a Subscription ID - however that's not the case.. I'm working on a fix for this at the moment with the intention of shipping this in the next release.

Thanks!

cc @pmarques

[tobiaswi]

Hi @tombuildsstuff
I can verify that this issue even occurs when both SubscriptionID and TenantID are set in the Provider block.
(terraform 0.10.8 and azurerm 0.3.3)

i run
az login -t $tenant.onmicrosoft.com
az account set --subscription $subscriptionName
terraform plan

"module.$moduleName.provider.azurerm: No valid (unexpired) Azure CLI Auth Tokens found. Please run az login."

Pinning the version to {version = "0.3.2"} fixes the issue

Do you want me to open another issue or is this here ok for you?

[tombuildsstuff]

@tobiaswi thanks for the info, in this issue should be fine - I'll look to continue with #574 later today

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!