terraform initialisation from GitHub workflow - terraform

I have a repo in which I have Terraform infrastructure declared. I'm changing it by moving repeatable parts to modules and creating folders for each environment. A GitHub workflow is running init, plan and apply. As I have created new directories, I'm changing "working-directory" for the init part, but I receive the error Failed to get existing workspaces containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure:
I have ARM access keys declared as envs in the workflow. I tried to move them around but no luck. I don't know why Terraform can initialise from the main directory but can't initialise from a child directory.

I tried to reproduce the same in my environment:
I got the same error in the case of the storage account itself:
This error occurs when one doesn't have access to the backend or the container where the Terraform state is stored.
Please make sure that you are logged in to the subscription or tenant where you have access to the resources.
In my case I had logged in to another subscription, which caused the error.
Set the subscription correctly:
az account set --subscription "xxx"
and then run terraform init.
To reconfigure for the new working directory:
Run terraform init -reconfigure
Or run the command below to migrate the state:
terraform init -migrate-state
terraform {
  backend "azurerm" {
    resource_group_name  = "rg"
    storage_account_name = "remotestatekavstr"
    container_name       = "terraform"
    key                  = "terraform.tfstate"
  }
}
Then Terraform is initialized successfully:
Note:
1. Check the spelling of the storage account and container names.
2. When changing to a new directory, reconfigure the Terraform backend or migrate the state.
Also check this: creating-azure-storage-containers-in-a-storage-account-with-network-rules-with

Related

'terraform init' returns 404 'Resource Group not found' when it does exist

Since adding backend "azurerm" to my Terraform main.tf file it's now returning a 404 on the resource group created to maintain the state file.
I'm at a bit of a loss to explain why; the session is logged in to the correct tenant and subscription using the Connect-AzAccount and Set-AzContext methods in the Az PowerShell module.
Here's my setup:
main.tf
## Terraform Configuration
terraform {
  # Azure Remote State
  backend "azurerm" {
    resource_group_name  = "abc-uat-tfstate"
    storage_account_name = "abcuattfstate"
    container_name       = "tfstate"
    key                  = "myapp.uat.tfstate"
  }
  # Provider Dependencies
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0.0"
    }
  }
}
## Provider Configurations
# Azure
provider "azurerm" {
  subscription_id = var.subscriptionId
  features {}
}
...
When I run terraform init on this main.tf file I receive the following error:
However, note that I can immediately run Get-AzResourceGroup and it returns the group as I see it in the Azure Portal.
Until I added the backend it was creating resources correctly, so I'm thinking this is a simple configuration issue, but after reviewing all the docs I don't see what I've got wrong.
OK, operator error as I suspected.
Running az login --tenant '...' and then az account set --subscription '...' resolved the problem. terraform init now works correctly.
I should have thought about this earlier.
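The first answer on this page (wrong subscription, then terraform init -reconfigure in the new directory) and the 404 thread just above come down to the same thing: terraform init talks to the state storage account with whatever subscription and credential the CLI or the ARM_* variables currently select, so the 403 on ListBlobs and the 404 on the resource group are both the backend's first request failing, not a directory problem. The preflight below is an added example (not code from either post and not HashiCorp's); it makes that request itself, with the same credential the backend will use, before running terraform init -reconfigure in a per-environment directory. It assumes the backend block lives in one of the directory's .tf files, that credentials arrive via ARM_ACCESS_KEY or ARM_SAS_TOKEN (as the workflow in the question sets) or else from the current az login session, and that ARM_SUBSCRIPTION_ID, when set, names the intended subscription.

```shell
#!/bin/sh
# Preflight for a Terraform azurerm backend before `terraform init -reconfigure`
# in a per-environment directory. Added example, not code from either post.
# Assumptions: the backend block is in one of DIR/*.tf; credentials come from
# ARM_ACCESS_KEY or ARM_SAS_TOKEN (as the workflow sets) or else from the
# current `az login` session; ARM_SUBSCRIPTION_ID, if set, names the intended
# subscription.
set -eu

# backend_attr FILE ATTR: print the value of ATTR inside backend "azurerm" { ... }.
backend_attr() {
  awk -v attr="$2" '
    /backend[[:space:]]+"azurerm"[[:space:]]*\{/ { inb = 1; next }
    inb && /^[[:space:]]*\}/                     { inb = 0 }
    inb && $1 == attr {
      sub(/^[^=]*=[[:space:]]*"/, "")      # drop `attr = "`
      sub(/"[[:space:]]*(#.*)?$/, "")      # drop closing quote and any trailing comment
      print; exit
    }' "$1"
}

# backend_file DIR: the .tf file in DIR that declares the azurerm backend.
# A directory without one silently initialises a *local* backend, which is
# worse than the 403: plan/apply would then run against empty state.
backend_file() {
  grep -l 'backend[[:space:]]*"azurerm"' "$1"/*.tf 2>/dev/null | head -n 1 | grep . \
    || { echo "no backend \"azurerm\" block under $1" >&2; return 1; }
}

# auth_mode: which credential to try, mirroring the env vars the azurerm backend reads.
#   key   -> ARM_ACCESS_KEY (storage account key, what the workflow sets)
#   sas   -> ARM_SAS_TOKEN
#   login -> neither; the az CLI session must hold a data-plane role on the container
auth_mode() {
  if [ -n "${ARM_ACCESS_KEY:-}" ]; then echo key
  elif [ -n "${ARM_SAS_TOKEN:-}" ]; then echo sas
  else echo login
  fi
}

# check_state_access DIR: check the CLI subscription first (the usual 403/404
# cause), then make the same ListBlobs call the backend makes, with the same credential.
check_state_access() {
  file=$(backend_file "$1")
  rg=$(backend_attr "$file" resource_group_name)
  sa=$(backend_attr "$file" storage_account_name)
  ct=$(backend_attr "$file" container_name)
  if [ -z "$rg" ] || [ -z "$sa" ] || [ -z "$ct" ]; then
    echo "backend block in $file lacks resource_group_name/storage_account_name/container_name" >&2
    return 1
  fi
  current=$(az account show --query id -o tsv)
  if [ -n "${ARM_SUBSCRIPTION_ID:-}" ] && [ "$current" != "$ARM_SUBSCRIPTION_ID" ]; then
    echo "az CLI is on subscription $current, not $ARM_SUBSCRIPTION_ID;" \
         "run: az account set --subscription $ARM_SUBSCRIPTION_ID" >&2
    return 1
  fi
  case "$(auth_mode)" in
    key)   az storage blob list -c "$ct" --account-name "$sa" --account-key "$ARM_ACCESS_KEY" --num-results 1 -o none ;;
    sas)   az storage blob list -c "$ct" --account-name "$sa" --sas-token "$ARM_SAS_TOKEN"   --num-results 1 -o none ;;
    login) az storage blob list -c "$ct" --account-name "$sa" --auth-mode login           --num-results 1 -o none ;;
  esac
  echo "state container $sa/$ct (rg $rg) reachable with auth=$(auth_mode)"
}

# preflight_and_init DIR: run the checks, then point this directory at its backend.
preflight_and_init() {
  check_state_access "$1"
  ( cd "$1" && terraform init -reconfigure -input=false )
}

case "${1:-}" in
  "") ;;                        # no argument: only define the functions (sourceable)
  *)  preflight_and_init "$1" ;;
esac
```

Run it as `sh preflight.sh envs/dev` (a hypothetical layout) from the repo root, or from a workflow step that already has `working-directory` set, with `.` as the argument. Two caveats: -reconfigure only repoints the directory at the declared backend, so if every environment directory copies the same `key`, they all share one state file; give each its own key (or use workspaces) before the first apply. And the storage-key path is exactly what a leaked ARM_ACCESS_KEY in workflow logs would grant, so prefer `use_azuread_auth = true` with a role assignment on the container where you can.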

Terraform - Az Cli - MSAL token error - User does not exist

Since today I am experiencing an error concerning Terraform initialization using Azure AD authentication.
Terraform v1.2.2
Az CLI v2.37.0
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.0"
    }
  }
  backend "azurerm" {
    tenant_id            = "XXX"
    subscription_id      = "XXX"
    resource_group_name  = "XXX"
    storage_account_name = "XXX"
    container_name       = "tfstate"
    key                  = "devops.terraform.tfstate"
    use_azuread_auth     = true
  }
}
terraform init
> Error: obtaining Authorization Token from the Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: User 'XXX' does not exist in MSAL token cache. Run `az login`.
Upon running az login or az logout/az login, the error remains.
Deleting the MSAL token cache file or running az account clear does not help, either.
I am using the latest versions of Terraform and the az CLI. I was using Terraform v1.1.x before when I encountered the error, but upgrading did not solve it, either.
Also, the user definitely exists in msal_token_cache.json at Account.username.
Any suggestions?
Cheers,
AJ
SOLVED:
After reinstalling the az CLI, the issue resolved itself. I think it is a problem with WSL2. If terraform and the az CLI are not both Windows binaries (or both Linux binaries), configuration is probably all over the place.
Thanks anyway!
Thank you AJQREA for sharing the solution. Posting it as an answer to help other community members who might encounter the same problem in future.
The error is due to you having changed the password of your Azure account and the access token stored on disk becoming invalid.
Terraform internally is just calling az account get-access-token, so you should be able to run the same command to see the error.
Solution: After reinstalling or upgrading the azure-cli-iot-ext extension, Terraform was able to retrieve the access token again with the new updated password.
Reference : https://github.com/hashicorp/terraform-provider-azurerm/issues/3686
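Two things in the thread above are worth turning into a repeatable check: the poster's suspicion that a Windows terraform and a Linux az (or vice versa) under WSL2 do not see the same profile, and the answer's point that Terraform just shells out to az account get-access-token. The script below is an added example (not from the thread); it reports which side of WSL2 each tool resolves to and then makes that same token call. It assumes the usual WSL2 layout, where Windows tools are reached under /mnt/<drive>/ or end in .exe, and that the CLI's `~/.azure` directory differs between the Windows and Linux installs.

```shell
#!/bin/sh
# Diagnose the "does not exist in MSAL token cache" failure the way the thread
# suggests: check whether terraform and az are the same kind of binary (WSL2
# resolves Windows tools from /mnt/<drive>/), then make the exact call Terraform
# makes. Added example, not from the post. Assumes the WSL2 path conventions below.
set -eu

# tool_origin PATH: "windows" for a Windows binary reached through WSL interop, else "linux".
tool_origin() {
  case "$1" in
    /mnt/[a-z]/*|*.exe|*.EXE|*.cmd) echo windows ;;
    *)                              echo linux ;;
  esac
}

# toolchain_mixed TERRAFORM_PATH AZ_PATH: succeed (0) only when the two come from different sides.
toolchain_mixed() {
  [ "$(tool_origin "$1")" != "$(tool_origin "$2")" ]
}

# diagnose: report where the two tools come from, then reproduce Terraform's token fetch.
diagnose() {
  tf=$(command -v terraform) || { echo "terraform not on PATH" >&2; return 1; }
  azc=$(command -v az)       || { echo "az not on PATH" >&2; return 1; }
  echo "terraform: $tf ($(tool_origin "$tf"))"
  echo "az:        $azc ($(tool_origin "$azc"))"
  if toolchain_mixed "$tf" "$azc"; then
    echo "mixed Windows/Linux toolchain: terraform will spawn the az on its PATH, and the" >&2
    echo "Windows and Linux CLIs keep separate ~/.azure profiles and MSAL caches;" >&2
    echo "install both tools on the same side of WSL2" >&2
    return 1
  fi
  # This is the call the azurerm provider/backend shells out to. If it fails here,
  # the problem is in the CLI session, not in Terraform. The query deliberately
  # omits accessToken so the bearer token never lands in a terminal or CI log.
  az account get-access-token \
    --query '{subscription:subscription, tenant:tenant, expiresOn:expiresOn}' -o tsv
}

case "${1:-}" in
  run) diagnose ;;
  *)   ;;   # define functions only
esac
```

Run it with `sh az-diag.sh run`. If the token call succeeds here but terraform init still fails, compare `which az` with the PATH the CI runner or IDE uses; the two are often different.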

Unable to create Azure resources using Terraform despite being a subscription owner

I cannot create any resource in Azure using Terraform.
WSL2 - Ubuntu:
Ubuntu 20.04.3 LTS
Terraform version:
Terraform v1.1.5
AZ CLI version:
"azure-cli": "2.33.0"
"azure-cli-core": "2.33.0"
"azure-cli-telemetry": "1.0.6"
At the beginning I log in to the Azure subscription through az login. I have only one available subscription on this account and I am the owner.
Then I create a "main.tf" file the same as here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#example-usage
After "terraform init" I do "terraform plan" but I receive this error:
Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers?api-version=2016-02-01": dial tcp: lookup management.azure.com on 000.00.000.0:00: cannot unmarshal DNS message
with provider["registry.terraform.io/hashicorp/azurerm"],
on main.tf line 10, in provider "azurerm":
10: provider "azurerm" {
I also went through this guide: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
My app has contributor/owner privileges at the subscription level.
Then I add this configuration:
provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000000"
  client_id       = "00000000-0000-0000-0000-000000000000"
  client_secret   = var.client_secret
  tenant_id       = "00000000-0000-0000-0000-000000000000"
}
Finally I get the same error. Do you have any ideas?
sudo vim /etc/resolv.conf
and change the nameserver value to 8.8.8.8
It should work, but every time you reboot you have to do this again, or write a script to automate it!
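The answer's fix is right but, as it says, does not survive a reboot: WSL2 regenerates /etc/resolv.conf at start-up unless /etc/wsl.conf turns that off. The script below is an added example (not from the thread) that makes the change persistent by writing both files, validates the resolver address first so a typo cannot leave the instance without DNS, and then checks that the ARM endpoint from the error actually resolves. It assumes WSL2 with root via sudo; the ROOT argument exists so the file logic can be exercised on a scratch directory.

```shell
#!/bin/sh
# Persistent WSL2 resolver fix for the "lookup management.azure.com ... cannot
# unmarshal DNS message" error above. Added example, not from the post.
# Assumes WSL2 (wsl.conf semantics) and root for the real /etc; ROOT lets the
# logic run against a scratch directory.
set -eu

# wsl_conf_section: the [network] setting that stops WSL2 from regenerating resolv.conf.
wsl_conf_section() {
  printf '[network]\ngenerateResolvConf = false\n'
}

# resolv_conf_content NS...: one nameserver line per argument.
resolv_conf_content() {
  for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
}

# valid_ipv4 ADDR: four dotted octets, each 0..255 (so junk never lands in resolv.conf).
valid_ipv4() {
  echo "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# install_static_dns ROOT NS...: write ROOT/etc/wsl.conf and ROOT/etc/resolv.conf.
# On a live system /etc/resolv.conf is a symlink WSL manages; removing it first
# makes the write land in a real file.
install_static_dns() {
  root=${1%/}; shift
  [ "$#" -gt 0 ] || { echo "need at least one nameserver" >&2; return 1; }
  for ns in "$@"; do
    valid_ipv4 "$ns" || { echo "not an IPv4 address: $ns" >&2; return 1; }
  done
  mkdir -p "$root/etc"
  conf=$root/etc/wsl.conf
  if [ -f "$conf" ] && grep -q '^generateResolvConf' "$conf"; then
    sed -i 's/^generateResolvConf.*/generateResolvConf = false/' "$conf"   # keep other settings
  else
    wsl_conf_section >> "$conf"                                           # append a [network] section
  fi
  rm -f "$root/etc/resolv.conf"
  resolv_conf_content "$@" > "$root/etc/resolv.conf"
}

# dns_ok HOST: can this instance resolve HOST right now?
dns_ok() {
  getent hosts "$1" >/dev/null
}

case "${1:-}" in
  "") ;;                                         # no arguments: define functions only
  *)  install_static_dns / "$@"
      dns_ok management.azure.com && echo "management.azure.com resolves" ;;
esac
```

Run `sudo sh wsl-dns.sh 8.8.8.8`, then `wsl --shutdown` from Windows so the wsl.conf change takes effect. Pick the resolver deliberately: 8.8.8.8 sends every lookup from the instance to Google and bypasses a corporate VPN's split DNS, so on a VPN use the resolver shown by `ipconfig /all` on the Windows side instead.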

Terraform and Azure: Unable to provision Storage Account

I am trying to provision a storage account but running it results in an error:
Error: Error reading static website for AzureRM Storage Account "sa12345461234512name":
accounts.Client#GetServiceProperties:
Failure responding to request: StatusCode=403 -- Original Error: autorest/azure:
Service returned an error. Status=403 Code="AuthorizationPermissionMismatch"
Message="This request is not authorized to perform this operation using this permission.\n
RequestId:05930d46-301e-00ac-6d72-f021f0000000\n
Time:2020-03-02T09:09:44.9417598Z"
Running OS: Windows 10 Pro.
Steps to replicate (in PowerShell with the Azure CLI installed):
az login
mkdir dummyFolder
cd dummyFolder
create config.tf
terraform init
terraform plan
terraform apply -auto-approve
config.tf contents:
# Configure the Azure Provider
provider "azurerm" {
  version = "=2.0.0"
  features {}
}
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "Australia East"
}
resource "azurerm_storage_account" "example" {
  name                     = "sa12345461234512name"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  tags = {
    environment = "staging"
  }
}
Not sure what I am missing; all other resources work fine, just the storage account.
This is a bug in the Azure provider, see: https://github.com/terraform-providers/terraform-provider-azurerm/issues/5869
Update your provider; it doesn't seem to be related to the Terraform version.
From:
# Configure the Azure Provider
provider "azurerm" {
  # whilst the `version` attribute is optional, we recommend pinning to a given version of the Provider
  version = "=2.0.0"
  features {}
}
To:
provider "azurerm" {
  version = "~> 2.1.0"
  features {}
}
Just to add to this, since none of the above worked. In my case it first didn't work, then the next day it worked, just to not work again in the evening... Not changing versions or anything; it was the same computer.
It turned out that the time settings on my Ubuntu running in Windows were skewed. Simply running sudo ntpdate time.nist.gov to update the time solved the problem.
Found the issue. It's got to do with Terraform.
Just checked for updates and noticed 0.12.21 is out (I was running 0.12.20).
Seems like if running AzureRM 2.0.0 then you really need to be on at least 0.12.21 to make it work.
Same problem as #tesharp experienced.
On my Ubuntu WSL2 the following command fixed the problem:
sudo hwclock -s
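The clock-skew reports in this thread deserve a direct check, because skew is the one cause here that comes and goes with no change to Terraform or the provider: Shared Key requests to Azure Storage are signed over an x-ms-date header, and Azure AD tokens carry nbf/exp windows, so a clock that is far enough off produces a 403 that reads like a permission problem. The script below is an added example (not from the thread); it takes the Date header from management.azure.com, compares it with the local clock, and points at the hwclock/ntpdate fix above when the gap is too large. It assumes curl and a POSIX shell; the RFC 1123 date is parsed in awk so it does not depend on GNU date.

```shell
#!/bin/sh
# Detect the clock skew behind the intermittent 403 AuthorizationPermissionMismatch
# reported above. Added example, not from the thread. Assumes curl; date parsing
# is done in awk so the script works without GNU `date -d`.
set -eu

MAX_SKEW=${MAX_SKEW:-300}   # seconds; well inside the 15-minute window Azure Storage documents for x-ms-date

# skew_seconds LOCAL_EPOCH REMOTE_EPOCH: absolute difference, in seconds.
skew_seconds() {
  d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( 0 - d ))
  echo "$d"
}

# skew_ok LOCAL_EPOCH REMOTE_EPOCH: succeed if the two clocks are within MAX_SKEW.
skew_ok() {
  [ "$(skew_seconds "$1" "$2")" -le "$MAX_SKEW" ]
}

# http_date_epoch "Mon, 02 Mar 2020 09:09:44 GMT" -> epoch seconds.
# Days-from-civil arithmetic (Howard Hinnant's algorithm) instead of `date -d`.
http_date_epoch() {
  echo "$1" | awk '{
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= 12; i++) mon[m[i]] = i
    d = $2 + 0; mo = mon[$3]; y = $4 + 0; split($5, t, ":")
    if (mo < 3) { mo += 12; y-- }                 # Jan/Feb belong to the previous March-based year
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (mo - 3) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468           # days since 1970-01-01
    print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }'
}

# server_epoch URL: the Date header the server sends on any response, even an error.
server_epoch() {
  hdr=$(curl -sSI --max-time 10 "$1" | tr -d '\r' | grep -i '^date:' | head -n 1 | cut -d' ' -f2-)
  [ -n "$hdr" ] || { echo "no Date header from $1" >&2; return 1; }
  http_date_epoch "$hdr"
}

# check_clock: compare the local clock with management.azure.com and advise the fix.
check_clock() {
  remote=$(server_epoch https://management.azure.com/)
  local_now=$(date -u +%s)
  skew=$(skew_seconds "$local_now" "$remote")
  if skew_ok "$local_now" "$remote"; then
    echo "clock skew ${skew}s: OK"
  else
    echo "clock skew ${skew}s exceeds ${MAX_SKEW}s; on WSL2 run: sudo hwclock -s (or sudo ntpdate <server>)" >&2
    return 1
  fi
}

case "${1:-}" in
  run) check_clock ;;
  *)   ;;   # define functions only
esac
```

Run `sh clockcheck.sh run` before blaming RBAC; a skew of a few minutes can already break token nbf checks while an hour of skew is what the WSL2 sleep/resume problem typically produces. In CI, the same check is a cheap first step in any job that uses the azurerm provider.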

Terraform with azure CLI - error building account

Using the provider block
provider "azurerm" {
  subscription_id = var.subscription_id
  version         = "=1.44"
}
and after successfully logging in with
az login
running
terraform plan
I get the following error:
Error: Error building account: Error getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 2
on main.tf line 21, in provider "azurerm":
21: provider "azurerm" {
UPDATE:
If I change the provider block to:
provider "azurerm" {
  version = "~> 1.43"
}
and set the environment variables
ARM_USE_MSI=true
ARM_SUBSCRIPTION_ID=<...>
ARM_TENANT_ID=<...>
HTTP_PROXY=<...>
HTTPS_PROXY=<...>
http_proxy=<...>
https_proxy=<...>
then after executing terraform plan I get the following error:
Connection to 169.254.169.254 failed. No route to host.
which is very strange, as it seems to me that a service endpoint's IP is "hardcoded" into the Terraform client.
Even though I was already logged in via the az CLI, forcing another:
az login
resolved this for me.
Removing the variable
ARM_USE_MSI=true
solved my problem.
This variable tells Terraform to use Managed Service Identity. See the docs. The problem was that the Azure Instance Metadata Service endpoint (available on the above-mentioned IP), which is used from that point on, is only accessible from within a VM, and I was running Terraform from my desktop.
az login --tenant TENANT_ID
Resolved by using the tenant ID.
Initially, I tried to log in with "az login" but got a similar error to the one you posted.
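The answers above explain the second error: with ARM_USE_MSI=true the provider asks the Instance Metadata Service at 169.254.169.254 for a token, and that link-local address only answers from inside Azure. The proxy variables in the update add a second trap, because a proxy set through HTTPS_PROXY is used for that address too unless NO_PROXY excludes it, so even on a VM the request can end up at the proxy. The script below is an added example (not from the thread) that reports which method the ARM_* variables select and, for MSI, whether it can work from the current host; it assumes curl, Azure's documented IMDS endpoint and API version, and a simplified view of the provider's credential precedence (MSI, then client secret, then the az CLI).

```shell
#!/bin/sh
# Decide whether ARM_USE_MSI can work from here before terraform plan fails on
# 169.254.169.254. Added example, not from the thread. Assumes curl and the
# documented IMDS endpoint; the precedence in arm_auth_method is simplified.
set -eu

IMDS='http://169.254.169.254/metadata/instance?api-version=2021-02-01'

# arm_auth_method: which credential the azurerm provider will pick from ARM_* (simplified).
#   msi -> ARM_USE_MSI=true; needs the Instance Metadata Service, i.e. an Azure VM or
#          container with an assigned identity
#   sp  -> ARM_CLIENT_ID + ARM_CLIENT_SECRET; a service principal, works from anywhere
#   cli -> none of the above; the provider shells out to `az account get-access-token`
arm_auth_method() {
  if [ "${ARM_USE_MSI:-false}" = "true" ]; then echo msi
  elif [ -n "${ARM_CLIENT_ID:-}" ] && [ -n "${ARM_CLIENT_SECRET:-}" ]; then echo sp
  else echo cli
  fi
}

# no_proxy_covers_imds NO_PROXY_VALUE: the IMDS address must be listed literally;
# a proxy configured via HTTP(S)_PROXY would otherwise receive the metadata request.
no_proxy_covers_imds() {
  case ",$(echo "$1" | tr -d ' ')," in
    *,169.254.169.254,*) return 0 ;;
    *)                   return 1 ;;
  esac
}

# imds_reachable: probe IMDS the way a client must (Metadata header, short timeout, no proxy).
imds_reachable() {
  curl -s --noproxy '*' --max-time 2 -H 'Metadata: true' -o /dev/null \
       -w '%{http_code}' "$IMDS" 2>/dev/null | grep -q '^200$'
}

# check_msi_setup: say what the current environment will make the provider do.
check_msi_setup() {
  method=$(arm_auth_method)
  echo "provider will authenticate via: $method"
  [ "$method" = msi ] || return 0
  if [ -n "${HTTPS_PROXY:-${https_proxy:-}}" ] && ! no_proxy_covers_imds "${NO_PROXY:-${no_proxy:-}}"; then
    echo "a proxy is set and NO_PROXY does not list 169.254.169.254: IMDS calls would go to the proxy" >&2
    return 1
  fi
  if imds_reachable; then
    echo "IMDS answers: a managed identity is available on this host"
  else
    echo "IMDS unreachable: not an Azure VM; unset ARM_USE_MSI and use az login or a service principal" >&2
    return 1
  fi
}

case "${1:-}" in
  run) check_msi_setup ;;
  *)   ;;   # define functions only
esac
```

Run `sh msi-check.sh run` in the same shell that will run terraform plan, so it sees the same ARM_* and proxy variables. The broader point for pipelines: MSI is the right choice on a self-hosted Azure agent, and it removes the client secret from the environment entirely, but it must be switched on per runner, not set globally alongside credentials meant for a laptop.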
