Terraform fails using an Azure service principal for authentication - azure

Problem
Terraform gives the following error when trying to run terraform plan or terraform apply after creating a service principal in Azure:
provider.azurerm: No valid (unexpired) Azure CLI Auth Tokens found. Please run az login.
Steps to Reproduce
Create a service principal in Azure via az ad sp create-for-rbac.
Add the service principal configuration as a provider block to your .tf file:
provider "azurerm" {
  alias           = "tf_bootstrap"
  client_id       = "55708466-3686-xxxx-xxxx-xxxxxxxxxxxx"
  client_secret   = "88352837-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  tenant_id       = "129a861e-a703-xxxx-xxxx-xxxxxxxxxxxx"
  subscription_id = "c2e9d518-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
resource "azurerm_resource_group" "dev" {
  name     = "dev-rg"
  location = "East US"
}
Attempt to run terraform plan.

If using the alias key in a provider block, as shown in the question, a provider key must be specified in each data or resource block.
For example:
// When a provider alias has been defined.
resource "azurerm_resource_group" "dev" {
  provider = "azurerm.tf_bootstrap"
  name     = "dev-rg"
  location = "East US"
}
If you miss a provider key for one of your resource or data blocks, authentication fails on that block.
Note, however, that it is also valid not to specify an alias key in the original provider block. In that case, it is no longer necessary to specify a provider key in every resource and data block; the provider key can be omitted.
// When a provider alias has not been defined.
resource "azurerm_resource_group" "dev" {
  name     = "dev-rg"
  location = "East US"
}
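The following is an added example, not code from the question or the answer above, showing the same aliased-provider setup in current Terraform syntax: the `provider` meta-argument is an unquoted reference, the `features {}` block required by azurerm 2.x and later is present, and the service principal secret comes from a `sensitive` variable (supplied through `TF_VAR_bootstrap_client_secret` or a tfvars file kept out of version control) instead of being written into the .tf file. The variable names and the `~> 3.0` version pin are assumptions for the example.

```hcl
terraform {
  required_version = ">= 1.3"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed for this example
    }
  }
}

# Variable names below are hypothetical. Marking the secret `sensitive`
# keeps it out of plan/apply output; keeping it out of the .tf file keeps
# it out of version control. Supply it via TF_VAR_bootstrap_client_secret.
variable "bootstrap_client_id" {
  type = string
}

variable "bootstrap_client_secret" {
  type      = string
  sensitive = true
}

variable "tenant_id" {
  type = string
}

variable "subscription_id" {
  type = string
}

provider "azurerm" {
  alias           = "tf_bootstrap"
  client_id       = var.bootstrap_client_id
  client_secret   = var.bootstrap_client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id

  features {}
}

# Because the only azurerm configuration is aliased, every resource and
# data block must select it explicitly. A block that omits `provider`
# is bound to the default (unaliased) azurerm configuration, which does
# not carry these credentials, and that is where the "run az login"
# error comes from.
resource "azurerm_resource_group" "dev" {
  provider = azurerm.tf_bootstrap
  name     = "dev-rg"
  location = "East US"
}
```

If every resource in the module should use the service principal, dropping the `alias` line (making this the default configuration) is simpler and removes the chance of forgetting a `provider` argument on one block.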

Related

How to specify resource provider version in the Terraform using AzureRM provider

I use Azure ARM templates for deploying Azure resources.
Now I have been asked to convert a few of the ARM templates into Terraform files.
I am new to the Terraform world. I just went through some online examples of creating Azure resources using Terraform's AzureRM provider, but nowhere did I find a way to set the API version for the Azure resource provider.
For example, in the ARM template we can specify "apiVersion" for any resource, but in Terraform there is no option to choose the API version.
Does anyone know how to choose API Version in Terraform for Azure?
In Terraform we don't specify the API version for each resource like we do in an ARM template.
In Terraform we only use the AzureRM provider version. If you don't specify a version, it will take the latest AzureRM provider version.
The Azure Provider can be used to configure infrastructure in Microsoft Azure using the Azure Resource Manager APIs.
Like below
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.10.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "example" {
  name = "v-rasXXXXree"
  #location = "West Europe"
}

resource "azurerm_virtual_network" "example-2" {
  name                = "peternetwork2"
  resource_group_name = data.azurerm_resource_group.example.name
  address_space       = ["10.0.2.0/24"]
  location            = data.azurerm_resource_group.example.location
}
For more information, please refer to the official Terraform documentation.
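As an added example (not from the answer above), here is the unpinned configuration the answer warns about next to a pinned one. The unpinned form makes every fresh `terraform init` resolve to whatever the newest provider release is, so two runs of identical code can execute different provider binaries; the pinned form, together with the committed `.terraform.lock.hcl`, fixes both the version and the checksums of the provider that will be used. The `~> 1.3` CLI constraint is an assumption for the example.

```hcl
# Weak: no version constraint at all. `terraform init` on a new machine
# picks the latest hashicorp/azurerm release at that moment.
#
# terraform {
#   required_providers {
#     azurerm = {
#       source = "hashicorp/azurerm"
#     }
#   }
# }

# Corrected: pin both the CLI and the provider. The pessimistic
# constraint "~> 3.10.0" allows 3.10.x patch releases only, never a
# minor or major jump that could change how a resource is managed.
terraform {
  required_version = "~> 1.3" # assumed for this example

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.10.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# After `terraform init`, commit the generated .terraform.lock.hcl: it
# records the selected provider version and its h1:/zh: checksums, so
# later inits verify the downloaded binary against them. If the code is
# applied from several operating systems, pre-populate the hashes with:
#   terraform providers lock -platform=linux_amd64 -platform=darwin_arm64
```

The exact pin `=3.10.0` shown in the answer is the strictest option; the pessimistic form above is the common middle ground when patch releases should still be picked up by a deliberate `terraform init -upgrade`.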

Assign role to user using Service principal

I have created some resources in Azure using Terraform and a Service principal:
A resource group
A virtual network
A virtual machine
Now, I need to create a virtual Gateway from this resource group and virtual network, but using a personal Azure account in the same Organization.
How can I add my user email as an Administrator to this resource group, from Terraform, using the Service Principal credentials?
You can use Terraform resource azurerm_role_assignment to add Owner permissions for your user to this resource group.
Example:
resource "azurerm_resource_group" "this" {
  name     = "example"
  location = "West Europe"
}

resource "azurerm_role_assignment" "this" {
  scope                = azurerm_resource_group.this.id
  role_definition_name = "Owner"
  principal_id         = "<Your user object id>"
}

How to register an application with the Microsoft identity platform via Terraform code

Instructions for registering an application with the Microsoft identity platform can be found here.
Each time I redeploy the application, the registration is deleted from the identity platform, and I don't want to do the registration again by clicking around in the portal.
Can I do this via Terraform Azure provider code?
You could use the Terraform Azure Active Directory provider to manage it. You could refer to the samples in this blog for more details.
For example, you may want to register a basic application, associate it with a service principal and then assign a Contributor role to it.
# Configure the Microsoft Azure Active Directory Provider
provider "azuread" {}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "primary" {
}

# Create an application
resource "azuread_application" "example" {
  display_name = "example"
}

# Create a service principal
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Assign a Contributor role
resource "azurerm_role_assignment" "test" {
  scope                = data.azurerm_subscription.primary.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.example.object_id
}
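The following added example (not code from either answer) covers both the "assign a role to a user" question above and the app-registration question here in one configuration. It looks the user up by UPN with the `azuread_user` data source instead of pasting an object id into the code, grants Contributor rather than Owner (enough to create a virtual gateway in the group, without the ability to hand out further role assignments), and scopes the new service principal's role to the resource group rather than the subscription. It is written against azuread 3.x, where `client_id` replaced the `application_id` argument used in the answer; the UPN, resource names and version pins are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0" # assumed; uses client_id instead of application_id
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

# Identity running Terraform (the service principal from the question).
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "this" {
  name     = "example"
  location = "West Europe"
}

# Resolve the user from the directory. The service principal running
# Terraform must be allowed to read users (Microsoft Graph User.Read.All)
# for this lookup to succeed.
data "azuread_user" "operator" {
  user_principal_name = "operator@example.com" # constructed value
}

# Contributor is sufficient to create the gateway and other resources in
# the group; Owner would additionally let the user grant roles to others.
resource "azurerm_role_assignment" "operator_rg" {
  scope                = azurerm_resource_group.this.id
  role_definition_name = "Contributor"
  principal_id         = data.azuread_user.operator.object_id
}

# App registration and its service principal, owned by the deploying
# identity so redeploys can manage them without portal clicks.
resource "azuread_application" "example" {
  display_name = "example"
  owners       = [data.azurerm_client_config.current.object_id]
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
  owners    = [data.azurerm_client_config.current.object_id]
}

# Scope the app's Contributor role to the one resource group it needs,
# not the whole subscription as in the answer above.
resource "azurerm_role_assignment" "app_rg" {
  scope                = azurerm_resource_group.this.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.example.object_id
}
```

Creating role assignments requires the deploying service principal to hold `Microsoft.Authorization/roleAssignments/write` at the target scope (Owner or User Access Administrator on the resource group), which is the one place a Terraform bootstrap identity genuinely needs more than Contributor.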

Azure Terraform - how to add encryption values to VMs

What is the Terraform equivalent to
az vm encryption enable --name --resource-group --volume-type OS --aad-client-id --aad-client-secret --disk-encryption-keyvault https:///secrets//
Based on this Repository:
We configure the Azure Key Vault service for Server-side encryption (SSE) for the Azure Managed Disk in this config. The procedure can be procured using the Terraform provider azurerm_disk_encryption_set.
resource "azurerm_disk_encryption_set" "example" {
  name                = "des"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}
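The snippet above refers to `azurerm_resource_group.example` and `azurerm_key_vault_key.example` without defining them. The following is an added, complete example (not code from the answer or the repository it cites) of server-side encryption with a customer-managed key: a key vault with the purge protection Azure requires for disk encryption sets, a key, the disk encryption set, an access policy that grants the set's managed identity only wrap/unwrap rights on the key, and a managed disk encrypted with it. One caveat for readers comparing it to the question: `az vm encryption enable` configures Azure Disk Encryption, which is an in-guest VM extension; the disk encryption set below is the separate, platform-side SSE-with-CMK feature. Resource names are constructed.

```hcl
provider "azurerm" {
  features {
    key_vault {
      # Keep the vault recoverable if it is destroyed by mistake.
      purge_soft_delete_on_destroy = false
    }
  }
}

# Tenant and object id of the identity running Terraform.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "des-example-rg" # constructed
  location = "East US"
}

# A vault backing a disk encryption set must have soft delete and purge
# protection enabled; Azure rejects the DES otherwise.
resource "azurerm_key_vault" "example" {
  name                        = "deskv0123example" # constructed; must be globally unique
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "premium"
  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = true
}

# The deploying identity needs key-management rights to create the key
# (azurerm 3.x also reads the rotation policy, hence GetRotationPolicy).
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = ["Create", "Get", "Delete", "Purge", "GetRotationPolicy"]
}

resource "azurerm_key_vault_key" "example" {
  name         = "des-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}

# The DES's system-assigned identity only needs to wrap and unwrap the
# disk encryption keys; it gets no create/delete rights on the vault.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# A managed disk whose data is encrypted with the customer-managed key.
# A VM's OS disk is attached the same way via os_disk.disk_encryption_set_id.
resource "azurerm_managed_disk" "example" {
  name                   = "des-data-disk" # constructed
  location               = azurerm_resource_group.example.location
  resource_group_name    = azurerm_resource_group.example.name
  storage_account_type   = "Standard_LRS"
  create_option          = "Empty"
  disk_size_gb           = 1
  disk_encryption_set_id = azurerm_disk_encryption_set.example.id

  depends_on = [azurerm_key_vault_access_policy.des]
}
```

The explicit `depends_on` entries matter: without them Terraform may try to create the key before the deployer's access policy exists, or the disk before the DES identity can unwrap the key, and both fail with authorization errors that look unrelated to ordering.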

Terraform - Azure as a provider and limited access account

I want to deploy some resources on Azure with Terraform.
On Azure, I have an account with "Owner rights" on one Resource Group only (RGName), not at the subscription level.
From my linux server, I installed "az cli" and I did "az login". At this step, everything is OK.
The problem appears when I want to execute terraform to create one resource.
Content of provider.tf (the only .tf file for now):
provider "azurerm" {
}
If I do a "terraform plan", it works.
If I add the following, it fails. Please see the error at the end:
resource "azurerm_virtual_network" "myterraformnetwork" {
  name                = "myVnet"
  address_space       = ["10.0.0.0/16"]
  location            = "eastus"
  resource_group_name = "RGName"

  tags = {
    environment = "Terraform Demo"
  }
}
I do not have rights at the subscription level, but I do not need them.
With the Azure WebUI I can create resources in this Resource Group without problem.
The error:
Error: Error ensuring Resource Providers are registered: Cannot register provider Microsoft.DevSpaces with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'accountName' with object id 'IDaccountName' does not have authorization to perform action 'Microsoft.DevSpaces/register/action' over scope '/subscriptions/subscriptionID' or the scope is invalid. If access was recently granted, please refresh your credentials.".
on provider.tf line 1, in provider "azurerm":
1: provider "azurerm" {
Thank you all !
If anyone else has this issue in a corporate (restricted) Azure environment, and doesn't have the patience to register the provider (which may not be necessary if you don't use the specified terraform resource) - have a look at https://github.com/terraform-providers/terraform-provider-azurerm/issues/4440
Specifically, this may help:
provider "azurerm" {
  skip_provider_registration = true
}
It obviously won't help if you actually need the resource that fails to get registered (in our case it was Cannot register provider Microsoft.DevSpaces with Azure Resource Manager, but the resource will be variable depending on your environment and what Terraform decides to support)
For your issue, when you have the Owner role on the resource group, you can create new resources or manage the existing resources as you want. So permission is no problem. With the test on my side, it works well using a user who has the Owner role on the resource group.
As the error shows, I think the possible reason is that you have multiple subscriptions in the tenant and the current subscription is not the right one, on which the user has the right permission. You can check and set the right subscription via the command:
az account set --subscription subscription_id
Thank you for your answer.
I got this when I executed "az account list":
{
  "cloudName": "AzureCloud",
  "id": "***********0d43",
  "isDefault": true,
  "name": "BU*******",
  "state": "Enabled",
  "tenantId": "TENANTID",
  "user": {
    "name": "LOGINNAME",
    "type": "user"
  }
}
I do not have rights on this subscription but it is the only one that I know.
On Azure WebUI I can see that the RGName is on the same subscription.
This is a capture from the Azure WebUI on the RGName: [screenshot: Azure WebUI]
Thank you
You may need to register the Resource provider by clicking on register as shown in below screenshot under subscription id.
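Pulling the two answers above together, here is an added example (not code posted in this thread) of the provider configuration for an identity that holds Owner on a single resource group only. It pins the subscription explicitly, so the run does not depend on which subscription `az account set` last made the default, and disables the automatic resource-provider registration that produced the 403, since `Microsoft.*/register/action` is a subscription-scope permission such an identity does not have. The variable name and the `~> 3.0` pin are assumptions; in azurerm 4.x the `skip_provider_registration` argument was replaced by `resource_provider_registrations = "none"`.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed; 4.x renamed the argument below
    }
  }
}

# Hypothetical variable: pass the id of the subscription that contains
# RGName rather than relying on the CLI's current default.
variable "subscription_id" {
  type = string
}

provider "azurerm" {
  subscription_id = var.subscription_id

  # Provider registration is a subscription-level write. An identity
  # scoped to one resource group cannot perform it, so tell the provider
  # not to try. Every resource provider this configuration uses
  # (Microsoft.Network here) must already be registered by a
  # subscription administrator.
  skip_provider_registration = true

  features {}
}

# Same resource as in the question; only the provider block changed.
resource "azurerm_virtual_network" "myterraformnetwork" {
  name                = "myVnet"
  address_space       = ["10.0.0.0/16"]
  location            = "eastus"
  resource_group_name = "RGName"

  tags = {
    environment = "Terraform Demo"
  }
}
```

With registration skipped, a 403 on `register/action` can no longer occur; if Microsoft.Network itself were unregistered, the failure would instead show up at resource creation time as a `MissingSubscriptionRegistration` error, which is the signal to ask a subscription administrator to register it.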
