
So I am trying to connect Terraform to Azure Gov, but it seems like the environment in the code is not being read. Or I am just way off with this; any help will be greatly appreciated.

Here is the code. It is very basic; I'm just trying to get it to connect and store something in the state file.

terraform {
  backend "azurerm" {
    #resource_group_name   = "terraform-test"
    storage_account_name  = "terraformstate01"
    container_name        = "tstate01"
    key                   = "terraform.tfstate"
    access_key            = "ACCESS_KEY_GOES_HERE"
  }
}

# Configure the Azure provider
provider "azurerm" { 
  # The "features" block is required for AzureRM provider 2.x.
  # If you are using version 1.x, the "features" block is not allowed.
  version = "2.76.0"
  environment = "usgovernment"
  features {}
}

resource "azurerm_resource_group" "state-demo-secure" {
  name     = "state-demo"
  location = "usgovvirginia"
}

What is going on here? Also attached is the error I get when running terraform init.

Initializing the backend...
╷
│ Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthenticationFailed" Message="Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:c5022f4e-c01e-0002-51f4-74a3d7000000\nTime:2021-07-09T18:55:41.1228617Z"
  • enable trace logging and run `terraform init` again, you'll likely find a better error: `$env:TF_LOG='trace'` and `terraform init` – Adam Vincent Jul 09 '21 at 19:38
  • are you deploying this via PowerShell or the CLI? If so, you need to log into Azure Gov using `Connect-AzAccount -EnvironmentName AzureUSGovernment` or `az cloud set --name AzureUSGovernment` – Ken W - Zero Networks Jul 09 '21 at 20:09
  • @AdamVincent will try that, thanks, and report back with the findings. The error is pretty bland, but I think it's not reading the gov endpoints. I have logged in multiple times and checked my environment to ensure I am logged in. – Ralphael Johnson Jul 12 '21 at 00:42
  • I haven't used Azure Gov since the azurerm provider added the environment param, but I would assume it would work as expected or else we would see a bug report. I'm thinking the error lies with the access token. What about temporarily generating a SAS token with the appropriate permissions, or perhaps managed identity (which I would recommend over using the access token anyways, if at all possible)? – Adam Vincent Jul 12 '21 at 02:18

1 Answer

As mentioned by Ken W MSFT in the comments section, you need to set the cloud environment before calling the .tf file instead of setting it in the azurerm provider.

If it's public, there is no requirement to do so, but as you are trying to use exclusive clouds which are private, you need to set the environment as required using the Azure CLI or Azure PowerShell before working in that cloud.

Commands for CLI:

$ az cloud set --name AzureChinaCloud|AzureGermanCloud|AzureUSGovernment

Command for PowerShell:

Connect-AzAccount -EnvironmentName AzureChinaCloud|AzureGermanCloud|AzureUSGovernment

Reference:

Azure Provider: Authenticating via the Azure CLI | Guides | hashicorp/azurerm | Terraform Registry
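Added example, not part of the answer or the asker's code: a backend block that selects the Government cloud itself and keeps the storage account key out of the .tf file. The storage account and container names are the ones from the question and are assumed to exist in Azure Government; the `environment` and `use_msi` arguments are real azurerm backend settings, independent of the provider block.

```hcl
# Added example (not the asker's or the answerer's configuration).
# The backend "azurerm" block is configured on its own; nothing set in the
# provider "azurerm" block (including environment) is applied to it.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.76.0"
    }
  }

  backend "azurerm" {
    storage_account_name = "terraformstate01"   # assumed, from the question
    container_name       = "tstate01"           # assumed, from the question
    key                  = "terraform.tfstate"

    # Select the cloud for the backend explicitly. It defaults to "public",
    # so the blob endpoint would be built for core.windows.net and the
    # request would never reach the Government storage account. The same
    # value can be supplied with the ARM_ENVIRONMENT environment variable.
    environment = "usgovernment"

    # No access_key in the file: storage account keys grant full access to
    # the account and do not belong in source control. Supply the key at
    # init time via the ARM_ACCESS_KEY environment variable, or remove the
    # key entirely and authenticate with a managed identity:
    #   use_msi = true
  }
}

# Configure the provider for the same cloud; this only affects resources
# created by Terraform, not where the state is stored.
provider "azurerm" {
  environment = "usgovernment"
  features {}
}

resource "azurerm_resource_group" "state-demo-secure" {
  name     = "state-demo"
  location = "usgovvirginia"
}
```

Usage: log the CLI into the Government cloud as the answer describes (`az cloud set --name AzureUSGovernment` then `az login`), export the key from a secret store with `export ARM_ACCESS_KEY=...` rather than typing it on the command line, and run `terraform init`. If init still returns 403 AuthenticationFailed after the environment is set, the key is wrong or rotated; `TF_LOG=trace` shows the exact host the backend is calling, which confirms whether the usgovcloudapi.net endpoint is in use.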

Ansuman Bal