0

I am trying to use a managed-identity to authenticate to Azure and run terraform from a virtual machine in the AzureUSGovernment cloud. I've followed the guide found here to configure terraform to use a managed-identity.

However whenever I run terraform apply/plan etc I see the following error:

│ Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="SubscriptionNotFound" Message="The subscription 'xxxxxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxxxxx' could not be found."

(xxxxxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxxxxx is me redacting the subscription-id)

Below is a snippet of my configuration and my workflow/process for bootstrapping:

  1. Create a Virtual Machine with a managed identity, assign it the Owner role (just for testing purposes)
  2. Run az cloud set -n AzureUSGovernment
  3. Run az login --identity
  4. Run the terraform code.

Other Important Things to Note:

  • The exact same configuration/process works just fine in Azure Commercial.
  • Running az commands from the VM works just fine (I have RBAC permissions to do things in the account)
  • Here is my provider.tf:
provider "azurerm" {
  features {}
  use_msi = true
  subscription_id = "MYSUB-ID"
  tenant_id = "MYTENANT-ID"
}

Any help is super appreciated! Thanks!

Ismail
  • 3
  • 3

1 Answers1

2

I tried testing it using my environment and I got the exact same error as you are getting :

enter image description here

Note: This is because the the subscription I am using is not on Azure Government cloud instead its in Azure Cloud. Please make sure you are using the correct subscription for which you have created the managed identity and the ensure the environment its in.

And , After you checked the subscription and environment , you can skip these steps :

Run az cloud set -n AzureUSGovernment
Run az login --identity

Instead you can directly use the the terraform code:

provider "azurerm" {
  features {}
  use_msi = true
  subscription_id = "948d4068-xxxx-xxxxxx-xxxxxxx-xxxxxxxx"
  tenant_id = "72f988bf-xxxx-xxxxx-xxxxxx-xxxxxxxxx"
  environment = "usgovernment"
}

resource "azurerm_resource_group" "test" {
    name="xterraformtest12345"
    location ="east us"
}

Note:

If your subscription is in public then there is no need to set the environment and if its in some other then you can set the environment as required.

Output: After removing the environment as the subscription is in public cloud

enter image description here

Ansuman Bal
  • 9,705
  • 2
  • 10
  • 27
  • Thank you so much! Basically what I was missing was the `environment` block in the provider. – Ismail Sep 28 '21 at 14:12