Terraform Azure: enforcing Client id and Secret?

Time:12-03

I have a simple terraform code

# Configure the Microsoft Azure provider
provider "azurerm" {
  features {}
}

# Create a Resource Group if it doesn’t exist
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West US"
}

It used to work when I logged in from the Terminal using my user credentials, but now it throws an error

│ Error: building AzureRM Client: 3 errors occurred:
│       * A Subscription ID must be configured when authenticating as a Service Principal using a Client Secret.       
│       * A Client ID must be configured when authenticating as a Service Principal using a Client Secret.
│       * A Tenant ID must be configured when authenticating as a Service Principal using a Client Secret.
│
│
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 2, in provider "azurerm":
│    2: provider "azurerm" {

What is causing this issue? I can't create a Service Principal due to lack of permission at the Active Directory. How do I make it work again without the Service Principal?

CodePudding user response:

I guess you're executing this from a local PC or a VM. The use of service principal here is to authenticate between your PC and Azure Portal. There are other methods too, like using managed identity services. It is better to get a SPN if you don't have one. Please find the reference link: Terraform-Azure Authentication

You have mentioned it used to work. I think the PC you are using must have the following environment variables configured.

ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_SUBSCRIPTION_ID
ARM_TENANT_ID

or a local configuration file must be available.

CodePudding user response:

You must provide the subscription_id, tenant_id, client_id, and client_secret details when you are running locally or in CI/CD.

These values will authenticate your Azure account and create the resources you want to create based on the code.

Below is the authentication methods link: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_certificate Please do check it.

In any organization the users will be given least privilege. If you are provisioning Terraform activities, you need at least a Contributor role (you can provision limited resources).

Another alternative is to use the service principal details of an existing App Registration; ask your admin to add your name as an owner of that App Registration.

You can ask your admin to create a new App Registration and add your name as owner of the App Registration, ask them to add the required API permissions, create and share the client_secret with you, and add the required role to the App Registration based on your requirement.
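As an added example, not code from the thread or from HashiCorp: a POSIX shell pre-flight check that applies the rule behind the error message in the question (a client secret on its own selects service-principal authentication, which then also requires the client, tenant and subscription IDs) to the four ARM_* variables the first answer lists and the second answer says must be provided. The script and its function names are mine; it reports variable names only and never echoes the secret's value. It models only the Azure-CLI-versus-client-secret decision; managed identity and the other methods the first answer mentions are left out.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the four ARM_*
# variables the azurerm provider reads. A client secret alone makes the
# provider authenticate as a service principal, which then also needs the
# client, tenant and subscription IDs; that is exactly what the "3 errors
# occurred" message in the question lists as missing.
# Only the CLI-vs-client-secret decision is modelled here; managed identity
# and OIDC (ARM_USE_MSI / ARM_USE_OIDC) are out of scope.

# arm_auth_mode CLIENT_ID CLIENT_SECRET SUBSCRIPTION_ID TENANT_ID
# Prints one of:
#   cli          no secret present; the provider falls back to the Azure CLI login
#   sp-complete  secret plus all three IDs present
#   sp-partial   secret present but at least one ID missing (the state in the question)
arm_auth_mode() {
  client_id=$1; client_secret=$2; subscription_id=$3; tenant_id=$4
  if [ -z "$client_secret" ]; then
    echo cli
  elif [ -n "$client_id" ] && [ -n "$subscription_id" ] && [ -n "$tenant_id" ]; then
    echo sp-complete
  else
    echo sp-partial
  fi
}

# arm_missing_ids CLIENT_ID SUBSCRIPTION_ID TENANT_ID
# Prints the name of each ID variable that is empty, one per line.
arm_missing_ids() {
  [ -n "$1" ] || echo ARM_CLIENT_ID
  [ -n "$2" ] || echo ARM_SUBSCRIPTION_ID
  [ -n "$3" ] || echo ARM_TENANT_ID
}

# Reads the real environment and reports the outcome. Variable names are
# printed; the secret's value never is. Returns 1 on the inconsistent state.
arm_preflight() {
  mode=$(arm_auth_mode "${ARM_CLIENT_ID:-}" "${ARM_CLIENT_SECRET:-}" \
                       "${ARM_SUBSCRIPTION_ID:-}" "${ARM_TENANT_ID:-}")
  echo "azurerm auth mode: $mode"
  if [ "$mode" = sp-partial ]; then
    echo "ARM_CLIENT_SECRET is set but these are missing:"
    arm_missing_ids "${ARM_CLIENT_ID:-}" "${ARM_SUBSCRIPTION_ID:-}" "${ARM_TENANT_ID:-}" \
      | sed 's/^/  /'
    echo "either set them, or unset ARM_CLIENT_SECRET to use the Azure CLI login"
    return 1
  fi
  return 0
}

# Run the check only when executed directly under this (assumed) file name;
# sourcing the file just defines the functions.
case "$0" in
  *arm_preflight.sh) arm_preflight ;;
esac
```

Running arm_preflight before terraform plan tells you whether the shell is carrying a client secret without the matching IDs, which is the state the provider complains about in the question. From there, either set the missing ARM_* variables as the second answer describes, or unset ARM_CLIENT_SECRET so the provider goes back to the credentials from az login.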
