1
votes

I'm confronting an error related to Managed Identity. I want to provision virtual machines using Terraform in Azure. Here is my code block:

terraform {
  # Use a recent version of Terraform
  required_version = ">= 0.13"

  # Map providers to their sources, required in Terraform 13+
  required_providers {

    # Azure Resource Manager 2.x
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
  }
}

provider "azurerm" {
  
  features {}
  use_msi = true
  //  subscription_id = "XXXXXXXXX-4663-4c2e-XXXX-XXXXXXXXX"
  // tenant_id       = "XXXXXXXXX-232r-3w2e-XXXX-XXXXXXXXX"
}

I've tried both enabling use_msi = true and, later, setting tenant_id along with subscription_id.

It gives me the following error:

Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions//providers?api-version=2016-02-01: StatusCode=0 -- Original Error: the MSI endpoint is not available. Failed HTTP request to MSI endpoint: Get "http://177.xxx.232.324/metadata/identity/oauth2/token?api-version=2018-02-01": dial tcp 177.xxx.232.324:80: connectex: A socket operation was attempted to an unreachable network.

NOTE I've already set subscription with

az account set --subscription="XXXXXXXXXXXXXXXXXX"

however, no success.

What should I keep in my code base, or what is the right approach?


1 Answer

1
votes

The problem is that you only tell Terraform to use a managed identity when you set use_msi = true. We need to run the Terraform workspace on Azure services that support managed identity, inside the Azure environment. MSI does not work in an on-premises environment because we cannot enable an identity for it.

As the documentation mentions:

We recommend using a service principal or a managed identity when running Terraform non-interactively (such as when running Terraform in a CI/CD pipeline), and authenticating using the Azure CLI when running Terraform locally.

For example, suppose you have a system-assigned identity enabled Azure VM.


Assign permission on this identity.


Configure Terraform to use a managed identity. Note that setting use_msi to true tells Terraform to use a managed identity. Then you can use this MSI to authenticate with Azure and create other Azure resources.

RDP to the Azure VM and run the Terraform commands. The following sample code creates a resource group in my current subscription with the system-assigned identity.

# Subscription and tenant ids are passed in as variables (declarations added
# so the snippet is self-contained; the original post assumed them).
variable "subscription_id" {
  type = string
}

variable "tenant_id" {
  type = string
}

provider "azurerm" {
  subscription_id = var.subscription_id
  # client_id       = var.client_id
  # client_secret   = var.client_secret
  tenant_id       = var.tenant_id

  # skip_provider_registration = true

  features {}

  # Authenticate with the VM's system-assigned managed identity
  # instead of a service principal or the Azure CLI.
  use_msi = true
}

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # version = "=2.46.0"
    }
  }
}

# Read the subscription the managed identity is authenticated against.
data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West US"
}

output "current_subscription_display_name" {
  value = data.azurerm_subscription.current.display_name
}

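A small pre-flight check for the situation in the question, added here as an example (not code from the original post or from HashiCorp): it probes the Azure instance metadata service and picks the auth mode the answer recommends, managed identity on an Azure VM and Azure CLI login elsewhere, so the provider block needs no hard-coded use_msi. It assumes the IMDS address 169.254.169.254, the curl CLI, and the ARM_USE_MSI, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID environment variables that the azurerm provider reads.

```shell
#!/bin/sh
# Added example (not from the original post): decide how the azurerm provider
# should authenticate before running terraform. Assumptions: the Azure IMDS
# address 169.254.169.254, the curl CLI, and the ARM_* environment variables
# that the azurerm provider reads.

IMDS_URL="http://169.254.169.254/metadata/identity/oauth2/token"
ARM_RESOURCE="https://management.azure.com/"

# Probe the instance metadata service with a short timeout. Prints "available"
# when it answers with an access token (an Azure VM with a managed identity),
# "unavailable" otherwise, e.g. on a workstation, where the connection fails
# just like the "MSI endpoint is not available" error in the question.
probe_imds() {
  body=$(curl -s -m 2 -H "Metadata: true" \
    "${IMDS_URL}?api-version=2018-02-01&resource=${ARM_RESOURCE}" 2>/dev/null) || body=""
  case "$body" in
    *'"access_token"'*) echo "available" ;;
    *) echo "unavailable" ;;
  esac
}

# Map the probe result to the auth mode recommended in the answer: managed
# identity inside Azure, Azure CLI login (az login) on a workstation.
choose_auth_mode() {
  case "$1" in
    available) echo "msi" ;;
    *) echo "cli" ;;
  esac
}

# Print the environment settings for a mode. Subscription and tenant ids come
# from the arguments; the placeholders are used when they are not supplied.
# With these exported, the provider block needs no use_msi, subscription_id
# or tenant_id attributes at all.
auth_env_lines() {
  mode="$1"; sub="${2:-<subscription-id>}"; tenant="${3:-<tenant-id>}"
  if [ "$mode" = "msi" ]; then
    printf 'export ARM_USE_MSI=true\nexport ARM_SUBSCRIPTION_ID=%s\nexport ARM_TENANT_ID=%s\n' "$sub" "$tenant"
  else
    printf 'unset ARM_USE_MSI\nexport ARM_SUBSCRIPTION_ID=%s\n' "$sub"
  fi
}

# Usage: source this file, then run
#   eval "$(auth_env_lines "$(choose_auth_mode "$(probe_imds)")" <subscription-id> <tenant-id>)"
# before terraform init/plan/apply.
```

On a workstation the probe fails within two seconds and the script falls back to the Azure CLI mode, which is what the questioner's `az account set` already prepared.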