Reputation: 1107
I'm confronting an error related to Managed Identity. I want to provision virtual machines using Terraform in Azure. Here is my code block:
terraform {
  # Use a recent version of Terraform
  required_version = ">= 0.13"
  # Map providers to their sources, required in Terraform 13+
  required_providers {
    # Azure Resource Manager 2.x
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
  }
}

provider "azurerm" {
  features {}
  use_msi = true
  // subscription_id = "XXXXXXXXX-4663-4c2e-XXXX-XXXXXXXXX"
  // tenant_id       = "XXXXXXXXX-232r-3w2e-XXXX-XXXXXXXXX"
}
I've tried both enabling use_msi = true and later with tenant_id along with subscription_id.
It prompts me with the following error:
Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions//providers?api-version=2016-02-01: StatusCode=0 -- Original Error: the MSI endpoint is not available. Failed HTTP request to MSI endpoint: Get "http://177.xxx.232.324/metadata/identity/oauth2/token?api-version=2018-02-01": dial tcp 177.xxx.232.324:80: connectex: A socket operation was attempted to an unreachable network.
NOTE: I've already set the subscription with
    az account set --subscription="XXXXXXXXXXXXXXXXXX"
however, no success.
What should I keep in my code base, or what is the right approach?
Upvotes: 2
Views: 5473
Reputation: 21
I think you may be running your terraform code from your local machine. So try to run your code in an Azure environment such as Azure Cloud Shell; then you may be surprised that your terraform code will work well.
If you still need to run your terraform code from your local machine to provision Azure resources, I think you may need to authenticate with a service principal, so you can follow this: https://learn.microsoft.com/en-us/azure/developer/terraform/authenticate-to-azure-with-service-principle?tabs=bash
Upvotes: 0
Reputation: 28274
The problem is that you only tell Terraform to use a managed identity when you set use_msi = true. We need to run the Terraform workspace on Azure services that support managed identity, inside the Azure environment. MSI does not work in an on-premises environment because we cannot enable an identity for it.
As that document mentioned:
We recommend using a service principal or a managed identity when running Terraform non-interactively (such as when running Terraform in a CI/CD pipeline), and authenticating using the Azure CLI when running Terraform locally.
For example, suppose you have an Azure VM with a system-assigned identity enabled.
Assign permissions to this identity.
Configure Terraform to use a managed identity. Note that setting use_msi to true tells Terraform to use a managed identity. Then you can use this MSI to authenticate with Azure to create other Azure resources.
RDP to the Azure VM and run the Terraform commands. The following sample code creates a resource group in my current subscription with the system-assigned identity.
provider "azurerm" {
  subscription_id = var.subscription_id
  # client_id     = var.client_id
  # client_secret = var.client_secret
  tenant_id       = var.tenant_id
  # skip_provider_registration = true
  features {}
  use_msi = true
}

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # version = "=2.46.0"
    }
  }
}

data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West US"
}

output "current_subscription_display_name" {
  value = data.azurerm_subscription.current.display_name
}
Upvotes: 4
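Both answers come down to the same point: use_msi = true only works where the Azure Instance Metadata Service (IMDS) is reachable, which is inside Azure compute (a VM with an identity, Cloud Shell), not on a laptop. The following pre-flight check is an added example, not code from the question or either answer. It probes the IMDS token endpoint the way the azurerm provider does (the fixed link-local address 169.254.169.254 with the Metadata: true header; the path is the one from the error in the question) and, based on the result, emits the provider's documented ARM_* environment variables: ARM_USE_MSI=true when a managed identity is available, otherwise only subscription and tenant so the provider falls back to the Azure CLI login, as the quoted documentation recommends for local runs. The tiny loopback IMDS stand-in is constructed purely so the example runs off-Azure; the subscription and tenant values are placeholders.

```python
"""Probe IMDS before telling Terraform's azurerm provider to use a managed identity.

Added example (not the question's or answers' code). On a machine outside Azure
the link-local IMDS address is unreachable, which is exactly the
"the MSI endpoint is not available" error shown in the question.
"""
import http.server
import json
import threading
import urllib.error
import urllib.parse
import urllib.request

# Fixed IMDS address documented by Azure; the path matches the error in the question.
IMDS_DEFAULT = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM_RESOURCE = "https://management.azure.com/"


def imds_available(endpoint=IMDS_DEFAULT, timeout=2.0):
    """Return (True, 'ok') if IMDS hands out a token, else (False, reason).

    A transport error (unreachable network, connection refused, timeout) is what
    a laptop sees; an HTTP error means the endpoint exists but rejected the call.
    """
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": ARM_RESOURCE})
    req = urllib.request.Request(f"{endpoint}?{query}", headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return (False, f"imds answered HTTP {exc.code}")
    except OSError as exc:  # URLError, ConnectionRefusedError, timeouts
        return (False, f"transport error: {getattr(exc, 'reason', exc)}")
    if "access_token" in body:
        return (True, "ok")
    return (False, "no access_token in reply")


def terraform_auth_env(subscription_id, tenant_id, endpoint=IMDS_DEFAULT):
    """Pick azurerm provider settings for this host as (method, env dict).

    ARM_USE_MSI, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID and ARM_MSI_ENDPOINT are the
    provider's documented environment variables. Without ARM_USE_MSI the provider
    falls back to the token from `az login`, the recommended local workflow.
    """
    ok, reason = imds_available(endpoint)
    env = {"ARM_SUBSCRIPTION_ID": subscription_id, "ARM_TENANT_ID": tenant_id}
    if not ok:
        return (f"azure cli (IMDS unavailable: {reason})", env)
    env["ARM_USE_MSI"] = "true"
    if endpoint != IMDS_DEFAULT:
        env["ARM_MSI_ENDPOINT"] = endpoint  # only needed for a non-default endpoint
    return ("managed identity via IMDS", env)


class _FakeImds(http.server.BaseHTTPRequestHandler):
    """Constructed loopback stand-in for IMDS so the example runs off-Azure."""

    def do_GET(self):
        if self.headers.get("Metadata") != "true":  # real IMDS enforces this too
            self.send_error(400, "Metadata header required")
            return
        payload = json.dumps({"access_token": "constructed-token", "token_type": "Bearer"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_imds():
    """Start the fake IMDS on a free loopback port; returns (server, endpoint_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/metadata/identity/oauth2/token"


def stop_fake_imds(server):
    """Stop and close the fake server so its port refuses connections again."""
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    # Off-Azure the real address fails with a transport error, like the question.
    print("real IMDS:", imds_available(timeout=1.0))
    # Against a reachable IMDS the same code selects managed identity.
    server, endpoint = start_fake_imds()
    print(terraform_auth_env("<subscription-id>", "<tenant-id>", endpoint=endpoint))
    stop_fake_imds(server)
```

Run it on a workstation and the first line reports a transport error, which is the signal to skip use_msi and rely on az login (or a service principal for non-interactive runs); run it on an Azure VM with an identity and the real endpoint answers, so exporting the returned ARM_* variables before terraform plan gives the same effect as the use_msi = true block in the accepted answer.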