terraform-provider-azurerm: Azurerm provider not working with custom Azure Cloud Metadata Host (secret / private / undocumented cloud support)
Terraform (and AzureRM Provider) Version
Terraform v1.1.7 on darwin_amd64
- provider registry.terraform.io/hashicorp/azurerm v2.98.0
Affected Resource(s)
This affects the core azurerm provider.
Terraform Configuration Files
https://drive.google.com/file/d/10CwuPjVP3SKWj_vuHhHqylxEHVLCqUOw/view?usp=sharing
Debug Output
https://gist.github.com/laughn-man/51824d5a77c61924215565a7b16f2746
Panic Output
No panic output
Expected Behaviour
The terraform apply command should have attempted to create the storage account normally.
Actual Behaviour
Terraform apply throws the error "unable to find environment "testa" from endpoint "localhost:7045": invalid environment specified: testa". There are 2 issues here:
- Even though TestA is a profile being returned from the localhost:7045 metadata host, terraform can’t seem to see it. The error message has the profile name as testa, instead of TestA but this doesn’t seem to be the issue. If you do the above steps for the testb profile you will still get the error.
- In main.tf the provider variable environment is set to Blah. This seems to be totally ignored, and instead azurerm is using the default cloud setup on the CLI instead. Since the metadata_host variable is set, environment should be set to the profile to use, if I understand the documentation correctly.
Steps to Reproduce
All the code for this is in the provided AzureEndpoint.zip file. It contains 2 pieces, a .Net 6 API project that will create a metadata host site on localhost, and the test Terraform project. To reproduce the issue follow the below steps:
- Extract the contents of the AzureEndpoint.zip file. This should create a folder called AzureEndpoint.
- In a terminal go to the extracted folder.
- Run the following to build and run the custom endpoint. .Net 6 is required.
dotnet build
dotnet run
This will create a https://localhost:7045/metadata/endpoints site that will return 2 profiles TestA and testb. You will likely have to add the self signed certificate returned from this site to the trusted certificates on your local machine, or else terraform will complain about not trusting it in the next step.
- Open a second terminal and cd into the AzureEndpoint/terraform-test folder. Then do the following:
# Register a new Azure Cloud with the Azure CLI.
az cloud register --name TestA --cloud-config @"cloud.json"
# Set the TestA Cloud as default.
az cloud set --name TestA
# Login to TestA. Since it is pointed to the public cloud your public Azure account should still work.
az login
# Init terraform
terraform init
# Apply terraform, this will give you the error.
terraform apply
Important Factoids
This issue does not seem to be a problem when running in a standard Azure Cloud. It only affects custom Cloud environments. It looks like this issue was introduced in version 2.94.0. 2.93.1 does not throw the error.
References
About this issue
- State: closed
- Created 2 years ago
- Reactions: 2
- Comments: 20 (10 by maintainers)
Hi @manicminer, thanks for getting back to me. That is interesting about the MS Graph endpoint. I can't find an updated metadata schema that has the MS Graph endpoint. It almost seems like MS wants you to know the MS Graph endpoint based on the Cloud you are using, see https://docs.microsoft.com/en-us/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints, so I don't know if it will ever appear in the metadata.
None of this helps for custom clouds however. I will ask around a bit about it and post if I find out anything.
@laughn-man we’ve got a thread with Microsoft trying to track down if this information is available via the MetaData Endpoint, for example:
https://management.azure.com/metadata/endpoints?api-version=2020-06-01
That endpoint is available in all Azure Environments, although the information returned can differ depending on the environment this is run within e.g.:
Since the AAD Graph endpoint is returned there, we believe the MS Graph endpoint should be returned here too (potentially it already is in a new API version) - but we’d need that information returned to be able to surface this, I’m not sure if you’re aware if that’s available in a new API Version?
As this Environment configuration and the rest of the Env. configuration is pulled from the MetaData Endpoint, it makes sense for this to be returned, so we’d need to wait to hear back from Microsoft here to determine how to proceed rather than adding a new field for this specifically.
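The reproduction steps above and the maintainers' discussion of the metadata endpoint both turn on the same thing: a client fetches a JSON document of cloud profiles from the metadata host and picks one by name. The following Python is an added example, not code from the issue, the reporter's zip file or the azurerm provider. It assumes the response shape of the management.azure.com metadata endpoint (a list of profiles with name, authentication.loginEndpoint, resourceManager, graph, portal, ...); the sample document is constructed to mirror the issue's TestA / testb profiles, and the endpoint URLs in it are placeholders. It shows the name lookup both case-sensitively (where "testa" fails to match "TestA") and case-insensitively, and adds the check a practitioner wants before trusting a custom metadata host: every endpoint it hands back must be https, because the login, ARM and Graph endpoints a client will later send tokens to all come from this one document.

```python
"""Added example (not from the issue or the provider): parse an Azure
metadata endpoint document, select a cloud profile by name, and sanity
check the endpoints it returns. The sample document below is constructed."""
import json
import ssl
import urllib.request

# Constructed sample in the shape of /metadata/endpoints?api-version=2020-06-01.
# Two profiles, named as in the issue; URLs are placeholders. Note that testb
# carries a plain-http resourceManager endpoint on purpose, for check_profile.
SAMPLE_METADATA = json.dumps([
    {
        "name": "TestA",
        "portal": "https://portal.example.test",
        "authentication": {
            "loginEndpoint": "https://login.example.test/",
            "audiences": ["https://management.example.test/"],
            "tenant": "common",
        },
        "resourceManager": "https://management.example.test/",
        "graph": "https://graph.example.test/",
        "graphAudience": "https://graph.example.test/",
    },
    {
        "name": "testb",
        "authentication": {"loginEndpoint": "https://login.b.example.test/"},
        "resourceManager": "http://management.b.example.test/",
    },
])

# Top-level endpoint fields a client must have before it can do anything.
REQUIRED = ("resourceManager", "authentication")


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Fetch the metadata document over TLS with certificate verification ON.

    Everything the client trusts afterwards comes from this document, so a
    self-signed metadata host (as in the issue's localhost:7045 setup) should
    be added to the trust store, never bypassed with an unverified context.
    Example url: https://localhost:7045/metadata/endpoints?api-version=2020-06-01
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def parse_metadata(body: str) -> dict:
    """Return {name: profile} for every named profile in the document.

    The endpoint may return one object or a list; both are accepted.
    Profiles without a usable name cannot be selected and are dropped."""
    doc = json.loads(body)
    profiles = doc if isinstance(doc, list) else [doc]
    return {p["name"]: p for p in profiles
            if isinstance(p.get("name"), str) and p["name"]}


def find_environment(profiles: dict, wanted: str, exact: bool = True):
    """Return the profile named `wanted`, or None if there is no match.

    exact=True is case-sensitive ("testa" does not match "TestA").
    exact=False folds case, but refuses to guess between two profiles
    whose names differ only by case."""
    if exact:
        return profiles.get(wanted)
    hits = [n for n in profiles if n.casefold() == wanted.casefold()]
    return profiles[hits[0]] if len(hits) == 1 else None


def select_environment(profiles: dict, wanted: str, exact: bool = True) -> dict:
    """Like find_environment but raises, listing the names that do exist."""
    profile = find_environment(profiles, wanted, exact)
    if profile is None:
        raise KeyError(f"invalid environment specified: {wanted}; "
                       f"available: {sorted(profiles)}")
    return profile


def check_profile(profile: dict) -> list:
    """Problems that make a profile unsafe or unusable; empty means OK.

    Reports missing required fields and any endpoint that is not https.
    (The document carries no Microsoft Graph endpoint field, which is the
    open point in the discussion above; that is not treated as an error.)"""
    problems = [f"missing {f}" for f in REQUIRED if f not in profile]
    auth = profile.get("authentication", {})
    urls = {"authentication.loginEndpoint": auth.get("loginEndpoint")}
    urls.update((k, v) for k, v in profile.items() if isinstance(v, str) and k != "name")
    for field, value in urls.items():
        if not value:
            problems.append(f"missing {field}")
        elif not value.startswith("https://"):
            problems.append(f"{field} is not https: {value}")
    return problems


if __name__ == "__main__":
    envs = parse_metadata(SAMPLE_METADATA)
    for name in ("TestA", "testa"):
        print(name, "->", find_environment(envs, name) is not None)
    print("testb problems:", check_profile(envs["testb"]))
```

Running the block as a script reproduces the failure mode in the issue with the exact lookup ("testa" is not found while "TestA" is) and flags the plain-http endpoint in testb; a provider that pulled its configuration from such a host would otherwise send management calls, and the bearer tokens on them, to an unencrypted endpoint chosen by whoever controls the metadata host.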