Coder.com, 11mo ago
38 replies
michi

Use Azure Entra Authentication provider in template

Recently I've had the idea to provide a template that our developers can then use to create a specific resource configuration in their own subscriptions to test as close to production as possible. To do this, my idea was to use the access token via coder_external_auth and then use this in an azurerm_provider block:
```hcl
data "coder_parameter" "subscription_id" {
  name        = "Subscription ID"
  description = "The Subscription ID of your Azure MPN Subscription. The subscription has to reside in the axinf tenant."
  mutable     = false
}

data "coder_external_auth" "azure" {
  id = "primary-azure" # this is the name of our external auth endpoint users use to login
}

# see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
provider "azurerm" {
  use_oidc        = true
  client_id       = "<auth app client id>"
  oidc_token      = data.coder_external_auth.azure.access_token
  tenant_id       = "<tenant id>"
  subscription_id = data.coder_parameter.subscription_id.value
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-coder-dev-test"
  location = "westeurope"
}
```

However, when I try to build the template I run into multiple issues:

1. The subscription ID is empty when trying to build (obviously, as it comes from the parameter).
2. When supplying a default subscription ID, the next error is:

   ```
   Error: unable to build authorizer for Resource Manager API: could not configure AzureCli Authorizer: could not parse Azure CLI version: launching Azure CLI: exec: "az": executable file not found in $PATH
   on main.tf line 32, in provider "azurerm":
   ```

The second error sounds like it cannot authenticate and then tries to fall back to CLI authentication.
I've also tried to submit a hard-coded token I've created before using PowerShell, but that token also did not work and resulted in the same error.

Am I fundamentally misunderstanding something here?
And how would I correctly create the template I'm thinking about?
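
A diagnostic for the token question raised above, as an added example that is not part of the original post: it decodes a JWT's claims without verifying the signature and reports whether the audience (`aud`), tenant (`tid`) and expiry (`exp`) match what the provider block is configured for. The function names, the sample tenant ID, the sample audience and the sample token are all constructed for illustration.

```python
import base64
import json
import time

# Constructed sample values, not taken from the post or from any real tenant.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_AUDIENCE = "api://constructed-expected-audience"

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def check_token(token, expected_tenant, expected_audience, now=None):
    """List mismatches between the token's claims and the provider settings."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {expected_audience!r}")
    if claims.get("tid") != expected_tenant:
        problems.append(f"tid is {claims.get('tid')!r}, expected {expected_tenant!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or carries no exp claim")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    token = make_sample_token({"aud": "api://some-other-api", "tid": SAMPLE_TENANT, "exp": 4102444800})
    for problem in check_token(token, SAMPLE_TENANT, SAMPLE_AUDIENCE):
        print(problem)
```

Pass the tenant ID from the provider block and the audience the receiving API expects; an empty list means those three claims line up, not that the token is valid, since the signature is not checked.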