Tags: terraform, github-actions, terraform-provider-azure, azure-rm

Terraform Plan Error: Unable to Build Authorizer for Azure Resource Manager API


I am encountering an error while running terraform plan. The error message is as follows:

Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: unable to build authorizer for Resource Manager API: could not configure AzureCli Authorizer: obtaining subscription ID: obtaining account details: running Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on providers.tf line 17, in provider "azurerm":
│   17: provider "azurerm" {

This is my Provider.tf file:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=4.4.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "1.9.0"
    }
  }
}

provider "azurerm" {
  storage_use_azuread = true
  features {}
}

This is my GitHub Actions workflow-call file, where I have defined all the needed environment variables.

name: Terraform Plan

on:
  workflow_call:
    inputs:
      environment:
        required: true
        description: Environment used to config Github environments
        type: string
      location:
        required: true
        description: The azure region location to deploy the resources
        type: string
      terraform_version:
        required: true
        description: The Terraform version to use
        type: string
        default: "1.6.6"
      terraform_directory:
        required: true
        description: The path to the terraform code relative to the root directory
        type: string
        default: ./terraform/selfhosted-dp-appsvc
      terraform_workspace:
        required: true
        description: Terraform workspace to use
        type: string
        default: dev-default
      terraform_plan_output:
        required: true
        description: Name of the terraform plan output
        type: string
      terraform_apply:
        required: false
        description: Whether to apply terraform play or not
        type: boolean
        default: false

env:
  TF_VAR_location: ${{ inputs.location }}
  TF_VAR_env: ${{ inputs.environment }}
  ARM_CLIENT_ID: ${{ secrets.AARM_CLIENT_ID_NON_PROD }}
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_NON_PROD }}
  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID_NON_PROD }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID_NON_PROD}}
  ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY_NON_PROD }}

jobs:
  terraform:
    name: terraform
    runs-on: uhg-runner
    environment: ${{ inputs.environment }}

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: uhg-actions/setup-terraform@v2
        with:
          terraform_version: ${{ inputs.terraform_version }}

      - name: Terraform init
        working-directory: ${{ inputs.terraform_directory }}
        run: terraform init -reconfigure -backend-config=${{ inputs.environment }}/backend.config

      - name: Terraform workspace
        working-directory: ${{ inputs.terraform_directory }}
        run: terraform workspace new ${{ inputs.terraform_workspace }} || terraform workspace select ${{ inputs.terraform_workspace }}

      - name: Terraform Validate
        working-directory: ${{ inputs.terraform_directory }}
        run: terraform validate

      - name: Terraform plan
        working-directory: ${{ inputs.terraform_directory }}
        run: terraform plan -input=false -var-file=${{ inputs.environment }}/terraform.tfvars -out=${{ inputs.terraform_plan_output }}

      - name: Terraform Apply
        if: ${{ inputs.terraform_apply }}
        working-directory: ${{ inputs.terraform_directory }}
        run: terraform apply -input=false ${{ inputs.terraform_plan_output }}

This is my GitHub Actions file:

name: AZ CONTAINER APP IAC pipeline

on:
  workflow_dispatch:
    inputs:
      environment:
        type: environment
        description: 'Environment to deploy'
        required: true
        default: 'non-prod'
         
permissions:
  contents: read
  pull-requests: write

jobs:
  deployment-cgw-az-containerapp-centralus:
    name: AZ CONATINER APP deployment [CentralUS]
    uses: ./.github/workflows/azure-tf.yaml
    with:
      environment: ${{ github.event.inputs.environment || 'non-prod' }}
      terraform_version: "1.6.6"
      terraform_workspace: ${{ github.event.inputs.environment }}-az-container-app
      terraform_directory: ./terraform/containerapp
      location: centralus
      terraform_plan_output: ${{ github.event.inputs.environment }}-az-container-app-centralus-tfplan
      terraform_apply: true
    secrets: inherit

Solution

  • Build Authorizer for Azure Resource Manager API while using terraform.

    Hello vikash sharma, it seems you have already found a workaround for your problem. I am highlighting the approach; please feel free to add your inputs or your workaround solution to this, as it may help other folks on SO who have a similar problem.

    The blocker you mentioned is due to the Azure CLI (az) not being logged in, which is mandatory to authenticate.

    As GuiFalourd suggested, the typo (an extra "A" at the beginning) could be causing the error, since Terraform might not be able to pick up the correct client ID.

    Updated line

    ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID_NON_PROD }}
    

    Make sure that all other environment variables (ARM_CLIENT_SECRET, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID, and ARM_ACCESS_KEY) are accurately named and match your secrets configuration.

    Refer:

    https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure

    https://dev.to/willvelida/deploying-to-azure-with-terraform-and-github-actions-5191
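
A preflight check for the failure discussed in this answer, added here as an example (it is not code from the question or the answer). A `${{ secrets.NAME }}` reference to a secret that does not exist expands to an empty string, so a misspelled name leaves `ARM_CLIENT_ID` blank. The function names `check_arm_env` and `preflight` are hypothetical, and the GUID check assumes the client, tenant and subscription IDs are plain GUIDs.

```shell
#!/bin/sh
# Added example: validate the ARM_* variables before `terraform plan`.
# Only variable names are reported; values are never printed.

# IDs that are expected to be GUIDs (assumption, see lead-in).
GUID_VARS="ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID"
# Values that only need to be non-empty; their format is not checked.
OPAQUE_VARS="ARM_CLIENT_SECRET ARM_ACCESS_KEY"
GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Prints one "NAME:reason" line per problem; returns non-zero if any exist.
check_arm_env() {
  problems=0
  for name in $GUID_VARS $OPAQUE_VARS; do
    # Indirect lookup; $name only ever comes from the fixed lists above.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "$name:empty"
      problems=$((problems + 1))
      continue
    fi
    case " $GUID_VARS " in
      *" $name "*)
        if ! printf '%s\n' "$value" | grep -Eq "$GUID_RE"; then
          echo "$name:not-a-guid"
          problems=$((problems + 1))
        fi
        ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

# Workflow-step entry point: turn each problem into an error annotation.
preflight() {
  if report="$(check_arm_env)"; then
    echo "ARM_* variables are populated"
    return 0
  fi
  printf '%s\n' "$report" | while IFS=: read -r name reason; do
    echo "::error::$name is $reason; check the secret name this variable references"
  done
  return 1
}
```

Calling `preflight` in a step before `terraform plan` stops the job with the name of the blank variable, rather than letting it reach the Azure CLI `az login` error.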