I am using Terraform to create a storage container on Microsoft Azure to store remote state files. To create the storage container, I have written the appropriate Terraform code and applied the infrastructure, using a local state file. The problem is that when I then add the azurerm backend to my main.tf to migrate the local state, I am getting the following error:
```
terraform init -reconfigure
Initializing the backend...
╷
Error: Error building ARM Config: please ensure you have installed Azure CLI version 2.0.79 or newer. Error parsing json result from the Azure CLI: launching Azure CLI: exec: "az": executable file not found in $PATH.
```
I have the following environment variables set:
- ARM_SUBSCRIPTION_ID=xxxxxxxxxxxxxxx
- ARM_TENANT_ID=xxxxxxxxxxxxx
- ARM_CLIENT_ID=xxxxxxxxxxxxx
And I am using input vars to handle the client_certificate_path and client_certificate_password.
When I `terraform init/plan/apply` using a local backend, everything works as expected:
```
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.52.0"
    }
  }
}

provider "azurerm" {
  features {}
  client_certificate_path     = var.client_certificate_path
  client_certificate_password = var.client_certificate_password
}
```
My expectation is that by adding the azurerm backend, I should be able to use `terraform init -migrate-state` to migrate the state information to the remote backend. Here is the code:
```
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.52.0"
    }
  }
  backend "azurerm" {
    resource_group_name  = "exampletfstate"
    storage_account_name = "exampletfstate"
    container_name       = "exampletfstate"
    key                  = "state.terraform.tfstate"
  }
}

provider "azurerm" {
  features {}
  client_certificate_path     = var.client_certificate_path
  client_certificate_password = var.client_certificate_password
}
```
and here is the result:
```
❯ terraform init -migrate-state
Initializing the backend...
╷
│ Error: Error building ARM Config: please ensure you have installed Azure CLI version 2.0.79 or newer. Error parsing json result from the Azure CLI: launching Azure CLI: exec: "az": executable file not found in $PATH.
```
It feels like terraform isn’t picking up the service principal credentials when using the azurerm backend, but I cannot put my finger on what is happening.
Terraform/Provider Versions:
```
❯ terraform --version
Terraform v1.4.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azurerm v3.52.0
```
2 Answers
I have this morning discovered the cause.
In order for terraform to read the tfstate from azure, it needs all credentials up front, including the cert path and password that I am declaring in the provider settings. Terraform seems to pull state information before asking for missing input vars.
To unblock myself for now, I have written a bash wrapper around terraform so that the cert path/password are added as environment variables which terraform can read when it looks for the remote state files. This isn't my ideal solution as I need to manage the security of these vars by unsetting them after use etc.
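The wrapper approach described in this answer, as an added example that is not the answerer's own script: it exports the azurerm backend's `ARM_CLIENT_CERTIFICATE_PATH` and `ARM_CLIENT_CERTIFICATE_PASSWORD` variables only inside a subshell, so the calling shell never holds them and nothing has to be unset afterwards. `TF_CERT_PATH`, `TF_CERT_PASSWORD_FILE` and `TF_BIN` are hypothetical names chosen for this sketch.

```shell
#!/usr/bin/env bash
# Added example. TF_CERT_PATH, TF_CERT_PASSWORD_FILE and TF_BIN are hypothetical
# names for this sketch; the ARM_* variables are the ones the azurerm backend reads.

run_tf_with_cert() {
  local cert_path pw_file password
  cert_path="${TF_CERT_PATH:-}"
  pw_file="${TF_CERT_PASSWORD_FILE:-}"

  if [ -z "$cert_path" ] || [ ! -r "$cert_path" ]; then
    echo "TF_CERT_PATH must point to a readable client certificate" >&2
    return 1
  fi

  if [ -n "$pw_file" ]; then
    # Refuse a password file that group or others can access.
    case "$(ls -ld "$pw_file")" in
      ????------*) ;;
      *) echo "refusing $pw_file: run chmod 600 on it first" >&2; return 1 ;;
    esac
    password="$(cat "$pw_file")"
  else
    # Prompt without echo; the value never appears in argv or shell history.
    printf 'Certificate password: ' >&2
    stty -echo; IFS= read -r password; stty echo
    printf '\n' >&2
  fi

  # The exports live only in this subshell, so the calling shell never holds
  # the secret in its environment and there is nothing to unset afterwards.
  (
    export ARM_CLIENT_CERTIFICATE_PATH="$cert_path"
    export ARM_CLIENT_CERTIFICATE_PASSWORD="$password"
    exec "${TF_BIN:-terraform}" "$@"
  )
}

# Script usage: ./tf-cert.sh init -migrate-state
[ "$#" -eq 0 ] || run_tf_with_cert "$@"
```

The terraform process itself still carries the password in its environment for as long as it runs, so this narrows the exposure window without removing it.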
The following is configured in my terraform code.
main.tf
You need to do
```
az login
```
Log in with the credentials and set the subscription:
```
az account set --subscription <desiredSubscriptionId>
```
With the wrong tenant you may face errors such as:
```
Error building ARM Config: please ensure you have installed Azure CLI version
```
In that case, run the command below to set the correct tenant where proper permissions like contributor are given.
```
az login --tenant TENANT_ID
```
Then try to run
```
terraform init
```
I have v1.0.7 terraform version
terraform --version
providers.tf
Also refer Build Infrastructure – Terraform Azure Example | Terraform | HashiCorp Developer
Reference:
Authenticate Terraform to Azure | Microsoft Learn