Coder.com2mo ago
michi

Use Azure Entra Authentication provider in template

Recently I've had the idea to provide a template that our developers can then use to create a specific resource configuration in their own subscriptions to test as close to production as possible. To do this my idea was to use the access token via coder_external auth and then use this in a azurerm_provider block:
data "coder_parameter" "subscription_id" {
name = "Subscription ID"
description = "The Subscription ID of your Azure MPN Subscription. The subscription has to reside in the axinf tenant."
mutable = false
}
data "coder_external_auth" "azure" {
id = "primary-azure" # this is the name of our external auth endpoint users use to login
}
# see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
provider "azurerm" {
use_oidc = true
client_id = "<auth app client id>"
oidc_token = data.coder_external_auth.azure.access_token
tenant_id = "<tenant id>"
subscription_id = data.coder_parameter.subscription_id.value
features {}
}
resource "azurerm_resource_group" "rg" {
name = "rg-coder-dev-test"
location = "westeurope"
}
However, when I try to build the template I run into multiple issues:
1. The subscription ID is empty when trying to build (obviously, as it comes from the parameter).
2. When supplying a default subscription ID, the next error is:
Error: unable to build authorizer for Resource Manager API: could not configure AzureCli Authorizer: could not parse Azure CLI version: launching Azure CLI: exec: "az": executable file not found in $PATH on main.tf line 32, in provider "azurerm":
The second error sounds like it cannot authenticate and then tries to fall back to CLI authentication. I've also tried to submit a hard-coded token I created before using PowerShell, but that token also did not work and resulted in the same error. Am I fundamentally misunderstanding something here? And how would I correctly create the template I'm thinking about?
26 Replies
Codercord
Codercord2mo ago
Category
Help needed
Product
Coder (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
Phorcys
Phorcys2mo ago
hey, i don't think this is possible when using providers. i've tried that in the past, but provisioners are being loaded before any other resources, which means that the data is going to be empty
michi
michiOP2mo ago
ah that's unfortunate. was hoping to avoid creating ARM templates for this and instead use Coder for the many features it provides. do you have an idea how I could reach this using Coder?
Phorcys
Phorcys2mo ago
GitHub
Provider configuration cannot depend on data sources during import ...
As documented in Import: Provider Configuration, a provider used during import cannot depend on data sources for its configuration*. As of v0.14, data sources can now be handled entirely during pla...
michi
michiOP2mo ago
But I'm doing this in some (non-Coder) Terraform repositories. It usually works fine unless the data does not have a value
Phorcys
Phorcys2mo ago
i think you would need to either use a central azure subscription or have devs input the data manually
michi
michiOP2mo ago
I have a central azure tenant, but the devs have their own subscriptions
Phorcys
Phorcys2mo ago
hmm, i am not sure then, i've never got it to work in Coder and assumed it was a terraform thing honestly. yeah, i've used the wrong wording, sorry
michi
michiOP2mo ago
no worries
Phorcys
Phorcys2mo ago
is there any way you could be able to not use per-dev subscriptions maybe?
michi
michiOP2mo ago
the main goal was to utilize the free azure budget each developer gets with their MSDN subscriptions. Sure I can also do it in one subscription but then I would have to pay the bill
Phorcys
Phorcys2mo ago
makes sense. it seems you should be able to work around this by setting it in a local variable first
data "coder_parameter" "subscription_id" {
name = "Subscription ID"
description = "The Subscription ID of your Azure MPN Subscription. The subscription has to reside in the axinf tenant."
mutable = false
}
data "coder_external_auth" "azure" {
id = "primary-azure" # this is the name of our external auth endpoint users use to login
}

locals {
azure_oidc_token = data.coder_external_auth.azure.access_token
azure_subscription_id = data.coder_parameter.subscription_id.value
}

# see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
provider "azurerm" {
use_oidc = true
client_id = "<auth app client id>"
oidc_token = local.azure_oidc_token
tenant_id = "<tenant id>"
subscription_id = local.azure_subscription_id
features {}
}
resource "azurerm_resource_group" "rg" {
name = "rg-coder-dev-test"
location = "westeurope"
}
i haven't tested it though
michi
michiOP2mo ago
I also tried it with hard-coded values instead of the parameter and the token from the external auth; I ran into the same issue there. I just tried it with the locals, and it also comes to the same error. What is the intentional use of coder_external_auth? I don't quite get it from the documentation
Phorcys
Phorcys2mo ago
It allows you to get tokens for services via OAuth, like you're doing. usually you'd use it to connect to the GitHub CLI, an Artifactory instance or something else
michi
michiOP2mo ago
ah I understand. so nothing to be used in the Terraform code directly, but on the data plane
Phorcys
Phorcys2mo ago
you can use it inside the terraform code directly, but providers are handled in a specific way within terraform. it really depends on what you want to do with the token; most of the time you're just passing it down to the container/pod you're provisioning
michi
michiOP2mo ago
Okay, thank you. I'll have to look somewhere else for this use case then. Coder itself is great though and saves us a lot of work in other cases
Phorcys
Phorcys2mo ago
most of the time if you can achieve it with terraform you should be able to do it with Coder as well, i'm just not really sure of the specifics there and can't find anything meaningful online. as for this, i haven't used the Azure provider a lot. the config seems correct to me, so i'm not sure. how are you setting the default value?
michi
michiOP2mo ago
you mean for the subscription_id? in the parameter:
data "coder_parameter" "subscription_id" {
name = "Subscription ID"
description = "The Subscription ID of your Azure MPN Subscription. The subscription has to reside in the axinf tenant."
mutable = false
default = "<my-subscription-id>"
}
Phorcys
Phorcys2mo ago
maybe try using coalesce instead
data "coder_parameter" "subscription_id" {
name = "Subscription ID"
description = "The Subscription ID of your Azure MPN Subscription. The subscription has to reside in the axinf tenant."
mutable = false
}
data "coder_external_auth" "azure" {
id = "primary-azure" # this is the name of our external auth endpoint users use to login
}
# see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
provider "azurerm" {
use_oidc = true
client_id = "<auth app client id>"
oidc_token = data.coder_external_auth.azure.access_token
tenant_id = "<tenant id>"
subscription_id = coalesce(data.coder_parameter.subscription_id.value, "<default>")
features {}
}
resource "azurerm_resource_group" "rg" {
name = "rg-coder-dev-test"
location = "westeurope"
}
michi
michiOP2mo ago
I also tried something like this with a token I created via PowerShell
Connect-AzAccount
Get-AzAccessToken -ResourceUrl "https://management.azure.com"
provider "azurerm" {
use_oidc = true
client_id = "<clientid>"
oidc_token = "<token>"
tenant_id = "<tenantid>"
subscription_id = "<subscriptionid>"
features {}
}
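Added example (mine, not code from this thread or from Coder): a small diagnostic that decodes a token's claims to show why a Get-AzAccessToken result is not the kind of token the azurerm use_oidc flow accepts. The flow in the linked service_principal_oidc guide presents oidc_token as a client assertion against the app registration's federated credential, whose default audience is api://AzureADTokenExchange, whereas an access token requested for https://management.azure.com carries the Resource Manager audience. The sample tokens below are constructed with a dummy signature, and the issuer values are placeholders.

```python
import base64
import json
import time
from typing import Optional

# Audience of an ARM access token (what Get-AzAccessToken -ResourceUrl
# "https://management.azure.com" returns) versus the default audience of a
# federated-credential client assertion, which is what oidc_token expects.
ARM_AUDIENCES = {
    "https://management.azure.com",
    "https://management.azure.com/",
    "https://management.core.windows.net/",
}
FEDERATED_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    Diagnostic only: the signature is NOT verified, so use this to inspect
    what you were issued, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[float] = None) -> str:
    """Say whether a token looks like an ARM access token or a federated assertion."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return "expired"
    aud = claims.get("aud")
    if aud == FEDERATED_AUDIENCE:
        return "federated-assertion"  # the shape azurerm oidc_token expects
    if aud in ARM_AUDIENCES:
        return "arm-access-token"  # valid against ARM, not as a client assertion
    return "unknown"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature (testing only)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


# Constructed samples, not real tokens; exp is 2100-01-01, issuers are placeholders.
ARM_TOKEN = make_unsigned_jwt({"aud": "https://management.azure.com",
                               "iss": "https://sts.windows.net/<tenant id>/", "exp": 4102444800})
FED_TOKEN = make_unsigned_jwt({"aud": FEDERATED_AUDIENCE, "iss": "https://<trusted-idp>/",
                               "sub": "<subject bound to the federated credential>", "exp": 4102444800})
```

Running classify_token over the token you pasted into oidc_token tells you before a template build whether the provider can even attempt the OIDC exchange.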
Phorcys
Phorcys2mo ago
given the provider block loads early, maybe the default isn't set yet somehow
michi
michiOP2mo ago
might of course also be the case that my entra app gives me a token that is not permitted to that, or I'm doing something really wrong in the provider config, I can't rule that out
Phorcys
Phorcys2mo ago
hey, were you able to figure this out?
michi
michiOP2mo ago
Unfortunately I haven't had the time to invest more into this. But the approach will most likely be that we have a principal that developers have to enroll to their subscription. Then we deploy via that principal. I'll let you know when I find time to set this up
Phorcys
Phorcys2mo ago
sounds good!