Coder.com
Created by michi on 2/27/2025 in #help
Use Azure Entra Authentication provider in template
Recently I've had the idea to provide a template that our developers can then use to create a specific resource configuration in their own subscriptions, to test as close to production as possible. To do this, my idea was to get the access token via coder_external_auth and then use it in an azurerm provider block:
```hcl
data "coder_parameter" "subscription_id" {
  name        = "Subscription ID"
  description = "The Subscription ID of your Azure MPN Subscription. The subscription has to reside in the axinf tenant."
  mutable     = false
}

data "coder_external_auth" "azure" {
  id = "primary-azure" # this is the name of our external auth endpoint users use to login
}

# see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
provider "azurerm" {
  use_oidc        = true
  client_id       = "<auth app client id>"
  oidc_token      = data.coder_external_auth.azure.access_token
  tenant_id       = "<tenant id>"
  subscription_id = data.coder_parameter.subscription_id.value
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-coder-dev-test"
  location = "westeurope"
}
```
However, when I try to build the template I run into multiple issues:

1. The subscription ID is empty when trying to build (obviously, as it comes from the parameter).
2. When supplying a default subscription ID, the next error is:

Error: unable to build authorizer for Resource Manager API: could not configure AzureCli Authorizer: could not parse Azure CLI version: launching Azure CLI: exec: "az": executable file not found in $PATH
on main.tf line 32, in provider "azurerm":

The second error sounds like it cannot authenticate and then tries to fall back to CLI authentication. I've also tried to submit a hard-coded token I had created before using PowerShell, but that token also did not work and resulted in the same error. Am I fundamentally misunderstanding something here? And how would I correctly create the template I'm thinking about?
39 replies
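A diagnostic for the token that ends up in `oidc_token`, written here as an added example (it is not from the post, from Coder or from the azurerm provider). It assumes the token is a JWT and that the app's federated identity credential uses the default `api://AzureADTokenExchange` audience; it reads the claims the federated credential must match (iss, sub, aud) without verifying the signature, and flags an empty or expired token or an audience that is an ordinary ARM/Graph access-token audience rather than the exchange audience.

```python
import base64
import json
import time
from typing import Optional

# Default audience an Entra federated identity credential accepts for client assertions.
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_oidc_token(token: str, now: Optional[float] = None) -> dict:
    """Report iss/sub/aud/exp of a JWT and list problems that would stop azurerm's OIDC flow.

    No signature check: this only reads what the token says about itself, so it can run
    before Terraform tries to exchange the token as a client assertion for the app.
    """
    now = time.time() if now is None else now
    if not token:
        # Assumption: with nothing to send, the provider skips OIDC and falls through to
        # the Azure CLI authorizer, which matches the 'exec: "az"' error in the post.
        return {"problems": ["token is empty"]}
    parts = token.split(".")
    if len(parts) != 3:
        return {"problems": ["not a three-part JWT"]}
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"problems": ["payload is not base64url-encoded JSON"]}
    report = {key: claims.get(key) for key in ("iss", "sub", "aud", "exp")}
    problems = []
    if not isinstance(report["exp"], (int, float)) or report["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    auds = report["aud"] if isinstance(report["aud"], list) else [report["aud"]]
    if EXCHANGE_AUDIENCE not in auds:
        problems.append(f"aud {report['aud']!r} is not {EXCHANGE_AUDIENCE}: an access token for "
                        "ARM or Graph is not an assertion the federated credential will accept")
    report["problems"] = problems
    return report


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) so the inspector can be exercised offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `inspect_oidc_token()` on the value Coder returns for `access_token` (or on the hand-made PowerShell token) and compare iss, sub and aud with the federated identity credential configured on the app.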