Creating an Azure subscription and deploying to it in same stream using SP

c240amg · May 3, 2023, 11:19am

Hi all,

I am using my own AAD account to create subscriptions and deploy resources to them in a single stream. This all works fine.

Now as I am migrating to an EA (Enterprise Agreement), to be able to create subscriptions, I need to apply the Subscription creator role. This sadly, is only available to Service principals when you’re on an EA.

So I created a login script using source ./login.sh

#!/bin/sh
# Login as yourself
az login

# Grab some data
appID=$(az keyvault secret show --name terraform-service-appid --vault-name ow --query value -o tsv)
appSecret=$(az keyvault secret show --name terraform-service-appid-and-secret --vault-name ow --query value -o tsv)
tenantID=$(az account show --query tenantId -o tsv)

# Now login as the SP
az login --service-principal --username ${appID} --password ${appSecret} --tenant ${tenantID}
echo "Logged in as an SP"

subscriptionID=$(az account show --query id -o tsv)

export ARM_CLIENT_ID=${appID}
export ARM_CLIENT_SECRET=${appSecret}
export ARM_SUBSCRIPTION_ID=${subscriptionID}
export ARM_TENANT_ID="xxxxxx"

echo You are logged in as:
az account show --query user -o tsv

and logged in, and then tried to run my code, and get this:

╷
│ Error: building AzureRM Client: 1 error occurred:
│ 	* A Subscription ID must be configured when authenticating as a Service Principal using a Client Secret.
│ 
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"].internal,
│   on x_provider.tf line 19, in provider "azurerm":
│   19: provider "azurerm" {
│ 
╵
ERRO[0012] Terraform invocation failed in /Users/phil.spencer/git/platform-nextgen/Azure/client/uk-lo/032-00-pks 
ERRO[0012] 1 error occurred:
	* exit status 1

my provider is dynamically configured, and pulls the subscription data from when i create it.

provider "azurerm" {
  features {}
  alias           = "default"
  subscription_id = "sub id"
  tenant_id       = "tenant_id"
}

# This is the subscription we want to deploy to
provider "azurerm" {
  features {}
  alias           = "client"
  subscription_id = module.client_subscription.subscription_id
  tenant_id       = "tenant_id"
}

tried using various methods of tolist, toset etc, but keep getting the same error.

Any ideas?

I’d hate to break the one stream, and create the subscription with one set of TF code and then deploy to it with another set of TF code.