Is it possible to run terraform plan without AZ login with the Azurerm provider?

One immediate error I get is the following:

│ ERROR: Please run 'az login' to setup account.

│ with provider["Terraform Registry"],
│ on cdk.tf.json line 16, in provider.azurerm[0]:
│ 16: }

cdk.tf.json contains the following:

  "provider": {
    "azurerm": [
      {
        "features": {
        }
      }
    ]
  }

Any help is appreciated!

Since everything the provider does involves reading or writing via the Azure API, how could it do anything useful without logging in?

A mock plan would have been nice, just to get an impression of what might get planned.

Oh right, I see - a comparison between new Terraform source files and pre-existing Terraform state. Yes, that theoretically ought to be possible without talking to the API.

Are you using the -refresh=false flag? Without that, Terraform will attempt to check its state is accurate even when just doing a plan.

Even with that, it’s possible the provider is being overly up-front in its validation and it will still fail. (I don’t use Azure, so I can’t easily check.) If that’s the case, it’s possible figuring out some dummy configuration good enough to placate the validation might be successful.

I tried using the -refresh=false flag, sadly, that did not fix it. Could you elaborate a bit more regarding the dummy configuration? I’m not that familiar with Terraform… yet 🙂

I’m not really familiar with Azure, myself 🙂

I had speculated that it might be enough to fill in some placeholder credentials, that wouldn’t actually be used.

However, playing around with terraform-provider-azurerm a bit, it appears it absolutely insists on contacting the Azure API even to plan a simple addition of a single resource.

So, I guess, with the way the provider is written, what you’re looking for isn’t possible.

Yes, you need to configure some environment variables associated with a previously configured Service Principal.

export ARM_CLIENT_ID=
export ARM_CLIENT_SECRET=
export ARM_TENANT_ID=
export ARM_SUBSCRIPTION_ID=

Hi @Arc_lag,

Both the plan and apply operations will typically require credentials in most providers, because this can help to ensure Terraform can produce a reliable plan that is more likely to be applyable.

A command you can use “offline” just to check if your configuration passes the validation rules that are built in to the provider is terraform validate, although I see that you are using CDK for Terraform so I’m not sure what is the equivalent cdktf command for validation.

I don’t see a command in the list that seems obviously related to validation, so if there isn’t currently such a command I think the fallback would be to run cdktf synth to generate the cdk.tf.json file and then run terraform validate in the directory which contains that file.

@apparentlymart is right, there is no validate command in CDKTF yet, but you can use terraform validate in the output directory.

Though, we do have an open issue containing the idea of invoking terraform validate after synthesizing: Validate Terraform code on synth · Issue #1309 · hashicorp/terraform-cdk · GitHub

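The two paths suggested in the replies above (a credential-free `terraform validate` after `cdktf synth`, and a plan that authenticates through the `ARM_*` Service Principal variables), as an added shell example that is not part of the original thread. The function names and the stack directory argument are assumptions; `terraform init -backend=false` still needs network access to download the provider plugin, but no Azure login.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# The ARM_* names are the ones posted above; the stack directory
# (for example cdktf.out/stacks/<stack>) is an assumption passed in by the caller.

# Print the names (never the values) of the ARM_* variables that are not
# exported with a non-empty value, i.e. that terraform would not inherit.
missing_arm_vars() {
    missing=""
    for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
        # grep -q keeps the secret values out of the terminal and CI logs.
        env | grep -q "^${name}=." || missing="$missing $name"
    done
    echo "${missing# }"
}

# Credential-free check: synthesize cdk.tf.json, then validate it.
offline_validate() {
    stack_dir=$1
    cdktf synth || return 1
    (
        cd "$stack_dir" || exit 1
        # Drop any credentials in this subshell so the check cannot use them.
        unset ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID
        # -backend=false skips remote state, so only the provider plugin is fetched.
        terraform init -backend=false -input=false >/dev/null && terraform validate
    )
}

# Credentialed plan: fail fast, naming only the missing variables,
# instead of falling through to the 'az login' error.
plan_with_service_principal() {
    stack_dir=$1
    missing=$(missing_arm_vars)
    if [ -n "$missing" ]; then
        echo "refusing to plan, not exported: $missing" >&2
        return 2
    fi
    ( cd "$stack_dir" && terraform plan -input=false )
}
```

Inject `ARM_CLIENT_SECRET` from the CI system's secret store rather than writing the `export` lines into a committed script or shell profile.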