I have been using the “acme_certificate” resource with DNS zones hosted in Azure but I am experiencing problems when the zone resides in a different subscription to the subscription I am connected to. Its almost like its ignoring the config block.
When I run it, it errors and says it cant find the resource group. I know its not using the config block as if I then create a resource group with the same name in the current subscription it moves onto a different error saying it cant find dns zone.
I know the variables are correct as I can auth via the CLI.
Can anyone shed any light on what I am doing wrong!? Do I have the syntax wrong for the config block or something!?
Im wondering if it may be that some env variables are already set.
Would that mean its using the values of those rather than the ones i’m passing into the config block!?
Im running terraform via an Azure DevOps pipeline which is why im thinking some of the values may already be set.
I’m curious to see what HTTP status code or response you are getting as the error.
First thing I thought of was to use a data source. This will do a API call to the DNS resource group, and gather various attributes that can be referenced for later.
Additionally, testing auth Azure Terraform provider with one of the methods proposed in the documentation locally before you put it into the Azure pipeline.
The fact that the CLI auth works is a good sign, I assume it would be a provider misconfiguration. So the Terraform block, env vars or credentials file would need validated and reviewed.
I can’t say for sure since I haven’t done any testing, but maybe those are some leads you can review.
We had a similar error, our DNS zone was hosted in different subscription and resource group to other resources, following worked for us using vars from an app registration configured for access, I believe a key part for us was that the client_id needed read at the subscription level and read/write on the DNS zone itself to locate it,