Problems with "acme_certificate" resource


I have been using the “acme_certificate” resource with DNS zones hosted in Azure but I am experiencing problems when the zone resides in a different subscription to the subscription I am connected to. Its almost like its ignoring the config block.

This is the code I am using:

resource “acme_certificate” “this” {

account_key_pem = acme_registration.reg.account_key_pem
common_name = var.certificate_common_name

dns_challenge {
provider = “azure”
config = {
AZURE_CLIENT_ID = azuread_service_principal.sp.application_id
AZURE_CLIENT_SECRET = random_string.password.result
AZURE_SUBSCRIPTION_ID = var.azure_dns_zone_subscription_id
AZURE_TENANT_ID = var.azure_dns_zone_tenant_id
AZURE_RESOURCE_GROUP = var.azure_dns_zone_resource_group

When I run it, it errors and says it cant find the resource group. I know its not using the config block as if I then create a resource group with the same name in the current subscription it moves onto a different error saying it cant find dns zone.

I know the variables are correct as I can auth via the CLI.

Can anyone shed any light on what I am doing wrong!? Do I have the syntax wrong for the config block or something!?

Im wondering if it may be that some env variables are already set.
Would that mean its using the values of those rather than the ones i’m passing into the config block!?
Im running terraform via an Azure DevOps pipeline which is why im thinking some of the values may already be set.

Hi @JamesStanley,

Could you provide the error you are reviewing?

I’m curious to see what HTTP status code or response you are getting as the error.

First thing I thought of was to use a data source. This will do a API call to the DNS resource group, and gather various attributes that can be referenced for later.

Additionally, testing auth Azure Terraform provider with one of the methods proposed in the documentation locally before you put it into the Azure pipeline.

The fact that the CLI auth works is a good sign, I assume it would be a provider misconfiguration. So the Terraform block, env vars or credentials file would need validated and reviewed.

I can’t say for sure since I haven’t done any testing, but maybe those are some leads you can review.