Targeted Terraform Destroy erroring seemingly due to ignoring some environment variables


Encountered an issue recently whereby an attempt to carry out targeted destruction on a resource fails, citing “Error build ARM config: subscription / tenant IDs must be configured when authenticating as a Service Principal using a client secret”

I did encounter this error a few days before the attempted production deployment, in a sandboxed mock-up; however, in that scenario the error was displayed during the refresh, but the apply / -destroy proceeded without further issues. Now, the error is displayed during both the refresh and apply / -destroy and the task fails.

We’re running Terraform via Azure DevOps pipelines on a scaleset VM as the build agent; it’s running Terraform v1.0.2. azurerm versions used have been both 2.95 and latest. azuread versions used were both 1.6 and latest.

The service principal is current and its secret has not expired. The service connection in use by the pipeline has been verified.

Client ID and secret for the SP are stored in secret variables in the DevOps pipeline library group, as are the tenant / subscription IDs and others. They’re referenced in the DevOps pipeline job via env: ARM_SUBSCRIPTION_ID / ARM_TENANT_ID etc, pointing at the library group secrets.

I’ve tried reconfiguring the first stage in the pipeline to write both the library group secret values to the pipeline, and then to write the corresponding environment variables to the pipeline; both return the correct values for the subscription and the tenant.

I then tried specifying the subscription, tenant and client IDs plus the client secret in the provider block; the issue was unaffected.

Finally I tried directly logging into azure via the AZ CLI at the beginning of the task; the error persists.

I wondered if it might be something to do with the deprecated ADAL vs MSAL, and the default of ADAL in the older version of Terraform we’re using, for forced use of Microsoft Graph; the error persists.

I realise -target should only be used in unusual use-cases; however, I'd categorise this as one of those. Due to the way this particular deployment has been arranged, it requires targeted destruction and rebuild of one VM while keeping the other online, then rebuilding the other machine; the purpose being to take advantage of the fact that Microsoft patch their base images after Patch Tuesday and thereby avoid the standard method of Windows patching.

Any advice / suggestions, please … ? I’ve tried everything I can think of short of updating the Terraform version (this is using shared build agents) and everything I’ve tried points to the environment variables definitely being populated correctly, but Terraform for some reason not recognising this during this pipeline job …
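The post above reports the ARM_* variables as populated when echoed, yet the provider still complains. The script below is an added example (not from the original post or from the Terraform project): a preflight step to run in the same pipeline job, under the same env: mapping, immediately before the terraform refresh/apply, so the check sees exactly the environment Terraform sees. It verifies that the four variable names the azurerm provider reads for client-secret authentication (ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID) are present, that the three IDs are well-formed GUIDs, and it never prints the secret. The function names and the sample values in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example: preflight check for azurerm service-principal environment
# variables, meant to run as a pipeline step right before `terraform`.
# Not part of the original post. Function names are hypothetical.

# is_guid VALUE: succeeds when VALUE looks like an Azure GUID
# (8-4-4-4-12 hex groups), which is the format of subscription, tenant
# and client (application) IDs.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_arm_env: reports each ARM_* variable as present, MISSING or
# MALFORMED and returns the number of problems found (0 means all good).
# The secret is only reported by length so it never lands in pipeline logs.
check_arm_env() {
  missing=0
  for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_SUBSCRIPTION_ID ARM_TENANT_ID; do
    # POSIX-portable indirect expansion; $name comes from the fixed list above.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "MISSING   $name"
      missing=$((missing + 1))
      continue
    fi
    case "$name" in
      ARM_CLIENT_SECRET)
        echo "present   $name (length ${#value}, value not shown)" ;;
      *)
        if is_guid "$value"; then
          echo "present   $name=$value"
        else
          # A mapped-but-wrong value (e.g. a variable name instead of its
          # value, or surrounding quotes) shows up here rather than as empty.
          echo "MALFORMED $name (expected a GUID, got ${#value} chars)"
          missing=$((missing + 1))
        fi ;;
    esac
  done
  return "$missing"
}

# Pipeline usage (uncomment in the step that precedes terraform):
#   check_arm_env || { echo "ARM_* preflight failed"; exit 1; }
```

If this step passes but the provider still errors, the variables are reaching the job and the problem lies elsewhere (for example, values set in the provider block override the environment, so a stale or empty value there wins). If it fails, the env: mapping of the library-group secrets is not taking effect in that job.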