Terraform 1.1.5 "use_microsoft_graph = true" not working?

Hi everyone,

I am starting to test migrating from Terraform 1.0.0 to 1.1.5, and also migrating to the use of Microsoft Graph, per the Azure AD Graph deprecation on June 30, 2020.

To test, I started tcpdump then ran terraform apply with:

terraform {
  backend "azurerm" {
  }
  required_version = "~> 1.0.0"
  ...
}

Looking at the tcpdump logs, I see, as expected, DNS lookups/connectivity to https://graph.windows.net.

Then, I switched terraform to version 1.1.5 and updated my configuration with:

terraform {
  backend "azurerm" {
    use_microsoft_graph = true
  }
  required_version = "~> 1.1.0"
  ...
}

Then I ran "terraform init -reconfigure" and ran apply again with tcpdump running.

Looking at the tcpdump logs, I expected to see DNS lookups/connectivity to https://graph.microsoft.com, but I did NOT see these. I see more DNS lookups/connectivity to https://graph.windows.net.

My interpretation is that Terraform 1.1.5, even with the correct directive and reconfiguration, does not use Microsoft Graph. Can anyone give me some insights as to what could be happening?

Thanks in advance!

Michal

Hi @michal.hoppe,

I’m not personally familiar with these Azure backend concepts, so hopefully someone who is more familiar will see this and respond, but for my part I looked at the part of the backend code which handles that new argument:

It seems like the behavior of this flag is to choose between two different methods on the underlying Azure SDK, which are then responsible for making whatever network calls you are seeing.

I see it also emits a different log line in each case, so if you set the environment variable TF_LOG=DEBUG when you run Terraform you should presumably be able to see it show one of the following log lines to indicate what type of token it requested:

[DEBUG] Obtaining a MSAL / Microsoft Graph token for Resource Manager..
 OR
[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Resource Manager..
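
The log check suggested in the reply above, as an added example that is not part of the original thread or of Terraform's own code: a shell function that reports which of the two quoted token lines appears in a captured debug log. The function names, file names and sample log lines are constructed for illustration; TF_LOG and TF_LOG_PATH are Terraform's logging environment variables.

```shell
#!/bin/sh
# Added example: classify which token path the azurerm backend logged.
# Capture a debug log first (TF_LOG_PATH appends, so start from a fresh file):
#   rm -f tf-debug.log
#   TF_LOG=DEBUG TF_LOG_PATH=tf-debug.log terraform init -reconfigure

# Fixed strings taken from the two log lines quoted in the thread.
MSAL_LINE='Obtaining a MSAL / Microsoft Graph token'
ADAL_LINE='Obtaining a ADAL / Azure Active Directory Graph token'

# backend_token_type FILE  ->  prints msal | adal | both | none | unreadable
backend_token_type() {
  log_file=$1
  if [ ! -r "$log_file" ]; then
    echo unreadable
    return 2
  fi
  # grep -c exits 1 on zero matches; "|| true" keeps this safe under "set -e".
  msal=$(grep -cF -- "$MSAL_LINE" "$log_file" || true)
  adal=$(grep -cF -- "$ADAL_LINE" "$log_file" || true)
  if [ "$msal" -gt 0 ] && [ "$adal" -gt 0 ]; then
    echo both      # usually a log file that holds more than one run
  elif [ "$msal" -gt 0 ]; then
    echo msal
  elif [ "$adal" -gt 0 ]; then
    echo adal
  else
    echo none      # neither token line is present in this file
  fi
}

# Constructed sample log: only the [DEBUG] text comes from the thread.
sample_log() {
  printf '%s\n' \
    '[INFO]  constructed sample: backend initialisation starts' \
    "[DEBUG] $1 for Resource Manager.." \
    '[INFO]  constructed sample: backend initialisation done'
}

# With a path argument, classify that file; otherwise use the sample log.
demo_file=$(mktemp)
sample_log "$ADAL_LINE" > "$demo_file"
echo "token type: $(backend_token_type "${1:-$demo_file}")"
rm -f "$demo_file"
```

A result of `both` is worth treating as inconclusive: delete the log file and repeat the run so the capture covers a single Terraform invocation.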