Bug Report: management Terraform workspace erroring out after 6.1.0 upgrade #1144

Closed
c4milo opened this issue Sep 30, 2024 · 10 comments

c4milo commented Sep 30, 2024

[Image: Screenshot 2024-09-30 at 2 53 34 PM]

c4milo commented Sep 30, 2024

It seems the data source was introduced in #968, @matt-FFFFFF, any idea?

c4milo changed the title from "Bug Report: management subscription Terraform workspace erroring out after 6.1.0 upgrade" to "Bug Report: management Terraform workspace erroring out after 6.1.0 upgrade" on Sep 30, 2024
@matt-FFFFFF
Member

Looks like you need to set up auth for the AzAPI provider?


c4milo commented Sep 30, 2024

Ohh, @matt-FFFFFF, is that a new requirement? We didn't have a provider block for it before. We use managed identities from our TFC workers.

@matt-FFFFFF
Member

It's not new, AzAPI has been in the module for a while. It usually takes the same auth configuration as AzureRM, and it doesn't need a provider block like AzureRM does.

It is used for MG diag settings too so you could test with that.

Managed identity will work, but you need to configure AzAPI to use it. In this case you'll need to add a provider block. See here: https://registry.terraform.io/providers/Azure/azapi/latest/docs#use_msi
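
The provider-block approach suggested in the comment above, as an added example that is not part of the original thread or the module's own code: both providers are pinned to managed identity, with the Azure CLI fallback disabled so a run cannot silently authenticate as whoever happens to be logged in on the worker. The variable `managed_identity_client_id` is hypothetical, and setting `client_id` to select a user-assigned identity is an assumption about the environment.

```hcl
# Added example: azurerm and azapi configured for the same managed identity.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.84"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1.15"
    }
  }
}

variable "tenant_id" {
  type = string
}

variable "subscription_id_management" {
  type = string
}

# Hypothetical variable: client ID of a user-assigned managed identity.
# Leave null to use the system-assigned identity of the worker.
variable "managed_identity_client_id" {
  type    = string
  default = null
}

provider "azurerm" {
  features {}

  use_msi                    = true
  use_cli                    = false # no fallback to an ambient `az login` session
  tenant_id                  = var.tenant_id
  subscription_id            = var.subscription_id_management
  client_id                  = var.managed_identity_client_id
  skip_provider_registration = true
}

# Provider configurations are independent: azapi needs its own block.
provider "azapi" {
  use_msi         = true
  use_cli         = false
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id_management
  client_id       = var.managed_identity_client_id
}
```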

matt-FFFFFF self-assigned this Sep 30, 2024

c4milo commented Sep 30, 2024

Thanks a lot for the pointer @matt-FFFFFF! Here is how we fixed it, FWIW:

Before

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.84"
    }
  }
}

# Define the provider configuration
provider "azurerm" {
  features {}

  use_cli                    = false
  tenant_id                  = var.tenant_id
  subscription_id            = var.subscription_id_management
  skip_provider_registration = true
}
```

After

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.84"
    }

    azapi = {
      source  = "azure/azapi"
      version = "~> 1.15"
    }
  }
}

provider "azapi" {
  use_cli                    = false
  tenant_id                  = var.tenant_id
  subscription_id            = var.subscription_id_management
  skip_provider_registration = true
}

# Define the provider configuration
provider "azurerm" {
  features {}

  use_cli                    = false
  tenant_id                  = var.tenant_id
  subscription_id            = var.subscription_id_management
  skip_provider_registration = true
}
```

Terraform Cloud variables for the management workspace (workload identity):

[Image: Screenshot 2024-09-30 at 4 48 14 PM]

c4milo closed this as completed Sep 30, 2024
@matt-FFFFFF
Member

Nice - yeah for workload identity federation (OIDC) all you need is tenant and client id.

@matt-FFFFFF
Member

Also unless you have explicit resources in your root module you don't need the required provider entry. Terraform will get it from the loaded modules.


c4milo commented Sep 30, 2024

@matt-FFFFFF, we don't have explicit azapi resources, no. However, for some reason, Terraform didn't seem to pick them up, hence the error in the screenshot above. It worked once we explicitly configured it, as shown in the comment above.

@matt-FFFFFF
Member

Fair enough. Glad it's working


c4milo commented Sep 30, 2024

Thanks to you 🙏🏻
