
Azure US Gov error: resource azuread_group error: Error: Could not retrieve calling principal object "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #1210

Closed
wtomaz808 opened this issue Oct 12, 2023 · 9 comments

Comments

@wtomaz808

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

  • terraform version
    Terraform v1.6.1
    on windows_amd64
  • provider registry.terraform.io/azurenoops/azurenoopsutils v1.0.4
  • provider registry.terraform.io/hashicorp/azuread v2.40.0
  • provider registry.terraform.io/hashicorp/azurerm v3.75.0

Affected Resource(s)

azuread_group

Terraform Configuration Files

```hcl
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "azuread_group" "test_managers" {
  display_name     = "Education - Managers"
  security_enabled = true
}
```

```hcl
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

terraform {
  required_version = ">= 1.3"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.40"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.22"
    }
    azurenoopsutils = {
      source  = "azurenoops/azurenoopsutils"
      version = "~> 1.0.4"
    }
  }
}

# Azure Region Lookup
#----------------------------------------------------------

# Azurerm provider configuration
provider "azurerm" {
  environment                = "usgovernment"
  skip_provider_registration = "true"
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}
```

Debug Output

Panic Output

Expected Behavior

create azure AD security groups

Actual Behavior

(screenshot of the error, not reproduced here)

Steps to Reproduce

log into Azure GOV *this issue is in Azure Gov*

  1. terraform init
  2. terraform apply

Important Factoids

References

  • #0000
@manicminer manicminer added bug env/usgovernment Issue affects this environment labels Oct 12, 2023
@manicminer (Contributor)

Hi @wtomaz808, thanks for reporting this issue. Please can you advise which authentication method you are using? Can you also try with the latest provider version (v2.43.0) and advise if you're still getting this error? We may need to see a full debug log in order to determine the cause of the error - if this is the case you will be able to submit it privately as needed. Thanks!

@wtomaz808 (Author)

*This is happening in Azure US Gov*
I have tried provider version v2.43.0 as well and still have the issue.
terraform version
Terraform v1.6.1
on windows_amd64

  • provider registry.terraform.io/azurenoops/azurenoopsutils v1.0.4
  • provider registry.terraform.io/hashicorp/azuread v2.43.0
  • provider registry.terraform.io/hashicorp/azurerm v3.75.0
  • provider registry.terraform.io/hashicorp/null v3.2.1

```text
azuread_group.test_engineering: Creating...

│ Error: Could not retrieve calling principal object "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

│ with azuread_group.test_engineering,
│ on main2.tf line 34, in resource "azuread_group" "test_engineering":
│ 34: resource "azuread_group" "test_engineering" {

│ DirectoryObjects.BaseClient.Get(): unexpected status 302 received with no body
```

@wtomaz808 (Author)

I am authenticating via Azure Active Directory. I am using/signed in with an identity that has GA access to the tenant & sub; this is an internal MSFT custom domain xxxx.onmicrosoft.us in Azure US Gov.

I have read there is a compatibility issue with Azure Graph in Azure Gov (??)

@manicminer (Contributor)

@wtomaz808 Thanks for the info. Usage of the provider in all US Gov environments is supported.

It sounds like you're authenticating with a user account via Azure CLI - I'll look into the code and see if I can spot a likely root cause of this error.

@manicminer (Contributor)

It looks like you're getting a 302 response from the API, with no Location header. We've seen this recently with a couple different endpoints. This is an undocumented (and noncompliant) response and it's unclear what the provider is supposed to do here. I'll reach out to the service team to try and get some clarification.

@wtomaz808 (Author)

I was able to deploy the resources (Azure Entra ID security group) by altering my versions.tf file to the following:

```hcl
provider "azuread" {
  environment = "usgovernment"
  tenant_id   = data.azurerm_client_config.current.tenant_id
  client_id   = data.azurerm_client_config.current.client_id
}
```

It appears that I had to tell this individual provider that the environment is the usgovernment cloud, which I assumed was getting configured in my environment variable for the azurerm provider. This is something I did not have to do in Azure commercial.

@manicminer (Contributor)

@wtomaz808 Thanks for the feedback. How are you setting the environment for AzureRM? You can set the ARM_ENVIRONMENT environment variable and it should be picked up by both providers. Similarly, you can set the ARM_TENANT_ID environment variable to specify your tenant, and ARM_CLIENT_ID for your client ID. If you're setting these directly in the provider block, then you'll have to set them for each provider individually.

Are you using service principal authentication?

@wtomaz808 (Author)

Here is my azureRM block:

```hcl
provider "azurerm" {
  environment                = "usgovernment"
  skip_provider_registration = "true"
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}
```

So you are suggesting replacing `environment` with ARM_Environment, and that variable setting will "carry over" to the azureAD provider, as well as all other providers? That is very useful to know.

@manicminer (Contributor)

manicminer commented Oct 12, 2023

We intentionally consume the same environment variables in both the AzureRM and AzureAD providers (links to arguments for reference), to help simplify practitioners' configurations. On most platforms the env vars must be uppercased e.g. ARM_ENVIRONMENT.

If you're using Azure CLI authentication, you'll want to omit the client_id argument in the AzureAD provider block. It'll work as long as you configure the correct client ID for Azure CLI, but it's easiest to just leave it out. We recommend setting tenant_id (or environment variable ARM_TENANT_ID) in all cases for predictability.
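The precedence rule described in the two maintainer replies above (an argument in the provider block wins; otherwise both providers fall back to the same uppercased ARM_* variable; a block-only setting on azurerm does not carry over to azuread) can be checked before running `terraform apply`. The following preflight script is an added example written for this page, not code from the AzureAD provider or from the issue; the sample versions.tf content and the ARM_* environment mappings it uses are constructed to mirror the configuration quoted in this thread.

```python
import re
ENV_VARS = {"environment": "ARM_ENVIRONMENT", "tenant_id": "ARM_TENANT_ID"}  # read by BOTH providers

# Constructed sample mirroring the issue: azurerm pins US Gov, there is no azuread block at all.
SAMPLE_TF = '''
provider "azurerm" {
  environment = "usgovernment"
  features { resource_group { prevent_deletion_if_contains_resources = false } }
}
'''
def parse_provider_blocks(hcl):
    """Top-level `name = "value"` arguments per provider block; nested blocks are skipped."""
    providers = {}
    for m in re.finditer(r'provider\s+"(\w+)"\s*\{', hcl):
        depth, buf = 1, []
        for ch in hcl[m.end():]:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    break
            if depth == 1:
                buf.append(ch)
        providers[m.group(1)] = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', "".join(buf), re.M))
    return providers

def effective(providers, name, arg, env):
    """Value the provider would use: an explicit block argument wins, else the ARM_* variable."""
    if arg in providers.get(name, {}):
        return providers[name][arg], "provider block"
    var = ENV_VARS[arg]
    if var in env:
        return env[var], var
    wrong_case = [k for k in env if k.upper() == var and k != var]  # e.g. arm_environment
    if wrong_case:
        return None, f"{wrong_case[0]} ignored: must be uppercased as {var}"
    return None, "unset"

def check_alignment(hcl, env):
    """Report where azurerm and azuread would not agree on environment / tenant."""
    providers, findings = parse_provider_blocks(hcl), []
    for arg in ENV_VARS:
        seen = {}
        for name in ("azurerm", "azuread"):
            value, source = effective(providers, name, arg, env)
            if value is None:
                findings.append(f"{name}: {arg} not configured ({source}); provider uses its default")
            seen[name] = value
        if all(seen.values()) and len(set(seen.values())) > 1:
            findings.append(f"{arg} differs between providers: {seen}")
    return findings
```

Run `check_alignment(open("versions.tf").read(), dict(os.environ))` against a real configuration; an empty result means both providers resolve the same cloud and tenant, which is the state the fix in this thread reached.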

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 12, 2024