wrapper cannot correctly check Azure session since azure-cli v2.30.0 #19

Closed
Shr3ps opened this issue Nov 9, 2021 · 1 comment
Shr3ps commented Nov 9, 2021

Context:

Claranet terraform-wrapper relies on the Python SDK azure-cli-core lib to retrieve a CLI Azure session.
This session is used to:

  • check if the Azure session is correct and has the correct rights to access the target Azure Subscription
  • use this session when the Azure backend is used, to get Azure Storage Account keys (and forward them to Terraform)

terraform-wrapper v8.1.2 depends on azure-cli-core v2.29.0, which uses the ADAL library for Azure authentication. (Session tokens are stored in the $AZURE_CONFIG_DIR/accessTokens.json file.)
With azure-cli and azure-cli-core v2.30.0, Microsoft has introduced a CORE breaking change: they now use the MSAL library for Azure authentication. (See Changelog info: https://github.com/MicrosoftDocs/azure-docs-cli/blob/main/docs-ref-conceptual/release-notes-azure-cli.md#core)
Session tokens are now stored in $AZURE_CONFIG_DIR/msal_token_cache.json file.

Issue description:
First case:

  • You have a valid Azure session, generated via azure login command and using azure-cli v2.29 (or an earlier version)
  • You now upgrade to azure-cli v2.30.0 (or more recent)
  • If you trigger a tfwrapper command (like tfwrapper plan):
    • The init phase will succeed: tfwrapper will rely on the Azure session available via azure-cli-core v2.29 and ADAL lib
    • The plan phase will crash with an error message from Terraform:
Error: building account: getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: User aaaa.bbbb@fr.clara.net does not exist in MSAL token cache. Run `az login`.
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 1, in provider "azurerm":
│    1: provider "azurerm" {

You need to run az login again with azure-cli v2.30+, so you will have both ADAL and MSAL Azure sessions.

Second Case:

  • You're on a fresh install of azure-cli v2.30.0, you do an az login command
  • Because this has generated an MSAL session, tfwrapper will directly fail with:
ERROR   tfwrapper : Error while getting Azure token, check that you are authorized on this subscription then log yourself in with:

 AZURE_CONFIG_DIR=/home/xxxxxxxxxxxx/.run/azure az login

because tfwrapper cannot find the ADAL session.
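
A check for which of the two cases above applies to a given machine, as an added example that is not part of the original issue or of terraform-wrapper: it looks in the Azure CLI config directory for the two cache files named in the issue. The function names, and the rule that any non-empty JSON document counts as a session, are assumptions of this example.

```python
import json
import os
import tempfile
from pathlib import Path

# Cache file names as given in the issue text.
ADAL_CACHE = "accessTokens.json"      # azure-cli-core <= v2.29.0 (ADAL)
MSAL_CACHE = "msal_token_cache.json"  # azure-cli-core >= v2.30.0 (MSAL)

# (ADAL session found, MSAL session found) -> case from the issue
OUTCOMES = {
    (True, True): "both: wrapper v8.1.2 and azure-cli v2.30+ each find a session",
    (True, False): "adal_only: first case, init passes then the plan phase fails",
    (False, True): "msal_only: second case, wrapper v8.1.2 fails getting a token",
    (False, False): "none: no session, run az login",
}


def has_session(path: Path) -> bool:
    """Assumption: a cache holds a session if it parses to non-empty JSON."""
    try:
        return bool(json.loads(path.read_text(encoding="utf-8")))
    except (OSError, ValueError):
        return False  # missing, unreadable, empty or corrupt file


def diagnose(config_dir=None) -> str:
    """Classify an Azure CLI config directory into one of the issue's cases."""
    base = Path(config_dir or os.environ.get("AZURE_CONFIG_DIR")
                or Path.home() / ".azure")
    return OUTCOMES[(has_session(base / ADAL_CACHE),
                     has_session(base / MSAL_CACHE))]


def demo() -> list:
    """Run the check over constructed cache files (no real tokens)."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        results.append(diagnose(d))                # nothing there yet
        (d / MSAL_CACHE).write_text('{"Account": {"constructed": {}}}')
        results.append(diagnose(d))                # fresh v2.30.0 login
        (d / ADAL_CACHE).write_text("[]")          # emptied ADAL cache
        results.append(diagnose(d))
        (d / ADAL_CACHE).write_text('[{"userId": "constructed@example.com"}]')
        results.append(diagnose(d))
    return results


if __name__ == "__main__":
    print(diagnose())
```

Run with the same AZURE_CONFIG_DIR that tfwrapper uses, since the wrapper's error message shows it pointing the CLI at its own directory.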

@Shr3ps Shr3ps self-assigned this Nov 9, 2021
@Shr3ps Shr3ps closed this as completed Nov 16, 2021
Shr3ps commented Nov 16, 2021

Fixed in Release v9.0.0
