Conversation

@jackofallops
Member

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

Enables the ability to specify an API version to use for MSI auth (such as is required to run the provider inside a Container App)

Example future provider config:

provider "azurerm" {
  features {}

  use_msi         = true
  msi_api_version = "2019-11-01"
}

Example env var configuration for running in Container Apps:

export ARM_USE_MSI=true
export ARM_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # only necessary for user assigned identity
export ARM_MSI_ENDPOINT=$MSI_ENDPOINT
export ARM_MSI_API_VERSION="2019-08-01"

This is a (please select all that apply):

  • Bug Fix
  • New Feature
  • Enhancement
  • Breaking Change

Related Issue(s)

closes #1054

supersedes #1093

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the provider.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Note

If this PR changes meaningfully during the course of review please update the title and description as required.
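A small check for the configuration this PR introduces, written here as an added example and not the provider's own code: it validates the configured MSI API version against the minimum the linked issue asks for on Container Apps (2019-08-01) and builds the token request URL that the provider later logs. The `MSIConfig` type, the function names and the minimum-version rule are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"time"
)

// Minimum api-version the linked issue asks for on Azure Container Apps (assumption of this example).
const minContainerAppsAPIVersion = "2019-08-01"

// MSIConfig mirrors ARM_MSI_ENDPOINT, ARM_MSI_API_VERSION and ARM_CLIENT_ID (user-assigned identity only).
type MSIConfig struct {
	Endpoint, APIVersion, ClientID string
}

// ValidateAPIVersion rejects values that are not a YYYY-MM-DD date or are older than the minimum.
func ValidateAPIVersion(v string) error {
	if _, err := time.Parse("2006-01-02", v); err != nil {
		return fmt.Errorf("msi api version %q is not a YYYY-MM-DD date", v)
	}
	if v < minContainerAppsAPIVersion { // ISO dates order correctly as strings
		return fmt.Errorf("msi api version %s is older than %s", v, minContainerAppsAPIVersion)
	}
	return nil
}

// TokenRequestURL builds the GET URL seen in the debug log: api-version, client_id (when set)
// and resource as query parameters, which url.Values encodes sorted by key.
func TokenRequestURL(cfg MSIConfig, resource string) (string, error) {
	if err := ValidateAPIVersion(cfg.APIVersion); err != nil {
		return "", err
	}
	u, err := url.Parse(cfg.Endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("api-version", cfg.APIVersion)
	if cfg.ClientID != "" {
		q.Set("client_id", cfg.ClientID)
	}
	q.Set("resource", resource)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() { // reads the same environment variables the description exports
	fmt.Println(TokenRequestURL(MSIConfig{os.Getenv("ARM_MSI_ENDPOINT"), os.Getenv("ARM_MSI_API_VERSION"), os.Getenv("ARM_CLIENT_ID")}, "https://graph.microsoft.com"))
}
```

An unquoted HCL value such as `2019-11-01` is evaluated as arithmetic and arrives as `2007`, which the date check rejects; this is why the provider block must quote the version.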

@jackofallops jackofallops requested a review from a team as a code owner June 12, 2025 14:36
@github-actions github-actions bot added the release-once-merged The SDK should be released once this PR is merged label Jun 12, 2025
Member

@catriona-m catriona-m left a comment

Thanks @jackofallops LGTM!

@jackofallops jackofallops merged commit 9e2faae into main Jun 13, 2025
12 of 18 checks passed
@jackofallops jackofallops deleted the f/configurable-imds-api-version branch June 13, 2025 12:01
@kabal2010

kabal2010 commented Jun 16, 2025

Thanks @jackofallops for raising this. Can I please ask if this change is now available? If it's not, can you possibly confirm when it will be so that I can test it? I have checked the Terraform documentation and there is no mention of the new env variable introduced.

@kabal2010

@jackofallops - I tried making use of the new variable in Azure Container Apps but I am getting the error shown below.

2025-06-21T17:59:07.639Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: [DEBUG] Performing GET Request to "http://localhost:42356/msi/token?api-version=2019-08-01&client_id=3ed79e10-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com"
2025-06-21T17:59:07.639Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: [DEBUG] GET http://localhost:42356/msi/token?api-version=2019-08-01&client_id=3ed79e10-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com
2025-06-21T17:59:07.674Z [DEBUG] provider.terraform-provider-azurerm_v4.34.0_x5: [DEBUG] Reading Body from GET "http://localhost:42356/msi/token?api-version=2019-08-01&client_id=3ed79e10-xxxx-xxxx-xxxx-xxxxxxxxxxxx&resource=https%3A%2F%2Fgraph.microsoft.com"
2025-06-21T17:59:07.674Z [ERROR] provider.terraform-provider-azurerm_v4.34.0_x5: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.26.0/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_detail="" diagnostic_severity=ERROR tf_provider_addr=registry.terraform.io/hashicorp/azurerm tf_rpc=Configure diagnostic_summary="building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 403 with body: " tf_proto_version=5.8 tf_req_id=148b3dd9-xxxx-xxxx-xxxx-xxxxxxxxxxxx timestamp=2025-06-21T17:59:07.674Z
2025-06-21T17:59:07.675Z [ERROR] vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"]" error: building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 403 with body:
2025-06-21T17:59:07.675Z [WARN]  Planning encountered errors, so plan is not applyable
2025-06-21T17:59:07.675Z [INFO]  backend/local: refresh calling Refresh
╷
│ Warning: Empty or non-existent state
│ 
│ There are currently no remote objects tracked in the state, so there is nothing to refresh.
╵
╷
│ Error: building account: could not acquire access token to parse claims: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 403 with body: 
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on providers.tf line 22, in provider "azurerm":22: provider "azurerm" {
│ 
╵
2025-06-21T17:59:07.677Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-06-21T17:59:07.681Z [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/azurerm/4.34.0/linux_amd64/terraform-provider-azurerm_v4.34.0_x5 id=91
2025-06-21T17:59:07.681Z [DEBUG] provider: plugin exited

@vermacodes

This feature is still not working. I've created a proxy as a workaround. I will try to create another PR to get a fix merged.

https://github.com/vermacodes/azurerm-msi-api-proxy

Successfully merging this pull request may close these issues.

Support api-version 2019-08-01 or above for Azure Container App
