Cloud Shell doesn't allow running the TF Azure AD 2.x code due to MSI error #633

Closed
marcosgm opened this issue Oct 14, 2021 · 10 comments · Fixed by #660

@marcosgm (Author)

See Azure/CloudShell#112:

╷
│ Error: could not configure MSI Authorizer: NewMsiConfig: could not validate MSI endpoint: received HTTP status 404
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 1, in provider "azuread":
│    1: provider "azuread" {
│
@marcosgm (Author)

$ cat main.tf
provider "azuread" {
}

data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

@manicminer (Contributor)

Hi @marcosgm, thanks for reporting this. We're aware of some issues around MSI authentication in Cloud Shell, which we'll work to address.

As a workaround, Azure CLI authentication does work. Microsoft installs a wrapper script at /usr/local/bin/terraform in Cloud Shell which overrides some Terraform authentication variables; at the time of writing, if you want to disable MSI authentication you have to unset the MSI_ENDPOINT environment variable.

@marcosgm (Author)

Wow, it works!!

$ unset MSI_ENDPOINT
$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azuread_group.example will be created
  + resource "azuread_group" "example" {
      + display_name                   = "example"
      + id                             = (known after apply)
      + mail                           = (known after apply)
      + mail_nickname                  = (known after apply)
      + members                        = (known after apply)
      + object_id                      = (known after apply)
      + onpremises_domain_name         = (known after apply)
      + onpremises_netbios_name        = (known after apply)
      + onpremises_sam_account_name    = (known after apply)
      + onpremises_security_identifier = (known after apply)
      + onpremises_sync_enabled        = (known after apply)
      + owners                         = [
          + "2b09d7c3-741e-4975-99c3-f37b9de2564a",
        ]
      + preferred_language             = (known after apply)
      + prevent_duplicate_names        = false
      + proxy_addresses                = (known after apply)
      + security_enabled               = true
      + visibility                     = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azuread_group.example: Creating...
azuread_group.example: Creation complete after 1s [id=acbaba02-b373-4c1c-ba16-5b4f608a8832]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

marcosgm changed the title from "Cloud Shell doesn't allow running the TF Azure AD 2.x code" to "Cloud Shell doesn't allow running the TF Azure AD 2.x code due to MSI error" on Oct 15, 2021
@edyoung commented Oct 18, 2021

@manicminer let us know if you think this is due to an error in Cloud Shell. I can reproduce the issue but I'm not clear what the problem is.

@marcosgm (Author)

@edyoung I first thought it was a Cloud Shell bug (Azure/CloudShell#112), maybe because the MSI proxy thing at "localhost:50342" wouldn't allow the MS Graph API audience:
https://docs.microsoft.com/en-us/azure/cloud-shell/msi-authorization#limitations

But following this tutorial, https://kevinhakanson.com/2020-04-22-exploring-the-microsoft-graph-api-from-azure-cloud-shell,
it works fine from Cloud Shell, so the MSI proxy does allow the token to be used to query the MS Graph API.

So maybe it's the terraform azuread code that doesn't work well with that proxy. See, for instance, how it's done with curl:
curl $MSI_ENDPOINT --data "resource=https://graph.microsoft.com/" --header "metadata: true" --silent | jq .access_token -r

Thoughts?

@marcosgm (Author)

https://github.com/manicminer/hamilton/blob/main/auth/msi.go is the auth library used by this azuread provider.
I don't see how the MSI endpoint can be automatically detected (i.e. via the env var $MSI_ENDPOINT). So maybe run a quick test using that Go library, but from the Azure Cloud Shell?

My 2 cents.

@marcosgm (Author)

I went ahead and tested the Go library (Hamilton) and filed a bug, as it doesn't support the MSI endpoints inside Cloud Shell: manicminer/hamilton#116

@manicminer (Contributor) commented Nov 2, 2021

@edyoung Thanks for reaching out. This isn't strictly due to an error in Cloud Shell; rather, it's arisen from an assumption that MSI endpoints respond similarly in various environments. There is a sanity check at configuration time that tries to get a 200 response from the metadata service, but either there isn't such a service in Cloud Shell or the URL is different. It's not a huge problem: the sanity check adds minimal value and I believe we can remove it.
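The curl request marcosgm shows above and the status check manicminer describes, as an added Go example that is not the provider's or Hamilton's code: it posts resource=<audience> to the MSI endpoint with the Metadata header and reports any non-200 reply together with the endpoint that produced it, instead of running a separate 200-status probe first. The stand-in server in main is constructed so the example runs offline; the exact Cloud Shell endpoint URL and its JSON token format are assumptions, not taken from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// fetchMSIToken is the thread's curl command in Go: POST resource=<audience> with
// "Metadata: true" and read access_token. A non-200 reply (like the 404 in the issue)
// is reported with the endpoint that produced it; no separate pre-flight check is made.
func fetchMSIToken(client *http.Client, endpoint, resource string) (string, error) {
	form := strings.NewReader(url.Values{"resource": {resource}}.Encode())
	req, err := http.NewRequest(http.MethodPost, endpoint, form)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata", "true")
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("MSI endpoint %s returned HTTP %d", endpoint, resp.StatusCode)
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("no access_token in MSI response from %s", endpoint)
	}
	return tok.AccessToken, nil
}

// main runs against a constructed stand-in for the Cloud Shell MSI proxy (assumed behaviour).
func main() {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.Header.Get("Metadata") != "true" {
			http.NotFound(w, r) // anything but the curl-style POST gets the 404 from the issue
			return
		}
		fmt.Fprintf(w, `{"access_token":"constructed-token-for-%s"}`, r.FormValue("resource"))
	}))
	defer srv.Close()
	fmt.Println(fetchMSIToken(http.DefaultClient, srv.URL, "https://graph.microsoft.com/"))
}
```

Setting MSI_ENDPOINT as Cloud Shell does and passing it in place of srv.URL exercises the real proxy instead of the stand-in.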

@github-actions

This functionality has been released in v2.9.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 19, 2021