I am just learning Terraform, and want to use Terraform Cloud to implement infrastructure on two subscriptions in Azure. I have found how to do this using multiple azurerm provider blocks and aliasing them, like here:
provider "azurerm" {
  alias           = "dev"
  subscription_id = var.DEV_SUB_ID
  tenant_id       = var.DEV_TENANT_ID
  client_id       = var.DEV_CLIENT_ID
  client_secret   = var.DEV_CLIENT_SECRET
  features {}
}

provider "azurerm" {
  alias           = "prod"
  subscription_id = var.PROD_SUB_ID
  tenant_id       = var.PROD_TENANT_ID
  client_id       = var.PROD_CLIENT_ID
  client_secret   = var.PROD_CLIENT_SECRET
  features {}
}
I have my repo set up to use GitHub Actions, but with this setup, the plan stage fails due to the following error:
terraform error: building azurerm client: please ensure you have installed azure cli version 2.0.79 or newer. error parsing json result from the azure cli: launching azure cli: exec: "az": executable file not found in $path.
Apparently this error is due to me not setting the ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID variables in the cloud. However, if I am using multiple subscriptions and thus multiple service principals, why do I have to use these default variables? Surely if I do, all actions will be performed on the subscription that the service principal is for?
To fix this, you need to set the ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID to the values for one of your subscriptions; in my case I just used the dev one.
Then, you can safely declare your providers and build the infrastructure for whichever provider you define for it.
In Terraform Cloud, set the default values using any Azure subscription:
Then you can define those same fields for the different subscriptions (providers) that you wish to create infrastructure for:
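How the pieces fit together once the default ARM_* values are set, as an added example that is not part of the original question or answer: the resource group names and the location are hypothetical. Each resource picks its subscription with the `provider` argument; a resource without one uses the default (unaliased) configuration, which is the one that reads the ARM_* environment variables.

```hcl
# Added example. Values for these variables are set as Terraform variables in
# the Terraform Cloud workspace; mark the two secrets as sensitive there too.
variable "DEV_SUB_ID" { type = string }
variable "DEV_TENANT_ID" { type = string }
variable "DEV_CLIENT_ID" { type = string }
variable "DEV_CLIENT_SECRET" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output
}
variable "PROD_SUB_ID" { type = string }
variable "PROD_TENANT_ID" { type = string }
variable "PROD_CLIENT_ID" { type = string }
variable "PROD_CLIENT_SECRET" {
  type      = string
  sensitive = true
}

provider "azurerm" {
  alias           = "dev"
  subscription_id = var.DEV_SUB_ID
  tenant_id       = var.DEV_TENANT_ID
  client_id       = var.DEV_CLIENT_ID
  client_secret   = var.DEV_CLIENT_SECRET
  features {}
}

provider "azurerm" {
  alias           = "prod"
  subscription_id = var.PROD_SUB_ID
  tenant_id       = var.PROD_TENANT_ID
  client_id       = var.PROD_CLIENT_ID
  client_secret   = var.PROD_CLIENT_SECRET
  features {}
}

# Every resource names its provider explicitly, so nothing lands in the
# default subscription by accident.
resource "azurerm_resource_group" "dev_rg" {
  provider = azurerm.dev
  name     = "rg-example-dev" # hypothetical name
  location = "westeurope"     # hypothetical location
}

resource "azurerm_resource_group" "prod_rg" {
  provider = azurerm.prod
  name     = "rg-example-prod" # hypothetical name
  location = "westeurope"      # hypothetical location
}
```

Giving each service principal a role only on its own subscription means a resource that omits `provider` fails or lands in dev rather than silently changing prod.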