Background
- It is possible to authenticate using managed identity with the azurerm or azuread provider.
- Microsoft supports managed identity authentication only on a specific set of Azure resources (listed in Microsoft's documentation).
- By default, the Terraform Cloud Workspaces execute Terraform remotely on HashiCorp-controlled infrastructure.
- Managed identity can therefore only be used when you control the resource that executes Terraform, and that resource is one of the types Microsoft supports.
Solution
Use Terraform Cloud Agents, which run Terraform on infrastructure you control (for example an Azure VM) instead of on HashiCorp's remote runners.
How to enable managed identity authentication
- Configure your Workspace to use the Agent.
- Follow the Azure resource-specific documentation for enabling managed identity. It is also possible to manage this with Terraform. Common examples:
- Ensure that the managed identity is associated with a role and subscription that will be used to run Terraform. Example with azurerm_role_assignment.
- Finally, follow the steps in the provider documentation to configure the provider to use managed identity in your Workspace. For the azuread provider this looks like:
provider "azuread" {
  use_msi   = true
  tenant_id = "72f988bf-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
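The four steps above, carried through as one worked Terraform example. This is an added illustration written for this article, not HashiCorp's or Microsoft's own code: the organization, workspace, resource group, identity and pool names, the region, the tenant-id placeholder and the choice of the Contributor role are all assumptions. It is split into a bootstrap configuration (run once by an operator who is already authenticated, e.g. via the Azure CLI) and the provider configuration that lives in the agent-backed workspace itself.

```hcl
# ---------- bootstrap.tf (run by an operator, not by the agent) ----------
# Added example; all names and values below are assumed placeholders.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    tfe     = { source = "hashicorp/tfe" }
  }
}

# Step 1: move the workspace onto an agent pool you control. The agent binary
# itself is installed on the Azure VM that carries the managed identity below.
resource "tfe_agent_pool" "azure" {
  name         = "azure-managed-identity-pool" # assumed pool name
  organization = "example-org"                 # assumed organization
}

resource "tfe_workspace" "infra" {
  name           = "infra-workspace" # assumed workspace name
  organization   = "example-org"
  execution_mode = "agent"
  agent_pool_id  = tfe_agent_pool.azure.id
}

# Step 2: a user-assigned managed identity for the agent VM. User-assigned is
# chosen so the client_id is known (and can be configured in the workspace)
# before the VM exists. Attach it to the VM that runs the agent with:
#   identity {
#     type         = "UserAssigned"
#     identity_ids = [azurerm_user_assigned_identity.agent.id]
#   }
resource "azurerm_user_assigned_identity" "agent" {
  name                = "tfc-agent-identity" # assumed identity name
  resource_group_name = "rg-tfc-agent"       # assumed resource group (must exist)
  location            = "westeurope"         # assumed region
}

# Step 3: bind the identity to a role on the subscription Terraform will manage.
# Contributor at subscription scope is shown for simplicity; narrow the scope
# (e.g. a single resource group) or the role to what the workspace really needs.
data "azurerm_subscription" "current" {}

resource "azurerm_role_assignment" "agent" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.agent.principal_id
}

# Surface the values the workspace configuration needs (no secrets involved).
output "agent_identity_client_id" {
  value = azurerm_user_assigned_identity.agent.client_id
}

# ---------- providers.tf (inside the agent-backed workspace) ----------
# Step 4: both providers authenticate through the VM's identity endpoint;
# no client secret or certificate is stored in Terraform Cloud.
# <client-id>, <subscription-id> and <tenant-id> are placeholders for the
# values produced by the bootstrap configuration.
#
# provider "azurerm" {
#   features {}
#   use_msi         = true
#   client_id       = "<client-id>"       # required only for a user-assigned identity
#   subscription_id = "<subscription-id>"
#   tenant_id       = "<tenant-id>"
# }
#
# provider "azuread" {
#   use_msi   = true
#   client_id = "<client-id>"             # same identity, for directory objects
#   tenant_id = "<tenant-id>"
# }
```

Before pointing the workspace at the identity, confirm the binding from a machine with the Azure CLI: `az role assignment list --assignee <client-id> --all` should show exactly the role and scope created in step 3 and nothing broader. The provider blocks for the workspace are shown commented out so the bootstrap file stays a single valid configuration; copy them uncommented into the workspace's own code, where the agent VM's identity endpoint is reachable.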
Additional Information