Problem
When you use the remote backend with HCP Terraform or Terraform Enterprise to connect to specialized Azure regions (e.g., China, German, or Government), you may encounter the following error:
Confidential Client is not supported in Cross-Cloud request
Cause
This error occurs because the Terraform run environment is not configured to use the correct Azure cloud environment API endpoints. By default, the Azure provider attempts to authenticate against the public Azure cloud. The remote backend workspace in HCP Terraform or Terraform Enterprise is missing the necessary environment variable to override this default behavior.
Solutions
Solution 1: Set the ARM_ENVIRONMENT Variable
To resolve this issue, you must configure the ARM_ENVIRONMENT environment variable in the HCP Terraform or Terraform Enterprise workspace where the error occurs.
- Navigate to the settings for the affected workspace.
- Go to the Variables section.
- Add an Environment Variable with the key ARM_ENVIRONMENT.
- Set the value to match your target Azure cloud environment. For example, for Azure US Government, set the value to usgovernment.
Possible values for this variable are:
- public (default)
- usgovernment
- china
- german
- stack
Setting this variable ensures that the Azure provider in the remote run environment targets the correct API endpoints for authentication.
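The same workspace change can be scripted through the workspace variables API instead of the UI. The following is an added example, not part of the original article: it rejects any value outside the list above before sending the request. The names TFE_HOST, TFE_TOKEN and TFE_WORKSPACE_ID are assumptions supplied by the caller, and app.terraform.io is assumed as the default host.

```shell
#!/bin/sh
# Added example: set ARM_ENVIRONMENT on a workspace via the variables API.
# Assumed inputs: TFE_TOKEN, TFE_WORKSPACE_ID, optional TFE_HOST.
# Usage: set_arm_environment usgovernment

# Return 0 only for the ARM_ENVIRONMENT values listed in the article.
valid_arm_environment() {
  case "$1" in
    public|usgovernment|china|german|stack) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the JSON:API payload for an environment-category workspace variable.
arm_environment_payload() {
  valid_arm_environment "$1" || {
    echo "unsupported ARM_ENVIRONMENT value: $1" >&2
    return 1
  }
  printf '{"data":{"type":"vars","attributes":{"key":"ARM_ENVIRONMENT","value":"%s","category":"env","hcl":false,"sensitive":false}}}' "$1"
}

# POST the variable to the workspace. The bearer token is passed to curl on
# stdin (--config -) so it does not appear in the process argument list.
set_arm_environment() {
  payload=$(arm_environment_payload "$1") || return 1
  [ -n "${TFE_TOKEN:-}" ] && [ -n "${TFE_WORKSPACE_ID:-}" ] || {
    echo "TFE_TOKEN and TFE_WORKSPACE_ID must be set" >&2
    return 1
  }
  printf 'header = "Authorization: Bearer %s"\n' "$TFE_TOKEN" |
    curl --config - --fail --silent --show-error \
      --header "Content-Type: application/vnd.api+json" \
      --request POST --data "$payload" \
      "https://${TFE_HOST:-app.terraform.io}/api/v2/workspaces/${TFE_WORKSPACE_ID}/vars"
}
```

The variable is created as non-sensitive because the cloud environment name is not a secret; a workspace that already has ARM_ENVIRONMENT defined needs an update of the existing variable rather than a second POST.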