aztfexport icon indicating copy to clipboard operation
aztfexport copied to clipboard
verified publisher icon Azure

aztfexport command fails with either azure login error or config - no state

Open samskyworks opened this issue 9 months ago • 1 comments

Regarding azure login error: az login from a Linux jump server works fine When running the following command from the same Linux Jump box right after az login: aztfexport resource-group -n -f -o <output-dir> --log-path <path> --log-level DEBUG <resource-group-name>

I get the following error: Error: Failed to import /subscriptions/yyyy/resourceGroups/xxxx/providers/Microsoft.Insights/actionGroups/azureapp-auto as azurerm_monitor_action_group.res-0: exit status 1

Error: building account: could not acquire access token to parse claims: running Azure CLI: exit status 1: ERROR: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 2c4843f0-850a-450d-9e76-fd3d9bd22100 Correlation ID: a626d4d6-ad64-41d4-af73-f07b7c6f0644 Timestamp: 2025-04-03 21:05:04Z Interactive authentication is needed. Please run: az login --scope https://graph.microsoft.com/.default

with provider["registry.terraform.io/hashicorp/azurerm"], on /tmp/aztfexport-2070439955/provider.tf line 1, in provider "azurerm": 1: provider "azurerm" {

Regarding Terraform Config error: az login from another Linux machine works fine When I try to run the command from the same Linux Machine right after az login: aztfexport resource-group -n -f -o <output-dir> --log-path <path> --log-level DEBUG <resource-group-name>

I get the following error for multiple subscriptions and multiple resource groups: NOTE: The subscriptions and Resource Groups have multiple resources and yet the error is same for all Importing /subscriptions/yyyy/resourceGroups/xxxx/providers/Microsoft.Network/privateEndpoints/zzzz as azurerm_private_endpoint.res-11 Skipping /subscriptions/yyyy/resourceGroups/xxxx/providers/Microsoft.Network/privateEndpoints/zzzz/privateDnsZoneGroups/container-registry-group [aztfexport]Generating Terraform configurations... [aztfexport] DeInitializing...

Error: generating Terraform configuration: converting from state to configurations: converting terraform state to config: no state

samskyworks avatar Apr 07 '25 15:04 samskyworks

@samskyworks Thank you for opening this issue! The error below has been fixed in v0.17.0:

Error: generating Terraform configuration: converting from state to configurations: converting terraform state to config: no state

Regarding your first error:

running Azure CLI: exit status 1: ERROR: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 2c4843f0-850a-450d-9e76-fd3d9bd22100 Correlation ID: a626d4d6-ad64-41d4-af73-f07b7c6f0644 Timestamp: 2025-04-03 21:05:04Z Interactive authentication is needed. Please run: az login --scope https://graph.microsoft.com/.default

This indicates that your organization has enabled conditional access for the msgraph scope (i.e. https://graph.microsoft.com/.default), to restrict it to managed devices only.

The msgraph scope is required by the azurerm provider. The reason why you can successfully log in azure cli is because it by default uses the scope https://management.core.windows.net//.default.

This means if you use the same CLI setup for authentication and run terraform import, you'll get the same error.

magodo avatar Apr 07 '25 23:04 magodo