azuredevops_serviceendpoint_azurerm - "azurerm_subscription_id": conflicts with azurerm_management_group_id

[paul-towler]

Trying to create a Manual AzureRM Service Endpoint (ManagementGroup Scoped) in an Azure DevOps Project.

Fails with the following error:

terraform plan -out tfplan
  Error: Conflicting configuration arguments
    with azuredevops_serviceendpoint_azurerm.example,
    on main.tf line 29, in resource "azuredevops_serviceendpoint_azurerm" "example":
    29: resource "azuredevops_serviceendpoint_azurerm" "example" {
  "azurerm_subscription_id": conflicts with azurerm_management_group_id

Example Code:

# Initialise
terraform {
  required_version = ">= 1.3.4"

  # Configure the minimum required providers supported by this module
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "0.3.0"
    }
  }
}

# Providers
provider "azuredevops" {
  org_service_url       = "https://dev.azure.com/example-org"
  personal_access_token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

resource "azuredevops_project" "example" {
  name               = "CUST-Example-Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
  description        = "Managed by Terraform"
}

resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id            = azuredevops_project.example.id
  service_endpoint_name = "Example AzureRM"
  description           = "Managed by Terraform"
  credentials {
    serviceprincipalid  = "00000000-0000-0000-0000-000000000000"
    serviceprincipalkey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }

  azurerm_spn_tenantid          = "00000000-0000-0000-0000-000000000000"
  azurerm_management_group_id   = "managementGroup"
  azurerm_management_group_name = "managementGroup"
}

[a30004053]

Hello @paul-towler,

Can you please check that the ARM_SUBSCRIPTION_ID is unset in your environment when you run this piece of TF code.

# terraform plan
 Error: Conflicting configuration arguments

   with azuredevops_serviceendpoint_azurerm.test_mgmt_group_scope,
   on main.tf line 24, in resource "azuredevops_serviceendpoint_azurerm" "test_mgmt_group_scope":
   24: resource "azuredevops_serviceendpoint_azurerm" "test_mgmt_group_scope" {

 "azurerm_subscription_id": conflicts with azurerm_management_group_id

# echo $ARM_SUBSCRIPTION_ID
00000000-0000-0000-0000-000000000000

# unset ARM_SUBSCRIPTION_ID

# terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azuredevops_serviceendpoint_azurerm.test_mgmt_group_scope will be created
  + resource "azuredevops_serviceendpoint_azurerm" "test_mgmt_group_scope" {
      + authorization                 = (known after apply)
      + azurerm_management_group_id   = "xxxx"
      + azurerm_management_group_name = "xxxx"
      + azurerm_spn_tenantid          = "00000000-0000-0000-0000-000000000000"
      + description                   = "Testing provider"
      + id                            = (known after apply)
      + project_id                    = "00000000-0000-0000-0000-000000000000"
      + service_endpoint_name         = "mgmt-xxxx"

      + credentials {
          + serviceprincipalid       = "00000000-0000-0000-0000-000000000000"
          + serviceprincipalkey      = (sensitive value)
          + serviceprincipalkey_hash = (sensitive value)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

[paul-towler]

OK - Thanks - I give it a go.

[nwmcsween]

I get the same error but only if I migrate state from azure to local then any terraform plan after fails with "azurerm_subscription_id": conflicts with azurerm_management_group_id

Fix for whatever reason was creating a new shell session as terraform init -migrate-state does something behind the scenes that creates issues.

[Yann-aware]

The ARM_SUBSCRIPTION_ID env variable is set for authenticating with service principal. How to use a management group type scope in this type of case ? Is there a way for the provider not to automatically gets the value of the variable ?

[fortunkam]

Am hitting the same problem as above. ( "azurerm_management_group_name": conflicts with azurerm_subscription_id )

trying to create a service connection in terraform scoped to a management group in an AzDO pipeline. The service connection being used is a workload identity connection that sets the ARM_SUBSCRIPTION_ID env variable. Looking at the code the resource will grab the env variable regardless of the type of Service connection being created...

I have tried removing the env variable but this then causes problems with terraform authenticating, subscription ID could not be determined and was not specified

[Noel-Jones]

I've just come across this too. All worked fine from the command line but fails in the pipeline, presumably because of the environment variables. Assuming I can't remove the environment variable from the pipeline (given fortunkam's comment). I question why this resource is taking defaults from the environment? It is certainly undocumented.

Would the fix be to simply remove the defaults? Sure some people may find they need to set the subscription id when they previously used a default but that is something that can be easily rectified in their terraform code. I'd appreciate views on this so we can look at a fix because it looks like there may not be a workaround.

[Noel-Jones]

@xuzhang3 why was this closed? Seems odd not to have a reference to a resolution or anything that appears to be an accepted answer.

[xuzhang3]

@xuzhang3 why was this closed? Seems odd not to have a reference to a resolution or anything that appears to be an accepted answer.

This issue has been fixed. Feel free to open another issue if you have other questions.