terraform plan not working with azurerm provider

I want to create a resource group in the azure cloud using terraform, for which I have to configure azurerm provider.

I created SPN using cli.

# az ad sp create-for-rbac --name spn_devops_terraform  --role="Contributor" --scopes="/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"

The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
{
  "appId": "YYYYYY-YYYY-YYYY-YYYY-YYYYYYYYY",
  "displayName": "spn_devops_terraform",
  "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "tenant": "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"
}

To test my SPN spn_devops_terraform, I logged in via cli

az login --service-principal -u YYYYYY-YYYY-YYYY-YYYY-YYYYYYYYY -p XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --tenant XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX

then executed

az vm list --output table

And I can see the list of all the VMs.

Now here is my main.tf file

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.0.2"
    }
  }
}

provider "azurerm" {
  features {}

  subscription_id = "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX" # copy pasted this from portal.
  client_id       = "YYYYYY-YYYY-YYYY-YYYY-YYYYYYYYY" # this is app_id
  client_secret   = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # password
  tenant_id       = "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"  # tenant

}

I initialized Terraform with the "terraform init" command, which goes fine. But when I execute terraform plan it just hangs for 10 minutes and I have to press CTRL + C to stop it.

Please wait for Terraform to exit or data loss may occur. Gracefully shutting down...

Stopping operation...

╷
│ Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure sending request: StatusCode=0 -- Original Error: context canceled
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 10, in provider "azurerm":
│   10: provider "azurerm" {
│
╵

What am I doing wrong? What is the fix, and is there any command in the CLI or a GUI in the portal where I can see what is happening?



Solution 1:[1]

Tested in my environment, getting the same kind of error. It looks like the Service Principal doesn't have the Contributor role assigned to it / doesn't have access to the subscription.

You can define the scope of the service principal while creating it.

$ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"

OR

Just go to the Subscription in the portal, select Access Control (IAM) and add the role assignment Contributor to your Service Principal.


You can refer to this Terraform document on Authenticating using a Service Principal with a Client Secret.

Reference: Terraform unable to list provider registration status
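Added example, not part of the original question or answer: a script that checks the two things a hung terraform plan can hide. The answer above points at the role assignment, and the script confirms that with az role assignment list; but the error text itself only says the request was canceled before any HTTP status came back (StatusCode=0, context canceled), so the script also probes whether management.azure.com is reachable at all, then makes the same Resource Manager call azurerm makes first (az provider list), and finally hands the credentials to Terraform through the provider's documented ARM_* environment variables so main.tf needs no client_secret. The variable names SP_APP_ID, SP_PASSWORD, SP_TENANT_ID and SUBSCRIPTION_ID, the file name sp_check.sh and the "run" argument are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Verifies the service principal
# and the network path before running terraform plan with ARM_* variables.
# Placeholders: SP_APP_ID, SP_PASSWORD, SP_TENANT_ID, SUBSCRIPTION_ID.
set -eu

ARM_HOST="https://management.azure.com"

# Input: output of `az role assignment list ... --query "[].roleDefinitionName" -o tsv`,
# one role name per line. Succeeds if any role can read the ARM API at
# subscription scope: Reader is the minimum terraform plan needs to list
# provider registrations; Contributor and Owner include that permission.
has_arm_read_role() {
  printf '%s\n' "$1" | grep -qxE 'Reader|Contributor|Owner'
}

# Classify the azurerm provider error text so the next step is clear.
classify_provider_error() {
  case "$1" in
    *StatusCode=401*|*StatusCode=403*) echo "auth-or-rbac" ;;   # ARM answered and refused the SP
    *StatusCode=0*|*"context canceled"*) echo "no-response" ;;  # nothing came back: network/proxy/timeout
    *) echo "other" ;;
  esac
}

# Probe ARM without credentials: a reachable endpoint answers 401 at once.
# curl printing 000, a proxy page, or a 15 s timeout points away from RBAC.
arm_reachable() {
  code=$(curl -sS -o /dev/null -m 15 -w '%{http_code}' \
    "$ARM_HOST/subscriptions?api-version=2020-01-01" || echo 000)
  [ "$code" = "401" ]
}

diagnose() {
  arm_reachable || { echo "management.azure.com did not answer 401; check egress/HTTPS_PROXY first"; exit 1; }

  az login --service-principal -u "$SP_APP_ID" -p "$SP_PASSWORD" \
    --tenant "$SP_TENANT_ID" --output none

  roles=$(az role assignment list --assignee "$SP_APP_ID" \
    --scope "/subscriptions/$SUBSCRIPTION_ID" --include-inherited \
    --query "[].roleDefinitionName" -o tsv)
  if ! has_arm_read_role "$roles"; then
    echo "no Reader/Contributor/Owner assignment at subscription scope; roles seen: ${roles:-<none>}"
    echo "fix: az role assignment create --assignee $SP_APP_ID --role Contributor --scope /subscriptions/$SUBSCRIPTION_ID"
    exit 1
  fi

  # Same call azurerm makes first (ProvidersClient#List); if this hangs,
  # Terraform will hang too and the problem is not in main.tf.
  az provider list --subscription "$SUBSCRIPTION_ID" \
    --query "[?registrationState=='Registered'].namespace" -o tsv | head -n 5

  # Credentials via the environment, not main.tf; the debug log records every
  # HTTP request so a stalled call is visible instead of a silent 10 min wait.
  export ARM_CLIENT_ID="$SP_APP_ID" ARM_CLIENT_SECRET="$SP_PASSWORD" \
         ARM_TENANT_ID="$SP_TENANT_ID" ARM_SUBSCRIPTION_ID="$SUBSCRIPTION_ID"
  TF_LOG=DEBUG TF_LOG_PATH=./tf-plan.log terraform plan
}

# Live checks only when invoked as `./sp_check.sh run`; the helper functions
# above can be sourced and exercised without an Azure login.
if [ "${1:-}" = "run" ]; then
  diagnose
fi
```

With the ARM_* variables exported, the provider block reduces to `provider "azurerm" { features {} }`, and the secret from az ad sp create-for-rbac never has to be written into a .tf file or committed.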

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
