Removal of ADAL support has now removed support for Azure Stack Hub ADFS Identity users #31474

Closed
TheBlackMini opened this issue Jul 20, 2022 · 5 comments
Labels
backend/azure bug explained a Terraform Core team member has described the root cause of this issue in code

Comments

@TheBlackMini

This pull request has removed support for Azure Stack Hub when using ADFS as its identity platform.

See here for confirmation that ADAL is still used by Azure Stack Hub.

Terraform Version

Terraform v1.2.4
on windows_amd64

Terraform Configuration Files

terraform {
  required_version = ">=1.2.0"
  required_providers {
    azurestack = {
      source  = "hashicorp/azurestack"
      version = ">=1.0.0"
    }
  }
  backend "azurerm" {
    metadata_host        = "management.azurestack.local"
    resource_group_name  = "resourcegroup"
    storage_account_name = "storageaccount"
    container_name       = "terraformstate"
    key                  = "prd.terraform.tfstate"
  }
}

provider "azurestack" {
  features {}
}

Debug Output

2022-07-20T01:48:25.146Z [INFO]  Terraform version: 1.2.4
2022-07-20T01:48:25.292Z [DEBUG] using github.com/hashicorp/go-tfe v1.0.0
2022-07-20T01:48:25.293Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.12.0
2022-07-20T01:48:25.294Z [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2022-07-20T01:48:25.295Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
2022-07-20T01:48:25.296Z [DEBUG] using github.com/zclconf/go-cty v1.10.0
2022-07-20T01:48:25.297Z [INFO]  Go runtime version: go1.18.1
............
2022-07-20T01:48:25.353Z [INFO]  Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant <guid-sanitised>
2022-07-20T01:48:25.354Z [DEBUG] Obtaining an MSAL / Microsoft Graph token for Resource Manager..
2022-07-20T01:48:25.772Z [DEBUG] New state was assigned lineage "<guid-sanitised>"

Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "storageaccount": autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 400 with response: {"error":"invalid_request","error_description":"AADSTS90002: Tenant '<guid-sanitised>' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.\r\nTrace ID: 8d48edfb-8803-416c-baab-fff262fb1900\r\nCorrelation ID: a6d3cf56-d007-466e-8ce1-d89e7ccec1e2\r\nTimestamp: 2022-07-20 01:51:56Z","error_codes":[90002],"timestamp":"2022-07-20 01:51:56Z","trace_id":"8d48edfb-8803-416c-baab-fff262fb1900","correlation_id":"a6d3cf56-d007-466e-8ce1-d89e7ccec1e2","error_uri":"https://login.microsoftonline.com/error?code=90002"}

Expected Behavior

Terraform should continue the support of ADAL for Azure Stack Hub users until an update occurs to ADFS.

Actual Behavior

Support has been removed by the core team.

Steps to Reproduce

terraform init

Additional Context

References

@TheBlackMini TheBlackMini added bug new new issue not yet triaged labels Jul 20, 2022
@jbardin
Member

jbardin commented Jul 20, 2022

Hi @TheBlackMini,

The example error shown here is with Terraform version v1.2.4, but the linked PR is not going to be released until v1.3. If you are having a problem with v1.2 I don't think it's because of changes in #31070. In order to use ADAL you must set use_microsoft_graph to false, see https://www.terraform.io/language/settings/backends/azurerm.

Since Terraform is working as designed here, I'm going to close this out for now. If you have more questions, it's better to use the community forum where there are more users familiar with the specific details of Azure.

Thanks!

@jbardin jbardin closed this as not planned Jul 20, 2022
@TheBlackMini
Author

So your answer to this is to version lock at 1.2.x, what about future support?

@jbardin
Member

jbardin commented Jul 21, 2022

@TheBlackMini, I believe that was the intent, which follows the Microsoft documentation indicating that old versions of the Azure CLI, PowerShell, etc. will all need to be maintained to continue using Stack Hub with ADAL. Perhaps @tombuildsstuff has more comments on the situation.

@manicminer
Member

Hi @TheBlackMini, thanks for reporting this. We're aware that some Microsoft platforms such as ADFS continue to rely on deprecated AAD backends like the ADAL/v1 authentication service, and Azure Active Directory Graph API. However, as per public guidance from Microsoft we are transitioning our products away from these legacy systems - which whilst originally scheduled for sunset in June, are both now marked for end-of-life by December 2022.

As part of this transition, we do pass milestones where it becomes increasingly impractical to continue supporting both of these legacy systems. In light of the service extension amid the continued dependence on ADAL by ADFS, this has led to a short period where the latest version of the Terraform AzureRM backend doesn't support ADFS.

At this time, our recommendation is to pin your Terraform version to v1.2.x. We recognize this is not an ideal solution, however it is our presumption that ADFS will likely begin supporting MSAL in the near future, particularly as the extended deadline looms in the next few months.

@crw crw added explained a Terraform Core team member has described the root cause of this issue in code and removed new new issue not yet triaged labels Aug 16, 2022
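
The two recommendations made in this thread (pin Terraform to v1.2.x, and set use_microsoft_graph to false to use ADAL) applied to the configuration from the report. This is an added example, not part of any participant's comment and not HashiCorp's own code; the `~> 1.2.0` constraint is this example's way of expressing "v1.2.x", and the page does not confirm that this resolves the reporter's error.

```hcl
# Added example: the reporter's configuration with the thread's advice applied.
# All names and values are taken from the original report.
terraform {
  # The report uses ">=1.2.0", which also admits v1.3, the release in which
  # the thread says ADAL support is removed from the azurerm backend.
  # "~> 1.2.0" admits only v1.2.x patch releases.
  required_version = "~> 1.2.0"

  required_providers {
    azurestack = {
      source  = "hashicorp/azurestack"
      version = ">=1.0.0"
    }
  }

  backend "azurerm" {
    metadata_host        = "management.azurestack.local"
    resource_group_name  = "resourcegroup"
    storage_account_name = "storageaccount"
    container_name       = "terraformstate"
    key                  = "prd.terraform.tfstate"

    # Per jbardin's comment, ADAL is used only when this is set to false.
    # The reported configuration omits it, and the debug output shows the
    # MSAL path being taken ("Obtaining an MSAL / Microsoft Graph token").
    use_microsoft_graph = false
  }
}
```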
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 16, 2022