fixed problem with subscription_id

Author: Adam Coulter

main.tf

@@ -16,17 +16,7 @@ resource "shell_script" "subscription" {
     delete = ". ./subscription.ps1; Delete"
   }
   environment = {
-    name   = var.name
-    tenant = var.tenant_id
-    type   = local.type_codes[var.type]
+    name = var.name
+    type = local.type_codes[var.type]
   }
 }
-
-data "azurerm_client_config" "current" {}
-
-resource "azurerm_role_assignment" "owners" {
-  for_each             = toset(var.principal_ids)
-  scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
-  role_definition_name = "Owner"
-  principal_id         = each.key
-}

outputs.tf

@@ -1,14 +1,18 @@
+data "azurerm_subscription" "main" {
+  subscription_id = shell_script.subscription.output.id
+}
+
 output "subscription_id" {
-  value       = shell_script.subscription.output.id
+  value       = data.azurerm_subscription.main.subscription_id
   description = "Subscription ID GUID"
 }
 
 output "id" {
-  value       = "/subscriptions/${shell_script.subscription.output.id}"
+  value       = data.azurerm_subscription.main.id
   description = "Azure resource model subscription path"
 }
 
 output "name" {
-  value       = shell_script.subscription.output.name
+  value       = data.azurerm_subscription.main.display_name
   description = "Name of the subscription"
 }

subscription.ps1

@@ -2,17 +2,16 @@
 # CRUD an Azure Subscription
 # 
 # Requires the following environment variables:
-# - $env:tenant
 # - $env:name
 # - $env:type - string, either "MS-AZR-0148P" (dev/test) or "MS-AZR-0017P" (normal/prod)
 #
 
 $credential = New-Object System.Management.Automation.PSCredential ($env:azsub_client_id, (ConvertTo-SecureString $env:azsub_client_secret -AsPlainText -Force))
-Connect-AzAccount -Credential $credential -Tenant $env:tenant -ServicePrincipal
+Connect-AzAccount -Credential $credential -Tenant $env:azsub_tenant_id -ServicePrincipal
 
 $ErrorActionPreference = 'Stop'
 $old_state = [System.IO.File]::OpenText("/dev/stdin").ReadToEnd() | ConvertFrom-Json
-if($null -ne $old_state) {
+if ($null -ne $old_state) {
     Write-Output "Old state:"
     $old_state | ConvertTo-Json | Write-Output
 }
@@ -21,7 +20,7 @@ function Create {
 
     # Check if subscription name already used in this tenant
     Write-Output "Checking for existing subscription with name $env:name..."
-    $subscription = Get-AzSubscription -TenantId $env:tenant -SubscriptionName $env:name -ErrorAction SilentlyContinue
+    $subscription = Get-AzSubscription -TenantId $env:azsub_tenant_id -SubscriptionName $env:name -ErrorAction SilentlyContinue
     $subscription | ConvertTo-Json | Write-Output
 
     # Create new subscription
@@ -31,7 +30,7 @@ function Create {
         $account | ConvertTo-Json | Write-Output
         Write-Output "Creating subscription..."
         try {
-        $subscription = New-AzSubscription -OfferType $env:type -Name $env:name -EnrollmentAccountObjectId $account[0].ObjectId -ErrorAction Stop
+            $subscription = New-AzSubscription -OfferType $env:type -Name $env:name -EnrollmentAccountObjectId $account[0].ObjectId -ErrorAction Stop
         }
         catch {
             Write-Error "Error: Error when attempting to update subscription name: $($_.Exception.Response)"
@@ -46,16 +45,16 @@ function Create {
     }
 
     # Emit refreshed state
-    @{ id = $subscription.Id; tenant = $subscription.TenantId; name = $subscription.Name } | ConvertTo-Json | Write-Output
+    @{ id = $subscription.Id; name = $subscription.Name } | ConvertTo-Json | Write-Output
 
 
 }
 
 function Read {
-    $subscription = Get-AzSubscription -TenantId $old_state.tenant -SubscriptionId $old_state.id -ErrorAction Stop
+    $subscription = Get-AzSubscription -TenantId $env:azsub_tenant_id -SubscriptionId $old_state.id -ErrorAction Stop
 
     # Emit refreshed state
-    @{ id = $subscription.Id; tenant = $subscription.TenantId; name = $subscription.Name } | ConvertTo-Json | Write-Output
+    @{ id = $subscription.Id; name = $subscription.Name } | ConvertTo-Json | Write-Output
 }
 
 function Update {
@@ -86,7 +85,7 @@ function Update {
 
     # Emit refreshed state
     Write-Host "New state:"
-    @{ id = $old_state.id; tenant = $env:tenant; name = $env:name } | ConvertTo-Json | Write-Output
+    @{ id = $old_state.id; name = $env:name } | ConvertTo-Json | Write-Output
 }
 
 function Delete {

variables.tf

@@ -12,24 +12,3 @@ variable "type" {
     error_message = "Allowed values for subscription type are \"Prod\" or \"DevTest\"."
   }
 }
-
-variable "principal_ids" {
-  type        = list(string)
-  description = "List of principal_ids to give the owner role on this subscription."
-  default     = []
-}
-
-variable "tenant_id" {
-  type        = string
-  description = "Guid of the Azure tenant to create the subscription in."
-}
-
-variable "client_id" {
-  type        = string
-  description = "Service principal to provision the subscription using."
-}
-
-variable "client_secret" {
-  type        = string
-  description = "Service principal secret to provision the subscription using."
-}

versions.tf

@@ -1,7 +1,8 @@
 terraform {
   required_version = ">= 0.13"
   required_providers {
-    azurerm = "~> 2.19"
+    azurerm  = "~> 2.19"
+    external = "~> 1.2"
     shell = {
       source  = "scottwinkler/shell"
       version = "=1.7.2"
@@ -11,17 +12,20 @@ terraform {
 
 provider "azurerm" {
   features {}
-  subscription_id = shell_script.subscription.output.id
-  client_id       = var.client_id
-  client_secret   = var.client_secret
-  tenant_id       = var.tenant_id
+}
+
+data "azurerm_client_config" "current" {}
+
+data "external" "az_client_config" {
+  program = ["pwsh", "-command", "@{tenant=$env:ARM_TENANT_ID;client=$env:ARM_CLIENT_ID;secret=$env:ARM_CLIENT_SECRET} | ConvertTo-Json | Write-Output"]
 }
 
 provider "shell" {
   interpreter = ["pwsh", "-command"]
 
   sensitive_environment = {
-    azsub_client_id     = var.client_id
-    azsub_client_secret = var.client_secret
+    azsub_client_id     = data.external.az_client_config.result.client
+    azsub_client_secret = data.external.az_client_config.result.secret
+    azsub_tenant_id     = data.azurerm_client_config.current.tenant_id
   }
 }