Channel: Terraform - HashiCorp Discuss

Issue with federated credentials for pull requests via GitHub Actions

Unsure if there are new requirements for my app registration for Terraform to work on a pull request, but we are suddenly getting this error when including tfplan for our pull requests. We confirmed that just running the workflow works from the main branch. Let me know if anyone else is seeing this.

GitHub Actions Error: Failed to Get Existing Workspaces

Description

This workflow worked a few days ago, but I’m currently encountering an issue with Terraform when attempting to get existing workspaces. I’m unsure if there were any permission changes within Azure that I need to apply to my Terraform app registration. I have confirmed that we have the Storage Blob Data Contributor role and that the federated identity for presented assertion on pull requests exists. The error only happens on pull requests and started recently.

Error Message

Error: Failed to get existing workspaces: Error retrieving keys for Storage Account “storageAccountName”: autorest/Client#Do: Preparing request failed: StatusCode=0 – Original Error: clientCredentialsToken: received HTTP status 401 with response: “error”:“invalid_client”,“error_description”:“AADSTS700213: No matching federated identity record found for presented assertion subject ‘repo:orgName/repositoryName:pull_request’. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. Workload identity federation - Microsoft Entra Workload ID | Microsoft Learn Trace ID: traceId Correlation ID: idNumber Timestamp: 2024-06-13 15:40:46Z”,“error_codes”:[700213],“timestamp”:“2024-06-13 15:40:46Z”,“trace_id”:“traceId”,“correlation_id”:“idNumber”

Steps to Reproduce

  1. Trigger a pull request that initiates the GitHub Actions workflow.
  2. Observe the error during the Terraform step.

Troubleshooting Steps Taken

  • Verified that the Storage Blob Data Contributor role is assigned.
  • Confirmed the existence of federated identity credentials for the presented assertion on pull requests.

Additional Information

Request for Assistance

Has anyone else encountered this issue? If so, how did you resolve it? Any help or insights would be greatly appreciated.
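
An added example, not part of the original post: AADSTS700213 is returned when no federated identity credential on the app registration matches the presented token's issuer, subject and audience, and Entra compares those values as exact, case-sensitive strings. The sketch below checks a token's claims against records shaped like the output of `az ad app federated-credential list`; the token, the credential names and the lower-case variant of the subject are constructed for illustration.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def match_report(claims: dict, credentials: list) -> list:
    """Return (credential name, [mismatching fields]) for every credential.
    An empty list means that credential would match the presented token."""
    aud = claims["aud"]
    presented_aud = set(aud if isinstance(aud, list) else [aud])
    report = []
    for cred in credentials:
        mismatches = []
        if cred["issuer"] != claims["iss"]:      # exact string comparison
            mismatches.append("issuer")
        if cred["subject"] != claims["sub"]:     # case-sensitive
            mismatches.append("subject")
        if not presented_aud & set(cred["audiences"]):
            mismatches.append("audience")
        report.append((cred["name"], mismatches))
    return report

def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token so the example runs offline."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".sig"

ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "api://AzureADTokenExchange"
# Constructed claims carrying the subject quoted in the error message above.
SAMPLE_TOKEN = constructed_token({
    "iss": ISSUER, "aud": AUDIENCE,
    "sub": "repo:orgName/repositoryName:pull_request"})
# Constructed credential records (hypothetical names).
CREDENTIALS = [
    {"name": "main-branch", "issuer": ISSUER, "audiences": [AUDIENCE],
     "subject": "repo:orgName/repositoryName:ref:refs/heads/main"},
    {"name": "pr-wrong-case", "issuer": ISSUER, "audiences": [AUDIENCE],
     "subject": "repo:orgname/repositoryName:pull_request"},
]

if __name__ == "__main__":
    for name, diff in match_report(jwt_claims(SAMPLE_TOKEN), CREDENTIALS):
        print(name, "MATCH" if not diff else "differs in: " + ", ".join(diff))
```
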
