Using Terraform’s Azure provider (azurerm) with GitHub Actions and Terraform Cloud

I wanted to document this after spending a frustrating amount of time troubleshooting getting this setup. I was getting this error when running Terraform Plan:

Error building AzureRM Client: obtain subscription() from Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

I followed the well-documented instructions for Authenticating to Azure using a Service Principal and a Client Secret. I stored the 4 values for ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, and ARM_TENANT_ID as GitHub encrypted secrets, then set them as environment variables in my GitHub Actions workflow:

The Azure provider has these documented and states the arguments for client_id, client_secret, subcription_id, and tenant_id can be sourced from these environment variables.

For some reason, the Terraform Plan command was not picking them up and kept throwing the error mentioned above "Error building AzureRM Client: obtain subscription() from Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.“

I re-generated the service principal, re-added the values to the GitHub Secrets, tried setting the values for the service principal in the provider block, all to no avail. I finally discovered that Terraform Cloud workspaces have a default execution mode of “Remote”, meaning plans and applies occur on Terraform Cloud’s infrastructure. Because of this, the Plan command could not pick up the environment variables from the GitHub Action. Switching the workspace to local resolved my issue (workspace -> settings -> General):

This is what the complete GitHub Action looks like:

I hope this post will help others who were desperately weeding through search results like I was.