### Terraform Version

```shell
2024-11-18T21:53:10.554Z [INFO] Terraform version: 1.9.8
```

### Terraform Configuration Files

```yaml
name: Deploy Terraform with OIDC

on: [push]

permissions:
  id-token: write # Require write permission to Fetch an OIDC token.
  contents: read
  pull-requests: write

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - name: Login to Azure US Gov Cloud with OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
          audience: api://AzureADTokenExchangeUSGov

      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.9.8

      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check

      - name: Terraform init
        id: init
        run: terraform init
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: true
          ARM_USE_AZURE_AD: true
          ARM_ENVIRONMENT: 'usgovernment'

      - name: Terraform validate
        id: validate
        run: terraform validate -no-color

      - name: Terraform plan
        id: plan
        run: |
          export TF_LOG=DEBUG
          terraform plan -no-color
        env:
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_USE_OIDC: true
          ARM_USE_AZURE_AD: true
          ARM_ENVIRONMENT: 'usgovernment'
```

### Debug Output

```shell
2024-11-18T21:53:11.561Z [DEBUG] provider.terraform-provider-azurerm_v4.1.0_x5: [DEBUG] Configuring built-in cloud environment by name: "usgovernment"
2024-11-18T21:53:11.563Z [DEBUG] provider.terraform-provider-azurerm_v4.1.0_x5: [DEBUG] GET https://pipelinesghubeus5.actions.githubusercontent.com/RFlMx1kLBD46SLNGGeDAXvbSPaNqWfa2NKKMSH9mQ9UOoEir0l/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/0780a3f0-29df-4982-abec-680ec21f651e/jobs/9201c218-890e-5ac0-5321-fee64b687d25/idtoken?api-version=2.0&audience=api%3A%2F%2FAzureADTokenExchange
2024-11-18T21:53:11.714Z [DEBUG] provider.terraform-provider-azurerm_v4.1.0_x5: [DEBUG] POST https://login.microsoftonline.us/***/oauth2/v2.0/token
Error: -18T21:53:12.061Z [ERROR] provider.terraform-provider-azurerm_v4.1.0_x5: Response contains error diagnostic: tf_provider_addr=registry.terraform.io/hashicorp/azurerm tf_req_id=e02bdcb8-277f-5922-96bd-3126f01fd47b tf_rpc=Configure @caller=github.com/hashicorp/terraform-plugin-go@v0.23.0/tfprotov5/internal/diag/diagnostics.go:58 @module=sdk.proto diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {\"error\":\"invalid_client\",\"error_description\":\"AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AzureADTokenExchange'. Please note that the matching is done using a case-sensitive comparison. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: c158280b-344c-4b63-8827-7376e3
Error: -18T21:53:12.061Z [ERROR] vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"]" error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AzureADTokenExchange'. Please note that the matching is done using a case-sensitive comparison. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: c158280b-344c-4b63-8827-7376e32e0600 Correlation ID: 2ac8090e-3b27-43ff-b6d1-8f1a4f76523b Timestamp: 2024-11-18 21:53:12Z","error_codes":[700212],"timestamp":"2024-11-18 21:53:12Z","trace_id":"c158280b-344c-4b63-8827-7376e32e0600","correlation_id":"2ac8090e-3b27-43ff-b6d1-8f1a4f76523b"}
2024-11-18T21:53:12.061Z [WARN] Planning encountered errors, so plan is not applyable
2024-11-18T21:53:12.062Z [INFO] backend/local: plan operation completed

Planning failed. Terraform encountered an error while generating this plan.

Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700212: No matching federated identity record found for presented assertion audience 'api://AzureADTokenExchange'. Please note that the matching is done using a case-sensitive comparison. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: c158280b-344c-4b63-8827-7376e32e0600 Correlation ID: 2ac8090e-3b27-43ff-b6d1-8f1a4f76523b Timestamp: 2024-11-18 21:53:12Z","error_codes":[700212],"timestamp":"2024-11-18 21:53:12Z","trace_id":"c158280b-344c-4b63-8827-7376e32e0600","correlation_id":"2ac8090e-3b27-43ff-b6d1-8f1a4f76523b"}

  with provider["registry.terraform.io/hashicorp/azurerm"],
  on provider.tf line 10, in provider "azurerm":
  10: provider "azurerm" {
```

### Expected Behavior

api://AzureADTokenExchange should actually be api://AzureADTokenExchangeUSGov

### Actual Behavior

Errors because wrong API is called.

### Steps to Reproduce

1. terraform plan

### Additional Context

Running through Github Actions using OIDC

### References

_No response_
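As an added diagnostic (not part of the issue or of the azurerm provider), the following Python snippet decodes the `aud` claim of a GitHub OIDC token and compares it, case-sensitively as Entra ID does, with the audience the cloud's federated identity credential expects; the mapping from `ARM_ENVIRONMENT` value to audience and the sample token are assumptions constructed for this check.

```python
import base64
import json

# Audience each cloud's federated identity credential expects, as named in
# the report: public cloud vs. US Government cloud. Keying this on the
# ARM_ENVIRONMENT value is an assumption made for this diagnostic.
EXPECTED_AUDIENCE = {
    "public": "api://AzureADTokenExchange",
    "usgovernment": "api://AzureADTokenExchangeUSGov",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Returns the payload claims WITHOUT verifying the signature. This is a
    # troubleshooting aid only; Entra ID validates the assertion on exchange.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token: str, arm_environment: str) -> tuple[bool, str]:
    # Entra compares audience case-sensitively, so no normalisation of aud.
    expected = EXPECTED_AUDIENCE[arm_environment.lower()]
    aud = jwt_claims(token).get("aud")
    presented = aud if isinstance(aud, list) else [aud]
    if expected in presented:
        return True, f"aud {expected!r} matches environment {arm_environment!r}"
    return False, f"aud {presented!r} does not match {expected!r} for {arm_environment!r}"


def _make_sample_jwt(claims: dict) -> str:
    # Builds an offline sample token; signature segment is left empty because
    # nothing here verifies signatures. Never use such tokens for real auth.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample mirroring the report: GitHub issued a token for the
# public-cloud audience while the provider targeted usgovernment.
SAMPLE_TOKEN = _make_sample_jwt({
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",  # hypothetical
    "aud": "api://AzureADTokenExchange",
})

if __name__ == "__main__":
    ok, msg = check_audience(SAMPLE_TOKEN, "usgovernment")
    print(("OK: " if ok else "MISMATCH: ") + msg)
```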