cli: add --subscriptionID flag for iam create azure command (#3328)

* deps: update Terraform azurerm to v4
* Set Azure subscription ID when applying Terraform files
* Upgrade azurerm to v4.1.0
* Mark subscriptionID flag as not required
* deps: tidy all modules

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>

.github/actions/constellation_iam_create/action.yml

@@ -27,6 +27,9 @@ inputs:
   #
   # Azure specific inputs
   #
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureRegion:
     description: "Azure region to deploy Constellation in."
     required: false
@@ -77,6 +80,7 @@ runs:
       if: inputs.cloudProvider == 'azure'
       run: |
         constellation iam create azure \
+          --subscriptionID="${{ inputs.azureSubscriptionID }}" \
           --region="${{ inputs.azureRegion }}" \
           --resourceGroup="${{ inputs.namePrefix }}-rg" \
           --servicePrincipal="${{ inputs.namePrefix }}-sp" \

.github/actions/e2e_test/action.yml

@@ -46,6 +46,9 @@ inputs:
     description: "AWS OpenSearch User to upload the benchmark results."
   awsOpenSearchPwd:
     description: "AWS OpenSearch Password to upload the benchmark results."
+  azureSubscriptionID:
+    description: "Azure subscription ID to deploy Constellation in."
+    required: true
   azureClusterCreateCredentials:
     description: "Azure credentials authorized to create a Constellation cluster."
     required: true
@@ -249,6 +252,7 @@ runs:
         attestationVariant: ${{ inputs.attestationVariant }}
         namePrefix: ${{ steps.create-prefix.outputs.prefix }}
         awsZone: ${{ inputs.regionZone || 'us-east-2c' }}
+        azureSubscriptionID: ${{ inputs.azureSubscriptionID }}
         azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
         gcpProjectID: ${{ inputs.gcpProject }}
         gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}

.github/workflows/e2e-test-daily.yml

@@ -90,6 +90,7 @@ jobs:
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           kubernetesVersion: ${{ matrix.kubernetesVersion }}
           test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io

.github/workflows/e2e-test-provider-example.yml

@@ -306,6 +306,19 @@ jobs:
           cat >> _override.tf <<EOF
           locals {
             instance_type = "Standard_DC4es_v5"
+            subscription_id = "$(az account show --query id --output tsv)"
+          }
+          EOF
+          cat _override.tf
+
+      - name: Create Azure SEV-SNP Terraform overrides
+        if: inputs.attestationVariant == 'azure-sev-snp'
+        working-directory: ${{ github.workspace }}/cluster
+        shell: bash
+        run: |
+          cat >> _override.tf <<EOF
+          locals {
+            subscription_id = "$(az account show --query id --output tsv)"
           }
           EOF
           cat _override.tf

.github/workflows/e2e-test-release.yml

@@ -359,6 +359,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io

.github/workflows/e2e-test-weekly.yml

@@ -357,6 +357,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io

.github/workflows/e2e-test.yml

@@ -247,6 +247,7 @@ jobs:
           osImage: ${{ needs.find-latest-image.outputs.image }}
           cliVersion: ${{ inputs.cliVersion }}
           isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io

.github/workflows/e2e-upgrade.yml

@@ -220,6 +220,7 @@ jobs:
           gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
           gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
           test: "upgrade"
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
           azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
           registry: ghcr.io

.github/workflows/e2e-windows.yml

@@ -84,7 +84,7 @@ jobs:
           $rgName = "e2e-win-${{ github.run_id }}-${{ github.run_attempt }}-$uid"
           "rgName=$($rgName)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
           .\constellation.exe config generate azure -t "workflow=${{ github.run_id }}"
-          .\constellation.exe iam create azure --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
+          .\constellation.exe iam create azure --subscriptionID=${{ secrets.AZURE_SUBSCRIPTION_ID }} --region=westus --resourceGroup=$rgName-rg --servicePrincipal=$rgName-sp --update-config --debug -y
 
       - name: Login to Azure (Cluster service principal)
         uses: ./.github/actions/login_azure

cli/internal/cloudcmd/iam.go

@@ -95,6 +95,7 @@ type GCPIAMConfig struct {
 
 // AzureIAMConfig holds the necessary values for Azure IAM configuration.
 type AzureIAMConfig struct {
+	SubscriptionID   string
 	Location         string
 	ServicePrincipal string
 	ResourceGroup    string
@@ -167,6 +168,7 @@ func (c *IAMCreator) createAzure(ctx context.Context, cl tfIAMClient, opts *IAMC
 	defer rollbackOnError(c.out, &retErr, &rollbackerTerraform{client: cl}, opts.TFLogLevel)
 
 	vars := terraform.AzureIAMVariables{
+		SubscriptionID:   opts.Azure.SubscriptionID,
 		Location:         opts.Azure.Location,
 		ResourceGroup:    opts.Azure.ResourceGroup,
 		ServicePrincipal: opts.Azure.ServicePrincipal,

cli/internal/cloudcmd/tfvars.go

@@ -147,6 +147,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC
 		}
 	}
 	vars := &terraform.AzureClusterVariables{
+		SubscriptionID:       conf.Provider.Azure.SubscriptionID,
 		Name:                 conf.Name,
 		NodeGroups:           nodeGroups,
 		Location:             conf.Provider.Azure.Location,
@@ -191,6 +192,7 @@ func azureTerraformVars(conf *config.Config, imageRef string) (*terraform.AzureC
 
 func azureTerraformIAMVars(conf *config.Config, oldVars terraform.AzureIAMVariables) *terraform.AzureIAMVariables {
 	return &terraform.AzureIAMVariables{
+		SubscriptionID:   conf.Provider.Azure.SubscriptionID,
 		Location:         conf.Provider.Azure.Location,
 		ServicePrincipal: oldVars.ServicePrincipal,
 		ResourceGroup:    conf.Provider.Azure.ResourceGroup,

cli/internal/cmd/iamcreateazure.go

@@ -6,7 +6,9 @@ SPDX-License-Identifier: AGPL-3.0-only
 package cmd
 
 import (
+	"errors"
 	"fmt"
+	"os"
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
@@ -26,6 +28,7 @@ func newIAMCreateAzureCmd() *cobra.Command {
 		RunE:  runIAMCreateAzure,
 	}
 
+	cmd.Flags().String("subscriptionID", "", "subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set")
 	cmd.Flags().String("resourceGroup", "", "name prefix of the two resource groups your cluster / IAM resources will be created in (required)")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "resourceGroup"))
 	cmd.Flags().String("region", "", "region the resources will be created in, e.g., westus (required)")
@@ -45,6 +48,7 @@ func runIAMCreateAzure(cmd *cobra.Command, _ []string) error {
 
 // azureIAMCreateFlags contains the parsed flags of the iam create azure command.
 type azureIAMCreateFlags struct {
+	subscriptionID   string
 	region           string
 	resourceGroup    string
 	servicePrincipal string
@@ -52,6 +56,14 @@ type azureIAMCreateFlags struct {
 
 func (f *azureIAMCreateFlags) parse(flags *pflag.FlagSet) error {
 	var err error
+	f.subscriptionID, err = flags.GetString("subscriptionID")
+	if err != nil {
+		return fmt.Errorf("getting 'subscriptionID' flag: %w", err)
+	}
+	if f.subscriptionID == "" && os.Getenv("ARM_SUBSCRIPTION_ID") == "" {
+		return errors.New("either flag 'subscriptionID' or environment variable 'ARM_SUBSCRIPTION_ID' must be set")
+	}
+
 	f.region, err = flags.GetString("region")
 	if err != nil {
 		return fmt.Errorf("getting 'region' flag: %w", err)
@@ -75,6 +87,7 @@ type azureIAMCreator struct {
 func (c *azureIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 	return &cloudcmd.IAMConfigOptions{
 		Azure: cloudcmd.AzureIAMConfig{
+			SubscriptionID:   c.flags.subscriptionID,
 			Location:         c.flags.region,
 			ResourceGroup:    c.flags.resourceGroup,
 			ServicePrincipal: c.flags.servicePrincipal,
@@ -83,6 +96,7 @@ func (c *azureIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 }
 
 func (c *azureIAMCreator) printConfirmValues(cmd *cobra.Command) {
+	cmd.Printf("Subscription ID:\t%s\n", c.flags.subscriptionID)
 	cmd.Printf("Region:\t\t\t%s\n", c.flags.region)
 	cmd.Printf("Resource Group:\t\t%s\n", c.flags.resourceGroup)
 	cmd.Printf("Service Principal:\t%s\n\n", c.flags.servicePrincipal)

cli/internal/terraform/variables.go

@@ -172,7 +172,7 @@ type GCPNodeGroup struct {
 	DiskType     string `hcl:"disk_type" cty:"disk_type"`
 }
 
-// GCPIAMVariables is user configuration for creating the IAM confioguration with Terraform on GCP.
+// GCPIAMVariables is user configuration for creating the IAM configuration with Terraform on GCP.
 type GCPIAMVariables struct {
 	// Project is the ID of the GCP project to use.
 	Project string `hcl:"project_id" cty:"project_id"`
@@ -193,6 +193,8 @@ func (v *GCPIAMVariables) String() string {
 
 // AzureClusterVariables is user configuration for creating a cluster with Terraform on Azure.
 type AzureClusterVariables struct {
+	// SubscriptionID is the Azure subscription ID to use.
+	SubscriptionID string `hcl:"subscription_id" cty:"subscription_id"`
 	// Name of the cluster.
 	Name string `hcl:"name" cty:"name"`
 	// ImageID is the ID of the Azure image to use.
@@ -254,6 +256,8 @@ type AzureNodeGroup struct {
 
 // AzureIAMVariables is user configuration for creating the IAM configuration with Terraform on Microsoft Azure.
 type AzureIAMVariables struct {
+	// SubscriptionID is the Azure subscription ID to use.
+	SubscriptionID string `hcl:"subscription_id,optional" cty:"subscription_id"` // TODO(v2.18): remove optional tag. This is only required for migration from var files that dont have the value yet.
 	// Location is the Azure location to use. (e.g. westus)
 	Location string `hcl:"location" cty:"location"`
 	// ServicePrincipal is the name of the service principal to use.

cli/internal/terraform/variables_test.go

@@ -180,7 +180,8 @@ service_account_id = "my-service-account"
 
 func TestAzureClusterVariables(t *testing.T) {
 	vars := AzureClusterVariables{
-		Name: "cluster-name",
+		SubscriptionID: "01234567-cdef-0123-4567-89abcdef0123",
+		Name:           "cluster-name",
 		NodeGroups: map[string]AzureNodeGroup{
 			constants.ControlPlaneDefault: {
 				Role:         "ControlPlane",
@@ -207,7 +208,8 @@ func TestAzureClusterVariables(t *testing.T) {
 	}
 
 	// test that the variables are correctly rendered
-	want := `name                   = "cluster-name"
+	want := `subscription_id        = "01234567-cdef-0123-4567-89abcdef0123"
+name                   = "cluster-name"
 image_id               = "image-0123456789abcdef"
 create_maa             = true
 debug                  = true
@@ -241,13 +243,15 @@ additional_tags = null
 
 func TestAzureIAMVariables(t *testing.T) {
 	vars := AzureIAMVariables{
+		SubscriptionID:   "01234567-cdef-0123-4567-89abcdef0123",
 		Location:         "eu-central-1",
 		ServicePrincipal: "my-service-principal",
 		ResourceGroup:    "my-resource-group",
 	}
 
 	// test that the variables are correctly rendered
-	want := `location                 = "eu-central-1"
+	want := `subscription_id       = "01234567-cdef-0123-4567-89abcdef0123"
+location               = "eu-central-1"
 service_principal_name = "my-service-principal"
 resource_group_name    = "my-resource-group"
 `

dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl

@@ -2,31 +2,25 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.111.0"
+  version     = "4.1.0"
-  constraints = "3.111.0"
+  constraints = "4.1.0"
   hashes = [
-    "h1:06sKYI5V2anZnr7t3lOpzO3DSd3AVTGO+53a4OauwoI=",
+    "h1:K2OLOYxwF/onOegr+Y6Sfu/DjEjDLobQBBrLBF3i9TI=",
-    "h1:1gVEyHY/I1EMev2vbb6C6o0fAR+pEZrwGDeqRCDOhvE=",
+    "h1:cwtEEnEESVOgcxtXGz0A2wXCiNZIzm3dC2xHmYuxg9M=",
-    "h1:6mCR0XyitRMsVfvPVpaTGsyNvc44vGeyr5c1O8kryno=",
+    "h1:dKXFrVrjv579ax6iX4wc6lmEAVFsr3iTDjErnPHIjH4=",
-    "h1:8r1THxkuezf0Hys/wnVlPibEB7BeXd6FBahH+xWnmeI=",
+    "h1:iqN6KxIOGYv0N1p5xfNTgsjvDHpE3bZM8s5vIAEgfnQ=",
-    "h1:Q7QmdpMoWo5yQilXPzHjErBe58RVEbGDtM8XB4uGtnw=",
+    "h1:qDmSr5+vMVdWmfBEaIwqSLo5ZLyYk7KYoJo5flny6lk=",
-    "h1:WkapXDimZe5CzZpq3hIrz3RJ5MqIwF0rbL2i3HcPtGw=",
+    "zh:3f332bca3a8b7dc982e428e09c73862d1afda34c2ad7803e70d8ba7b9e2445fd",
-    "h1:ipFQShK0j3mtJeSgSBQDR985KzwC19913+0GkiF8Sfo=",
+    "zh:66b7e4a7a4fd06e0a5a3a22b4f76bda48e50ed3dd26c388738d9cc882b801bce",
-    "h1:oX22BXo+EthR6z90Yuu7EopfeSyG5dxehOrSWbsE+jk=",
+    "zh:6a271175d6e079241f24129f5026e0b16f04e7a548807f115600003d615e0ec3",
-    "h1:oy2sT6XGlo+axoqFYGd6JceoqJTlWOaVKS0rJB0hRus=",
+    "zh:7a6abc7e2ae8d1041d0446bbe87156e0436639676ee1fad40321e8ee6759a454",
-    "h1:uuThLccbeEWYo2wpwDmlZ+TGfm7zCrwaJdw91TA3azg=",
+    "zh:903f6e7f03e5952347ce6ee589d58c829179f2f22220f25cf52ae4efecd7053c",
-    "h1:vgrdy5JWGAK5N44/V75etoHIAMvXKNlMrIHTaWApehA=",
+    "zh:a572b9834cf3b51799c82c5009705c59309d947a6ecdb7e17729868c55e7d0e0",
-    "zh:0db8afb9278993df7e74796bdd125153b07a7045e5ca1756783a8b8cfec564f4",
+    "zh:a7fca14338f0cfb82b17ce085400c210cbc986a87086702e3a11efcb4e53d6e4",
-    "zh:22c424fcfda13dc720caa289248c1b71b2ad20e329fd4a52cc6be7e45f795a4a",
+    "zh:af36c7004702b0a273794914a17a77af1eb972caaad64e0068739e55c1488845",
-    "zh:471a2c1d7353bc21ef28963f006d2cf5276e7885b423fc0b73f2d8ce6cde72dd",
+    "zh:b36f308db1cdc02dee659e3e518186d7dec970d88b6149be3f6b3f8d544e4282",
-    "zh:68bf81cb353c755d48792e881b6405919daa041e35de1d510209237d90d6c21f",
+    "zh:bedf6d13cf4bccc128d8cbb0703a3a8b547629674439ffda5e73563ab775d0f7",
-    "zh:841d8664955bbc77f12095c9b1a4b3923362564a790fd945337759e9bc95d07e",
+    "zh:d1df286a2e5d4a5f6a7f4d29700a25588167ccffa31c686550ef617503df3254",
-    "zh:86e92f959056c573bf4b2be1d6cfa838dab06d3e5a944f371a1131e4c6477d88",
-    "zh:95a096ced57616659687970b5d618c2ce3cd54fa0311b7a7569435cacf39f26f",
-    "zh:c5656a11253ffdaee973e7292dd3c10a1db81f1fc9ee2d3041ae1182f7d25379",
-    "zh:cd6a1049de69280f339d6f83f30a9006bbe003a840a39eb7b5900990c5aadbb0",
-    "zh:e7b3d96f0c9ea47261dbd015f1f64fdb43c8ccb196afda862c0865e30d88245c",
-    "zh:f1ec7da6ab5526845274bff77e023b9faec71c2cf38bd18587274932b2aa2e89",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }

dev-docs/howto/vpn/on-prem-terraform/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.111.0"
+      version = "4.1.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -13,6 +13,10 @@ terraform {
 
 provider "azurerm" {
   features {}
+  subscription_id = var.subscription_id
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 locals {
@@ -103,7 +107,7 @@ resource "azurerm_route_table" "route_table" {
   name                          = "vpn-routes"
   location                      = azurerm_resource_group.rg.location
   resource_group_name           = azurerm_resource_group.rg.name
-  disable_bgp_route_propagation = false
+  bgp_route_propagation_enabled = false
 
   dynamic "route" {
     for_each = var.remote_ts

dev-docs/howto/vpn/on-prem-terraform/variables.tf

@@ -1,3 +1,9 @@
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
+  default     = ""
+}
+
 variable "resource_group_location" {
   type        = string
   default     = "westeurope"

dev-docs/miniconstellation/azure-terraform/.terraform.lock.hcl

@@ -2,31 +2,25 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.111.0"
+  version     = "4.1.0"
-  constraints = "3.111.0"
+  constraints = "4.1.0"
   hashes = [
-    "h1:06sKYI5V2anZnr7t3lOpzO3DSd3AVTGO+53a4OauwoI=",
+    "h1:K2OLOYxwF/onOegr+Y6Sfu/DjEjDLobQBBrLBF3i9TI=",
-    "h1:1gVEyHY/I1EMev2vbb6C6o0fAR+pEZrwGDeqRCDOhvE=",
+    "h1:cwtEEnEESVOgcxtXGz0A2wXCiNZIzm3dC2xHmYuxg9M=",
-    "h1:6mCR0XyitRMsVfvPVpaTGsyNvc44vGeyr5c1O8kryno=",
+    "h1:dKXFrVrjv579ax6iX4wc6lmEAVFsr3iTDjErnPHIjH4=",
-    "h1:8r1THxkuezf0Hys/wnVlPibEB7BeXd6FBahH+xWnmeI=",
+    "h1:iqN6KxIOGYv0N1p5xfNTgsjvDHpE3bZM8s5vIAEgfnQ=",
-    "h1:Q7QmdpMoWo5yQilXPzHjErBe58RVEbGDtM8XB4uGtnw=",
+    "h1:qDmSr5+vMVdWmfBEaIwqSLo5ZLyYk7KYoJo5flny6lk=",
-    "h1:WkapXDimZe5CzZpq3hIrz3RJ5MqIwF0rbL2i3HcPtGw=",
+    "zh:3f332bca3a8b7dc982e428e09c73862d1afda34c2ad7803e70d8ba7b9e2445fd",
-    "h1:ipFQShK0j3mtJeSgSBQDR985KzwC19913+0GkiF8Sfo=",
+    "zh:66b7e4a7a4fd06e0a5a3a22b4f76bda48e50ed3dd26c388738d9cc882b801bce",
-    "h1:oX22BXo+EthR6z90Yuu7EopfeSyG5dxehOrSWbsE+jk=",
+    "zh:6a271175d6e079241f24129f5026e0b16f04e7a548807f115600003d615e0ec3",
-    "h1:oy2sT6XGlo+axoqFYGd6JceoqJTlWOaVKS0rJB0hRus=",
+    "zh:7a6abc7e2ae8d1041d0446bbe87156e0436639676ee1fad40321e8ee6759a454",
-    "h1:uuThLccbeEWYo2wpwDmlZ+TGfm7zCrwaJdw91TA3azg=",
+    "zh:903f6e7f03e5952347ce6ee589d58c829179f2f22220f25cf52ae4efecd7053c",
-    "h1:vgrdy5JWGAK5N44/V75etoHIAMvXKNlMrIHTaWApehA=",
+    "zh:a572b9834cf3b51799c82c5009705c59309d947a6ecdb7e17729868c55e7d0e0",
-    "zh:0db8afb9278993df7e74796bdd125153b07a7045e5ca1756783a8b8cfec564f4",
+    "zh:a7fca14338f0cfb82b17ce085400c210cbc986a87086702e3a11efcb4e53d6e4",
-    "zh:22c424fcfda13dc720caa289248c1b71b2ad20e329fd4a52cc6be7e45f795a4a",
+    "zh:af36c7004702b0a273794914a17a77af1eb972caaad64e0068739e55c1488845",
-    "zh:471a2c1d7353bc21ef28963f006d2cf5276e7885b423fc0b73f2d8ce6cde72dd",
+    "zh:b36f308db1cdc02dee659e3e518186d7dec970d88b6149be3f6b3f8d544e4282",
-    "zh:68bf81cb353c755d48792e881b6405919daa041e35de1d510209237d90d6c21f",
+    "zh:bedf6d13cf4bccc128d8cbb0703a3a8b547629674439ffda5e73563ab775d0f7",
-    "zh:841d8664955bbc77f12095c9b1a4b3923362564a790fd945337759e9bc95d07e",
+    "zh:d1df286a2e5d4a5f6a7f4d29700a25588167ccffa31c686550ef617503df3254",
-    "zh:86e92f959056c573bf4b2be1d6cfa838dab06d3e5a944f371a1131e4c6477d88",
-    "zh:95a096ced57616659687970b5d618c2ce3cd54fa0311b7a7569435cacf39f26f",
-    "zh:c5656a11253ffdaee973e7292dd3c10a1db81f1fc9ee2d3041ae1182f7d25379",
-    "zh:cd6a1049de69280f339d6f83f30a9006bbe003a840a39eb7b5900990c5aadbb0",
-    "zh:e7b3d96f0c9ea47261dbd015f1f64fdb43c8ccb196afda862c0865e30d88245c",
-    "zh:f1ec7da6ab5526845274bff77e023b9faec71c2cf38bd18587274932b2aa2e89",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }

dev-docs/miniconstellation/azure-terraform/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.111.0"
+      version = "4.1.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -22,6 +22,9 @@ terraform {
 provider "azurerm" {
   use_oidc = true
   features {}
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 provider "tls" {}

docs/docs/getting-started/first-steps.md

@@ -80,7 +80,7 @@ If you encounter any problem with the following steps, make sure to use the [lat
     <TabItem value="azure" label="Azure">
 
     ```bash
-    constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
+    constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest --update-config
     ```
 
     This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.

docs/docs/reference/cli.md

@@ -655,6 +655,7 @@ constellation iam create azure [flags]
       --region string             region the resources will be created in, e.g., westus (required)
       --resourceGroup string      name prefix of the two resource groups your cluster / IAM resources will be created in (required)
       --servicePrincipal string   name of the service principal that will be created (required)
+      --subscriptionID string     subscription ID of the Azure account. Required if the 'ARM_SUBSCRIPTION_ID' environment variable is not set
 ```
 
 ### Options inherited from parent commands

docs/docs/workflows/config.md

@@ -184,7 +184,7 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 
 ```bash
-constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest
+constellation iam create azure --subscriptionID 00000000-0000-0000-0000-000000000000 --region=westus --resourceGroup=constellTest --servicePrincipal=spTest
 ```
 
 This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`.

e2e/miniconstellation/.terraform.lock.hcl

@@ -2,31 +2,25 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.111.0"
+  version     = "4.1.0"
-  constraints = "3.111.0"
+  constraints = "4.1.0"
   hashes = [
-    "h1:06sKYI5V2anZnr7t3lOpzO3DSd3AVTGO+53a4OauwoI=",
+    "h1:K2OLOYxwF/onOegr+Y6Sfu/DjEjDLobQBBrLBF3i9TI=",
-    "h1:1gVEyHY/I1EMev2vbb6C6o0fAR+pEZrwGDeqRCDOhvE=",
+    "h1:cwtEEnEESVOgcxtXGz0A2wXCiNZIzm3dC2xHmYuxg9M=",
-    "h1:6mCR0XyitRMsVfvPVpaTGsyNvc44vGeyr5c1O8kryno=",
+    "h1:dKXFrVrjv579ax6iX4wc6lmEAVFsr3iTDjErnPHIjH4=",
-    "h1:8r1THxkuezf0Hys/wnVlPibEB7BeXd6FBahH+xWnmeI=",
+    "h1:iqN6KxIOGYv0N1p5xfNTgsjvDHpE3bZM8s5vIAEgfnQ=",
-    "h1:Q7QmdpMoWo5yQilXPzHjErBe58RVEbGDtM8XB4uGtnw=",
+    "h1:qDmSr5+vMVdWmfBEaIwqSLo5ZLyYk7KYoJo5flny6lk=",
-    "h1:WkapXDimZe5CzZpq3hIrz3RJ5MqIwF0rbL2i3HcPtGw=",
+    "zh:3f332bca3a8b7dc982e428e09c73862d1afda34c2ad7803e70d8ba7b9e2445fd",
-    "h1:ipFQShK0j3mtJeSgSBQDR985KzwC19913+0GkiF8Sfo=",
+    "zh:66b7e4a7a4fd06e0a5a3a22b4f76bda48e50ed3dd26c388738d9cc882b801bce",
-    "h1:oX22BXo+EthR6z90Yuu7EopfeSyG5dxehOrSWbsE+jk=",
+    "zh:6a271175d6e079241f24129f5026e0b16f04e7a548807f115600003d615e0ec3",
-    "h1:oy2sT6XGlo+axoqFYGd6JceoqJTlWOaVKS0rJB0hRus=",
+    "zh:7a6abc7e2ae8d1041d0446bbe87156e0436639676ee1fad40321e8ee6759a454",
-    "h1:uuThLccbeEWYo2wpwDmlZ+TGfm7zCrwaJdw91TA3azg=",
+    "zh:903f6e7f03e5952347ce6ee589d58c829179f2f22220f25cf52ae4efecd7053c",
-    "h1:vgrdy5JWGAK5N44/V75etoHIAMvXKNlMrIHTaWApehA=",
+    "zh:a572b9834cf3b51799c82c5009705c59309d947a6ecdb7e17729868c55e7d0e0",
-    "zh:0db8afb9278993df7e74796bdd125153b07a7045e5ca1756783a8b8cfec564f4",
+    "zh:a7fca14338f0cfb82b17ce085400c210cbc986a87086702e3a11efcb4e53d6e4",
-    "zh:22c424fcfda13dc720caa289248c1b71b2ad20e329fd4a52cc6be7e45f795a4a",
+    "zh:af36c7004702b0a273794914a17a77af1eb972caaad64e0068739e55c1488845",
-    "zh:471a2c1d7353bc21ef28963f006d2cf5276e7885b423fc0b73f2d8ce6cde72dd",
+    "zh:b36f308db1cdc02dee659e3e518186d7dec970d88b6149be3f6b3f8d544e4282",
-    "zh:68bf81cb353c755d48792e881b6405919daa041e35de1d510209237d90d6c21f",
+    "zh:bedf6d13cf4bccc128d8cbb0703a3a8b547629674439ffda5e73563ab775d0f7",
-    "zh:841d8664955bbc77f12095c9b1a4b3923362564a790fd945337759e9bc95d07e",
+    "zh:d1df286a2e5d4a5f6a7f4d29700a25588167ccffa31c686550ef617503df3254",
-    "zh:86e92f959056c573bf4b2be1d6cfa838dab06d3e5a944f371a1131e4c6477d88",
-    "zh:95a096ced57616659687970b5d618c2ce3cd54fa0311b7a7569435cacf39f26f",
-    "zh:c5656a11253ffdaee973e7292dd3c10a1db81f1fc9ee2d3041ae1182f7d25379",
-    "zh:cd6a1049de69280f339d6f83f30a9006bbe003a840a39eb7b5900990c5aadbb0",
-    "zh:e7b3d96f0c9ea47261dbd015f1f64fdb43c8ccb196afda862c0865e30d88245c",
-    "zh:f1ec7da6ab5526845274bff77e023b9faec71c2cf38bd18587274932b2aa2e89",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }

e2e/miniconstellation/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.111.0"
+      version = "4.1.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -22,6 +22,9 @@ terraform {
 provider "azurerm" {
   use_oidc = true
   features {}
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 provider "tls" {}

terraform-provider-constellation/examples/full/azure/main.tf

@@ -22,6 +22,7 @@ locals {
   control_plane_count  = 3
   worker_count         = 2
   instance_type        = "Standard_DC4as_v5"
+  subscription_id      = "00000000-0000-0000-0000-000000000000"
 
   master_secret      = random_bytes.master_secret.hex
   master_secret_salt = random_bytes.master_secret_salt.hex
@@ -43,6 +44,7 @@ resource "random_bytes" "measurement_salt" {
 module "azure_iam" {
   // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
   source                 = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/azure"
+  subscription_id        = local.subscription_id
   location               = local.location
   service_principal_name = "${local.name}-sp"
   resource_group_name    = "${local.name}-rg"
@@ -51,6 +53,7 @@ module "azure_iam" {
 module "azure_infrastructure" {
   // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
   source                 = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/azure"
+  subscription_id        = local.subscription_id
   name                   = local.name
   user_assigned_identity = module.azure_iam.uami_id
   node_groups = {

terraform/infrastructure/azure/.terraform.lock.hcl

@@ -2,31 +2,25 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.111.0"
+  version     = "4.1.0"
-  constraints = "3.111.0"
+  constraints = "4.1.0"
   hashes = [
-    "h1:06sKYI5V2anZnr7t3lOpzO3DSd3AVTGO+53a4OauwoI=",
+    "h1:K2OLOYxwF/onOegr+Y6Sfu/DjEjDLobQBBrLBF3i9TI=",
-    "h1:1gVEyHY/I1EMev2vbb6C6o0fAR+pEZrwGDeqRCDOhvE=",
+    "h1:cwtEEnEESVOgcxtXGz0A2wXCiNZIzm3dC2xHmYuxg9M=",
-    "h1:6mCR0XyitRMsVfvPVpaTGsyNvc44vGeyr5c1O8kryno=",
+    "h1:dKXFrVrjv579ax6iX4wc6lmEAVFsr3iTDjErnPHIjH4=",
-    "h1:8r1THxkuezf0Hys/wnVlPibEB7BeXd6FBahH+xWnmeI=",
+    "h1:iqN6KxIOGYv0N1p5xfNTgsjvDHpE3bZM8s5vIAEgfnQ=",
-    "h1:Q7QmdpMoWo5yQilXPzHjErBe58RVEbGDtM8XB4uGtnw=",
+    "h1:qDmSr5+vMVdWmfBEaIwqSLo5ZLyYk7KYoJo5flny6lk=",
-    "h1:WkapXDimZe5CzZpq3hIrz3RJ5MqIwF0rbL2i3HcPtGw=",
+    "zh:3f332bca3a8b7dc982e428e09c73862d1afda34c2ad7803e70d8ba7b9e2445fd",
-    "h1:ipFQShK0j3mtJeSgSBQDR985KzwC19913+0GkiF8Sfo=",
+    "zh:66b7e4a7a4fd06e0a5a3a22b4f76bda48e50ed3dd26c388738d9cc882b801bce",
-    "h1:oX22BXo+EthR6z90Yuu7EopfeSyG5dxehOrSWbsE+jk=",
+    "zh:6a271175d6e079241f24129f5026e0b16f04e7a548807f115600003d615e0ec3",
-    "h1:oy2sT6XGlo+axoqFYGd6JceoqJTlWOaVKS0rJB0hRus=",
+    "zh:7a6abc7e2ae8d1041d0446bbe87156e0436639676ee1fad40321e8ee6759a454",
-    "h1:uuThLccbeEWYo2wpwDmlZ+TGfm7zCrwaJdw91TA3azg=",
+    "zh:903f6e7f03e5952347ce6ee589d58c829179f2f22220f25cf52ae4efecd7053c",
-    "h1:vgrdy5JWGAK5N44/V75etoHIAMvXKNlMrIHTaWApehA=",
+    "zh:a572b9834cf3b51799c82c5009705c59309d947a6ecdb7e17729868c55e7d0e0",
-    "zh:0db8afb9278993df7e74796bdd125153b07a7045e5ca1756783a8b8cfec564f4",
+    "zh:a7fca14338f0cfb82b17ce085400c210cbc986a87086702e3a11efcb4e53d6e4",
-    "zh:22c424fcfda13dc720caa289248c1b71b2ad20e329fd4a52cc6be7e45f795a4a",
+    "zh:af36c7004702b0a273794914a17a77af1eb972caaad64e0068739e55c1488845",
-    "zh:471a2c1d7353bc21ef28963f006d2cf5276e7885b423fc0b73f2d8ce6cde72dd",
+    "zh:b36f308db1cdc02dee659e3e518186d7dec970d88b6149be3f6b3f8d544e4282",
-    "zh:68bf81cb353c755d48792e881b6405919daa041e35de1d510209237d90d6c21f",
+    "zh:bedf6d13cf4bccc128d8cbb0703a3a8b547629674439ffda5e73563ab775d0f7",
-    "zh:841d8664955bbc77f12095c9b1a4b3923362564a790fd945337759e9bc95d07e",
+    "zh:d1df286a2e5d4a5f6a7f4d29700a25588167ccffa31c686550ef617503df3254",
-    "zh:86e92f959056c573bf4b2be1d6cfa838dab06d3e5a944f371a1131e4c6477d88",
-    "zh:95a096ced57616659687970b5d618c2ce3cd54fa0311b7a7569435cacf39f26f",
-    "zh:c5656a11253ffdaee973e7292dd3c10a1db81f1fc9ee2d3041ae1182f7d25379",
-    "zh:cd6a1049de69280f339d6f83f30a9006bbe003a840a39eb7b5900990c5aadbb0",
-    "zh:e7b3d96f0c9ea47261dbd015f1f64fdb43c8ccb196afda862c0865e30d88245c",
-    "zh:f1ec7da6ab5526845274bff77e023b9faec71c2cf38bd18587274932b2aa2e89",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }

terraform/infrastructure/azure/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.111.0"
+      version = "4.1.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -17,6 +17,10 @@ provider "azurerm" {
       prevent_deletion_if_contains_resources = false
     }
   }
+  subscription_id = var.subscription_id
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 locals {
@@ -266,8 +270,8 @@ module "scale_set_group" {
   marketplace_image         = var.marketplace_image
 
   # We still depend on the backends, since we are not sure if the VMs inside the VMSS have been
-  # "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not 
+  # "updated" to the new version (note: this is the update in Azure which "refreshes" the NICs and not
-  # our Constellation update). 
+  # our Constellation update).
   # TODO(@3u13r): Remove this dependency after v2.18.0 has been released.
   depends_on = [module.loadbalancer_backend_worker, azurerm_lb_backend_address_pool.all]
 }

terraform/infrastructure/azure/modules/load_balancer_backend/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.111.0"
+      version = "4.1.0"
     }
   }
 }

terraform/infrastructure/azure/modules/scale_set/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.111.0"
+      version = "4.1.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -45,6 +45,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
   provision_vm_agent              = false
   vtpm_enabled                    = true
   disable_password_authentication = false
+  extension_operations_enabled    = false
   upgrade_mode                    = "Manual"
   secure_boot_enabled             = var.secure_boot
   # specify the image id only if a non-marketplace image is used

terraform/infrastructure/azure/variables.tf

@@ -46,6 +46,12 @@ variable "internal_load_balancer" {
 
 # Azure-specific variables
 
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
+  default     = ""
+}
+
 variable "location" {
   type        = string
   description = "Azure location to deploy the cluster in."

terraform/infrastructure/iam/azure/.terraform.lock.hcl

@@ -32,31 +32,25 @@ provider "registry.terraform.io/hashicorp/azuread" {
 }
 
 provider "registry.terraform.io/hashicorp/azurerm" {
-  version     = "3.111.0"
+  version     = "4.1.0"
-  constraints = "3.111.0"
+  constraints = "4.1.0"
   hashes = [
-    "h1:06sKYI5V2anZnr7t3lOpzO3DSd3AVTGO+53a4OauwoI=",
+    "h1:K2OLOYxwF/onOegr+Y6Sfu/DjEjDLobQBBrLBF3i9TI=",
-    "h1:1gVEyHY/I1EMev2vbb6C6o0fAR+pEZrwGDeqRCDOhvE=",
+    "h1:cwtEEnEESVOgcxtXGz0A2wXCiNZIzm3dC2xHmYuxg9M=",
-    "h1:6mCR0XyitRMsVfvPVpaTGsyNvc44vGeyr5c1O8kryno=",
+    "h1:dKXFrVrjv579ax6iX4wc6lmEAVFsr3iTDjErnPHIjH4=",
-    "h1:8r1THxkuezf0Hys/wnVlPibEB7BeXd6FBahH+xWnmeI=",
+    "h1:iqN6KxIOGYv0N1p5xfNTgsjvDHpE3bZM8s5vIAEgfnQ=",
-    "h1:Q7QmdpMoWo5yQilXPzHjErBe58RVEbGDtM8XB4uGtnw=",
+    "h1:qDmSr5+vMVdWmfBEaIwqSLo5ZLyYk7KYoJo5flny6lk=",
-    "h1:WkapXDimZe5CzZpq3hIrz3RJ5MqIwF0rbL2i3HcPtGw=",
+    "zh:3f332bca3a8b7dc982e428e09c73862d1afda34c2ad7803e70d8ba7b9e2445fd",
-    "h1:ipFQShK0j3mtJeSgSBQDR985KzwC19913+0GkiF8Sfo=",
+    "zh:66b7e4a7a4fd06e0a5a3a22b4f76bda48e50ed3dd26c388738d9cc882b801bce",
-    "h1:oX22BXo+EthR6z90Yuu7EopfeSyG5dxehOrSWbsE+jk=",
+    "zh:6a271175d6e079241f24129f5026e0b16f04e7a548807f115600003d615e0ec3",
-    "h1:oy2sT6XGlo+axoqFYGd6JceoqJTlWOaVKS0rJB0hRus=",
+    "zh:7a6abc7e2ae8d1041d0446bbe87156e0436639676ee1fad40321e8ee6759a454",
-    "h1:uuThLccbeEWYo2wpwDmlZ+TGfm7zCrwaJdw91TA3azg=",
+    "zh:903f6e7f03e5952347ce6ee589d58c829179f2f22220f25cf52ae4efecd7053c",
-    "h1:vgrdy5JWGAK5N44/V75etoHIAMvXKNlMrIHTaWApehA=",
+    "zh:a572b9834cf3b51799c82c5009705c59309d947a6ecdb7e17729868c55e7d0e0",
-    "zh:0db8afb9278993df7e74796bdd125153b07a7045e5ca1756783a8b8cfec564f4",
+    "zh:a7fca14338f0cfb82b17ce085400c210cbc986a87086702e3a11efcb4e53d6e4",
-    "zh:22c424fcfda13dc720caa289248c1b71b2ad20e329fd4a52cc6be7e45f795a4a",
+    "zh:af36c7004702b0a273794914a17a77af1eb972caaad64e0068739e55c1488845",
-    "zh:471a2c1d7353bc21ef28963f006d2cf5276e7885b423fc0b73f2d8ce6cde72dd",
+    "zh:b36f308db1cdc02dee659e3e518186d7dec970d88b6149be3f6b3f8d544e4282",
-    "zh:68bf81cb353c755d48792e881b6405919daa041e35de1d510209237d90d6c21f",
+    "zh:bedf6d13cf4bccc128d8cbb0703a3a8b547629674439ffda5e73563ab775d0f7",
-    "zh:841d8664955bbc77f12095c9b1a4b3923362564a790fd945337759e9bc95d07e",
+    "zh:d1df286a2e5d4a5f6a7f4d29700a25588167ccffa31c686550ef617503df3254",
-    "zh:86e92f959056c573bf4b2be1d6cfa838dab06d3e5a944f371a1131e4c6477d88",
-    "zh:95a096ced57616659687970b5d618c2ce3cd54fa0311b7a7569435cacf39f26f",
-    "zh:c5656a11253ffdaee973e7292dd3c10a1db81f1fc9ee2d3041ae1182f7d25379",
-    "zh:cd6a1049de69280f339d6f83f30a9006bbe003a840a39eb7b5900990c5aadbb0",
-    "zh:e7b3d96f0c9ea47261dbd015f1f64fdb43c8ccb196afda862c0865e30d88245c",
-    "zh:f1ec7da6ab5526845274bff77e023b9faec71c2cf38bd18587274932b2aa2e89",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }

terraform/infrastructure/iam/azure/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.111.0"
+      version = "4.1.0"
     }
     azuread = {
       source  = "hashicorp/azuread"
@@ -18,6 +18,10 @@ provider "azurerm" {
       prevent_deletion_if_contains_resources = false
     }
   }
+  subscription_id = var.subscription_id
+  # This enables all resource providers.
+  # In the future, we might want to use `resource_providers_to_register` to registers just the ones we need.
+  resource_provider_registrations = "all"
 }
 
 # Configure Azure active directory provider

terraform/infrastructure/iam/azure/variables.tf

@@ -1,3 +1,9 @@
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID. This can also be sourced from the ARM_SUBSCRIPTION_ID environment variable: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#subscription_id"
+  default     = ""
+}
+
 variable "resource_group_name" {
   type        = string
   description = "Name for the resource group the cluster should reside in."