The inclusion of client_id and client_secret as required inputs seemed kind of strange to me when looking at where they're used.
root module
└─ module.cloudguard_ha (CheckPointSW/cloudguard-network-security v1.2.3)
   ├─ high-availability/versions.tf ← **defines provider blocks with credentials**
   └─ module.common.module.regions[0] (Azure/avm-utl-regions v0.5.1)
      └─ data.azapi_resource_action.locations ← **uses the provider context**
The problem is that high-availability/versions.tf defines provider blocks inside a child module and passes client_id/client_secret straight into them. (Provider blocks inside a child module are something Terraform itself discourages: such a module cannot be used with count/for_each, and the provider configuration disappears with the module before the resources it must destroy are gone.)
When client_id and client_secret are both set to non-empty strings, both the azapi and azurerm providers treat that as an explicit service-principal login: they go straight to client-secret authentication and never consult their fallback credential chain (ARM_* environment variables, Managed Identity, Azure CLI).
The azapi_resource_action.locations call (in avm-utl-regions) is simply querying:
GET /subscriptions/{id}/locations?api-version=2023-07-01
Any token with Reader access to the subscription is sufficient for that. If client_id and client_secret were absent from the provider block, both providers would fall through to ARM_* environment variables, Managed Identity, or Azure CLI authentication. That chain needs no extra configuration and works transparently, and it means callers never have to obtain, store and pass a long-lived client secret to the module at all.
All that needs to change is modules/high-availability/variables.tf and versions.tf:
variables.tf - make client_id and client_secret optional by setting default = null, and mark client_secret sensitive = true so it is redacted from plan/apply output for callers that still pass it
versions.tf - remove credentials from provider blocks (omit client_id/client_secret); a null-valued provider argument is treated by Terraform as omitted, so callers that still pass credentials keep working while everyone else gets the default chain
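As an added illustration of the two-file change (this is not the CheckPointSW module's actual code; the variable descriptions, the placeholder module source path and the root-module caller are assumed here), the weak provider wiring beside the corrected form:

```hcl
# Added example, not the cloudguard-network-security module's own files.
# Assumed: variable names, the placeholder `source` path, and a caller that
# authenticates via ARM_* env vars, Managed Identity or `az login`.

# ---- modules/high-availability/variables.tf ----
variable "client_id" {
  description = "Optional service-principal client ID. Leave null to use the providers' default credential chain."
  type        = string
  default     = null
}

variable "client_secret" {
  description = "Optional service-principal client secret. Leave null to use the providers' default credential chain."
  type        = string
  default     = null
  sensitive   = true # redacted from plan/apply output if a caller still passes it
}

# ---- modules/high-availability/versions.tf ----
# BEFORE (weak): the inputs were required and wired into both providers,
# so client-secret auth was forced even when the caller already had a
# managed identity or an `az login` session.
#
#   provider "azurerm" {
#     features {}
#     client_id     = var.client_id      # required input
#     client_secret = var.client_secret  # required input
#   }
#   provider "azapi" {
#     client_id     = var.client_id
#     client_secret = var.client_secret
#   }

# AFTER: no credentials in the provider blocks. Both providers now fall
# through to ARM_* env vars -> Managed Identity -> Azure CLI, which is all
# the Reader-level `locations` read needs. (Keeping `client_id = var.client_id`
# with the null default above behaves the same, because Terraform treats a
# null argument as omitted; dropping the arguments is simply cleaner.)
# Note: azurerm >= 4.0 still needs a subscription_id, either here or via
# the ARM_SUBSCRIPTION_ID environment variable.
provider "azurerm" {
  features {}
}

provider "azapi" {}

# ---- root module (caller) ----
# Nothing credential-related is passed; an `az login` session, a managed
# identity on the runner, or ARM_CLIENT_ID/ARM_CLIENT_SECRET/ARM_TENANT_ID
# in the environment all satisfy the providers without module inputs.
module "cloudguard_ha" {
  source = "./modules/high-availability" # placeholder path, not the registry address
  # ... other module inputs ...
}
```

To confirm the chain is actually in use after the change, run `terraform plan` from a shell with no ARM_CLIENT_SECRET set but with an active `az login` or managed identity; if the azapi `locations` read still succeeds, the data source was never dependent on the service-principal secret.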