Azure · jaredfholgate · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025
diff --git a/src/ALZ/Private/Deploy-Accelerator-Helpers/Invoke-Terraform.ps1 b/src/ALZ/Private/Deploy-Accelerator-Helpers/Invoke-Terraform.ps1
@@ -25,6 +25,7 @@ function Invoke-Terraform {
 
     if ($PSCmdlet.ShouldProcess("Apply Terraform", "modify")) {
         # Check and Set Subscription ID
+        $removeSubscriptionId = $false
         if($null -eq $env:ARM_SUBSCRIPTION_ID -or $env:ARM_SUBSCRIPTION_ID -eq "") {
             Write-Verbose "Setting environment variable ARM_SUBSCRIPTION_ID"
             $subscriptionId = $(az account show --query id -o tsv)
@@ -33,6 +34,7 @@ function Invoke-Terraform {
                 return
             }
             $env:ARM_SUBSCRIPTION_ID = $subscriptionId
+            $removeSubscriptionId = $true
             Write-Verbose "Environment variable ARM_SUBSCRIPTION_ID set to $subscriptionId"
         }
 
@@ -144,6 +146,11 @@ function Invoke-Terraform {
             $exitCode = $LASTEXITCODE
         }
 
+        if($removeSubscriptionId) {
+            Write-Verbose "Removing environment variable ARM_SUBSCRIPTION_ID that was set prior to this run"
+            Remove-Item $env:ARM_SUBSCRIPTION_ID = $null
+        }
+
         # Stop and display timer
         $StopWatch.Stop()
         if(!$silent) {

diff --git a/src/ALZ/Private/Tools/Test-Tooling.ps1 b/src/ALZ/Private/Tools/Test-Tooling.ps1
@@ -41,36 +41,112 @@ function Test-Tooling {
         $hasFailure = $true
     }
 
-    # Check if Azure CLI is installed
-    Write-Verbose "Checking Azure CLI installation"
-    $azCliPath = Get-Command az -ErrorAction SilentlyContinue
-    if ($azCliPath) {
-        $checkResults += @{
-            message = "Azure CLI is installed."
-            result  = "Success"
+    # Check if using Service Principal Auth
+    Write-Verbose "Checking Azure environment variables"
+    $nonAzCliEnvVars = @(
+        "ARM_CLIENT_ID",
+        "ARM_SUBSCRIPTION_ID",
+        "ARM_TENANT_ID"
+    )
+
+    $envVarsSet = $true
+    $envVarValid = $true
+    $envVarUnique = $true
+    $envVarAtLeastOneSet = $false
+    $envVarsWithValue = @()
+    $checkedEnvVars = @()
+    foreach($envVar in $nonAzCliEnvVars) {
+        $envVarValue = [System.Environment]::GetEnvironmentVariable($envVar)
+        if($envVarValue -eq $null -or $envVarValue -eq "" ) {
+            $envVarsSet = $false
+            continue
         }
-    } else {
-        $checkResults += @{
-            message = "Azure CLI is not installed. Follow the instructions here: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"
-            result  = "Failure"
+        $envVarAtLeastOneSet = $true
+        $envVarsWithValue += $envVar
+        if($envVarValue -notmatch("^(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}$")) {
+            $envVarValid = $false
+            continue
         }
-        $hasFailure = $true
+        if($checkedEnvVars -contains $envVarValue) {
+            $envVarUnique = $false
+            continue
+        }
+        $checkedEnvVars += $envVarValue
     }
 
-    # Check if Azure CLI is logged in
-    Write-Verbose "Checking Azure CLI login status"
-    $azCliAccount = $(az account show -o json) | ConvertFrom-Json
-    if ($azCliAccount) {
-        $checkResults += @{
-            message = "Azure CLI is logged in. Tenant ID: $($azCliAccount.tenantId), Subscription: $($azCliAccount.name) ($($azCliAccount.id))"
-            result  = "Success"
+    if($envVarsSet) {
+        Write-Verbose "Using Service Principal Authentication, skipping Azure CLI checks"
+        if($envVarValid -and $envVarUnique) {
+            $checkResults += @{
+                message = "Azure environment variables are set and are valid unique GUIDs."
+                result  = "Success"
+            }
+        }
+
+        if(-not $envVarValid) {
+            $checkResults += @{
+                message = "Azure environment variables are set, but are not all valid GUIDs."
+                result  = "Failure"
+            }
+            $hasFailure = $true
+        }
+
+        if (-not $envVarUnique) {
+            $envVarValidationOutput = ""
+            foreach($envVar in $nonAzCliEnvVars) {
+                $envVarValue = [System.Environment]::GetEnvironmentVariable($envVar)
+                $envVarValidationOutput += " $envVar ($envVarValue)"
+            }
+            $checkResults += @{
+                message = "Azure environment variables are set, but are not unique GUIDs. There is at least one duplicate:$envVarValidationOutput."
+                result  = "Failure"
+            }
+            $hasFailure = $true
         }
     } else {
-        $checkResults += @{
-            message = "Azure CLI is not logged in. Please login to Azure CLI using 'az login -t `"00000000-0000-0000-0000-000000000000}`"', replacing the empty GUID with your tenant ID."
-            result  = "Failure"
+        if($envVarAtLeastOneSet) {
+            $envVarValidationOutput = ""
+            foreach($envVar in $envVarsWithValue) {
+                $envVarValue = [System.Environment]::GetEnvironmentVariable($envVar)
+                $envVarValidationOutput += " $envVar ($envVarValue)"
+            }
+            $checkResults += @{
+                message = "At least one environment variable is set, but the other expected environment variables are not set. This could cause Terraform to fail in unexpected ways. Set environment variables:$envVarValidationOutput."
+                result  = "Warning"
+            }
+        }
+
+        # Check if Azure CLI is installed
+        Write-Verbose "Checking Azure CLI installation"
+        $azCliPath = Get-Command az -ErrorAction SilentlyContinue
+        if ($azCliPath) {
+            $checkResults += @{
+                message = "Azure CLI is installed."
+                result  = "Success"
+            }
+        } else {
+            $checkResults += @{
+                message = "Azure CLI is not installed. Follow the instructions here: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"
+                result  = "Failure"
+            }
+            $hasFailure = $true
+        }
+
+        # Check if Azure CLI is logged in
+        Write-Verbose "Checking Azure CLI login status"
+        $azCliAccount = $(az account show -o json) | ConvertFrom-Json
+        if ($azCliAccount) {
+            $checkResults += @{
+                message = "Azure CLI is logged in. Tenant ID: $($azCliAccount.tenantId), Subscription: $($azCliAccount.name) ($($azCliAccount.id))"
+                result  = "Success"
+            }
+        } else {
+            $checkResults += @{
+                message = "Azure CLI is not logged in. Please login to Azure CLI using 'az login -t `"00000000-0000-0000-0000-000000000000}`"', replacing the empty GUID with your tenant ID."
+                result  = "Failure"
+            }
+            $hasFailure = $true
         }
-        $hasFailure = $true
     }
 
     # Check if latest ALZ module is installed
@@ -96,6 +172,7 @@ function Test-Tooling {
             switch ($_.result) {
                 'Success' { $color = "92"; break }
                 'Failure' { $color = "91"; break }
+                'Warning' { $color = "93"; break }
                 default { $color = "0" }
             }
             $e = [char]27