Terraform step with Azure backend not substituting account subscription


We have just upgraded from 2021.1.7316 to 2021.3.8275 and have found our terraform steps have stopped working when getting the workspaces.
Details of configuration:
Azure account is bound to a variable populated based on tenant and environment. Using variable preview I have confirmed the correct account is being populated.
A workspace variable is also provided via a variable.
When the step runs, init seems to be ok, but when it attempts to get the workspace, it seems to not substitute the subscriptionId value:

Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "[redacted]": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/%23%7BOctopus.Action.Azure.SubscriptionId%7D/resourceGroups/[redacted]/providers/Microsoft.Storage/storageAccounts/[redacted]/listKeys?api-version=2021-01-01: StatusCode=200 -- Original Error: adal: Failed to unmarshal the service principal token during refresh. Error = 'invalid character '<' looking for beginning of value' JSON = ' 

Followed by HTML for azure sign-in page.

I have redacted the storage account name and resource group, but the value where the subscription id should be is as-is from octo. It appears to be the URL encoded value of #{Octopus.Action.Azure.SubscriptionId}.

I can confirm that the subscription ID is present in the azure account and the account has been tested through Octo to show it works. It also was working before the upgrade (albeit not run for a couple of weeks before, so open to the idea that the upgrade timing is just coincidental)

Does anyone have any thoughts on what could be the issue?

Hi @adam.eastbury,

Thank you for contacting Octopus Support.

I tested this on my end in 2021.3.8275 and was unable to replicate the issue. As a troubleshooting step, could you create a new service principal and try this again against it?

If that doesn’t work, could you provide the raw task log and a copy of the Process JSON from the most recent attempt?

Secure Upload Link

I look forward to hearing back from you.

Best Regards,

Thanks for the reply.

After digging through the verbose logging we managed to track the issue down to the fact the account variable from octo azure accounts is SubscriptionNumber and not SubscriptionId. Once we updated our terraform to have that variable name everything sprang into life.

Thanks again,

Hi @adam.eastbury,

Thank you for getting back to me. I’m glad to hear you were able to get it sorted.

If we can assist with anything else, please don’t hesitate to reach out.

Best Regards,