Azure/terraform-azurerm-avm-ptn-monitoring-amba-alz: Child modules do not inherit providers passed to parent module, causing resources to deploy in wrong subscription #32

@simone-bennett

Bug Report: Child modules do not inherit providers passed to parent module

Description

When using the AMBA module with the Azure Landing Zone Terraform Accelerator (ALZ), passing aliased providers to the module via the providers block does not work as expected. Child modules within the AMBA module do not inherit these providers and instead fall back to the root module's default provider, causing resources to be created in the wrong subscription.

Context

The ALZ accelerator configures multiple Azure subscriptions (management, connectivity, identity) with aliased providers. AMBA resources should be deployed to the management subscription, but when the default provider targets connectivity, the resources incorrectly deploy there.

Environment

  • Module Version: 0.1.1
  • Terraform Version: 1.12.x
  • Provider Versions:
    • azurerm ~> 4.0
    • azapi ~> 2.0

Steps to Reproduce

  1. Set up ALZ accelerator with provider configuration:
# Default provider (used by hub networking)
provider "azurerm" {
  subscription_id = "connectivity-subscription-id"
  features {}
}

# Aliased provider for management resources
provider "azurerm" {
  alias           = "management"
  subscription_id = "management-subscription-id"
  features {}
}
  2. Call the AMBA module with explicit provider mapping:
module "amba" {
  source  = "Azure/avm-ptn-monitoring-amba-alz/azurerm"
  version = "0.1.1"

  providers = {
    azurerm = azurerm.management
    azapi   = azapi.management
  }

  resource_group_name                   = "rg-amba-australiaeast"
  resource_group_location               = "australiaeast"
  user_assigned_managed_identity_name   = "uami-mgmt-amba-australiaeast"
  # ... other configuration
}

Expected Behavior

All resources should deploy to the management subscription as specified by azurerm.management.

Actual Behavior

Resources deploy to the connectivity subscription (default provider) instead.

Root Cause

Child modules within the AMBA module don't have providers blocks to pass through aliased providers from the parent.

Suggested Fix

In child module calls, add explicit provider passthrough. For example, if there's an internal module call like:

# Current (broken)
module "resource_group" {
  source = "./modules/resource_group"
  # ...
}

Change to:

# Fixed
module "resource_group" {
  source = "./modules/resource_group"
  
  providers = {
    azurerm = azurerm
  }
  
  # ...
}

This ensures the provider passed to the parent AMBA module is propagated to all child modules.

Current Workaround

Create AMBA resources directly with explicit provider attributes instead of using the module:

resource "azurerm_resource_group" "amba" {
  provider = azurerm.management
  name     = "rg-amba-australiaeast"
  location = "australiaeast"
}

resource "azurerm_user_assigned_identity" "amba" {
  provider            = azurerm.management
  name                = "uami-mgmt-amba-australiaeast"
  resource_group_name = azurerm_resource_group.amba.name
  location            = azurerm_resource_group.amba.location
}

resource "azapi_resource" "amba_role_assignment" {
  provider  = azapi.management
  type      = "Microsoft.Authorization/roleAssignments@2022-04-01"
  # ...
}

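A post-apply check for the misplacement reported above, added here as an example and not taken from the issue or the AMBA module: it walks the state JSON produced by `terraform show -json` and lists every managed resource under a module address whose Azure resource ID sits outside the expected subscription. The subscription IDs and resource addresses in the sample are constructed placeholders.

```python
import re

# Subscription-scoped Azure resource IDs begin with /subscriptions/<id>/
SUB_RE = re.compile(r"^/subscriptions/([^/]+)", re.IGNORECASE)

def iter_resources(module):
    """Yield resources of a state module and of all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def misplaced_resources(state, address_prefix, expected_sub):
    """List (address, subscription) for managed resources under address_prefix
    whose ID is in a subscription other than expected_sub."""
    findings = []
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("mode") != "managed":
            continue
        if not res.get("address", "").startswith(address_prefix):
            continue
        match = SUB_RE.match((res.get("values") or {}).get("id") or "")
        if match is None:
            continue  # ID not subscription-scoped, e.g. management group scope
        if match.group(1).lower() != expected_sub.lower():
            findings.append((res["address"], match.group(1)))
    return findings

# Constructed sample in the shape of `terraform show -json` state output.
# Subscription IDs and resource addresses are placeholders, not from the module.
MGMT = "00000000-0000-0000-0000-00000000000a"
CONN = "00000000-0000-0000-0000-00000000000b"
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [{"address": "azurerm_virtual_network.hub", "mode": "managed",
                   "values": {"id": f"/subscriptions/{CONN}/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/hub"}}],
    "child_modules": [{"address": "module.amba", "resources": [
        {"address": "module.amba.azurerm_resource_group.example", "mode": "managed",
         "values": {"id": f"/subscriptions/{CONN}/resourceGroups/rg-amba-australiaeast"}},
        {"address": "module.amba.azurerm_user_assigned_identity.example", "mode": "managed",
         "values": {"id": f"/subscriptions/{MGMT}/resourceGroups/rg-amba-australiaeast/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uami-mgmt-amba-australiaeast"}},
    ]}],
}}}

if __name__ == "__main__":
    for address, sub in misplaced_resources(SAMPLE_STATE, "module.amba.", MGMT):
        print(f"{address} is in subscription {sub}")
```

Against a real deployment, load the output of `terraform show -json` with `json.load` and pass it in place of `SAMPLE_STATE`; a non-empty result in CI is a reason to fail the pipeline before role assignments are relied on.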