Comments (15)
Taking a look at this.
from azure-pipelines-terraform.
Hi @theo-albers, I did have an issue in my setup and thought it was related, but my issue was I had two types of service connections. When I switched them to the same type (Service Principal) it worked. This is my setup:
- task: TerraformTaskV4@4
  displayName: 'terraform init'
  inputs:
    provider: 'azurerm'
    command: 'init'
    backendServiceArm: 'spMSDN2'
    backendAzureRmResourceGroupName: 'terraform'
    backendAzureRmStorageAccountName: 'solstatestore2'
    backendAzureRmContainerName: 'state'
    backendAzureRmKey: 'state.tfstate'
- task: TerraformTaskV4@4
  name: plan
  displayName: 'terraform plan'
  inputs:
    commandOptions: '-out=tfplan -detailed-exitcode'
    provider: 'azurerm'
    command: 'plan'
    environmentServiceNameAzureRM: 'TerraformSP'
Parts of the debug log.
For the init:
....
##[debug]found: '/opt/hostedtoolcache/terraform/1.5.7/x64/terraform'
##[debug]which '/opt/hostedtoolcache/terraform/1.5.7/x64/terraform'
##[debug]found: '/opt/hostedtoolcache/terraform/1.5.7/x64/terraform'
##[debug]/opt/hostedtoolcache/terraform/1.5.7/x64/terraform arg: init
##[debug]backendServiceArm=5cd4e6b5-xxxx-479e-beed-xxxxxxxxx
##[debug]backendServiceArm=5cd4e6b5-xxxx-479e-beed-xxxxxxxxx
##[debug]5cd4e6b5-xxxx-479e-beed-xxxxxxxxx auth scheme = ServicePrincipal
##[debug]Setting up backend for authorization scheme: serviceprincipal.
##[debug]backendAzureRmStorageAccountName=solstatestore2
##[debug]backendAzureRmContainerName=state
##[debug]backendAzureRmKey=state.tfstate
##[debug]backendAzureRmResourceGroupName=terraform
.....
For the plan:
....
##[debug]environmentServiceNameAzureRM=1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx
##[debug]1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx auth scheme = ServicePrincipal
##[debug]Setting up provider for authorization scheme: serviceprincipal.
...
...
##[debug]1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx auth param serviceprincipalid = ***
##[debug]1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx auth param serviceprincipalkey = ***
##[debug]Finished up provider for authorization scheme: serviceprincipal.
##[debug]exec tool: /opt/hostedtoolcache/terraform/1.5.7/x64/terraform
##[debug]arguments:
##[debug] plan
##[debug] -out=tfplan
##[debug] -var
##[debug] test=test
##[debug] -detailed-exitcode
As a test can you hardcode the names of your service connections so you can rule out any variable configuration?
from azure-pipelines-terraform.
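The debug lines in the comment above are enough to verify, from a pipeline's own log, that init and plan resolved to two different service connections, that both use the same auth scheme (the fix that worked for the commenter), and that the secret parameters were masked. This Python is an added example, not code from the thread or from the task; SAMPLE_LOG is a constructed excerpt of the quoted lines (the ids are the commenter's redacted placeholders) and the findings it reports are my own choice of checks.

```python
import re

# Constructed sample modelled on the ##[debug] lines quoted above; the ids are
# the commenter's redacted placeholders, not real values.
SAMPLE_LOG = """\
##[debug]backendServiceArm=5cd4e6b5-xxxx-479e-beed-xxxxxxxxx
##[debug]5cd4e6b5-xxxx-479e-beed-xxxxxxxxx auth scheme = ServicePrincipal
##[debug]Setting up backend for authorization scheme: serviceprincipal.
##[debug]environmentServiceNameAzureRM=1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx
##[debug]1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx auth scheme = ServicePrincipal
##[debug]1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx auth param serviceprincipalid = ***
##[debug]1c2ad8ed-xxxx-4d31-91b1-xxxxxxxxx auth param serviceprincipalkey = ***
"""
# The three line shapes the task logs for a service connection (endpoint).
ENDPOINT_RE = re.compile(r"^##\[debug\](backendServiceArm|environmentServiceNameAzureRM)=(\S+)$")
SCHEME_RE = re.compile(r"^##\[debug\](\S+) auth scheme = (\S+)$")
PARAM_RE = re.compile(r"^##\[debug\](\S+) auth param (\S+) = (.*)$")


def parse_debug_log(log):
    """Map endpoint id -> which task input(s) named it, its auth scheme, its auth params."""
    endpoints = {}
    for line in log.splitlines():
        m = ENDPOINT_RE.match(line)
        if m:  # the same endpoint may be logged twice, as in the init log above
            info = endpoints.setdefault(m.group(2), {"inputs": set(), "scheme": None, "params": {}})
            info["inputs"].add(m.group(1))
            continue
        m = SCHEME_RE.match(line) or PARAM_RE.match(line)
        if m and m.group(1) in endpoints:
            if m.re is SCHEME_RE:
                endpoints[m.group(1)]["scheme"] = m.group(2)
            else:
                endpoints[m.group(1)]["params"][m.group(2)] = m.group(3)
    return endpoints


def check_split(endpoints):
    """Findings: distinct init/plan endpoints, one shared auth scheme, every key/secret masked."""
    findings = []
    backend = [e for e, i in endpoints.items() if "backendServiceArm" in i["inputs"]]
    provider = [e for e, i in endpoints.items() if "environmentServiceNameAzureRM" in i["inputs"]]
    if backend and backend == provider:
        findings.append("backend and provider resolved to the same endpoint")
    schemes = sorted({str(i["scheme"]) for i in endpoints.values()})
    if len(schemes) > 1:
        findings.append("mixed auth schemes: " + ", ".join(schemes))
    for e, i in endpoints.items():
        for k, v in i["params"].items():
            if ("key" in k.lower() or "secret" in k.lower()) and v != "***":
                findings.append(f"unmasked secret parameter {k} on {e}")
    return findings
```

Run it over the full `system.debug=true` log of a failing job and the findings tell you directly whether the two inputs resolved to the connections you expected.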
I already verified the variable replacement via a temp debug pipeline. All variables were replaced properly and the service connections worked fine as well, using an Azure PowerShell task as a test. Both service connections are Azure Resource Manager automatic connections with only the subscription filled in.
from azure-pipelines-terraform.
I have a PowerShell script where I call terraform directly, locally. I added a secret to both App Registrations the service connections point to. When I do this, my PowerShell script calling terraform init and plan works fine. For init I set the backend SP and for plan the deployment SP. This confirms to me the issue is related to the pipeline task.
# init: the backend (state) service principal is passed via -backend-config
terraform init `
-var-file="$($TerraformVariablesFile)" `
-backend-config="tenant_id=$($WorkspaceCredentials.TenantId)" `
-backend-config="subscription_id=$($WorkspaceCredentials.SubscriptionId)" `
-backend-config="client_id=$($WorkspaceCredentials.ClientId)" `
-backend-config="client_secret=$($WorkspaceCredentials.ClientSecret)" `
-backend-config="resource_group_name=$($TerraformResourceGroupName)" `
-backend-config="storage_account_name=$($TerraformStorageAccountName)" `
-backend-config="container_name=$($TerraformContainerName)" `
-backend-config="key=$($TerraformStateFile)"
# plan: the deployment service principal is passed to the azurerm provider via ARM_* env vars
$env:ARM_TENANT_ID = $DeploymentCredentials.TenantId
$env:ARM_SUBSCRIPTION_ID = $DeploymentCredentials.SubscriptionId
$env:ARM_CLIENT_ID = $DeploymentCredentials.ClientId
$env:ARM_CLIENT_SECRET = $DeploymentCredentials.ClientSecret
terraform plan -var-file="$($TerraformVariablesFile)" -out="$($TerraformPlanFile)" -detailed-exitcode *>&1 | Out-Host
from azure-pipelines-terraform.
I cannot replicate the issue you are seeing with the same id for both backend and environment service connections.
I will see if I can replicate your setup better. You have two subscriptions with the same tenant, correct?
br
Manuel
from azure-pipelines-terraform.
Correct. The setup:
- Azure DevOps is tenant A
- Terraform backend service connection
  - tenant B, subscription A
- Deployment service connection
  - tenant B, subscription B
- I'm invited as a guest in tenant B, belonging to tenant A
I don't see in this repo where the environment principal is resolved. I only see that it uses the property to detect the authentication scheme. I don't see it actually using the environment service connection to resolve the client/secret, but maybe I'm wrong. I also see no sign-in log for this service connection in Azure DevOps under the service connection.
We are using a yaml pipeline, not a classic pipeline. Maybe your tests assume variables to be set by the pipeline infrastructure and maybe that's not the case with the yaml pipeline. Could there be a difference between classic and yaml pipeline?
from azure-pipelines-terraform.
Hi, unfortunately I cannot replicate your setup as I do not have a way to create two subs in my tenants (one is a Visual Studio subscription and in the other I do not have high enough rights to create a new subscription).
I also use YAML pipelines. The two differences I see in my setup: 1. I have two tenants with one subscription in each. 2. I don't use variables for service connection names.
backendServiceArm: 'spMSDN2' and environmentServiceNameAzureRM: 'TerraformSP'
from azure-pipelines-terraform.
For me it's no longer an issue. I took the easy way out and I am targeting a single subscription.
from azure-pipelines-terraform.
Hi there!
I was seeing a similar problem on a separate thread. I would really like to target a separate subscription. It is important for my organization to have our sensitive information (the tf state) on a different subscription that we can really limit access to.
I've taken the easy way out as a stopgap, but this is still an issue I'd love to see resolved.
from azure-pipelines-terraform.
When I look at the source code in this repo I don't see that the subscription and tenant id is being set based on environmentServiceNameAzureRM. Can you at least verify this, just by debugging the task? Where does it take the connection information from environmentServiceNameAzureRM?
from azure-pipelines-terraform.
We can confirm that the issue occurs when you have two subscriptions in a single tenant. Tenant A with subscription A for state and subscription B for deployment fails. It works when you have tenant A with subscription A for state and tenant B with subscription B for deployment.
We have a pipeline with the scenario that fails and one with the scenario that succeeds. Both pipelines use the same tasks. The failing pipeline succeeds for the stage where state and deployment use the same subscription.
from azure-pipelines-terraform.
from azure-pipelines-terraform.
Yes, when I follow the flow, it should indeed work as intended. Strange....
How do you debug pipeline tasks? When I read this https://learn.microsoft.com/en-us/azure/devops/extend/develop/add-build-task?view=azure-devops I guess you are basically left with the mocha tests.
from azure-pipelines-terraform.
Hi, it is pretty complex to debug but possible; however, I have not been successful. I use console.log() a lot in the non-public dev version of the task.
From the MS Learn docs:
https://learn.microsoft.com/en-us/azure/devops/extend/develop/add-build-task?view=azure-devops#run-the-task
Docs from azure-pipelines-tasks:
https://github.com/microsoft/azure-pipelines-tasks/blob/master/docs/debugging.md#debugging-typescript-tasks-in-vs-code
Not sure the link below works for build extensions, but it should work for UI stuff.
Using hot reload:
https://github.com/microsoft/azure-devops-extension-hot-reload-and-debug
from azure-pipelines-terraform.