Comments (9)
The extension does not currently support having the state file in another subscription. Looking into what it would take to fix it
from azure-pipelines-terraform.
For me this is not a valid solution; we should be able to use the same service principal to store tfstate in a different subscription, at least if we could replace the backend data with a container id, for example.
@slawchod Are you able to detail the workaround you have in place? I am having a similar issue; it would be good to see what options there are.
Hi @cuzza0,
No problem. So in Azure DevOps, within terraform init, you are specifying all terraform backend details. Previously it was sufficient for terraform plan/apply, so in code it was like this:
terraform {
  backend "azurerm" {}
}
Now, when terraform backend settings from Azure DevOps are not taken fully from init to plan/apply, I've changed the code to include subscription details in the backend config in the code as well:
terraform {
  backend "azurerm" {
    subscription_id = "#{tfbeSubscriptionId}#"
  }
}
You might have a static value for subscription_id, but I prefer to have it as a variable and perform a replace-tokens task as the first step in the stage.
I hope it will help :)
Cheers!
Hi
I recently faced the same issue "Terraform: Allow state files to be stored in a different subscription" microsoft/azure-pipelines-extensions#707
I'm trying to deploy Azure resources and states in different subscriptions too:
- 1 Central Subscription to store tfstates
- "n" subscriptions to deploy Azure resources
I had the same 404 issue before, thanks @slawchod :1
terraform {
  backend "azurerm" {
    subscription_id = "#{tfbeSubscriptionId}#"
  }
}
Now I'm getting a 403 error on my "tfstate" storage container:
Error: Error loading state: Error retrieving keys for Storage Account "XXXXXX": storage.AccountsClient#ListKeys: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxxxxxxxxxxxxxxxxxxx' with object id 'xxxxxxxxxxxxxxxxxxxx does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/ssssssssssssssssssssssssss/resourceGroups/My-Central-States-123/providers/Microsoft.Storage/storageAccounts/centralstorageblabla' or the scope is invalid. If access was recently granted, please refresh your credentials."
Azure Pipeline YML (Terraform extension): despite using the parameter "backendServiceArm" (the service connection used for my TFStates subscription & RG), Terraform is still using the parameter "environmentServiceNameAzureRM" (the Azure environment to deploy resources; this SP should not have privileges on the TFStates sub/RG).
Find below my Azure Pipeline task YAML (Terraform extension):
- task: TerraformTaskV1@0
  displayName: 'Terraform Plan'
  name: terraformPlan
  inputs:
    provider: 'azurerm'
    command: 'plan'
    environmentServiceNameAzureRM: '#### SP used to deploy Azure Resources in my dev subscription**'
    backendServiceArm: '#### SP used to centralize Tfstates in my backend subscription'
    backendAzureRmResourceGroupName: 'My-Central-States-123'
    backendAzureRmStorageAccountName: 'mycentralstorage'
    backendAzureRmContainerName: 'mycentral-container-states'
    backendAzureRmKey: 'terraform.tfstate'
    workingDirectory: .......................
I tried several configurations... Do you have an idea?
Thanks
Trying to use a different subscription for the backend on TerraformTaskV3@3 with commandOptions gets ignored/duplicated, as it inserts subscription_id at the end using the default subscription of the SPN. Is there any other way to specify the subscription_id for the backend?
commandOptions: "-backend-config=subscription_id=$(backendAzureRmSubscriptionId)"
This same approach works if I set use_azure_ad to true on the backend and assign the Storage Blob Contributor role to the SPN. Why can't I do the same with the default graph?
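The 403 quoted earlier in the thread is the backend calling listKeys on the state storage account under the deployment service principal, and the comment just above reports that the error disappears once the backend authenticates with Azure AD and the principal holds a data-plane blob role. The following is an added example, not code from this thread or from the azure-pipelines-terraform extension: a backend block that pins the state subscription and switches to Azure AD authentication, plus a one-off bootstrap configuration that grants the deployment principal only Storage Blob Data Contributor scoped to the state container. The resource group, storage account, container and token names are the ones from the pipeline YAML above; the variable name deploy_principal_object_id and the bootstrap file layout are assumptions. Note that the HCL argument is use_azuread_auth, which the comment above refers to as use_azure_ad.

```hcl
# Added example; not code from the thread or the extension.
# Names taken from the pipeline YAML above; everything else is an assumption.

# --- backend.tf in the workload configuration -------------------------------
terraform {
  backend "azurerm" {
    # Pin the subscription that holds the state so the subscription_id that the
    # task injects from the deployment service connection is not the one used.
    # The token is replaced by a replace-tokens step before init, as the
    # earlier workaround in this thread does.
    subscription_id      = "#{tfbeSubscriptionId}#"
    resource_group_name  = "My-Central-States-123"
    storage_account_name = "mycentralstorage"
    container_name       = "mycentral-container-states"
    key                  = "terraform.tfstate"

    # Authenticate to the blob data plane with the principal's Azure AD token
    # instead of fetching the account keys. With this set the backend does not
    # call Microsoft.Storage/storageAccounts/listKeys/action, so the deployment
    # principal needs no control-plane rights on the storage account at all.
    use_azuread_auth = true
  }
}

# --- bootstrap/main.tf, applied once by an admin in the state subscription ---
provider "azurerm" {
  features {}
  subscription_id = "#{tfbeSubscriptionId}#"
}

variable "deploy_principal_object_id" {
  description = "Object id of the deployment service principal (assumed input)"
  type        = string
}

data "azurerm_storage_account" "state" {
  name                = "mycentralstorage"
  resource_group_name = "My-Central-States-123"
}

# Scope the role to the single state container, not the account, resource
# group or subscription, so the deployment principal can read and write its
# state blob and nothing else in the central state account.
resource "azurerm_role_assignment" "state_blob_access" {
  scope                = "${data.azurerm_storage_account.state.id}/blobServices/default/containers/mycentral-container-states"
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.deploy_principal_object_id
}
```

With this in place the plan/apply task running under environmentServiceNameAzureRM reaches the state only through the blob data plane, so a later AuthorizationFailed on listKeys like the one quoted above is a signal that the backend has fallen back to shared-key authentication (for example because use_azuread_auth was dropped from the merged backend config) rather than a reason to widen the principal's rights. The commenter above reports that Storage Blob Data Contributor is sufficient; the minimum role for a given Terraform version is documented with the azurerm backend and is worth confirming before relying on it.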
The extension does not currently support having the state file in another subscription. Looking into what it would take to fix it
I've checked the azurerm handler source code and it always injects the backend-config value subscription_id from the service connection. I believe adding another non-required value for the subscriptionId would be enough to handle it: if said parameter is null, assume the one from the service connection; otherwise, just use the supplied one.
The handling of the subscription_id can be observed here:
As a workaround I'm using custom to run init and supply the values myself. It does seem to introduce a weird issue with terraform providers running before terraform plan in the plan command task, but I managed to have it running nonetheless.
So after a bit of tinkering I managed to have two different service connections for separate subscriptions.
Just as in the original comment, I have the 'init' command on one service connection where I have my state files: backendServiceArm: 'myStatesSPN'
And on my 'plan' and 'apply' commands I set environmentServiceNameAzureRM: 'myProdSPN'
This way I have states and environments separated. The two different service connections are backed by totally different Azure subs with separate AAD.
I would think you need one service connection for each subscription you wish to deploy to. I only have two, so I can't test deploying to multiple subs.
Example:
- task: TerraformTaskV3@3
  displayName: 'terraform init'
  inputs:
    provider: 'azurerm'
    command: 'init'
    backendServiceArm: 'myStatesSPN'
    backendAzureRmResourceGroupName: 'terraform'
    backendAzureRmStorageAccountName: 'statestore'
    backendAzureRmContainerName: 'state'
    backendAzureRmKey: 'state.tfstate'
- task: TerraformTaskV3@3
  name: plan
  displayName: 'terraform plan'
  inputs:
    provider: 'azurerm'
    command: 'plan'
    commandOptions: '-out=tfplan'
    environmentServiceNameAzureRM: 'myProdSPN'
I agree that MS fixed that in TerraformTaskV3@3