Open jaredfholgate opened 1 year ago
crw
commented
1 year ago Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!
Noel-Jones
commented
3 months ago Is there likely to be a resolution for this? I've ended up here having spent a fair while trying to reasearch why my CI/CD pipelines fail to apply changes if I don't complete the manual validation within 10 minutes. After this time applying the plan file fails with the error "AADSTS700024: Client assertion is not within its valid time range". All this became an issue after I switched to the "recommended" use of Workload Identites. I arrived here via https://github.com/microsoft/azure-pipelines-terraform/issues/201 and https://github.com/microsoft/azure-pipelines-terraform/issues/89
It does not appear to be clear in the initial use case / description just how much of an issue this appears to be for many people. 33 people have upvoted this but I believe a lot more would if they found their way here.
I have seen a few references to workarounds but with no clear examples of quite what to do. If anyone can advise a workaround then I would be grateful if they could post details.
crw
commented
3 months ago @Noel-Jones it is possible this could be addressed, but difficult to say how likely or when. Thanks for the additional use case!
magodo
commented
3 months ago Related: https://github.com/hashicorp/terraform/pull/35381 (though closed)
jaredfholgate
commented
3 months ago I think it is worth re-visiting this and adding some clarity as there are a few overlapping issues at play here:
Hopefully that helps in some way or I may have caused extra confusion...
jpomfret
commented
1 month ago Hey folks, Just here to ask for any updates on this, or if there is a suggested workaround - I've had a read through some issues but it's not clear whether there is a suitable workaround.
I am in the same situation as @Noel-Jones - in that I have a pipeline that does init, plan, then a manual approval step - then the apply stage is next - if the gap between init and apply is > 10 mins I get the following error:
AADSTS700024: Client assertion is not within its valid time range. I'm using TerraformCLI@1 tasks - would changing to use AzureCLI@2 tasks work here? or is the problem not in the task, but in the terraform calls themselves?
Cheers
gbordier
commented
1 month ago Hey folks, it looks like we had a solution for this in #35381 that conflicted with a change @manicminer wanted to do on the azure backend. do we have any more news on this ?
Nullh
commented
3 weeks ago @jpomfret Did you have a go with AzureCli@2 task? I've got a similar issue and unpicking all the submodules to give it a go is a bit daunting if it doesn't help :D
Terraform Version
Use Cases
I want to use
azCLI service principal authentication in my CI / CD pipelines. I am able to do that with the upgraded authentication in the provider forplanandapply, butinitdoes not support it for theazurermbackend.I'd like to have a consistent authentication experience across all commands.
The original driver for this is running
terraform testwith OIDC auth. Since the Azure DevOps ID Token is only valid for 10 minutes and each test configures a new provider for each time it times out if there are a few tests in there.Attempted Solutions
There is no solution other than using the existing mechanism to supply service principal credentials.
Proposal
Update the
azurermbackend authentication code to match the provider code.References
For clarity, this is the line in v0.43.0 of the target library that explicitly breaks SP auth with CLI: https://github.com/hashicorp/go-azure-helpers/blob/202cb910fbce8b8a78fe6e40177569b6ad59e885/authentication/auth_method_azure_cli_token.go#L72
The target library has significantly changed since that version and that code no longer exists in there.
No response