jason-johnson / azure-pipelines-tasks-terraform

Azure Pipelines extension for Terraform
MIT License

Cannot use TerraformCLI@0 with service connexion that uses client certificate #270

Open charlesb87 opened 2 years ago

charlesb87 commented 2 years ago

Describe the bug

I'm trying to authenticate to Azure using TerraformCLI@0 and a service connexion with a client certificate (and not a password).

To Reproduce

          - task: TerraformCLI@0
            inputs:
                command: "init"
                backendType: "azurerm"
                backendServiceArm: "myServiceConnexion"
                ensureBackend: true
                backendAzureRmResourceGroupName: "myResourceGroup"
                backendAzureRmResourceGroupLocation: francecentral
                backendAzureRmStorageAccountName: "myStorageAccount"
                backendAzureRmContainerName: terraform
                backendAzureRmKey: "my.terraform.tstate"
            displayName: "Run terraform init"

Expected behavior

We can authenticate to Azure using a service connexion that uses a client certificate instead of a password.

Pipeline Logs

2022-05-14T07:39:18.8655405Z ##[section]Starting: terraform init
2022-05-14T07:39:18.8665175Z ==============================================================================
2022-05-14T07:39:18.8665544Z Task         : Terraform
2022-05-14T07:39:18.8666244Z Description  : Execute terraform commands to manage resources on AzureRM, Amazon Web Services(AWS) and Google Cloud Platform(GCP)
2022-05-14T07:39:18.8666671Z Version      : 2.203.0
2022-05-14T07:39:18.8666939Z Author       : Microsoft Corporation
2022-05-14T07:39:18.8667266Z Help         : [Learn more about this task](https://aka.ms/AAf0uqr)
2022-05-14T07:39:18.8667654Z ==============================================================================
2022-05-14T07:39:19.2254174Z [command]/opt/hostedtoolcache/terraform/1.1.7/x64/terraform init -backend-config=storage_account_name=sssss -backend-config=container_name=terraform -backend-config=key=sssss.tfstate -backend-config=resource_group_name=ssss -backend-config=subscription_id=ssss -backend-config=tenant_id=ssss -backend-config=use_msi=true
2022-05-14T07:39:19.2255617Z 
2022-05-14T07:39:19.2256321Z Initializing the backend...
2022-05-14T07:39:19.2256864Z ╷
2022-05-14T07:39:19.2260449Z │ Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "ssss": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/sssss/resourceGroups/sss/providers/Microsoft.Storage/storageAccounts/sssss/listKeys?api-version=2021-01-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F
2022-05-14T07:39:19.2262769Z │ 
2022-05-14T07:39:19.2265036Z │ 
2022-05-14T07:39:19.2265667Z ╵
2022-05-14T07:39:19.2266519Z 
2022-05-14T07:39:19.2303858Z ##[error]Error: The process '/opt/hostedtoolcache/terraform/1.1.7/x64/terraform' failed with exit code 1
2022-05-14T07:39:19.2318122Z ##[section]Finishing: terraform init

Agent Configuration

voroniys commented 2 years ago

I have the same issue, but the pipeline output is different - mine is failing on executing az login:

/usr/bin/az login --service-principal -t xxxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxx -u *** -p
ERROR: argument --password/-p: expected one argument

The service connection I'm using is for the principal which is using a certificate.
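
A pre-flight check for the bare `-p` failure shown in the comment above, as an added example that is not part of this thread or of the extension's code. The names `SP_CLIENT_ID`, `SP_TENANT_ID`, `SP_CLIENT_SECRET`, `SP_CERT_PATH` and `AZ` are hypothetical, and it assumes a PEM file holding both private key and certificate, which `az login --service-principal` accepts as the `-p` value.

```shell
#!/bin/sh
# Added example. Hypothetical inputs (not names used by the extension):
#   SP_CLIENT_ID, SP_TENANT_ID  service principal and tenant
#   SP_CLIENT_SECRET            set for password-based principals
#   SP_CERT_PATH                PEM (private key + certificate) for cert-based ones
#   AZ                          command to run, defaults to az

# Print the usable credential type; fail instead of guessing.
sp_auth_mode() {
  if [ -n "${SP_CERT_PATH:-}" ]; then
    [ -r "$SP_CERT_PATH" ] || { echo "cannot read $SP_CERT_PATH" >&2; return 2; }
    grep -q 'BEGIN CERTIFICATE-----' "$SP_CERT_PATH" ||
      { echo "PEM has no certificate" >&2; return 2; }
    grep -q 'BEGIN .*PRIVATE KEY-----' "$SP_CERT_PATH" ||
      { echo "PEM has no private key" >&2; return 2; }
    echo certificate
  elif [ -n "${SP_CLIENT_SECRET:-}" ]; then
    echo secret
  else
    echo "no client secret and no certificate supplied" >&2
    return 1
  fi
}

# Run "az login" only with a complete argument list, so -p is never bare.
az_login_checked() {
  mode=$(sp_auth_mode) || return $?
  if [ -z "${SP_CLIENT_ID:-}" ] || [ -z "${SP_TENANT_ID:-}" ]; then
    echo "SP_CLIENT_ID or SP_TENANT_ID missing" >&2
    return 1
  fi
  set -- login --service-principal -t "$SP_TENANT_ID" -u "$SP_CLIENT_ID"
  case "$mode" in
    certificate) set -- "$@" -p "$SP_CERT_PATH" ;;
    secret)      set -- "$@" -p "$SP_CLIENT_SECRET" ;;
  esac
  "${AZ:-az}" "$@"
}

# Constructed demo: no credential present, "echo" stands in for az.
( unset SP_CLIENT_SECRET SP_CERT_PATH; AZ=echo az_login_checked ) ||
  echo "login refused before az was called (exit $?)"
```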