Closed tcostantini closed 9 months ago
@jaredfholgate is this related to your new feature or something else?
@jaredfholgate is this related to your new feature or something else?
I am unsure. Will need to try to replicate and report back.
I get the same issue, but not seeing this call in the code. I suspect this is something on the Azure DevOps side that has changed or may be a temporary issue as has been working until recently.
I see there were a lot of reports of this issue back in May: https://github.com/search?q=TypeError%3A+Cannot+read+property+%27retrieveSecret%27+of+undefined&type=issues&p=1
I will continue to take a look as time allows and report back if I find anything.
The Microsoft DevLabs task is working fine, so may be related to dependency versions or similar.
I have narrowed it down to being this getEndpointAuthorization
function call:
This is only called for Workload identity federation.
It is called via the function getSystemAccessToken
: https://github.com/microsoft/azure-pipelines-tasks-common-packages/blob/71eaf44f46088bc6cfe11686f7a90024a377c740/common-npm-packages/artifacts-common/webapi.ts#L25C21-L25C45
The getSystemAccessToken
function is called from getFederatedToken
: https://github.com/microsoft/azure-pipelines-tasks-common-packages/blob/71eaf44f46088bc6cfe11686f7a90024a377c740/common-npm-packages/artifacts-common/webapi.ts#L44
This function getFederatedToken
is called from here in the task: https://github.com/jason-johnson/azure-pipelines-tasks-terraform/blob/7763c7f8ffcff72e4b6f02361523b722040ccba3/tasks/terraform-cli/src/context/azdo-task-context.ts#L267C57-L267C57
The DevLabs task is referencing version 4.1.0 of azure-pipelines-task-lib
.
This task is referencing version 3.4.0 of azure-pipelines-task-lib
.
They both have the same version of azure-pipelines-tasks-artifacts-common
, which is 2.225.0.
I'm wondering if updating that npm package may help to resolve it.
Both tasks are calling the same method. I am testing with the exact same pipeline with the same project, service connection, etc, just replacing the code for the task.
The relevant section of the debug logs for the DevLabs task look like this
##[debug]System.TeamProjectId=55876c40-f2c8-44ca-9144-68e109f5640e
##[debug]System.HostType=build
##[debug]System.PlanId=4a285b39-8ac7-4191-8db7-e253f115c822
##[debug]System.JobId=eaf0d931-b258-5b12-bfe1-109b8eae4e7a
##[debug]System.CollectionUri=https://dev.azure.com/jared-holgate-microsoft-demos/
##[debug]Getting credentials for local feeds
##[debug]SYSTEMVSSCONNECTION exists true
##[debug]Got auth token
##[debug]Got OIDC token
The equivalent debug logs for this task look like this
##[debug]System.TeamProjectId=55876c40-f2c8-44ca-9144-68e109f5640e
##[debug]System.HostType=build
##[debug]System.PlanId=4a2e5842-8ac7-4191-8db7-e253f115c822
##[debug]System.JobId=eaf0d931-b258-5b12-bfe1-109b8eae4e7a
##[debug]System.CollectionUri=https://dev.azure.com/jared-holgate-microsoft-demos/
##[debug]Getting credentials for local feeds
##[debug]allowTelemetryCollection=true
##[error]TypeError: Cannot read property 'retrieveSecret' of undefined
It is odd that the Vault object would be missing that function altogether, but JavaScript...
I think updating the npm package should be the first port of call and then dig deeper from there.
Ok, that sounds good. How hard would it be to set up a test for this functionality? I have some of the tests turned off because the subscription I am using wouldn't be able to set up the necessary infrastructure (e.g. multiple subscriptions, management groups, etc.)
Ok, that sounds good. How hard would it be to set up a test for this functionality? I have some of the tests turned off because the subscription I am using wouldn't be able to set up the necessary infrastructure (e.g. multiple subscriptions, management groups, etc.)
Hi. I have built a new version and tested. It is working with the updated dependency.
In terms of adding a test, we can definitely do that. Will raise a separate PR for it an discuss getting access etc.
I think we should merge and release this PR ASAP in the meantime to get the functionality working .
@tcostantini Just a quick update. We have a fix for this and it has been merged, we are in the process of promoting and testing. Once it is live, I will send you another update and you can confirm that it is resolved for you. Thanks
@tcostantini The fix is now rolled out in version 1.0.3. I will close this issue for now, but please test and let me know.
@jaredfholgate thanks, I've tested it now, and with version 1.0.3 I'm not getting that error anymore, and it seems to go past a few steps.
However when it starts initializing the backend, I get a new error:
The backend configuration argument "oidc_token" given on the command line is not expected for the selected backend type.
, but I'm not passing the oidc_token argument.
This is the screenshot:
This is the command line that the logs show (with some details redacted):
/agent/_work/_tool/terraform/1.2.7/x64/terraform init -backend-config=storage_account_name=<redacted> -backend-config=container_name=terraformstate -backend-config=key=dm/infra_environment_dev_oms_/001_Resource_Groups.tfstate -backend-config=resource_group_name=shared-nonprod-dm-uks-shared-rg-001 -backend-config=subscription_id=<redacted> -backend-config=tenant_id=<redacted> -backend-config=client_id=*** -backend-config=oidc_token=<redacted> -backend-config=use_oidc=true
Please note also that the token appears in plain text in that command.
I'm not sure if I'm missing something, but the pipeline and its parameters are the same as the ones I attached previously, except for the change of the task version from 1.0.2 to 1.0.3.
@jaredfholgate thanks, I've tested it now, and with version 1.0.3 I'm not getting that error anymore, and it seems to go past a few steps.
However when it starts initializing the backend, I get a new error:
The backend configuration argument "oidc_token" given on the command line is not expected for the selected backend type.
, but I'm not passing the oidc_token argument.
This is the screenshot:
This is the command line that the logs show (with some details redacted):
/agent/_work/_tool/terraform/1.2.7/x64/terraform init -backend-config=storage_account_name=<redacted> -backend-config=container_name=terraformstate -backend-config=key=dm/infra_environment_dev_oms_/001_Resource_Groups.tfstate -backend-config=resource_group_name=shared-nonprod-dm-uks-shared-rg-001 -backend-config=subscription_id=<redacted> -backend-config=tenant_id=<redacted> -backend-config=client_id=*** -backend-config=oidc_token=<redacted> -backend-config=use_oidc=true
Please note also that the token appears in plain text in that command.
I'm not sure if I'm missing something, but the pipeline and its parameters are the same as the ones I attached previously, except for the change of the task version from 1.0.2 to 1.0.3.
Which version of the azurerm provider are you using? Does it support OIDC?
Looks like it was introduced in 1.3.4.
Hi @jaredfholgate , you're right. I was using an older version of terraform 1.2.7 (not the azurerm provider). Testing it with version 1.5.7 it worked just fine. Thanks a lot for all your help with this!
Hi @jaredfholgate Jared Holgate FTE , you're right. I was using an older version of terraform 1.2.7 (not the azurerm provider). Testing it with version 1.5.7 it worked just fine. Thanks a lot for all your help with this!
Great, thanks for letting us know. Glad it is working for you now.
Describe the bug Error in terraform init, while using workload identity federation in Azure DevOps. TypeError: "Cannot read property 'retrieveSecret' of undefined". Version of the TerraformCLI task, 1.0.2. Cloud provider, Azure.
To Reproduce Steps to reproduce the behavior:
Expected behavior The init step should run without errors using the service connection
Actual behavior The init step errors out with "##[error]TypeError: Cannot read property 'retrieveSecret' of undefined". Using the usual clientid + secret service connection, the init step works (even using the same app registration).
Screenshots Error in devops:
Pipeline Logs logs_81148-redacted.zip
Agent Configuration
Additional context Add any other context about the problem here.