jason-johnson / azure-pipelines-tasks-terraform

Azure Pipelines extension for Terraform
MIT License

Terraform backend initialization for AzureRM only support service principal authorization #388

Closed woutkonings closed 11 months ago

woutkonings commented 11 months ago

Describe the bug

Azure DevOps Service Connection authentication stopped working. Current way of authenticating using a service principal keeps giving me the same error:

##[error]Terraform backend initialization for AzureRM only support service principal authorization

To Reproduce

Before I had the current setup:

pipeline:

- task: TerraformCLI@0
  displayName: 'Terraform Init'
  inputs:
    command: 'init'
    workingDirectory: '$(Build.SourcesDirectory)/$(terraformFolder)'
    backendType: 'azurerm'
    backendServiceArm: $(terraformStateServiceConnection)
    backendAzureRmResourceGroupName: 'rg-terraform'
    backendAzureRmStorageAccountName: $(stateStorageAccName)
    backendAzureRmContainerName: 'tfstate'
    backendAzureRmKey: 'terraform.tfstate'

with main.tf:

terraform {
  backend "azurerm" {
    resource_group_name  = "rg-terraform"
    storage_account_name = var.state_storage_account_name
    container_name       = "tfstate"
    key                  = "terraform.tfstate"
  }
}

provider "azurerm" {
  skip_provider_registration = "true"
  features {}
}

Which threw the error: ##[error]Terraform backend initialization for AzureRM only support service principal authorization

This I have now changed to:

pipeline:

      - task: TerraformCLI@0
        displayName: 'Terraform Init'
        inputs:
          command: 'init'
          workingDirectory: '$(Build.SourcesDirectory)/$(terraformFolder)'
          backendType: 'azurerm'
          backendAzureRmResourceGroupName: 'rg-terraform'
          backendAzureRmStorageAccountName: $(stateStorageAccName)
          backendAzureRmContainerName: 'tfstate'
          backendAzureRmKey: 'terraform.tfstate'
        env:
          TF_VAR_ARM_CLIENT_ID: $(sp-terraform-clientid)
          TF_VAR_ARM_CLIENT_SECRET: $(sp-terraform-secret)
          TF_VAR_ARM_SUBSCRIPTION_ID: $(sp-terraform-subscriptionid)
          TF_VAR_ARM_TENANT_ID: $(sp-terraform-tenantid)

main.tf:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

provider "azurerm" {
  features {}

  client_id       = var.ARM_CLIENT_ID
  client_secret   = var.ARM_CLIENT_SECRET
  tenant_id       = var.ARM_TENANT_ID
  subscription_id = var.ARM_SUBSCRIPTION_ID
}

as per the latest Terraform documentation

Expected behavior

Should be working like this. Getting limited logging from the pipeline task.

Pipeline Logs

##[error]Terraform backend initialization for AzureRM only support service principal authorization

Agent Configuration

jason-johnson commented 11 months ago

As documented here, we only support service connections for the azurerm backendType. To do what you're trying to do the backendType needs to be self-configured.

jason-johnson commented 11 months ago

Closing. Functions as documented. If there is some issue with self-configured, feel free to re-open.
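The self-configured setup the maintainer points to, sketched as an added example that is not part of the thread or the extension's own documentation. It assumes the input value for that mode is `selfConfigured`, that the task supplies no backend settings in that mode, and that main.tf declares the `backend "azurerm"` block; variable names are reused from the issue.

```yaml
# Added example, not code from the issue thread.
# Assumption: 'selfConfigured' is the backendType value for the mode the
# maintainer calls "self-configured"; check the extension docs for your version.
- task: TerraformCLI@0
  displayName: 'Terraform Init'
  inputs:
    command: 'init'
    workingDirectory: '$(Build.SourcesDirectory)/$(terraformFolder)'
    backendType: 'selfConfigured'
    # Assumption: in this mode the task passes no backend settings itself, so
    # main.tf must contain the backend "azurerm" block (resource group,
    # container, key). A backend block cannot reference var.*, so a value that
    # varies per pipeline is supplied as a -backend-config argument instead.
    commandOptions: '-backend-config=storage_account_name=$(stateStorageAccName)'
  env:
    # The azurerm backend and provider read ARM_* from the environment.
    # TF_VAR_* names only populate Terraform input variables, which are not
    # available during backend initialization.
    # Secret pipeline variables are not exported to tasks automatically;
    # each one has to be mapped explicitly, as done here.
    ARM_CLIENT_ID: $(sp-terraform-clientid)
    ARM_CLIENT_SECRET: $(sp-terraform-secret)
    ARM_SUBSCRIPTION_ID: $(sp-terraform-subscriptionid)
    ARM_TENANT_ID: $(sp-terraform-tenantid)
```

With the credentials in `ARM_*`, the provider block needs no `client_secret` argument, which keeps the secret out of Terraform input variables and plan files.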