Open dvmorris opened 4 years ago
Hi,
I am having the same problem. I am using multistage pipelines and the second time I run init it fails.
Terraform init works in my validate step. When I try to run init again in the plan step it fails with the same errors.
```
/usr/local/bin/terraform init -backend-config=bucket=terraform_state -backend-config=prefix=dev -backend-config=credentials=/home/vsts/work/1/s/credentials-cfa5ddfd-8e2c-40bc-80b2-905615f69578.json
Initializing modules...

Initializing the backend...
Backend configuration changed!

Terraform has detected that the configuration specified for the backend has changed. Terraform will now check for existing state in the backends.

Error: Error parsing credentials '/home/vsts/work/1/s/credentials-cfa5ddfd-8e2c-40bc-80b2-905615f69578..json': invalid character '/' looking for beginning of value
Finishing: Terraform initialize
```
This is the structure of the pipeline.
```yaml
trigger:
  batch: true
  branches:
    include:

stages:
- stage: Validate
  displayName: Validate Terraform
  variables:
  - name: templatePath
    value: src/terraform/resources
  - name: artifacts
    value: SC-Infrastructure-artifacts
  jobs:
  - job: Validate
    pool:
      vm: ubuntu-latest
    workspace:
      clean: all
    steps:
    - template: pipelines/terraform-action.yaml
      parameters:
        environment: dev
        region: aae
        action: validate
        workingDirectory: $(templatePath)
    - publish: src/terraform
      artifact: $(artifacts)
- template: pipelines/terraform-plan.yaml
  parameters:
    name: Plan_DEV_AAE
    displayName: Plan DEV AAE
    dependsOn: Validate
    environment: dev
    region: aae
```
So the step/action validate works. But when the subpipeline gets called (terraform-plan.yaml), it fails.
```yaml
parameters:

stages:
- stage: ${{ parameters.name }}
  displayName: ${{ parameters.displayName }}
  dependsOn: ${{ parameters.dependsOn }}
  jobs:
  - job: Plan
    pool:
      vm: ubuntu-latest
    workspace:
      clean: all
    steps:
    - download: current
      artifact: ${{ parameters.artifact }}
    - template: terraform-action.yaml
      parameters:
        environment: ${{ parameters.environment }}
        region: ${{ parameters.region }}
        action: plan
        workingDirectory: ${{ parameters.workingDirectory }}
```
terraform-action.yaml

```yaml
parameters:

steps:
- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV1@0
  displayName: 'Terraform initialize'
  inputs:
    provider: gcp
    backendServiceGCP: 'gcp-dev-rom'
    backendGCPBucketName: 'terraform_state'
    backendGCPPrefix: '${{ parameters.environment }}'
    workingDirectory: "${{ parameters.workingDirectory }}"
- bash: |
    chmod -R 755 '${{ parameters.workingDirectory }}'
  displayName: fix file permissions
- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV1@0
  displayName: "Terraform ${{ parameters.action }}"
  inputs:
    provider: gcp
    command: ${{ parameters.action }}
    ${{ if or(eq(parameters.action, 'plan'), eq(parameters.action, 'apply'), eq(parameters.action, 'destroy')) }}:
      environmentServiceNameGCP: 'gcp-${{ parameters.environment }}-rom'
    backendServiceGCP: 'gcp-${{ parameters.environment }}-rom'
    backendGCPBucketName: 'rom_terraform_state'
    backendGCPPrefix: '${{ parameters.environment }}'
    workingDirectory: "${{ parameters.workingDirectory }}"
    ${{ if not(eq(parameters.action, 'validate')) }}:
      commandOptions: '-var-file="${{ parameters.environment }}.tfvars" -var "region=${{ parameters.region }}"'
```
I can get it working if I remove multi-stage pipelines. Is it possible you can check if this extension is compatible with multistage pipelines? I think when you run multiple terraform inits, the terraform detects a backend change and wants to reinit and then cannot read the credential file.
So multistage pipelines seem to cause this.
I am able to use TerraformTaskV1 with a GCP Service Connection successfully, but when I also have a set of gcloud commands in my pipeline that also establishes an authenticated connection to GCP, the TerraformTaskV1 no longer authenticates in subsequent build tasks.
Download Secure File (GCP Service Account JSON Key File)
bash Task Step
Terraform Task Output
To reiterate, the TerraformTaskV1 works fine when I don't have any bash scripts that call `gcloud auth activate-service-account ...`, and it only stops working when I add in this step before the TerraformTaskV1 task. Somehow the service account key file that is generated in this code: https://github.com/microsoft/azure-pipelines-extensions/blob/master/Extensions/Terraform/Src/Tasks/TerraformTaskV1/src/gcp-terraform-command-handler.ts#L23-L24 is corrupted somehow by the introduction of this gcloud authentication step.