microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

TerraformTask init support for AzureAD Authentication access the Blob Storage Account #118

Closed almir0 closed 8 months ago

almir0 commented 1 year ago

I want to disable authentication with shared keys to the storage account that I use for the terraform backend, and terraform supports this by adding use_azuread_auth as described here: https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#use_azuread_auth

TerraformTask should also support that

- task: TerraformTaskV2@2
  displayName: "Terraform : azurerm -> init"
  inputs:
    provider: "azurerm"
    command: "init"
    workingDirectory: '$(Pipeline.Workspace)/$(artifactsName)/${{ parameters.tf_main_module }}'
    backendServiceArm: ${{ parameters.serviceConnectionName }}
    backendAzureRmResourceGroupName: $(backendAzureRmResourceGroupName)
    backendAzureRmStorageAccountName: $(backendAzureRmStorageAccountName)
    backendAzureRmContainerName: $(backendAzureRmContainerName)
    backendAzureRmKey: $(backendAzureRmKey)
    useAzureAdAuth: $(useAzureAdAuth)   # <-------------- SOMETHING LIKE THIS (proposed input)

mericstam commented 1 year ago

Hi, I will take a look at this.

mericstam commented 1 year ago

After some investigating, I am not sure this will work as the extension only supports Authenticating with Service Principal.

almir0 commented 1 year ago

> After some investigating, I am not sure this will work as the extension only supports Authenticating with Service Principal.

Thanks for looking into this. Would it be possible to implement support for AzureAD auth support?

loopyd commented 1 year ago

AzureAD is being deprecated, this isn't wise to implement. Please see: https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview , as MSA1 will become the standard soon.

Please use subscription scoped RBAC, choose "auto" mode, then move over to your tenant and add the SP to the subscription as "Contributor" -- Though I recommend you define a custom role (best practice) instead of Contributor, to scope down permissions, this gets it working.

⛔ Please do NOT give an app "Contributor" and leave it this way in production. Scope down the SP's role in your subscription accordingly.

Tolbin400 commented 1 year ago

> AzureAD is being deprecated, this isn't wise to implement. Please see: https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview , as MSA1 will become the standard soon.
>
> Please use subscription scoped RBAC, choose "auto" mode, then move over to your tenant and add the SP to the subscription as "Contributor" -- Though I recommend you define a custom role (best practice) instead of Contributor, to scope down permissions, this gets it working.
>
> ⛔ Please do NOT give an app "Contributor" and leave it this way in production. Scope down the SP's role in your subscription accordingly.

Hi, AzureAD isn't being deprecated, just the legacy AzureAD Graph API, in favor of the new Microsoft Graph API, which also uses AzureAD.

The support for the use of Azure AD within the terraform init command when using azure storage for the backend is vital if you want to disable the use of shared keys on the target storage account as recommended by Microsoft.

Tunderwood93 commented 1 year ago

@almir0 What you're trying to do can be accomplished by configuring your backend.tf file like so.

terraform {
  backend "azurerm" {
    storage_account_name = "StorageAccountNameHere"
    container_name       = "StorageAccountContainerNameHere"
    key                  = "NameOfStateFileHere"
    use_azuread_auth     = true   # data-plane access via the service connection identity, no shared key
  }
}

Subsequently your ADO Pipeline Task will look like this

- task: TerraformTaskV4@4
  displayName: "Terraform init"
  inputs:
    command: 'init'
    backendServiceArm: ${{ parameters.bkServiceArm }}
    backendAzureRmStorageAccountName: ${{ parameters.bkStorageAccountName }}
    backendAzureRmResourceGroupName: ${{ parameters.bkResourceGroup }}
    backendAzureRmContainerName: ${{ parameters.bkStorageContainer }}
    backendAzureRmKey: ${{ parameters.bkKey }}

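The pattern in the comment above works because the task only supplies the service connection's credentials and the storage coordinates; the `use_azuread_auth` flag comes from the HCL block. What a pipeline cannot easily see is whether a given `backend.tf` still leaves a shared-key path open (the flag missing, or `access_key`/`sas_token` configured). The following pre-flight check is an added example, not code from this thread or from the azure-pipelines-terraform project. It parses the flat `name = value` form of a `backend "azurerm"` block and fails when the backend could still authenticate with the account key. `HARDENED_BACKEND` mirrors the block posted above; `WEAK_BACKEND` and its placeholder `access_key` are constructed for the demo. The environment variable names it inspects (`ARM_USE_AZUREAD`, `ARM_ACCESS_KEY`, `ARM_SAS_TOKEN`) are the azurerm backend's own equivalents of the corresponding arguments.

```python
"""Pre-flight check for an azurerm Terraform backend: refuse to run
`terraform init` while the state storage account could still be reached
with a shared key instead of the Azure AD identity of the pipeline.

Added example, not part of the azure-pipelines-terraform project.
"""
import os
import re

# Constructed samples: the hardened block from the thread, and a weak
# variant that still carries an account key (placeholder value, not real).
HARDENED_BACKEND = """
terraform {
  backend "azurerm" {
    storage_account_name = "StorageAccountNameHere"
    container_name       = "StorageAccountContainerNameHere"
    key                  = "NameOfStateFileHere"
    use_azuread_auth     = true
  }
}
"""

WEAK_BACKEND = """
terraform {
  backend "azurerm" {
    storage_account_name = "StorageAccountNameHere"
    container_name       = "StorageAccountContainerNameHere"
    key                  = "NameOfStateFileHere"
    access_key           = "0123456789abcdef=="   # constructed placeholder
  }
}
"""

# Body of the backend block, up to the first line that closes a brace.
_BLOCK_RE = re.compile(r'backend\s+"azurerm"\s*\{(.*?)\n\s*\}', re.S)
# One `name = value` line, with an optional trailing `# comment`.
# Limitation: a quoted value containing " #" would be truncated.
_KV_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*(?:#.*)?$', re.M)

# Backend arguments and env vars that carry shared-key material.
SHARED_KEY_ARGS = ("access_key", "sas_token")
SHARED_KEY_ENV = ("ARM_ACCESS_KEY", "ARM_SAS_TOKEN")


def parse_backend(hcl):
    """Return the azurerm backend arguments as {name: value}.

    Only the flat form is handled: quoted strings are unquoted and
    true/false become Python bools. Nested blocks are out of scope.
    """
    match = _BLOCK_RE.search(hcl)
    if not match:
        raise ValueError('no backend "azurerm" block found')
    args = {}
    for name, raw in _KV_RE.findall(match.group(1)):
        args[name] = (raw == "true") if raw in ("true", "false") else raw.strip('"')
    return args


def shared_key_findings(hcl, env=None):
    """List the reasons this backend could still use shared-key auth.

    An empty list means the config relies on the Azure AD identity only,
    which is what you need before setting allowSharedKeyAccess=false on
    the storage account. `env` defaults to the process environment.
    """
    env = os.environ if env is None else env
    args = parse_backend(hcl)
    findings = []
    azuread = args.get("use_azuread_auth") is True \
        or env.get("ARM_USE_AZUREAD", "").lower() == "true"
    if not azuread:
        findings.append("use_azuread_auth is not true and ARM_USE_AZUREAD is not set: "
                        "the backend will authenticate with the storage account key")
    for name in SHARED_KEY_ARGS:
        if name in args:
            findings.append(f"{name} is configured: shared-key credential in backend config")
    for var in SHARED_KEY_ENV:
        if env.get(var):
            findings.append(f"{var} is set in the environment")
    return findings


def main():
    """Run the check over both samples; non-zero exit blocks the pipeline."""
    blocked = 0
    for label, cfg in (("hardened backend.tf", HARDENED_BACKEND),
                       ("weak backend.tf", WEAK_BACKEND)):
        findings = shared_key_findings(cfg, env={})
        print(f"[{'BLOCK' if findings else 'OK'}] {label}")
        for item in findings:
            print("   -", item)
        blocked += bool(findings)
    return 1 if blocked else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as a step before `TerraformTaskV4@4` with the real `backend.tf` in place of the samples. The check is deliberately static: it cannot tell whether the service connection's principal holds a data-plane role on the container (for example Storage Blob Data Contributor), and without one `init` will fail once `use_azuread_auth = true` is set, so assign that role before you turn shared-key access off on the account.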
almir0 commented 1 year ago

Thanks @Tunderwood93, I had missed version 4 of the Terraform task. Just tested and it works like a charm!

mericstam commented 8 months ago

closing this as resolved