microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Terraform apply fails with clientCredentialsToken already expired. #201

Open futojin opened 7 months ago

futojin commented 7 months ago

I have a pretty strange issue. Initially it failed randomly; now it's failing consistently. It appears the issue is that a token was valid 2 hours ago, before it was requested?!

2023-12-06T00:09:01.5213760Z ... Original Error: clientCredentialsToken: received HTTP status 401 with response: {
    "error": "invalid_client",
    "error_description": "AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-12-06T00:05:01.4821348Z, assertion valid from 2023-12-04T22:36:40.0000000Z, expiry time of assertion 2023-12-04T22:41:40.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: 883fdc44-ecca-43a1-b06a-814700b29800 Correlation ID: a0e44aa3-ef9a-4c5f-a199-3472dfd6b988 Timestamp: 2023-12-06 00:05:01Z",
    "error_codes": [700024],
    "timestamp": "2023-12-06 00:05:01Z",
    "trace_id": "883fdc44-ecca-43a1-b06a-814700b29800",
    "correlation_id": "a0e44aa3-ef9a-4c5f-a199-3472dfd6b988",
    "error_uri": "https://login.microsoftonline.com/error?code=700024"
}

The pipeline is running under Azure Container Instance, and I have checked that the log timestamp matches my local machine (give or take 10 seconds).

Strangely the first auth token negotiation earlier in the code seems to be successful. See timestamp 2023-12-06T00:01:25.5091505Z vs 2023-12-06T00:01:31.0398817Z

Which leads me to another question: was the entire thing attempted twice?

Full debug trace:

2023-12-06T00:01:19.8537115Z ##[section]Starting: Terraform apply
2023-12-06T00:01:19.8560363Z ==============================================================================
2023-12-06T00:01:19.8560793Z Task         : Terraform
2023-12-06T00:01:19.8561278Z Description  : Execute terraform commands to manage resources on AzureRM, Amazon Web Services(AWS) and Google Cloud Platform(GCP)
2023-12-06T00:01:19.8561762Z Version      : 4.227.24
2023-12-06T00:01:19.8562033Z Author       : Microsoft Corporation
2023-12-06T00:01:19.8562427Z Help         : [Learn more about this task](https://aka.ms/AAf0uqr)
2023-12-06T00:01:19.8562856Z ==============================================================================
2023-12-06T00:01:20.9658456Z [command]/azp/_work/_tool/terraform/1.6.3/x64/terraform providers
2023-12-06T00:01:25.4979252Z 2023-12-06T00:01:21.445Z [INFO]  Terraform version: 1.6.3
2023-12-06T00:01:25.4979658Z 
2023-12-06T00:01:25.4981474Z 2023-12-06T00:01:21.445Z [DEBUG] using github.com/hashicorp/go-tfe v1.36.0
2023-12-06T00:01:25.4982178Z Providers required by configuration:
2023-12-06T00:01:25.4983379Z 2023-12-06T00:01:21.445Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.19.1
2023-12-06T00:01:25.4983821Z .
2023-12-06T00:01:25.5006396Z 2023-12-06T00:01:21.445Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2023-12-06T00:01:25.5009358Z 2023-12-06T00:01:21.445Z [DEBUG] using github.com/zclconf/go-cty v1.14.1
2023-12-06T00:01:25.5010323Z 2023-12-06T00:01:21.445Z [INFO]  Go runtime version: go1.21.3
2023-12-06T00:01:25.5011269Z 2023-12-06T00:01:21.446Z [INFO]  CLI args: []string{"/azp/_work/_tool/terraform/1.6.3/x64/terraform", "providers"}
2023-12-06T00:01:25.5022714Z 2023-12-06T00:01:21.446Z [DEBUG] Attempting to open CLI config file: /root/.terraformrc
2023-12-06T00:01:25.5023701Z 2023-12-06T00:01:21.446Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-12-06T00:01:25.5024991Z 2023-12-06T00:01:21.446Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-12-06T00:01:25.5026037Z 2023-12-06T00:01:21.446Z [DEBUG] ignoring non-existing provider search directory /root/.terraform.d/plugins
2023-12-06T00:01:25.5027118Z 2023-12-06T00:01:21.446Z [DEBUG] ignoring non-existing provider search directory /root/.local/share/terraform/plugins
2023-12-06T00:01:25.5028175Z 2023-12-06T00:01:21.446Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2023-12-06T00:01:25.5029226Z 2023-12-06T00:01:21.446Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2023-12-06T00:01:25.5030126Z 2023-12-06T00:01:21.446Z [INFO]  CLI command args: []string{"providers"}
2023-12-06T00:01:25.5031110Z 2023-12-06T00:01:21.495Z [INFO]  Testing if Service Principal / Client Certificate is applicable for Authentication..
2023-12-06T00:01:25.5032358Z 2023-12-06T00:01:21.495Z [INFO]  Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:01:25.5033447Z 2023-12-06T00:01:21.495Z [INFO]  Testing if Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:01:25.5082425Z 2023-12-06T00:01:21.495Z [INFO]  Testing if OIDC is applicable for Authentication..
2023-12-06T00:01:25.5083438Z 2023-12-06T00:01:21.495Z [INFO]  Using OIDC for Authentication
2023-12-06T00:01:25.5087464Z 2023-12-06T00:01:21.495Z [INFO]  Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant e3c***73c
2023-12-06T00:01:25.5088692Z 2023-12-06T00:01:21.495Z [DEBUG] Obtaining an MSAL / Microsoft Graph token for Resource Manager..
2023-12-06T00:01:25.5089579Z 2023-12-06T00:01:24.536Z [DEBUG] checking for provisioner in "."
2023-12-06T00:01:25.5090478Z 2023-12-06T00:01:24.536Z [DEBUG] checking for provisioner in "/azp/_work/_tool/terraform/1.6.3/x64"
2023-12-06T00:01:25.5091505Z 2023-12-06T00:01:24.536Z [DEBUG] Building the Blob Client from an Access Token (using user credentials)
2023-12-06T00:01:25.5092364Z 2023-12-06T00:01:24.695Z [DEBUG] Azure Backend Request: 
2023-12-06T00:01:25.5104681Z POST /subscriptions/2d0***43e/resourceGroups/itsi-***-rg/providers/Microsoft.Storage/storageAccounts/itsi***ops/listKeys?api-version=2021-01-01 HTTP/1.1
2023-12-06T00:01:25.5105667Z Host: management.azure.com
2023-12-06T00:01:25.5106816Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:01:25.5107603Z Content-Length: 0
2023-12-06T00:01:25.5108173Z X-Ms-Authorization-Auxiliary: 
2023-12-06T00:01:25.5108713Z Accept-Encoding: gzip
2023-12-06T00:01:25.5110172Z 2023-12-06T00:01:25.416Z [DEBUG] Azure Backend Response for https://management.azure.com/subscriptions/2d0***43e/resourceGroups/itsi-***-rg/providers/Microsoft.Storage/storageAccounts/itsi***ops/listKeys?api-version=2021-01-01: 
2023-12-06T00:01:25.5111439Z HTTP/2.0 200 OK
2023-12-06T00:01:25.5111978Z Content-Length: 288
2023-12-06T00:01:25.5112501Z Cache-Control: no-cache
2023-12-06T00:01:25.5113087Z Content-Type: application/json
2023-12-06T00:01:25.5113503Z Date: Wed, 06 Dec 2023 00:01:25 GMT
2023-12-06T00:01:25.5124805Z Expires: -1
2023-12-06T00:01:25.5125526Z Pragma: no-cache
2023-12-06T00:01:25.5126239Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2023-12-06T00:01:25.5126890Z X-Cache: CONFIG_NOCACHE
2023-12-06T00:01:25.5127453Z X-Content-Type-Options: nosniff
2023-12-06T00:01:25.5128185Z X-Ms-Correlation-Request-Id: 3806b7a0-be08-49c6-af58-f285ddcea7e7
2023-12-06T00:01:25.5128961Z X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 11999
2023-12-06T00:01:25.5129728Z X-Ms-Request-Id: 221bc474-2cad-4d3f-8ec3-d74e221ef906
2023-12-06T00:01:25.5130629Z X-Ms-Routing-Request-Id: WESTEUROPE:20231206T000125Z:3806b7a0-be08-49c6-af58-f285ddcea7e7
2023-12-06T00:01:25.5131668Z X-Msedge-Ref: Ref A: 5D22AE16D9B44265979E815FF78724F4 Ref B: AMS231032607017 Ref C: 2023-12-06T00:01:24Z
2023-12-06T00:01:25.5132058Z 
2023-12-06T00:01:25.5132947Z {"keys":[{"keyName":"key1","value":"Mw***g==","permissions":"FULL"},{"keyName":"key2","value":"SLB***w==","permissions":"FULL"}]}
2023-12-06T00:01:25.5145025Z 2023-12-06T00:01:25.418Z [DEBUG] Azure Backend Request: 
2023-12-06T00:01:25.5145647Z GET /devops/tfstateenv%3Adev_canon HTTP/1.1
2023-12-06T00:01:25.5146151Z Host: itsi***ops.blob.core.windows.net
2023-12-06T00:01:25.5147228Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:01:25.5148151Z X-Ms-Date: Wed, 06 Dec 2023 00:01:25 GMT
2023-12-06T00:01:25.5148788Z X-Ms-Version: 2018-11-09
2023-12-06T00:01:25.5149322Z Accept-Encoding: gzip
2023-12-06T00:01:25.5150285Z 2023-12-06T00:01:25.470Z [DEBUG] Azure Backend Response for https://itsi***ops.blob.core.windows.net/devops/tfstateenv%3Adev_canon: 
2023-12-06T00:01:25.5150928Z HTTP/1.1 200 OK
2023-12-06T00:01:25.5151430Z Content-Length: 25915
2023-12-06T00:01:25.5151961Z Accept-Ranges: bytes
2023-12-06T00:01:25.5152532Z Content-Md5: qdKhSwT7nJ2h+kNw/m42Sg==
2023-12-06T00:01:25.5153136Z Content-Type: application/json
2023-12-06T00:01:25.5153564Z Date: Wed, 06 Dec 2023 00:01:25 GMT
2023-12-06T00:01:25.5153956Z Etag: "0x8DBF51991D2C9B5"
2023-12-06T00:01:25.5191550Z Last-Modified: Mon, 04 Dec 2023 22:37:17 GMT
2023-12-06T00:01:25.5192285Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:01:25.5192919Z X-Ms-Blob-Type: BlockBlob
2023-12-06T00:01:25.5193579Z X-Ms-Creation-Time: Mon, 27 Nov 2023 04:44:43 GMT
2023-12-06T00:01:25.5194535Z X-Ms-Lease-State: available
2023-12-06T00:01:25.5195123Z X-Ms-Lease-Status: unlocked
2023-12-06T00:01:25.5311662Z X-Ms-Request-Id: ff4ccb0e-b01e-0064-19d7-271b36000000
2023-12-06T00:01:25.5312510Z X-Ms-Server-Encrypted: true
2023-12-06T00:01:25.5313094Z X-Ms-Version: 2018-11-09
2023-12-06T00:01:25.5313280Z 
2023-12-06T00:01:25.5314286Z { ... tfstate content ... }
2023-12-06T00:01:25.7426386Z 2023-12-06T00:01:25.479Z [DEBUG] Azure Backend Request: 
2023-12-06T00:01:25.7426900Z GET /devops/tfstateenv%3Adev_canon HTTP/1.1
2023-12-06T00:01:25.7427358Z Host: itsi***ops.blob.core.windows.net
2023-12-06T00:01:25.7428379Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:01:25.7429267Z X-Ms-Date: Wed, 06 Dec 2023 00:01:25 GMT
2023-12-06T00:01:25.7429865Z X-Ms-Version: 2018-11-09
2023-12-06T00:01:25.7430417Z Accept-Encoding: gzip
2023-12-06T00:01:25.7431363Z 2023-12-06T00:01:25.491Z [DEBUG] Azure Backend Response for https://itsi***ops.blob.core.windows.net/devops/tfstateenv%3Adev_canon: 
2023-12-06T00:01:25.7432002Z HTTP/1.1 200 OK
2023-12-06T00:01:25.7432521Z Content-Length: 25915
2023-12-06T00:01:25.7433040Z Accept-Ranges: bytes
2023-12-06T00:01:25.7433676Z Content-Md5: qdKhSwT7nJ2h+kNw/m42Sg==
2023-12-06T00:01:25.7434579Z Content-Type: application/json
2023-12-06T00:01:25.7435021Z Date: Wed, 06 Dec 2023 00:01:25 GMT
2023-12-06T00:01:25.7435421Z Etag: "0x8DBF51991D2C9B5"
2023-12-06T00:01:25.7436065Z Last-Modified: Mon, 04 Dec 2023 22:37:17 GMT
2023-12-06T00:01:25.7436778Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:01:25.7437392Z X-Ms-Blob-Type: BlockBlob
2023-12-06T00:01:25.7438053Z X-Ms-Creation-Time: Mon, 27 Nov 2023 04:44:43 GMT
2023-12-06T00:01:25.7438669Z X-Ms-Lease-State: available
2023-12-06T00:01:25.7439236Z X-Ms-Lease-Status: unlocked
2023-12-06T00:01:25.7439912Z X-Ms-Request-Id: ff4ccb43-b01e-0064-4bd7-271b36000000
2023-12-06T00:01:25.7440531Z X-Ms-Server-Encrypted: true
2023-12-06T00:01:25.7441098Z X-Ms-Version: 2018-11-09
2023-12-06T00:01:25.7441283Z 
2023-12-06T00:01:25.7441550Z { ... tfstate content ... }
2023-12-06T00:01:25.9678396Z ├── provider[registry.terraform.io/hashicorp/azurerm] 3.77.0
2023-12-06T00:01:25.9679059Z └── module.itsi-clients-instance
2023-12-06T00:01:25.9679711Z     └── provider[registry.terraform.io/hashicorp/azurerm]
2023-12-06T00:01:25.9679970Z 
2023-12-06T00:01:25.9680280Z Providers required by state:
2023-12-06T00:01:25.9680461Z 
2023-12-06T00:01:25.9680989Z     provider[registry.terraform.io/hashicorp/azurerm]
2023-12-06T00:01:25.9681237Z 
2023-12-06T00:01:28.3182800Z [command]/azp/_work/_tool/terraform/1.6.3/x64/terraform apply -auto-approve -no-color dev.tfplan
2023-12-06T00:01:28.3729789Z 2023-12-06T00:01:28.372Z [INFO]  Terraform version: 1.6.3
2023-12-06T00:01:28.3736987Z 2023-12-06T00:01:28.373Z [DEBUG] using github.com/hashicorp/go-tfe v1.36.0
2023-12-06T00:01:28.3743755Z 2023-12-06T00:01:28.374Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.19.1
2023-12-06T00:01:28.3749566Z 2023-12-06T00:01:28.374Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2023-12-06T00:01:28.3752576Z 2023-12-06T00:01:28.375Z [DEBUG] using github.com/zclconf/go-cty v1.14.1
2023-12-06T00:01:28.3757010Z 2023-12-06T00:01:28.375Z [INFO]  Go runtime version: go1.21.3
2023-12-06T00:01:28.3761825Z 2023-12-06T00:01:28.375Z [INFO]  CLI args: []string{"/azp/_work/_tool/terraform/1.6.3/x64/terraform", "apply", "-auto-approve", "-no-color", "dev.tfplan"}
2023-12-06T00:01:28.3767972Z 2023-12-06T00:01:28.376Z [DEBUG] Attempting to open CLI config file: /root/.terraformrc
2023-12-06T00:01:28.3827333Z 2023-12-06T00:01:28.382Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-12-06T00:01:28.3836064Z 2023-12-06T00:01:28.383Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-12-06T00:01:28.3843243Z 2023-12-06T00:01:28.383Z [DEBUG] ignoring non-existing provider search directory /root/.terraform.d/plugins
2023-12-06T00:01:28.3849430Z 2023-12-06T00:01:28.384Z [DEBUG] ignoring non-existing provider search directory /root/.local/share/terraform/plugins
2023-12-06T00:01:28.3855014Z 2023-12-06T00:01:28.385Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2023-12-06T00:01:28.3862171Z 2023-12-06T00:01:28.385Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2023-12-06T00:01:28.3870380Z 2023-12-06T00:01:28.386Z [INFO]  CLI command args: []string{"apply", "-auto-approve", "-no-color", "dev.tfplan"}
2023-12-06T00:01:28.4399422Z 2023-12-06T00:01:28.439Z [INFO]  Testing if Service Principal / Client Certificate is applicable for Authentication..
2023-12-06T00:01:28.4405177Z 2023-12-06T00:01:28.440Z [INFO]  Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:01:28.4409470Z 2023-12-06T00:01:28.440Z [INFO]  Testing if Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:01:28.4414909Z 2023-12-06T00:01:28.441Z [INFO]  Testing if OIDC is applicable for Authentication..
2023-12-06T00:01:28.4419667Z 2023-12-06T00:01:28.441Z [INFO]  Using OIDC for Authentication
2023-12-06T00:01:28.4424821Z 2023-12-06T00:01:28.442Z [INFO]  Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant e3c***73c
2023-12-06T00:01:28.4429990Z 2023-12-06T00:01:28.442Z [DEBUG] Obtaining an MSAL / Microsoft Graph token for Resource Manager..
2023-12-06T00:01:30.9746131Z 2023-12-06T00:01:30.973Z [DEBUG] checking for provisioner in "."
2023-12-06T00:01:30.9753691Z 2023-12-06T00:01:30.974Z [DEBUG] checking for provisioner in "/azp/_work/_tool/terraform/1.6.3/x64"
2023-12-06T00:01:31.0389911Z 2023-12-06T00:01:31.038Z [INFO]  backend/local: starting Apply operation
2023-12-06T00:01:31.0398817Z 2023-12-06T00:01:31.039Z [DEBUG] Building the Blob Client from an Access Token (using user credentials)
2023-12-06T00:09:01.5206578Z 
2023-12-06T00:09:01.5213760Z Error: error loading state: Error retrieving keys for Storage Account "itsi***ops": autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2023-12-06T00:05:01.4821348Z, assertion valid from 2023-12-04T22:36:40.0000000Z, expiry time of assertion 2023-12-04T22:41:40.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: 883fdc44-ecca-43a1-b06a-814700b29800 Correlation ID: a0e44aa3-ef9a-4c5f-a199-3472dfd6b988 Timestamp: 2023-12-06 00:05:01Z","error_codes":[700024],"timestamp":"2023-12-06 00:05:01Z","trace_id":"883fdc44-ecca-43a1-b06a-814700b29800","correlation_id":"a0e44aa3-ef9a-4c5f-a199-3472dfd6b988","error_uri":"https://login.microsoftonline.com/error?code=700024"}
2023-12-06T00:09:01.5222157Z 
2023-12-06T00:09:01.5334485Z ##[error]Error: The process '/azp/_work/_tool/terraform/1.6.3/x64/terraform' failed with exit code 1
2023-12-06T00:09:01.5410436Z ##[section]Finishing: Terraform apply

Terraform Apply task v4 definition:

steps:
- task: ms-devlabs.custom-terraform-tasks.custom-terraform-release-task.TerraformTaskV4@4
  displayName: 'Terraform apply'
  inputs:
    command: apply
    workingDirectory: '$(System.DefaultWorkingDirectory)/environments/$(prefix)/$(project_name)/$(client_name)'
    commandOptions: '-no-color $(project_name).tfplan'
    environmentServiceNameAzureRM: '$(azure_service)'
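
A triage helper for the AADSTS700024 response shown in this issue, added here as an example (it is not code from the task, from Terraform, or from the poster). It pulls the JSON body out of a Terraform error line and measures how far the server's "Current time" lies outside the assertion's validity window, which separates runner clock skew from an assertion that was issued long before the request. The function names, verdict labels and the 5-minute skew threshold are assumptions; the first sample line is abridged from the log above and the second is constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z"
WINDOW_RE = re.compile(
    rf"Current time: (?P<now>{TS}), assertion valid from (?P<nbf>{TS}), "
    rf"expiry time of assertion (?P<exp>{TS})"
)

# Abridged from the error line in this issue (IDs and URLs dropped).
ISSUE_LINE = (
    "2023-12-06T00:09:01.5213760Z Error: error loading state: ... Original Error: "
    "clientCredentialsToken: received HTTP status 401 with response: "
    '{"error":"invalid_client","error_description":"AADSTS700024: Client assertion '
    "is not within its valid time range. Current time: 2023-12-06T00:05:01.4821348Z, "
    "assertion valid from 2023-12-04T22:36:40.0000000Z, expiry time of assertion "
    '2023-12-04T22:41:40.0000000Z.","error_codes":[700024]}'
)

# Constructed contrast case: the request arrives 30 seconds after expiry.
SKEW_LINE = (
    "clientCredentialsToken: received HTTP status 401 with response: "
    '{"error":"invalid_client","error_description":"AADSTS700024: Client assertion '
    "is not within its valid time range. Current time: 2023-12-06T00:05:30.0000000Z, "
    "assertion valid from 2023-12-06T00:00:00.0000000Z, expiry time of assertion "
    '2023-12-06T00:05:00.0000000Z.","error_codes":[700024]}'
)


def parse_ts(text):
    """Parse a UTC timestamp with up to 7 fractional digits (truncated to microseconds)."""
    whole, _, frac = text.rstrip("Z").partition(".")
    base = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int((frac[:6] or "0").ljust(6, "0")))


def extract_body(log_line):
    """Return the JSON object that follows 'with response: ' in a log line, or None."""
    idx = log_line.find("with response: ")
    start = log_line.find("{", idx) if idx >= 0 else -1
    if start < 0:
        return None
    try:
        # raw_decode stops at the end of the first JSON value, ignoring trailing text.
        body, _ = json.JSONDecoder().raw_decode(log_line[start:])
    except json.JSONDecodeError:
        return None
    return body if isinstance(body, dict) else None


def analyze(body, max_skew=timedelta(minutes=5)):
    """Classify an AADSTS700024 body; max_skew is an assumed tolerance, not an Entra value."""
    if not body or 700024 not in body.get("error_codes", []):
        return None
    match = WINDOW_RE.search(body.get("error_description", ""))
    if not match:
        return None
    now, nbf, exp = (parse_ts(match[k]) for k in ("now", "nbf", "exp"))

    if now > exp:
        state, gap = "expired", now - exp
    elif now < nbf:
        state, gap = "not_yet_valid", nbf - now
    else:
        state, gap = "within_window", timedelta(0)

    if state == "within_window":
        verdict = "inconclusive"
    elif gap <= max_skew:
        verdict = "clock_skew_plausible"      # small miss: check time sync first
    elif state == "expired":
        verdict = "stale_assertion"           # token was issued long before this request
    else:
        verdict = "issuer_clock_ahead"

    return {
        "state": state,
        "verdict": verdict,
        "gap_s": int(gap.total_seconds()),
        "lifetime_s": int((exp - nbf).total_seconds()),
    }


if __name__ == "__main__":
    for line in (ISSUE_LINE, SKEW_LINE):
        print(analyze(extract_body(line)))
```
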

jaredfholgate commented 6 months ago

Hi. Are you able to provide more context of your pipeline? Is there an init step and is that successful? Have you tried setting the ARM_USE_AZUREAD env var?

futojin commented 6 months ago

@jaredfholgate Thank you for the quick reply. Terraform init is successfully getting the keys. Given init was successful, do I still need ARM_USE_AZUREAD? What does it do?

2023-12-06T00:00:45.0414761Z ##[section]Starting: Terraform init
2023-12-06T00:00:45.0423026Z ==============================================================================
2023-12-06T00:00:45.0423385Z Task         : Terraform
2023-12-06T00:00:45.0423860Z Description  : Execute terraform commands to manage resources on AzureRM, Amazon Web Services(AWS) and Google Cloud Platform(GCP)
2023-12-06T00:00:45.0424808Z Version      : 4.227.24
2023-12-06T00:00:45.0425065Z Author       : Microsoft Corporation
2023-12-06T00:00:45.0425496Z Help         : [Learn more about this task](https://aka.ms/AAf0uqr)
2023-12-06T00:00:45.0425919Z ==============================================================================
2023-12-06T00:00:48.5503512Z [command]/azp/_work/_tool/terraform/1.6.3/x64/terraform init -backend-config=storage_account_name=its**ops -backend-config=container_name=devops -backend-config=key=tfstate -backend-config=resource_group_name=its***-rg -backend-config=subscription_id=2d0***43e -backend-config=tenant_id=e3c***73c -backend-config=client_id=*** -backend-config=oidc_token=*** -backend-config=use_oidc=true
2023-12-06T00:00:48.6599966Z 2023-12-06T00:00:48.659Z [INFO]  Terraform version: 1.6.3
2023-12-06T00:00:48.6605890Z 2023-12-06T00:00:48.660Z [DEBUG] using github.com/hashicorp/go-tfe v1.36.0
2023-12-06T00:00:48.6610593Z 2023-12-06T00:00:48.660Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.19.1
2023-12-06T00:00:48.6616267Z 2023-12-06T00:00:48.661Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2023-12-06T00:00:48.6619432Z 2023-12-06T00:00:48.661Z [DEBUG] using github.com/zclconf/go-cty v1.14.1
2023-12-06T00:00:48.6623357Z 2023-12-06T00:00:48.662Z [INFO]  Go runtime version: go1.21.3
2023-12-06T00:00:48.6634906Z 2023-12-06T00:00:48.662Z [INFO]  CLI args: []string{"/azp/_work/_tool/terraform/1.6.3/x64/terraform", "init", "-backend-config=storage_account_name=its**ops", "-backend-config=container_name=devops", "-backend-config=key=tfstate", "-backend-config=resource_group_name=its***-rg", "-backend-config=subscription_id=2d0***43e", "-backend-config=tenant_id=e3c***73c", "-backend-config=client_id=***", "-backend-config=oidc_token=***", "-backend-config=use_oidc=true"}
2023-12-06T00:00:48.6641777Z 2023-12-06T00:00:48.663Z [DEBUG] Attempting to open CLI config file: /root/.terraformrc
2023-12-06T00:00:48.6646426Z 2023-12-06T00:00:48.664Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-12-06T00:00:48.6662600Z 2023-12-06T00:00:48.665Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-12-06T00:00:48.6668196Z 2023-12-06T00:00:48.666Z [DEBUG] ignoring non-existing provider search directory /root/.terraform.d/plugins
2023-12-06T00:00:48.6673044Z 2023-12-06T00:00:48.666Z [DEBUG] ignoring non-existing provider search directory /root/.local/share/terraform/plugins
2023-12-06T00:00:48.6678446Z 2023-12-06T00:00:48.667Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2023-12-06T00:00:48.6682460Z 2023-12-06T00:00:48.667Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2023-12-06T00:00:48.6723665Z 2023-12-06T00:00:48.668Z [INFO]  CLI command args: []string{"init", "-backend-config=storage_account_name=its**ops", "-backend-config=container_name=devops", "-backend-config=key=tfstate", "-backend-config=resource_group_name=its***-rg", "-backend-config=subscription_id=2d0***43e", "-backend-config=tenant_id=e3c***73c", "-backend-config=client_id=***", "-backend-config=oidc_token=***", "-backend-config=use_oidc=true"}
2023-12-06T00:00:48.6725802Z 
2023-12-06T00:00:48.6726475Z Initializing the backend...
2023-12-06T00:00:48.6727348Z 2023-12-06T00:00:48.671Z [DEBUG] New state was assigned lineage "7299d98f-e8d1-6427-a3a6-df1183f8aa2d"
2023-12-06T00:00:48.6728252Z 2023-12-06T00:00:48.671Z [DEBUG] checking for provisioner in "."
2023-12-06T00:00:48.6729429Z 2023-12-06T00:00:48.671Z [DEBUG] checking for provisioner in "/azp/_work/_tool/terraform/1.6.3/x64"
2023-12-06T00:00:48.6749029Z 2023-12-06T00:00:48.673Z [INFO]  Testing if Service Principal / Client Certificate is applicable for Authentication..
2023-12-06T00:00:48.6750213Z 2023-12-06T00:00:48.673Z [INFO]  Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:00:48.6751303Z 2023-12-06T00:00:48.673Z [INFO]  Testing if Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:00:48.6752268Z 2023-12-06T00:00:48.673Z [INFO]  Testing if OIDC is applicable for Authentication..
2023-12-06T00:00:48.6753103Z 2023-12-06T00:00:48.673Z [INFO]  Using OIDC for Authentication
2023-12-06T00:00:48.7358774Z 2023-12-06T00:00:48.673Z [INFO]  Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant e3c***73c
2023-12-06T00:00:48.7364776Z 2023-12-06T00:00:48.673Z [DEBUG] Obtaining an MSAL / Microsoft Graph token for Resource Manager..
2023-12-06T00:00:48.7370139Z 2023-12-06T00:00:48.675Z [DEBUG] New state was assigned lineage "6355516b-7ffe-91a0-289f-380acc44dc79"
2023-12-06T00:00:48.7382286Z 2023-12-06T00:00:48.676Z [DEBUG] Building the Container Client from an Access Token (using user credentials)
2023-12-06T00:00:48.9731411Z 2023-12-06T00:00:48.971Z [DEBUG] Azure Backend Request: 
2023-12-06T00:00:48.9736285Z POST /subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01 HTTP/1.1
2023-12-06T00:00:48.9750866Z Host: management.azure.com
2023-12-06T00:00:48.9758646Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:48.9763708Z Content-Length: 0
2023-12-06T00:00:48.9768285Z X-Ms-Authorization-Auxiliary: 
2023-12-06T00:00:48.9775090Z Accept-Encoding: gzip
2023-12-06T00:00:49.2397720Z 2023-12-06T00:00:49.238Z [DEBUG] Azure Backend Response for https://management.azure.com/subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01: 
2023-12-06T00:00:49.2401831Z HTTP/2.0 200 OK
2023-12-06T00:00:49.2404580Z Content-Length: 288
2023-12-06T00:00:49.2405931Z Cache-Control: no-cache
2023-12-06T00:00:49.2407429Z Content-Type: application/json
2023-12-06T00:00:49.2408475Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.2409681Z Expires: -1
2023-12-06T00:00:49.2410706Z Pragma: no-cache
2023-12-06T00:00:49.2412132Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2023-12-06T00:00:49.2413539Z X-Cache: CONFIG_NOCACHE
2023-12-06T00:00:49.2415321Z X-Content-Type-Options: nosniff
2023-12-06T00:00:49.2416887Z X-Ms-Correlation-Request-Id: 8dfa5cb0-cc05-477d-a879-922d4c248c8e
2023-12-06T00:00:49.2418454Z X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 11999
2023-12-06T00:00:49.2420781Z X-Ms-Request-Id: 08d5c2be-62e9-4e1f-81f7-83ca605cfc1b
2023-12-06T00:00:49.2422427Z X-Ms-Routing-Request-Id: WESTEUROPE:20231206T000049Z:8dfa5cb0-cc05-477d-a879-922d4c248c8e
2023-12-06T00:00:49.2424812Z X-Msedge-Ref: Ref A: 54DA004950EE405990DFF7799A22693F Ref B: AMS231020614037 Ref C: 2023-12-06T00:00:49Z
2023-12-06T00:00:49.2425467Z 
2023-12-06T00:00:49.2427012Z {"keys":[{"keyName":"key1","value":"Mwe***g==","permissions":"FULL"},{"keyName":"key2","value":"SLB***w==","permissions":"FULL"}]}
2023-12-06T00:00:49.2449570Z 2023-12-06T00:00:49.244Z [DEBUG] Azure Backend Request: 
2023-12-06T00:00:49.2450344Z GET /devops?comp=list&prefix=tfstateenv%3A&restype=container HTTP/1.1
2023-12-06T00:00:49.2451000Z Host: its**ops.blob.core.windows.net
2023-12-06T00:00:49.2452323Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.2453259Z Content-Type: application/xml; charset=utf-8
2023-12-06T00:00:49.2453920Z X-Ms-Date: Wed, 06 Dec 2023 00:00:49 GMT
2023-12-06T00:00:49.2454908Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.2455953Z Accept-Encoding: gzip
2023-12-06T00:00:49.2841252Z 2023-12-06T00:00:49.283Z [DEBUG] Azure Backend Response for https://its**ops.blob.core.windows.net/devops?comp=list&prefix=tfstateenv%3A&restype=container: 
2023-12-06T00:00:49.2843567Z HTTP/1.1 200 OK
2023-12-06T00:00:49.2845197Z Transfer-Encoding: chunked
2023-12-06T00:00:49.2846076Z Content-Type: application/xml
2023-12-06T00:00:49.2846762Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.2847649Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:00:49.2848671Z X-Ms-Request-Id: 2eeb0484-501e-007c-37d7-27c451000000
2023-12-06T00:00:49.2849594Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.2849966Z 
2023-12-06T00:00:49.2850452Z 5ed
2023-12-06T00:00:49.2856426Z <?xml version="1.0" encoding="utf-8"?><EnumerationResults ServiceEndpoint="https://its**ops.blob.core.windows.net/" ContainerName="devops"><Prefix>tfstateenv:</Prefix><Blobs><Blob><Name>tfstateenv:dev</Name><Properties><Creation-Time>Wed, 25 Oct 2023 06:29:47 GMT</Creation-Time><Last-Modified>Mon, 27 Nov 2023 03:35:33 GMT</Last-Modified><Etag>0x8DBEEF9E94E8E62</Etag><Content-Length>33933</Content-Length><Content-Type>application/json</Content-Type><Content-Encoding /><Content-Language /><Content-MD5>4dWL4TwTwIchXXe1+RpjGA==</Content-MD5><Cache-Control /><Content-Disposition /><BlobType>BlockBlob</BlobType><AccessTier>Hot</AccessTier><AccessTierInferred>true</AccessTierInferred><LeaseStatus>unlocked</LeaseStatus><LeaseState>available</LeaseState><ServerEncrypted>true</ServerEncrypted></Properties></Blob><Blob><Name>tfstateenv:dev_canon</Name><Properties><Creation-Time>Mon, 27 Nov 2023 04:44:43 GMT</Creation-Time><Last-Modified>Mon, 04 Dec 2023 22:37:17 GMT</Last-Modified><Etag>0x8DBF51991D2C9B5</Etag><Content-Length>25915</Content-Length><Content-Type>application/json</Content-Type><Content-Encoding /><Content-Language /><Content-MD5>qdKhSwT7nJ2h+kNw/m42Sg==</Content-MD5><Cache-Control /><Content-Disposition /><BlobType>BlockBlob</BlobType><AccessTier>Hot</AccessTier><AccessTierInferred>true</AccessTierInferred><LeaseStatus>unlocked</LeaseStatus><LeaseState>available</LeaseState><ServerEncrypted>true</ServerEncrypted></Properties></Blob></Blobs><NextMarker /></EnumerationResults>
2023-12-06T00:00:49.2862013Z 0
2023-12-06T00:00:49.3439698Z 
2023-12-06T00:00:49.3442122Z Successfully configured the backend "azurerm"! Terraform will automatically
2023-12-06T00:00:49.3449136Z use this backend unless the backend configuration changes.
2023-12-06T00:00:49.3475922Z 2023-12-06T00:00:49.347Z [DEBUG] checking for provisioner in "."
2023-12-06T00:00:49.3481784Z 2023-12-06T00:00:49.347Z [DEBUG] checking for provisioner in "/azp/_work/_tool/terraform/1.6.3/x64"
2023-12-06T00:00:49.3488597Z 2023-12-06T00:00:49.348Z [DEBUG] Building the Blob Client from an Access Token (using user credentials)
2023-12-06T00:00:49.3497804Z 2023-12-06T00:00:49.349Z [DEBUG] Azure Backend Request: 
2023-12-06T00:00:49.3500297Z POST /subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01 HTTP/1.1
2023-12-06T00:00:49.3501901Z Host: management.azure.com
2023-12-06T00:00:49.3503093Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.3504908Z Content-Length: 0
2023-12-06T00:00:49.3505685Z X-Ms-Authorization-Auxiliary: 
2023-12-06T00:00:49.3506239Z Accept-Encoding: gzip
2023-12-06T00:00:49.4352695Z 2023-12-06T00:00:49.433Z [DEBUG] Azure Backend Response for https://management.azure.com/subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01: 
2023-12-06T00:00:49.4357118Z HTTP/2.0 200 OK
2023-12-06T00:00:49.4358055Z Content-Length: 288
2023-12-06T00:00:49.4358991Z Cache-Control: no-cache
2023-12-06T00:00:49.4359823Z Content-Type: application/json
2023-12-06T00:00:49.4360531Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.4361332Z Expires: -1
2023-12-06T00:00:49.4362164Z Pragma: no-cache
2023-12-06T00:00:49.4363220Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2023-12-06T00:00:49.4364579Z X-Cache: CONFIG_NOCACHE
2023-12-06T00:00:49.4365710Z X-Content-Type-Options: nosniff
2023-12-06T00:00:49.4366771Z X-Ms-Correlation-Request-Id: 777e3898-050b-4796-96bf-68a02af35578
2023-12-06T00:00:49.4421321Z X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 11999
2023-12-06T00:00:49.4422513Z X-Ms-Request-Id: 368ab18c-89b6-4cbe-a39f-9a30b80046be
2023-12-06T00:00:49.4423455Z X-Ms-Routing-Request-Id: WESTEUROPE:20231206T000049Z:777e3898-050b-4796-96bf-68a02af35578
2023-12-06T00:00:49.4425027Z X-Msedge-Ref: Ref A: 072AEFEB36F645F69938B95E40E14498 Ref B: AMS231020614037 Ref C: 2023-12-06T00:00:49Z
2023-12-06T00:00:49.4425430Z 
2023-12-06T00:00:49.4426328Z {"keys":[{"keyName":"key1","value":"Mwe***g==","permissions":"FULL"},{"keyName":"key2","value":"SLB***w==","permissions":"FULL"}]}
2023-12-06T00:00:49.4427599Z 2023-12-06T00:00:49.433Z [DEBUG] Azure Backend Request: 
2023-12-06T00:00:49.4428061Z GET /devops/tfstate HTTP/1.1
2023-12-06T00:00:49.4428478Z Host: its**ops.blob.core.windows.net
2023-12-06T00:00:49.4429462Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.4430326Z X-Ms-Date: Wed, 06 Dec 2023 00:00:49 GMT
2023-12-06T00:00:49.4430933Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4431469Z Accept-Encoding: gzip
2023-12-06T00:00:49.4793281Z 2023-12-06T00:00:49.478Z [DEBUG] Azure Backend Response for https://its**ops.blob.core.windows.net/devops/tfstate: 
2023-12-06T00:00:49.4795068Z HTTP/1.1 200 OK
2023-12-06T00:00:49.4796285Z Content-Length: 180
2023-12-06T00:00:49.4797246Z Accept-Ranges: bytes
2023-12-06T00:00:49.4797975Z Content-Md5: toOp7nxVek/6KbzqsH4DTA==
2023-12-06T00:00:49.4798735Z Content-Type: application/json
2023-12-06T00:00:49.4799269Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.4799757Z Etag: "0x8DBEF07A62527FF"
2023-12-06T00:00:49.4800499Z Last-Modified: Mon, 27 Nov 2023 05:13:53 GMT
2023-12-06T00:00:49.4801325Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:00:49.4802055Z X-Ms-Blob-Type: BlockBlob
2023-12-06T00:00:49.4802829Z X-Ms-Creation-Time: Wed, 25 Oct 2023 06:28:47 GMT
2023-12-06T00:00:49.4803571Z X-Ms-Lease-State: available
2023-12-06T00:00:49.4804613Z X-Ms-Lease-Status: unlocked
2023-12-06T00:00:49.4805438Z X-Ms-Request-Id: 92b65151-a01e-0047-5ad7-2781f5000000
2023-12-06T00:00:49.4806189Z X-Ms-Server-Encrypted: true
2023-12-06T00:00:49.4806869Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4807153Z 
2023-12-06T00:00:49.4807494Z {
2023-12-06T00:00:49.4807880Z   "version": 4,
2023-12-06T00:00:49.4808307Z   "terraform_version": "1.4.6",
2023-12-06T00:00:49.4808730Z   "serial": 1,
2023-12-06T00:00:49.4809446Z   "lineage": "4264af3c-0104-1542-e025-23e7959b70b3",
2023-12-06T00:00:49.4810265Z   "outputs": {},
2023-12-06T00:00:49.4810666Z   "resources": [],
2023-12-06T00:00:49.4811082Z   "check_results": null
2023-12-06T00:00:49.4811464Z }
2023-12-06T00:00:49.4823158Z 2023-12-06T00:00:49.481Z [DEBUG] Azure Backend Request: 
2023-12-06T00:00:49.4824475Z GET /devops/tfstate HTTP/1.1
2023-12-06T00:00:49.4825158Z Host: its**ops.blob.core.windows.net
2023-12-06T00:00:49.4826330Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.4827635Z X-Ms-Date: Wed, 06 Dec 2023 00:00:49 GMT
2023-12-06T00:00:49.4828358Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4829025Z Accept-Encoding: gzip
2023-12-06T00:00:49.4902535Z 2023-12-06T00:00:49.488Z [DEBUG] Azure Backend Response for https://its**ops.blob.core.windows.net/devops/tfstate: 
2023-12-06T00:00:49.4903848Z HTTP/1.1 200 OK
2023-12-06T00:00:49.4905260Z Content-Length: 180
2023-12-06T00:00:49.4906288Z Accept-Ranges: bytes
2023-12-06T00:00:49.4907336Z Content-Md5: toOp7nxVek/6KbzqsH4DTA==
2023-12-06T00:00:49.4908788Z Content-Type: application/json
2023-12-06T00:00:49.4909253Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.4910064Z Etag: "0x8DBEF07A62527FF"
2023-12-06T00:00:49.4911138Z Last-Modified: Mon, 27 Nov 2023 05:13:53 GMT
2023-12-06T00:00:49.4912700Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:00:49.4914892Z X-Ms-Blob-Type: BlockBlob
2023-12-06T00:00:49.4916912Z X-Ms-Creation-Time: Wed, 25 Oct 2023 06:28:47 GMT
2023-12-06T00:00:49.4918396Z X-Ms-Lease-State: available
2023-12-06T00:00:49.4919443Z X-Ms-Lease-Status: unlocked
2023-12-06T00:00:49.4920612Z X-Ms-Request-Id: 92b65174-a01e-0047-78d7-2781f5000000
2023-12-06T00:00:49.4921697Z X-Ms-Server-Encrypted: true
2023-12-06T00:00:49.4922722Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4923354Z 
2023-12-06T00:00:49.4923635Z {
2023-12-06T00:00:49.4924479Z   "version": 4,
2023-12-06T00:00:49.4924851Z   "terraform_version": "1.4.6",
2023-12-06T00:00:49.4925623Z   "serial": 1,
2023-12-06T00:00:49.4926679Z   "lineage": "4264af3c-0104-1542-e025-23e7959b70b3",
2023-12-06T00:00:49.4928659Z   "outputs": {},
2023-12-06T00:00:49.4930356Z   "resources": [],
2023-12-06T00:00:49.4930721Z   "check_results": null
2023-12-06T00:00:49.4932354Z }
2023-12-06T00:00:49.4935949Z 2023-12-06T00:00:49.489Z [DEBUG] Module installer: begin itsi-clients-instance
2023-12-06T00:00:49.4940548Z Initializing modules...
2023-12-06T00:00:49.4977777Z 2023-12-06T00:00:49.497Z [DEBUG] Module installer: itsi-clients-instance installed at ../../../../modules/itsi-clients-instance
2023-12-06T00:00:49.4984271Z - itsi-clients-instance in ../../../../modules/itsi-clients-instance
2023-12-06T00:00:49.5008579Z 
2023-12-06T00:00:49.5013674Z Initializing provider plugins...
2023-12-06T00:00:49.5021852Z - Finding hashicorp/azurerm versions matching "3.77.0"...
2023-12-06T00:00:49.5027763Z 2023-12-06T00:00:49.502Z [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
2023-12-06T00:00:49.5359915Z 2023-12-06T00:00:49.535Z [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/azurerm/versions
2023-12-06T00:00:49.5870393Z 2023-12-06T00:00:49.586Z [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/azurerm/3.77.0/download/linux/amd64
2023-12-06T00:00:49.6213391Z 2023-12-06T00:00:49.620Z [DEBUG] GET https://releases.hashicorp.com/terraform-provider-azurerm/3.77.0/terraform-provider-azurerm_3.77.0_SHA256SUMS
2023-12-06T00:00:49.6570892Z 2023-12-06T00:00:49.656Z [DEBUG] GET https://releases.hashicorp.com/terraform-provider-azurerm/3.77.0/terraform-provider-azurerm_3.77.0_SHA256SUMS.72D7468F.sig
2023-12-06T00:00:49.6636492Z - Installing hashicorp/azurerm v3.77.0...
2023-12-06T00:00:51.9530361Z 2023-12-06T00:00:51.952Z [DEBUG] Provider signed by 34365D9472D7468F HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>
2023-12-06T00:00:59.6416632Z - Installed hashicorp/azurerm v3.77.0 (signed by HashiCorp)
2023-12-06T00:00:59.6423022Z 
2023-12-06T00:00:59.6427355Z Terraform has created a lock file .terraform.lock.hcl to record the provider
2023-12-06T00:00:59.6428175Z selections it made above. Include this file in your version control repository
2023-12-06T00:00:59.6428781Z so that Terraform can guarantee to make the same selections by default when
2023-12-06T00:00:59.6433327Z you run "terraform init" in the future.
2023-12-06T00:00:59.6439541Z 
2023-12-06T00:00:59.6453329Z Terraform has been successfully initialized!
2023-12-06T00:00:59.6459133Z 
2023-12-06T00:00:59.6459630Z You may now begin working with Terraform. Try running "terraform plan" to see
2023-12-06T00:00:59.6460209Z any changes that are required for your infrastructure. All Terraform commands
2023-12-06T00:00:59.6460671Z should now work.
2023-12-06T00:00:59.6460822Z 
2023-12-06T00:00:59.6461234Z If you ever set or change modules or backend configuration for Terraform,
2023-12-06T00:00:59.6461835Z rerun this command to reinitialize your working directory. If you forget, other
2023-12-06T00:00:59.6465836Z commands will detect it and remind you to do so if necessary.
2023-12-06T00:00:59.6638602Z ##[section]Finishing: Terraform init

jaredfholgate commented 6 months ago

Hi. ARM_USE_AZUREAD uses Entra ID authentication to access the storage account rather than the default method of generating a shared access token and using that to access the storage account. Details here: https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#use_azuread_auth

I'm not suggesting that is what you must always do to use WIF, but thought it might help in your context given the error message you got. It could be due to your storage account perms, computer clock or something else.

hbuckle commented 6 months ago

Could be related to https://github.com/microsoft/azure-pipelines-terraform/issues/89#issuecomment-1838462580

If you are using workload identity and waiting more than an hour between plan and apply then it fails because the token is stored in the tfplan file

futojin commented 6 months ago

@jaredfholgate Thanks for the suggestion. Not sure if this lies in the actual terraform or the pipeline implementation. After a few tries, it looks like the auth process fails if there's nothing to be applied.

xelossan commented 4 months ago

> Could be related to #89 (comment)
>
> If you are using workload identity and waiting more than an hour between plan and apply then it fails because the token is stored in the tfplan file

Are there any workarounds for this? We'd like to introduce an approval step between creating the terraform plan and applying it, but every time there's more than like 10 minutes (not an hour) between plan and apply, the token stored within the plan is already expired. There seems to be no way to force using a fresh token instead of the one stored within the plan.

hbuckle commented 4 months ago

I just switched to the Azure CLI task to be honest

  - task: AzureCLI@2
    displayName: terraform plan
    inputs:
      azureSubscription: ${{ parameters.service_connections.azure }}
      addSpnToEnvironment: true
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        $env:ARM_USE_AZUREAD = 'true'
        $env:ARM_SUBSCRIPTION_ID = & az account show --query id --output tsv
        $env:ARM_TENANT_ID = $env:tenantId
        $env:ARM_CLIENT_ID = $env:servicePrincipalId
        $env:ARM_USE_OIDC = 'true'
        $env:ARM_OIDC_TOKEN = $env:idToken
        & terraform plan -out plan.tfplan

thegooddalton commented 4 months ago

@hbuckle

> I just switched to the Azure CLI task to be honest

How does that solve the problem?

hbuckle commented 4 months ago

Then you can configure the backend using environment variables, which avoids the time limited token being stored in the plan file. TerraformTaskV4 uses the -backend-config command line flags, which I am pretty sure is what is causing the problem.

Bouke commented 4 months ago

I'm running into the same issue.

I don't want to manage my service connections by hand; that's why I'm using this task. Handling token expiry is something I expect this task to handle.

jaredfholgate commented 4 months ago

Some example tasks you can use until someone has time to fix this task to support WIF plan output: https://github.com/Azure/alz-terraform-accelerator/tree/main/templates/ci_cd/azuredevops/templates/helpers

User7845 commented 3 months ago

Having expired token issues with workload identity in both tasks: TerraformTaskV4 and AzureCLI. When you enable addSpnToEnvironment the token is only valid for 10 minutes.

src: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops#error-messages

jaredfholgate commented 3 months ago

Having expired token issues with workload identity in both tasks: TerraformTaskV4 and AzureCLI. When you enable addSpnToEnvironment the token is only valid for 10 minutes.

  • You're using an AzureCLI task with addSpnToEnvironment set to true to consume the idToken environment variable. The idToken environment variable expires after 10 minutes.

src: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops#error-messages

To be clear. This is really a limitation of the Terraform backend auth implementation as opposed to these tasks. We are trying our best to work around this limitation in the tasks, but at the end of the day, the Terraform backend (and providers) are responsible for token management. If the backend supported Azure CLI auth like the providers, then it would be much easier to work around these timeout problems. As such, I suggest you upvote this issue: https://github.com/hashicorp/terraform/issues/34322

Also, the backend and providers request a new access token for certain operations rather than using a cached one. If there was a way to supply an access token directly to the provider / backend or tell it to cache an access token, then these timeout problems would go away. For other methods (MSI and Client Secret) we don't see the same problem since the source creds do not have a timeout or have a long timeout. But behind the scenes they are doing the same thing and getting a new access token. The access token timeout is much longer than the id token, but we see these timeout issues because the provider / backend keeps requesting new tokens throughout the run. This is not something that can be handled by the task since it is the inner working of the provider / Terraform CLI which the task has no control over. For Azure CLI, it is responsible for caching the access token, so that solves the problem, because the provider / backend just asks it for the token rather than trying to generate a new one each time.
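
A diagnostic sketch for the expiry problem discussed in this thread, added here as an example and not code from any commenter or from the task. It reads the AADSTS700024 message quoted in the issue to show how long the assertion was valid and how long it had been expired, and checks how many seconds remain on an ID token's `exp` claim before Terraform runs. The function names and the sample token are hypothetical; the 600-second lifetime is the 10-minute figure quoted above.

```python
import base64
import json
import re
from datetime import datetime, timezone

TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z"
AADSTS700024 = re.compile(
    r"AADSTS700024:.*?Current time: " + TS
    + r", assertion valid from " + TS
    + r", expiry time of assertion " + TS)

def _utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def assertion_window(error_description):
    """Lifetime and time-since-expiry (seconds) from an AADSTS700024 message."""
    m = AADSTS700024.search(error_description)
    if m is None:
        return None
    now, valid_from, expiry = (_utc(g) for g in m.groups())
    return {"lifetime_s": int((expiry - valid_from).total_seconds()),
            "expired_for_s": int((now - expiry).total_seconds())}

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it. Diagnostics only; never log the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))

def seconds_left(token, now=None):
    """Seconds until the token's exp claim; negative means already expired."""
    now = now or datetime.now(timezone.utc)
    return int(jwt_claims(token)["exp"] - now.timestamp())

def sample_token(exp):
    """Constructed, unsigned token used only to exercise seconds_left()."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), "sig"])

# Error text as quoted in the issue description.
ERROR = ("AADSTS700024: Client assertion is not within its valid time range. "
         "Current time: 2023-12-06T00:05:01.4821348Z, assertion valid from "
         "2023-12-04T22:36:40.0000000Z, expiry time of assertion "
         "2023-12-04T22:41:40.0000000Z.")

if __name__ == "__main__":
    print(assertion_window(ERROR))
    issued = datetime(2023, 12, 6, 0, 1, 25, tzinfo=timezone.utc)
    token = sample_token(int(issued.timestamp()) + 600)  # constructed 10-minute token
    print(seconds_left(token, now=issued.replace(minute=9)))
```

An `expired_for_s` value far larger than the job's runtime indicates the rejected assertion was not minted during the current run.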