Open futojin opened 7 months ago
Hi. Are you able to provide more context of your pipeline? Is there an init
step and is that successful? Have you tried setting the ARM_USE_AZUREAD
env var?
@jaredfholgate Thank you for quick reply. Terraform init, successfully getting the keys. Given init was successful, do I still need ARM_USE_AZUREAD? What does it do?
2023-12-06T00:00:45.0414761Z ##[section]Starting: Terraform init
2023-12-06T00:00:45.0423026Z ==============================================================================
2023-12-06T00:00:45.0423385Z Task : Terraform
2023-12-06T00:00:45.0423860Z Description : Execute terraform commands to manage resources on AzureRM, Amazon Web Services(AWS) and Google Cloud Platform(GCP)
2023-12-06T00:00:45.0424808Z Version : 4.227.24
2023-12-06T00:00:45.0425065Z Author : Microsoft Corporation
2023-12-06T00:00:45.0425496Z Help : [Learn more about this task](https://aka.ms/AAf0uqr)
2023-12-06T00:00:45.0425919Z ==============================================================================
2023-12-06T00:00:48.5503512Z [command]/azp/_work/_tool/terraform/1.6.3/x64/terraform init -backend-config=storage_account_name=its**ops -backend-config=container_name=devops -backend-config=key=tfstate -backend-config=resource_group_name=its***-rg -backend-config=subscription_id=2d0***43e -backend-config=tenant_id=e3c***73c -backend-config=client_id=*** -backend-config=oidc_token=*** -backend-config=use_oidc=true
2023-12-06T00:00:48.6599966Z 2023-12-06T00:00:48.659Z [INFO] Terraform version: 1.6.3
2023-12-06T00:00:48.6605890Z 2023-12-06T00:00:48.660Z [DEBUG] using github.com/hashicorp/go-tfe v1.36.0
2023-12-06T00:00:48.6610593Z 2023-12-06T00:00:48.660Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.19.1
2023-12-06T00:00:48.6616267Z 2023-12-06T00:00:48.661Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2023-12-06T00:00:48.6619432Z 2023-12-06T00:00:48.661Z [DEBUG] using github.com/zclconf/go-cty v1.14.1
2023-12-06T00:00:48.6623357Z 2023-12-06T00:00:48.662Z [INFO] Go runtime version: go1.21.3
2023-12-06T00:00:48.6634906Z 2023-12-06T00:00:48.662Z [INFO] CLI args: []string{"/azp/_work/_tool/terraform/1.6.3/x64/terraform", "init", "-backend-config=storage_account_name=its**ops", "-backend-config=container_name=devops", "-backend-config=key=tfstate", "-backend-config=resource_group_name=its***-rg", "-backend-config=subscription_id=2d0***43e", "-backend-config=tenant_id=e3c***73c", "-backend-config=client_id=***", "-backend-config=oidc_token=***", "-backend-config=use_oidc=true"}
2023-12-06T00:00:48.6641777Z 2023-12-06T00:00:48.663Z [DEBUG] Attempting to open CLI config file: /root/.terraformrc
2023-12-06T00:00:48.6646426Z 2023-12-06T00:00:48.664Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-12-06T00:00:48.6662600Z 2023-12-06T00:00:48.665Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-12-06T00:00:48.6668196Z 2023-12-06T00:00:48.666Z [DEBUG] ignoring non-existing provider search directory /root/.terraform.d/plugins
2023-12-06T00:00:48.6673044Z 2023-12-06T00:00:48.666Z [DEBUG] ignoring non-existing provider search directory /root/.local/share/terraform/plugins
2023-12-06T00:00:48.6678446Z 2023-12-06T00:00:48.667Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2023-12-06T00:00:48.6682460Z 2023-12-06T00:00:48.667Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2023-12-06T00:00:48.6723665Z 2023-12-06T00:00:48.668Z [INFO] CLI command args: []string{"init", "-backend-config=storage_account_name=its**ops", "-backend-config=container_name=devops", "-backend-config=key=tfstate", "-backend-config=resource_group_name=its***-rg", "-backend-config=subscription_id=2d0***43e", "-backend-config=tenant_id=e3c***73c", "-backend-config=client_id=***", "-backend-config=oidc_token=***", "-backend-config=use_oidc=true"}
2023-12-06T00:00:48.6725802Z
2023-12-06T00:00:48.6726475Z Initializing the backend...
2023-12-06T00:00:48.6727348Z 2023-12-06T00:00:48.671Z [DEBUG] New state was assigned lineage "7299d98f-e8d1-6427-a3a6-df1183f8aa2d"
2023-12-06T00:00:48.6728252Z 2023-12-06T00:00:48.671Z [DEBUG] checking for provisioner in "."
2023-12-06T00:00:48.6729429Z 2023-12-06T00:00:48.671Z [DEBUG] checking for provisioner in "/azp/_work/_tool/terraform/1.6.3/x64"
2023-12-06T00:00:48.6749029Z 2023-12-06T00:00:48.673Z [INFO] Testing if Service Principal / Client Certificate is applicable for Authentication..
2023-12-06T00:00:48.6750213Z 2023-12-06T00:00:48.673Z [INFO] Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:00:48.6751303Z 2023-12-06T00:00:48.673Z [INFO] Testing if Service Principal / Client Secret is applicable for Authentication..
2023-12-06T00:00:48.6752268Z 2023-12-06T00:00:48.673Z [INFO] Testing if OIDC is applicable for Authentication..
2023-12-06T00:00:48.6753103Z 2023-12-06T00:00:48.673Z [INFO] Using OIDC for Authentication
2023-12-06T00:00:48.7358774Z 2023-12-06T00:00:48.673Z [INFO] Getting OAuth config for endpoint https://login.microsoftonline.com/ with tenant e3c***73c
2023-12-06T00:00:48.7364776Z 2023-12-06T00:00:48.673Z [DEBUG] Obtaining an MSAL / Microsoft Graph token for Resource Manager..
2023-12-06T00:00:48.7370139Z 2023-12-06T00:00:48.675Z [DEBUG] New state was assigned lineage "6355516b-7ffe-91a0-289f-380acc44dc79"
2023-12-06T00:00:48.7382286Z 2023-12-06T00:00:48.676Z [DEBUG] Building the Container Client from an Access Token (using user credentials)
2023-12-06T00:00:48.9731411Z 2023-12-06T00:00:48.971Z [DEBUG] Azure Backend Request:
2023-12-06T00:00:48.9736285Z POST /subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01 HTTP/1.1
2023-12-06T00:00:48.9750866Z Host: management.azure.com
2023-12-06T00:00:48.9758646Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:48.9763708Z Content-Length: 0
2023-12-06T00:00:48.9768285Z X-Ms-Authorization-Auxiliary:
2023-12-06T00:00:48.9775090Z Accept-Encoding: gzip
2023-12-06T00:00:49.2397720Z 2023-12-06T00:00:49.238Z [DEBUG] Azure Backend Response for https://management.azure.com/subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01:
2023-12-06T00:00:49.2401831Z HTTP/2.0 200 OK
2023-12-06T00:00:49.2404580Z Content-Length: 288
2023-12-06T00:00:49.2405931Z Cache-Control: no-cache
2023-12-06T00:00:49.2407429Z Content-Type: application/json
2023-12-06T00:00:49.2408475Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.2409681Z Expires: -1
2023-12-06T00:00:49.2410706Z Pragma: no-cache
2023-12-06T00:00:49.2412132Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2023-12-06T00:00:49.2413539Z X-Cache: CONFIG_NOCACHE
2023-12-06T00:00:49.2415321Z X-Content-Type-Options: nosniff
2023-12-06T00:00:49.2416887Z X-Ms-Correlation-Request-Id: 8dfa5cb0-cc05-477d-a879-922d4c248c8e
2023-12-06T00:00:49.2418454Z X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 11999
2023-12-06T00:00:49.2420781Z X-Ms-Request-Id: 08d5c2be-62e9-4e1f-81f7-83ca605cfc1b
2023-12-06T00:00:49.2422427Z X-Ms-Routing-Request-Id: WESTEUROPE:20231206T000049Z:8dfa5cb0-cc05-477d-a879-922d4c248c8e
2023-12-06T00:00:49.2424812Z X-Msedge-Ref: Ref A: 54DA004950EE405990DFF7799A22693F Ref B: AMS231020614037 Ref C: 2023-12-06T00:00:49Z
2023-12-06T00:00:49.2425467Z
2023-12-06T00:00:49.2427012Z {"keys":[{"keyName":"key1","value":"Mwe***g==","permissions":"FULL"},{"keyName":"key2","value":"SLB***w==","permissions":"FULL"}]}
2023-12-06T00:00:49.2449570Z 2023-12-06T00:00:49.244Z [DEBUG] Azure Backend Request:
2023-12-06T00:00:49.2450344Z GET /devops?comp=list&prefix=tfstateenv%3A&restype=container HTTP/1.1
2023-12-06T00:00:49.2451000Z Host: its**ops.blob.core.windows.net
2023-12-06T00:00:49.2452323Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.2453259Z Content-Type: application/xml; charset=utf-8
2023-12-06T00:00:49.2453920Z X-Ms-Date: Wed, 06 Dec 2023 00:00:49 GMT
2023-12-06T00:00:49.2454908Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.2455953Z Accept-Encoding: gzip
2023-12-06T00:00:49.2841252Z 2023-12-06T00:00:49.283Z [DEBUG] Azure Backend Response for https://its**ops.blob.core.windows.net/devops?comp=list&prefix=tfstateenv%3A&restype=container:
2023-12-06T00:00:49.2843567Z HTTP/1.1 200 OK
2023-12-06T00:00:49.2845197Z Transfer-Encoding: chunked
2023-12-06T00:00:49.2846076Z Content-Type: application/xml
2023-12-06T00:00:49.2846762Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.2847649Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:00:49.2848671Z X-Ms-Request-Id: 2eeb0484-501e-007c-37d7-27c451000000
2023-12-06T00:00:49.2849594Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.2849966Z
2023-12-06T00:00:49.2850452Z 5ed
2023-12-06T00:00:49.2856426Z <?xml version="1.0" encoding="utf-8"?><EnumerationResults ServiceEndpoint="https://its**ops.blob.core.windows.net/" ContainerName="devops"><Prefix>tfstateenv:</Prefix><Blobs><Blob><Name>tfstateenv:dev</Name><Properties><Creation-Time>Wed, 25 Oct 2023 06:29:47 GMT</Creation-Time><Last-Modified>Mon, 27 Nov 2023 03:35:33 GMT</Last-Modified><Etag>0x8DBEEF9E94E8E62</Etag><Content-Length>33933</Content-Length><Content-Type>application/json</Content-Type><Content-Encoding /><Content-Language /><Content-MD5>4dWL4TwTwIchXXe1+RpjGA==</Content-MD5><Cache-Control /><Content-Disposition /><BlobType>BlockBlob</BlobType><AccessTier>Hot</AccessTier><AccessTierInferred>true</AccessTierInferred><LeaseStatus>unlocked</LeaseStatus><LeaseState>available</LeaseState><ServerEncrypted>true</ServerEncrypted></Properties></Blob><Blob><Name>tfstateenv:dev_canon</Name><Properties><Creation-Time>Mon, 27 Nov 2023 04:44:43 GMT</Creation-Time><Last-Modified>Mon, 04 Dec 2023 22:37:17 GMT</Last-Modified><Etag>0x8DBF51991D2C9B5</Etag><Content-Length>25915</Content-Length><Content-Type>application/json</Content-Type><Content-Encoding /><Content-Language /><Content-MD5>qdKhSwT7nJ2h+kNw/m42Sg==</Content-MD5><Cache-Control /><Content-Disposition /><BlobType>BlockBlob</BlobType><AccessTier>Hot</AccessTier><AccessTierInferred>true</AccessTierInferred><LeaseStatus>unlocked</LeaseStatus><LeaseState>available</LeaseState><ServerEncrypted>true</ServerEncrypted></Properties></Blob></Blobs><NextMarker /></EnumerationResults>
2023-12-06T00:00:49.2862013Z 0
2023-12-06T00:00:49.3439698Z
2023-12-06T00:00:49.3442122Z Successfully configured the backend "azurerm"! Terraform will automatically
2023-12-06T00:00:49.3449136Z use this backend unless the backend configuration changes.
2023-12-06T00:00:49.3475922Z 2023-12-06T00:00:49.347Z [DEBUG] checking for provisioner in "."
2023-12-06T00:00:49.3481784Z 2023-12-06T00:00:49.347Z [DEBUG] checking for provisioner in "/azp/_work/_tool/terraform/1.6.3/x64"
2023-12-06T00:00:49.3488597Z 2023-12-06T00:00:49.348Z [DEBUG] Building the Blob Client from an Access Token (using user credentials)
2023-12-06T00:00:49.3497804Z 2023-12-06T00:00:49.349Z [DEBUG] Azure Backend Request:
2023-12-06T00:00:49.3500297Z POST /subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01 HTTP/1.1
2023-12-06T00:00:49.3501901Z Host: management.azure.com
2023-12-06T00:00:49.3503093Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.3504908Z Content-Length: 0
2023-12-06T00:00:49.3505685Z X-Ms-Authorization-Auxiliary:
2023-12-06T00:00:49.3506239Z Accept-Encoding: gzip
2023-12-06T00:00:49.4352695Z 2023-12-06T00:00:49.433Z [DEBUG] Azure Backend Response for https://management.azure.com/subscriptions/2d0***43e/resourceGroups/its***-rg/providers/Microsoft.Storage/storageAccounts/its**ops/listKeys?api-version=2021-01-01:
2023-12-06T00:00:49.4357118Z HTTP/2.0 200 OK
2023-12-06T00:00:49.4358055Z Content-Length: 288
2023-12-06T00:00:49.4358991Z Cache-Control: no-cache
2023-12-06T00:00:49.4359823Z Content-Type: application/json
2023-12-06T00:00:49.4360531Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.4361332Z Expires: -1
2023-12-06T00:00:49.4362164Z Pragma: no-cache
2023-12-06T00:00:49.4363220Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2023-12-06T00:00:49.4364579Z X-Cache: CONFIG_NOCACHE
2023-12-06T00:00:49.4365710Z X-Content-Type-Options: nosniff
2023-12-06T00:00:49.4366771Z X-Ms-Correlation-Request-Id: 777e3898-050b-4796-96bf-68a02af35578
2023-12-06T00:00:49.4421321Z X-Ms-Ratelimit-Remaining-Subscription-Resource-Requests: 11999
2023-12-06T00:00:49.4422513Z X-Ms-Request-Id: 368ab18c-89b6-4cbe-a39f-9a30b80046be
2023-12-06T00:00:49.4423455Z X-Ms-Routing-Request-Id: WESTEUROPE:20231206T000049Z:777e3898-050b-4796-96bf-68a02af35578
2023-12-06T00:00:49.4425027Z X-Msedge-Ref: Ref A: 072AEFEB36F645F69938B95E40E14498 Ref B: AMS231020614037 Ref C: 2023-12-06T00:00:49Z
2023-12-06T00:00:49.4425430Z
2023-12-06T00:00:49.4426328Z {"keys":[{"keyName":"key1","value":"Mwe***g==","permissions":"FULL"},{"keyName":"key2","value":"SLB***w==","permissions":"FULL"}]}
2023-12-06T00:00:49.4427599Z 2023-12-06T00:00:49.433Z [DEBUG] Azure Backend Request:
2023-12-06T00:00:49.4428061Z GET /devops/tfstate HTTP/1.1
2023-12-06T00:00:49.4428478Z Host: its**ops.blob.core.windows.net
2023-12-06T00:00:49.4429462Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.4430326Z X-Ms-Date: Wed, 06 Dec 2023 00:00:49 GMT
2023-12-06T00:00:49.4430933Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4431469Z Accept-Encoding: gzip
2023-12-06T00:00:49.4793281Z 2023-12-06T00:00:49.478Z [DEBUG] Azure Backend Response for https://its**ops.blob.core.windows.net/devops/tfstate:
2023-12-06T00:00:49.4795068Z HTTP/1.1 200 OK
2023-12-06T00:00:49.4796285Z Content-Length: 180
2023-12-06T00:00:49.4797246Z Accept-Ranges: bytes
2023-12-06T00:00:49.4797975Z Content-Md5: toOp7nxVek/6KbzqsH4DTA==
2023-12-06T00:00:49.4798735Z Content-Type: application/json
2023-12-06T00:00:49.4799269Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.4799757Z Etag: "0x8DBEF07A62527FF"
2023-12-06T00:00:49.4800499Z Last-Modified: Mon, 27 Nov 2023 05:13:53 GMT
2023-12-06T00:00:49.4801325Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:00:49.4802055Z X-Ms-Blob-Type: BlockBlob
2023-12-06T00:00:49.4802829Z X-Ms-Creation-Time: Wed, 25 Oct 2023 06:28:47 GMT
2023-12-06T00:00:49.4803571Z X-Ms-Lease-State: available
2023-12-06T00:00:49.4804613Z X-Ms-Lease-Status: unlocked
2023-12-06T00:00:49.4805438Z X-Ms-Request-Id: 92b65151-a01e-0047-5ad7-2781f5000000
2023-12-06T00:00:49.4806189Z X-Ms-Server-Encrypted: true
2023-12-06T00:00:49.4806869Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4807153Z
2023-12-06T00:00:49.4807494Z {
2023-12-06T00:00:49.4807880Z "version": 4,
2023-12-06T00:00:49.4808307Z "terraform_version": "1.4.6",
2023-12-06T00:00:49.4808730Z "serial": 1,
2023-12-06T00:00:49.4809446Z "lineage": "4264af3c-0104-1542-e025-23e7959b70b3",
2023-12-06T00:00:49.4810265Z "outputs": {},
2023-12-06T00:00:49.4810666Z "resources": [],
2023-12-06T00:00:49.4811082Z "check_results": null
2023-12-06T00:00:49.4811464Z }
2023-12-06T00:00:49.4823158Z 2023-12-06T00:00:49.481Z [DEBUG] Azure Backend Request:
2023-12-06T00:00:49.4824475Z GET /devops/tfstate HTTP/1.1
2023-12-06T00:00:49.4825158Z Host: its**ops.blob.core.windows.net
2023-12-06T00:00:49.4826330Z User-Agent: HashiCorp Terraform/1.6.3 (+https://www.terraform.io) VSTS_e1c450d9-5476-4946-a244-d4470a6409ac_Release__2866_12648_9
2023-12-06T00:00:49.4827635Z X-Ms-Date: Wed, 06 Dec 2023 00:00:49 GMT
2023-12-06T00:00:49.4828358Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4829025Z Accept-Encoding: gzip
2023-12-06T00:00:49.4902535Z 2023-12-06T00:00:49.488Z [DEBUG] Azure Backend Response for https://its**ops.blob.core.windows.net/devops/tfstate:
2023-12-06T00:00:49.4903848Z HTTP/1.1 200 OK
2023-12-06T00:00:49.4905260Z Content-Length: 180
2023-12-06T00:00:49.4906288Z Accept-Ranges: bytes
2023-12-06T00:00:49.4907336Z Content-Md5: toOp7nxVek/6KbzqsH4DTA==
2023-12-06T00:00:49.4908788Z Content-Type: application/json
2023-12-06T00:00:49.4909253Z Date: Wed, 06 Dec 2023 00:00:48 GMT
2023-12-06T00:00:49.4910064Z Etag: "0x8DBEF07A62527FF"
2023-12-06T00:00:49.4911138Z Last-Modified: Mon, 27 Nov 2023 05:13:53 GMT
2023-12-06T00:00:49.4912700Z Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
2023-12-06T00:00:49.4914892Z X-Ms-Blob-Type: BlockBlob
2023-12-06T00:00:49.4916912Z X-Ms-Creation-Time: Wed, 25 Oct 2023 06:28:47 GMT
2023-12-06T00:00:49.4918396Z X-Ms-Lease-State: available
2023-12-06T00:00:49.4919443Z X-Ms-Lease-Status: unlocked
2023-12-06T00:00:49.4920612Z X-Ms-Request-Id: 92b65174-a01e-0047-78d7-2781f5000000
2023-12-06T00:00:49.4921697Z X-Ms-Server-Encrypted: true
2023-12-06T00:00:49.4922722Z X-Ms-Version: 2018-11-09
2023-12-06T00:00:49.4923354Z
2023-12-06T00:00:49.4923635Z {
2023-12-06T00:00:49.4924479Z "version": 4,
2023-12-06T00:00:49.4924851Z "terraform_version": "1.4.6",
2023-12-06T00:00:49.4925623Z "serial": 1,
2023-12-06T00:00:49.4926679Z "lineage": "4264af3c-0104-1542-e025-23e7959b70b3",
2023-12-06T00:00:49.4928659Z "outputs": {},
2023-12-06T00:00:49.4930356Z "resources": [],
2023-12-06T00:00:49.4930721Z "check_results": null
2023-12-06T00:00:49.4932354Z }
2023-12-06T00:00:49.4935949Z 2023-12-06T00:00:49.489Z [DEBUG] Module installer: begin itsi-clients-instance
2023-12-06T00:00:49.4940548Z Initializing modules...
2023-12-06T00:00:49.4977777Z 2023-12-06T00:00:49.497Z [DEBUG] Module installer: itsi-clients-instance installed at ../../../../modules/itsi-clients-instance
2023-12-06T00:00:49.4984271Z - itsi-clients-instance in ../../../../modules/itsi-clients-instance
2023-12-06T00:00:49.5008579Z
2023-12-06T00:00:49.5013674Z Initializing provider plugins...
2023-12-06T00:00:49.5021852Z - Finding hashicorp/azurerm versions matching "3.77.0"...
2023-12-06T00:00:49.5027763Z 2023-12-06T00:00:49.502Z [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
2023-12-06T00:00:49.5359915Z 2023-12-06T00:00:49.535Z [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/azurerm/versions
2023-12-06T00:00:49.5870393Z 2023-12-06T00:00:49.586Z [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/azurerm/3.77.0/download/linux/amd64
2023-12-06T00:00:49.6213391Z 2023-12-06T00:00:49.620Z [DEBUG] GET https://releases.hashicorp.com/terraform-provider-azurerm/3.77.0/terraform-provider-azurerm_3.77.0_SHA256SUMS
2023-12-06T00:00:49.6570892Z 2023-12-06T00:00:49.656Z [DEBUG] GET https://releases.hashicorp.com/terraform-provider-azurerm/3.77.0/terraform-provider-azurerm_3.77.0_SHA256SUMS.72D7468F.sig
2023-12-06T00:00:49.6636492Z - Installing hashicorp/azurerm v3.77.0...
2023-12-06T00:00:51.9530361Z 2023-12-06T00:00:51.952Z [DEBUG] Provider signed by 34365D9472D7468F HashiCorp Security (hashicorp.com/security) <security@hashicorp.com>
2023-12-06T00:00:59.6416632Z - Installed hashicorp/azurerm v3.77.0 (signed by HashiCorp)
2023-12-06T00:00:59.6423022Z
2023-12-06T00:00:59.6427355Z Terraform has created a lock file .terraform.lock.hcl to record the provider
2023-12-06T00:00:59.6428175Z selections it made above. Include this file in your version control repository
2023-12-06T00:00:59.6428781Z so that Terraform can guarantee to make the same selections by default when
2023-12-06T00:00:59.6433327Z you run "terraform init" in the future.
2023-12-06T00:00:59.6439541Z
2023-12-06T00:00:59.6453329Z Terraform has been successfully initialized!
2023-12-06T00:00:59.6459133Z
2023-12-06T00:00:59.6459630Z You may now begin working with Terraform. Try running "terraform plan" to see
2023-12-06T00:00:59.6460209Z any changes that are required for your infrastructure. All Terraform commands
2023-12-06T00:00:59.6460671Z should now work.
2023-12-06T00:00:59.6460822Z
2023-12-06T00:00:59.6461234Z If you ever set or change modules or backend configuration for Terraform,
2023-12-06T00:00:59.6461835Z rerun this command to reinitialize your working directory. If you forget, other
2023-12-06T00:00:59.6465836Z commands will detect it and remind you to do so if necessary.
2023-12-06T00:00:59.6638602Z ##[section]Finishing: Terraform init
Hi. ARM_USE_AZUREAD uses Entra ID authentication to access the storage account rather than the default method of generating a shared access token and using that to access the storage account. Details here: https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#use_azuread_auth
I'm not suggesting that is what you must always do to use WIF, but thought it might help in your context given the error message you got. It could be due to your storage account perms, computer clock or something else.
Could be related to https://github.com/microsoft/azure-pipelines-terraform/issues/89#issuecomment-1838462580
If you are using workload identity and waiting more than an hour between plan and apply then it fails because the token is stored in the tfplan file
@jaredfholgate Thanks for the suggestion. Not sure if this lies in the actual terraform or the pipeline implementation. After a few tries, it looks like the auth process fails if there's nothing to be applied.
Could be related to #89 (comment)
If you are using workload identity and waiting more than an hour between plan and apply then it fails because the token is stored in the tfplan file
Are there any workarounds for this? We'd like to introduce an approval step between creating terraform plan and applying it, but every time there's more than like 10 minutes (not an hour) between plan and apply, the token stored within the plan is already expired. There seems to be no way to force using a fresh token instead of the one stored within the plan.
I just switched to the Azure CLI task to be honest
```yaml
- task: AzureCLI@2
  displayName: terraform plan
  inputs:
    azureSubscription: ${{ parameters.service_connections.azure }}
    # Exposes servicePrincipalId, tenantId and idToken to the inline script
    addSpnToEnvironment: true
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      # Backend and provider auth come from ARM_* environment variables,
      # not from -backend-config command line flags
      $env:ARM_USE_AZUREAD = 'true'
      $env:ARM_SUBSCRIPTION_ID = & az account show --query id --output tsv
      $env:ARM_TENANT_ID = $env:tenantId
      $env:ARM_CLIENT_ID = $env:servicePrincipalId
      $env:ARM_USE_OIDC = 'true'
      $env:ARM_OIDC_TOKEN = $env:idToken
      & terraform plan -out plan.tfplan
```
@hbuckle
I just switched to the Azure CLI task to be honest
How does that solve the problem?
Then you can configure the backend using environment variables, which avoids the time limited token being stored in the plan file. TerraformTaskV4 uses the -backend-config command line flags, which I am pretty sure is what is causing the problem.
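A check for the situation described in the comment above, added here as an example (it is not code from the thread or from the task): it scans a saved plan for an embedded OIDC token and reports how much lifetime the token has left, so a pipeline can re-plan instead of failing at apply and can treat a plan that still holds a live token as a secret. It assumes the plan file is a zip archive whose members hold the token as contiguous bytes; the sample plan, its subject and all function names are constructed.

```python
import base64
import io
import json
import re
import zipfile

# A JWT is three base64url segments; header and payload are JSON objects,
# so both start with "eyJ" (the encoding of '{"').
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _b64url(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def jwt_claims(token: bytes):
    """Decode (not verify) a JWT payload; return None if it is not a JWT."""
    try:
        header, payload, _signature = token.split(b".")
        json.loads(_b64url(header))
        claims = json.loads(_b64url(payload))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8, bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def scan_plan(plan_bytes: bytes, now: int):
    """Return one finding per JWT embedded in any member of the plan archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(plan_bytes)) as archive:
        for member in archive.namelist():
            for match in JWT_RE.finditer(archive.read(member)):
                claims = jwt_claims(match.group())
                if claims is None:
                    continue
                exp = claims.get("exp")
                left = int(exp - now) if isinstance(exp, (int, float)) else None
                findings.append({"member": member, "subject": claims.get("sub"),
                                 "seconds_left": left})
    return findings


def apply_gate(findings, min_seconds_left=60):
    """'clean': no token in the plan; 'replan': a stored token is (nearly)
    expired, so apply would fail; 'live-token': the plan is a credential."""
    if not findings:
        return "clean"
    lefts = [f["seconds_left"] for f in findings]
    if any(s is not None and s < min_seconds_left for s in lefts):
        return "replan"
    return "live-token"


def build_sample_plan(exp=None) -> bytes:
    """Constructed stand-in for plan.tfplan (not a real Terraform plan)."""
    body = b"\x0a\x07azurerm\x12\x0ause_oidc\xc3"
    if exp is not None:
        def seg(obj):
            return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=")
        token = b".".join([seg({"alg": "RS256", "typ": "JWT"}),
                           seg({"sub": "constructed-subject", "exp": exp}),
                           b"c2lnbmF0dXJl"])
        body += b"\xaaoidc_token\xd9" + token + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("tfplan", body)
        archive.writestr("tfstate", json.dumps({"version": 4, "resources": []}))
    return buf.getvalue()


if __name__ == "__main__":
    ISSUED = 1701820800  # constructed issue time; token lifetime 10 minutes
    plan = build_sample_plan(exp=ISSUED + 600)
    for delay in (60, 900):  # apply shortly after plan, and after an approval wait
        found = scan_plan(plan, now=ISSUED + delay)
        print(delay, apply_gate(found), found)
```
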
I'm running into the same issue.
I don't want to manage my service connections by hand; that's why I'm using this task. Handling token expiry is something I expect this task to handle.
Some example tasks you can use until someone has time to fix this task to support WIF plan output: https://github.com/Azure/alz-terraform-accelerator/tree/main/templates/ci_cd/azuredevops/templates/helpers
Having expired token issues with workload identity in both tasks: TerraformTaskV4 and AzureCLI. When you enable addSpnToEnvironment the token is only valid for 10 minutes.
Having expired token issues with workload identity in both tasks: TerraformTaskV4 and AzureCLI. When you enable addSpnToEnvironment the token is only valid for 10 minutes.
- You're using an AzureCLI task with addSpnToEnvironment set to true to consume the idToken environment variable. The idToken environment variable expires after 10 minutes.
To be clear. This is really a limitation of the Terraform backend auth implementation as opposed to these tasks. We are trying our best to work around this limitation in the tasks, but at the end of the day, the Terraform backend (and providers) are responsible for token management. If the backend supported Azure CLI auth like the providers, then it would be much easier to work around these timeout problems. As such, I suggest you upvote this issue: https://github.com/hashicorp/terraform/issues/34322
Also, the backend and providers request a new access token for certain operations rather than using a cached one. If there was a way to supply an access token directly to the provider / backend or tell it to cache an access token, then these timeout problems would go away. For other methods (MSI and Client Secret) we don't see the same problem since the source creds do not have a timeout or have a long time out. But behind the scenes they are doing the same thing and getting a new access token. The access token timeout is much longer than the id token, but we see these timeout issues because the provider / backend keeps requesting new tokens throughout the run. This is not something that can be handled by the task since it is the inner working of the provider / Terraform CLI which the task has no control over. For Azure CLI, it is responsible for caching the access token, so that solves the problem, because the provider / backend just asks it for the token rather than trying to generate a new one each time.
I have a pretty strange issue. Initially it failed randomly, now it's failing consistently. It appears the issue is a token was valid 2 hours ago before it was requested?!
The pipeline is running under Azure Container Instance, and I have checked the log timestamp is matching with my local machine (give or take 10 seconds)
Strangely the first auth token negotiation earlier in the code seems to be successful. See timestamp 2023-12-06T00:01:25.5091505Z vs 2023-12-06T00:01:31.0398817Z
Which leads me to another question whether the entire thing was attempted twice?
Full debug trace:
Terraform Apply task v4 definition: