microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Azure SQL database management using Workload Identity Federation service connection in Azure DevOps #217

Open mkrieger2468 opened 2 months ago

mkrieger2468 commented 2 months ago

I am unable to manage a database using provider pgssoft/mssql with the Terraform task. I get the following error message when I use that provider. Everything else works when you set the environment variable ARM_USE_AZUREAD. I found that if you follow Microsoft documentation and run the azureCLI command az account get-access-token, it will work.

Error message:

│ DefaultAzureCredential: failed to acquire a token.
│ Attempted credentials:
│   EnvironmentCredential: missing environment variable AZURE_CLIENT_ID
│   ManagedIdentityCredential: no default identity is assigned to this
│ resource
│   AzureCLICredential: ERROR: Please run 'az login' to setup account.

Terraform Task:

- task: TerraformTaskV4@4
  displayName: 'Terraform Plan'
  inputs:
    command: plan
    workingDirectory: '$(terraformWorkingDirectory)'
    commandOptions: -var-file="$(terraformWorkingDirectory)\tfvars\${{ parameters.Environment }}.tfvars" -out="$(Agent.TempDirectory)\tfplan"
    environmentServiceNameAzureRM: '$(ServiceConnectionName)'
  env:
    ARM_USE_AZUREAD: true

AzureCLI Task:

- task: AzureCLI@2
  displayName: Terraform Plan
  inputs:
    azureSubscription: $(ServiceConnectionName)
    scriptType: pscore
    scriptLocation: inlineScript
    # scriptPath only applies when scriptLocation is scriptPath; the directory
    # the inline script runs in is set with workingDirectory.
    workingDirectory: $(terraformWorkingDirectory)
    inlineScript: |
      az account get-access-token | Out-Null
      $terraform = Get-Command terraform
      & $terraform -chdir="$(terraformWorkingDirectory)" plan -var-file="$(terraformWorkingDirectory)\tfvars\${{ parameters.Environment }}.tfvars" -out="$(Agent.TempDirectory)\tfplan"
  env:
    ARM_USE_AZUREAD: true

mericstam commented 2 months ago

@jaredfholgate is this related to Workload Identity Federation?

jaredfholgate commented 2 months ago

@mkrieger2468 and @mericstam This appears to be related to usage of the https://registry.terraform.io/providers/PGSSoft/mssql/latest/docs provider. This provider is not supported by this task since it does not use the same authentication method as other Azure providers.

I'm unsure if we have a way to support this provider when using WIF (if that is the ask here?). For client secret, you can set the env vars. We don't currently support az cli login with this task.

You could speak to the provider owners about WIF support with env vars to match Azure providers. However given this provider has not been updated since December 2022, I would personally be looking for a supported option instead.

mkrieger2468 commented 2 months ago

The provider does support this type of authentication; however, it goes in an order. If the environment variables are not set, then it will move through the list. When it gets to the last one AzureCLICredentials it requires an access token that is generated with an azCLI command. Once that command is run in the task then the provider will manage the database.

jaredfholgate commented 2 months ago

> The provider does support this type of authentication; however, it goes in an order. If the environment variables are not set, then it will move through the list. When it gets to the last one AzureCLICredentials it requires an access token that is generated with an azCLI command. Once that command is run in the task then the provider will manage the database.

Sorry if I wasn't clear above, but we don't support az cli auth for any providers with this task. If you need to use that you'll need to go with an alternative such as the AzureCLI task per your example.

It is worth noting that although the providers support Azure CLI auth, the azurerm backend does not. See this issue for more details: https://github.com/hashicorp/terraform/issues/34322
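An added example, not taken from the issue or from the azure-pipelines-terraform project, of the alternative the last two comments describe: run Terraform from AzureCLI@2 under the Workload Identity Federation service connection so that a provider whose DefaultAzureCredential chain ends in AzureCLICredential (such as PGSSoft/mssql) can get a token from the task's `az login`, while handing the same federated token to the azurerm backend through the ARM_USE_OIDC/ARM_OIDC_TOKEN variables, because the backend does not fall back to Azure CLI auth. With `addSpnToEnvironment: true` the AzureCLI@2 task exports `servicePrincipalId`, `tenantId` and, for a WIF connection, `idToken` to the script. The variables `$(ServiceConnectionName)`, `$(terraformWorkingDirectory)` and the `Environment` parameter are assumed to be defined elsewhere in the pipeline, as in the original post.

```yaml
# Added example (not the project's own task): Terraform init and plan under a
# Workload Identity Federation service connection, run through AzureCLI@2.
# Assumes $(ServiceConnectionName), $(terraformWorkingDirectory) and the
# Environment parameter are defined elsewhere in the pipeline.
- task: AzureCLI@2
  displayName: 'Terraform Init and Plan (WIF)'
  inputs:
    azureSubscription: $(ServiceConnectionName)
    scriptType: pscore
    scriptLocation: inlineScript
    # Exposes servicePrincipalId, tenantId and (for WIF connections) idToken
    # as environment variables inside the script.
    addSpnToEnvironment: true
    workingDirectory: $(terraformWorkingDirectory)
    inlineScript: |
      $ErrorActionPreference = 'Stop'

      # A secret-based connection sets servicePrincipalKey instead of idToken;
      # fail fast rather than let Terraform fall back to an unexpected auth path.
      if ([string]::IsNullOrEmpty($env:idToken)) {
        throw 'No OIDC token from the service connection; use a Workload Identity Federation connection.'
      }

      # The task has already run 'az login' with the federated credential, so
      # providers that end their credential chain in AzureCLICredential can
      # now acquire tokens without any extra command.

      # The azurerm backend (and provider) do not use Azure CLI auth, so pass
      # them the same federated token explicitly via the OIDC variables.
      $env:ARM_CLIENT_ID       = $env:servicePrincipalId
      $env:ARM_TENANT_ID       = $env:tenantId
      $env:ARM_OIDC_TOKEN      = $env:idToken
      $env:ARM_SUBSCRIPTION_ID = (az account show --query id -o tsv)
      $env:ARM_USE_OIDC        = 'true'
      # Access the state storage account with Entra ID rather than account keys.
      $env:ARM_USE_AZUREAD     = 'true'

      terraform init -input=false
      terraform plan -input=false `
        -var-file="tfvars\${{ parameters.Environment }}.tfvars" `
        -out="$(Agent.TempDirectory)\tfplan"
```

The `idToken` the task exposes is short-lived, so it is exchanged inside the same step rather than stored in a pipeline variable; setting the ARM_* variables in the script keeps the backend and the azurerm provider on the federated credential even though the PGSSoft/mssql provider reaches the same identity through the CLI.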