Open andrewdmay opened 2 months ago
Full discussion: https://github.com/microsoft/azure-pipelines-terraform/pull/214
Starting this morning (4/30/2024) we have been getting this error when trying to run a Terraform plan or apply where the init was done with a Service Connection using Workload Identity Federation and using the azurerm backend.
Failed to load state: blobs.Client#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.
In our Azure DevOps extensions it appears that the extension updated from 0.1.25 to 0.1.24 last night and TerraformTaskV4@4 updated from 4.227.24 to 4.238.25 in the Azure DevOps logs.
Terraform Version: 1.7.4.
We use a different Service connection for the Terraform state and the Terraform plan or apply.
There was an outage of WIF this morning, so I think that is what you were seeing here.
Apologies, it looks like the change did go live so likely the reason for this error. Will add a flag to revert to previous behaviour ASAP.
In the meantime you should be able to pin to the older version by specifying the full version as 4.227.24 per this article: https://blogs.blackmarble.co.uk/rfennell/pinning-specific-azure-devops-task-versions/?darkschemeovr=1
Thanks for digging into this. I've gone ahead and pinned to the 4.227.24 version and that seems to fix the pipelines that were broken (we'd switched most of the backend service connections to using a service principal secret as a workaround).
Being able to use a plan that's more than 10 minutes old will be a big improvement, but we will need to reorganize our service connections in preparation for using the same one for backend and environment.
Issue seems to be still open, resulting in failures of all of our pipelines. Tagging version of task to 4.227.24 can be a temp fix.
Hi, we have a fix for the issue but we are having issues with the publisher authentication in the pipeline. As soon as that has been resolved a new version will be published.
Update: We are still struggling with solving the authentication changes. Hopefully by the end of next week our new environment will be up and running.
version 0.1.26 deployed
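Added example, not part of the thread or the extension's code: a small audit that lists which task references in a pipeline file float on a major version (such as TerraformTaskV4@4, which picked up 4.238.25 automatically) and which are pinned to a full version as suggested above. The sample pipeline is constructed, and the `Name@major.minor.patch` pin form is assumed from the linked article.

```python
import re

# "- task: Name@version" lines in Azure Pipelines YAML, optional trailing comment.
TASK_RE = re.compile(
    r"^\s*-\s*task:\s*(?P<name>[\w.\-]+)@(?P<version>[\w.\-]+)\s*(?:#.*)?$"
)
FULL_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed sample pipeline (not taken from the thread).
SAMPLE = """\
steps:
  - task: TerraformInstaller@1
  - task: TerraformTaskV4@4
    displayName: terraform init
    inputs:
      command: init
  - task: TerraformTaskV4@4.227.24   # pinned to the version named in the thread
    displayName: terraform plan
    inputs:
      command: plan
"""


def audit_task_pins(yaml_text, watch=None):
    """Return one finding per task reference; `watch` limits the task names."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = TASK_RE.match(line)
        if not m:
            continue
        name, version = m["name"], m["version"]
        if watch and name not in watch:
            continue
        findings.append({
            "line": lineno,
            "task": name,
            "version": version,
            # Only a full major.minor.patch stops automatic minor/patch updates.
            "pinned": bool(FULL_VERSION_RE.match(version)),
        })
    return findings


def floating(findings):
    """Task references that will follow whatever version is published next."""
    return [f for f in findings if not f["pinned"]]


if __name__ == "__main__":
    for f in floating(audit_task_pins(SAMPLE)):
        print(f"line {f['line']}: {f['task']}@{f['version']} is not pinned")
```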