microsoft / azure-pipelines-terraform

Azure Pipelines tasks for installing Terraform and running Terraform commands in a build or release pipeline.
MIT License

Error: Endpoint data parameter not present: subscriptionid using management group scoped spn #81

Open ChrisTav424 opened 2 years ago

ChrisTav424 commented 2 years ago

We are using the Terraform@V3 task to deploy infrastructure at the management group level (Tenant Root Group). The following is the pipeline yaml.

trigger:
- master

pool:
  vmImage: windows-latest

steps:
- task: TerraformInstaller@0
  inputs:
    terraformVersion: 'latest'
- task: TerraformTaskV3@3
  inputs:
    provider: 'azurerm'
    command: 'init'
    workingDirectory: '$(System.DefaultWorkingDirectory)\caf'
    backendServiceArm: 'devops (73e0699d-f086-4960-8b97-abad78a39916)'
    environmentServiceNameAzureRM: 'tf-connect-manual'
    backendAzureRmResourceGroupName: 'rg-storage-terraform'
    backendAzureRmStorageAccountName: 'terraform2319'
    backendAzureRmContainerName: 'terraform-state'
    backendAzureRmKey: '<secret removed>'

- task: TerraformTaskV3@3
  inputs:
    provider: 'azurerm'
    command: 'plan'
    workingDirectory: '$(System.DefaultWorkingDirectory)\caf'
    environmentServiceNameAzureRM: 'tf-connect-manual'

This is where we are setting the different service connection scopes:

[screenshot of the service connection scope settings]

How do we get past this error?

ASHR4 commented 2 years ago

Hi @ChrisTav424,

My organisation is having the same issues; I think it could be related to this:

https://github.com/microsoft/azure-pipelines-terraform/blob/0a9adf8e32365b8bfdb76740a4e300da643edcdc/Tasks/TerraformTask/TerraformTaskV3/src/azure-terraform-command-handler.ts#L20

It's trying to acquire the subscription_id from the service connection, to then work out where the remote backend is. As yours is a management group service connection, it does not have this.

Could be worth having that as a default value, but also having the option to pass the subscription ID to the task.

jakan0 commented 2 years ago

Related issue #26

mericstam commented 2 years ago

Hi. I will take a look on how we can solve this.

ChrisTav424 commented 2 years ago

Thanks @mericstam

Is there a workaround until it's resolved?

JyrkiHei commented 2 years ago

The temporary workaround we have used is to create the DevOps service connection against some subscription but manually give the service principal RBAC permissions to the wanted management group in Azure as well. After that Terraform can make changes based on the permissions inherited from the MG level. We just point Terraform to make changes at the MG level or in any other subscription under it.

mericstam commented 2 years ago

Hi, there is no quick fix for this; as of now the extension only supports a subscription-scoped SPN. I will put this issue on our internal board for the Product Owner to prioritize.
Please feel free to add the functionality if you want by forking this repo and issuing a pull request.
Or follow @JyrkiHei's workaround.

Br Manuel

bmargula commented 2 years ago

Having the same problem @mericstam. Has there been any prioritization done on this and are you able to provide an ETA?

mericstam commented 1 year ago

Unfortunately there is no ETA for the next feature-adding release. I belong to Solidify, a Microsoft partner, and we are maintaining this extension plus many more from MS DevLabs. The main goal is to keep them green, i.e. update security issues and update to later versions of dependencies, and, if we have time left, add features. MS DevLabs-issued extensions do not have the same official status as the ordinary Microsoft publisher ones. At the moment we are prioritizing the move to Node version 16. I have many things I would like to get into this extension, but at the moment bandwidth is low for Terraform extension features.

loopyd commented 1 year ago

Please use subscription scoped Service Principal RBAC in "Managed Group (auto)" mode for Service Connection to start with, then go to your tenant portal to make a small tweak.

Click on "Azure Active Directory" and then IAM.

Add the Service Principal to the Subscription IAM as "Contributor" to test this fix. Select "Users or Groups" after clicking the "+ Add" button, then in the blade on the right, start typing the name of the service principal (should be your organization name). It will appear and then you can select it, click apply, then move to Review, and commit the change.

Retry at this stage, it should work.

I recommend HIGHLY you define a custom role (best practice) instead of Contributor, to scope down permissions, this gets it working. I am able to use Managed Group mode now without this error and modify my storage accounts. You do not need to include subscription_id or reference to any secrets in your terraform (this is the goal!)

⛔ Please do NOT give an app "Contributor" and leave it this way in production. Scope down the SP's role in your subscription accordingly by spending a little time making a custom role that scopes out permissions your terraform needs to use. This recommendation is for testing purposes only.
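The two workarounds above (JyrkiHei's: keep the service connection subscription-scoped but grant the SPN RBAC at the management group; loopyd's: use a scoped-down custom role rather than Contributor) combined into one Azure CLI script. This is an added example, not code from the issue or from the azure-pipelines-terraform extension. The management group id, the SPN app id, the role name and the action list are hypothetical placeholders; the action list in particular only illustrates the shape of a least-privilege role and must be replaced with the actions your Terraform configuration actually needs.

```shell
#!/bin/sh
# Added example (not from the issue or the extension): grant the service
# connection's service principal RBAC at management-group scope using a
# custom role instead of Contributor. The service connection itself stays
# subscription-scoped, which is what the TerraformTaskV3 task requires to
# read subscriptionid for the backend; the SPN inherits the MG permission
# through the role assignment created here.
# Hypothetical values: MG id "contoso-root", app id
# "00000000-0000-0000-0000-000000000000", role name "Terraform MG Deployer".
set -eu

# Azure resource ID of a management group, i.e. the --scope string az expects.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Custom role definition in the JSON format accepted by `az role definition
# create`. The Actions list is illustrative only: trim or extend it to the
# operations your Terraform code performs at the MG level.
custom_role_json() {
  role_name="$1"; scope="$2"
  cat <<EOF
{
  "Name": "$role_name",
  "Description": "Least-privilege role for Terraform runs at management-group scope",
  "Actions": [
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Management/managementGroups/write",
    "Microsoft.Authorization/policyDefinitions/*",
    "Microsoft.Authorization/policyAssignments/*",
    "Microsoft.Authorization/roleAssignments/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["$scope"]
}
EOF
}

# Create the role definition and assign it to the SPN at the MG scope.
grant_mg_role() {
  mg_id="$1"; app_id="$2"; role_name="$3"
  scope=$(mg_scope "$mg_id")
  custom_role_json "$role_name" "$scope" > role.json
  az role definition create --role-definition @role.json
  # Object id of the SPN; current CLI versions expose it as "id".
  sp_object_id=$(az ad sp show --id "$app_id" --query id -o tsv)
  az role assignment create --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$role_name" --scope "$scope"
}

# The az calls need a logged-in CLI with rights on the MG; only run them
# when explicitly requested so the helper functions can be tested offline.
if [ "${RUN_AZ:-0}" = "1" ]; then
  grant_mg_role "contoso-root" "00000000-0000-0000-0000-000000000000" "Terraform MG Deployer"
fi
```

Run it with `RUN_AZ=1 sh grant-mg-role.sh` after `az login`. Two caveats a practitioner will want: an assignment at the management group is inherited by every subscription beneath it, so the role's Actions list is the only thing keeping the SPN from being a tenant-wide Contributor; and the `init` step in the original pipeline still needs a subscription-scoped service connection (`backendServiceArm`) because that is where the task reads the subscription id for the state storage account.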

stefanstranger commented 1 year ago

Hi @loopyd

Where can I find "Managed Group (auto)" mode for Service Connection?

[screenshot of the service connection scope options]

tjrobinson commented 1 year ago

Where can I find "Managed Group (auto)" mode for Service Connection?

I'm guessing they mean this:

[screenshot of the service connection scope options]