microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License
387 stars 280 forks

creating keyvault-linked variable group fails with Workload Federated Identity service connection (OIDC) #1069

Open digorgonzola opened 5 months ago

digorgonzola commented 5 months ago

Terraform (and Azure DevOps Provider) Version

Terraform v1.8.5 AzureDevops provider v1.1.1

Affected Resource(s)

azuredevops_variable_group

Terraform Configuration Files

resource "azuredevops_variable_group" "kv" {
  count        = var.enable_azdo && length(var.service_connections) > 0 ? 1 : 0
  project_id   = azuredevops_project.this[0].id
  name         = module.keyvault[0].resource.name
  description  = "Keyvault-linked variable group"
  allow_access = true

  key_vault {
    name                = module.keyvault[0].resource.name
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.this[local.platform_spn].id
  }

  variable {
    name = "dummy-secret"
  }

  depends_on = [
    time_sleep.wait_for_rbac_before_variable_group_operations
  ]
}

resource "time_sleep" "wait_for_rbac_before_variable_group_operations" {
  count = var.enable_azdo && length(var.service_connections) > 0 ? 1 : 0

  create_duration = "2m"
  depends_on = [
    module.keyvault[0]
  ]
}

Debug Output

debug logs

Panic Output

Expected Behavior

The key vault linked variable is created

Actual Behavior

Terraform fails to create the resource with the following error:

 Error: Expanding variable group resource data: Failed to get the Azure Key value. Error: ( code: badRequest, messge: Failed to generate an OIDC token for service principal d404bcdc-3806-4a3a-8966-e15378a322f7 )

Steps to Reproduce

  1. terraform apply

Important Factoids

Works perfectly fine if I use a PAT for the Azure DevOps provider.

Provider config using managed identity:

provider "azuredevops" {
  org_service_url = var.org_service_url
  use_msi         = true
}

References

gregbaleyy commented 4 months ago

I face the same issue. Creating the variable group by hand in the Azure DevOps portal doesn't seem to work either. @digorgonzola, is creating the very same variable group through the portal working on your side?

FYI: I opened an issue on the Developer Community as well.

gregbaleyy commented 4 months ago

@digorgonzola, I made it work. The issue on my side was that my key vault is behind a private endpoint, but Azure DevOps tries to list the secrets from its public IP. I whitelisted the Azure DevOps public IP on the key vault firewall and it works like a charm!
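The finding above (vault firewall set to Deny, Azure DevOps calling in from its public address space) can be checked offline before touching any firewall rule. The script below is an added example and is not code from this thread or from the terraform-provider-azuredevops project. It assumes the JSON shape returned by `az keyvault show` (`properties.publicNetworkAccess` and `properties.networkAcls`), the sample vault documents are constructed, and the Azure DevOps egress ranges are placeholder CIDRs standing in for the real `AzureDevOps` service tag ranges.

```python
import ipaddress
import json

# Constructed placeholder egress ranges standing in for the Azure DevOps
# service tag; these are documentation prefixes, not real Azure DevOps addresses.
ADO_EGRESS_RANGES_PLACEHOLDER = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample of `az keyvault show` output, trimmed to the fields this
# check reads: public access on, firewall defaultAction Deny, one unrelated rule.
SAMPLE_KV_FIREWALLED = json.dumps({
    "name": "kv-example",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [{"value": "192.0.2.10/32"}],
            "virtualNetworkRules": [],
        },
    },
})

# Same constructed vault after the Azure DevOps ranges were added as IP rules.
SAMPLE_KV_ALLOWLISTED = json.dumps({
    "name": "kv-example",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [{"value": "192.0.2.10/32"},
                        {"value": "203.0.113.0/24"},
                        {"value": "198.51.100.0/24"}],
        },
    },
})

# Constructed vault with public network access switched off entirely.
SAMPLE_KV_PRIVATE_ONLY = json.dumps({
    "name": "kv-example",
    "properties": {"publicNetworkAccess": "Disabled",
                   "networkAcls": {"defaultAction": "Deny", "ipRules": []}},
})


def parse_network_config(kv_json: str) -> dict:
    """Extract the public-access settings from `az keyvault show` JSON."""
    props = json.loads(kv_json)["properties"]
    acls = props.get("networkAcls") or {}
    # A vault with no networkAcls block behaves as defaultAction Allow, and a
    # missing publicNetworkAccess behaves as Enabled.
    return {
        "public_network_access": props.get("publicNetworkAccess", "Enabled"),
        "default_action": acls.get("defaultAction", "Allow"),
        "ip_rules": [ipaddress.ip_network(r["value"], strict=False)
                     for r in acls.get("ipRules") or []],
    }


def uncovered_ranges(ip_rules, client_ranges):
    """Return the client CIDRs not fully contained in any firewall IP rule."""
    missing = []
    for cidr in client_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == rule.version and net.subnet_of(rule)
                   for rule in ip_rules):
            missing.append(cidr)
    return missing


def ado_reachability(kv_json: str, ado_ranges) -> tuple:
    """Classify whether Azure DevOps' public egress can reach the vault.

    Returns ("blocked" | "reachable", reason). The AzureServices bypass did
    not help in the finding this example accompanies, so it is ignored here.
    """
    cfg = parse_network_config(kv_json)
    if cfg["public_network_access"].lower() == "disabled":
        return ("blocked", "publicNetworkAccess is Disabled; only private "
                "endpoints can reach the vault, and Azure DevOps connects "
                "from the public internet")
    if cfg["default_action"].lower() == "allow":
        return ("reachable", "firewall defaultAction is Allow")
    missing = uncovered_ranges(cfg["ip_rules"], ado_ranges)
    if missing:
        return ("blocked", "defaultAction is Deny and no ipRule covers: "
                + ", ".join(missing))
    return ("reachable", "defaultAction is Deny but every Azure DevOps range "
            "is covered by an ipRule")


if __name__ == "__main__":
    for label, sample in [("firewalled", SAMPLE_KV_FIREWALLED),
                          ("allowlisted", SAMPLE_KV_ALLOWLISTED),
                          ("private-only", SAMPLE_KV_PRIVATE_ONLY)]:
        verdict, why = ado_reachability(sample, ADO_EGRESS_RANGES_PLACEHOLDER)
        print(f"{label:12s} {verdict:9s} {why}")
```

Feed it the real output of `az keyvault show --name <vault> -o json` and the current `AzureDevOps` service tag prefixes instead of the placeholders. A "blocked" verdict points at the firewall explanation from this comment; a "reachable" verdict means the OIDC token error is coming from somewhere else (provider identity or tenant), which is the situation the later comments describe. Adding the Azure DevOps ranges as IP rules admits every tenant's Azure DevOps traffic, not just your own organisation, so the vault's RBAC scope for the service connection's principal is what actually bounds what can be read once the firewall lets the call through.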

ando--io commented 3 months ago

We do face the same issue in a similar configuration. The same error message, 'Failed to generate an OIDC token', is generated while trying to update a variable group backed by a key vault. The error is generated when the DevOps provider uses service principal secret authentication. It works and updates the group if we switch to PAT authentication.

Creating a var group manually with the involved service connection works without any warning.

Our DevOps organization is not connected to the same tenant as our Azure Key Vault. When using the service principal secret auth, the service principal belongs to the DevOps org's AD and has no permission on the target Azure subscription.

digorgonzola commented 2 months ago

> @digorgonzola, I made it work. The issue on my side was that my key vault is behind a private endpoint, but Azure DevOps tries to list the secrets from its public IP. I whitelisted the Azure DevOps public IP on the key vault firewall and it works like a charm!

I think this might be a red herring, @gregbaleyy.

We do not restrict access to the keyvault and it still fails...