Tags: azure-devops, terraform, azure-pipelines, gitops

Access an Azure DevOps repository from GitOps (Flux) via Terraform


I'm trying to figure out how to specify the password for an Azure DevOps git repository in a Terraform resource. I'm deploying infrastructure by pipeline with inputs.azureSubscription, then deploying an AKS cluster by Terraform from this pipeline and adding a GitOps configuration (azurerm_kubernetes_flux_configuration), but I cannot figure out how to set the credentials for git. It seems it is possible by setting TF_VAR_name from the Azure pipeline and setting the PAT from a particular pipeline step's task.env: [TF_VAR_my_git_access_token] $(ACCESS_TOKEN), but I'm sure this is best practice because I have to store it in KeyVault and then pick it up, and the second thing is that I do not manage this PAT. Could you explain how to set azurerm_kubernetes_flux_configuration in the correct way? Maybe somehow through the CSI driver to KeyVault, deploy it with a federated identity, or deploy it by helm charts after the secret is created through CSI. Thank you!


Solution

  • Based on your requirement, you are deploying infrastructure via Azure Pipelines and don't want to manage a PAT.

    I suggest that you directly use the predefined variable $(System.AccessToken) in Azure Pipelines if the repo and the pipeline are in the same organization.

    This variable is valid while the pipeline is running, and it uses the Build Service account to access the Azure Repo.

    It is automatically refreshed every time the build runs, so you don't have to manage it.

    You can refer to the following steps:

    Step 1: Grant Read permission on the repo to the build service accounts: YourProjectName Build Service (YourOrgName) and Project Collection Build Service (YourOrgName).


    Note: When you use a classic pipeline, you need to enable the option "Allow scripts to access the OAuth token".

    Step 2: Pass the variable through the environment.

    variables: 
      # Terraform reads any TF_VAR_<name> environment variable as the value of variable "<name>".
      TF_VAR_my_git_access_token: $(system.accesstoken)
    
    steps:
    # -input=false and -auto-approve keep apply non-interactive; without them the step would block on the approval prompt.
    - powershell: 'terraform apply -input=false -auto-approve'
      displayName: 'PowerShell Script'
    

    Or

    - task: TerraformTaskV4@4
      displayName: 'Terraform : azurerm'
      inputs:
        provider: azurerm
        command: apply
        # Note: a -var on the command line is visible in the logged terraform invocation; the env mapping above keeps it out of the log.
        commandOptions: '-var="my_git_access_token=$(system.accesstoken)"'
        environmentServiceNameAzureRM: AzureServiceConnection
    

    Step 3: Use the variable in the Terraform file.

    For example:

    variable "my_git_access_token" {
      type      = string
      # Marked sensitive so the token is redacted from plan/apply output and state diffs.
      sensitive = true
    }
    
    resource "azurerm_kubernetes_flux_configuration" "example" {
      name       = "example-fc"
      # azurerm_kubernetes_cluster.test is the AKS cluster defined elsewhere in this configuration.
      cluster_id = azurerm_kubernetes_cluster.test.id
      namespace  = "flux"
    
      git_repository {
        # Azure Repos HTTPS URL, e.g. https://dev.azure.com/<org>/<project>/_git/<repo>
        url             = "repourl"
        reference_type  = "branch"
        reference_value = "main"
        # The token is sent as the HTTP basic-auth password; Azure DevOps accepts any
        # non-empty user name alongside a token, so a placeholder is used here.
        https_user       = "git"
        https_key_base64 = base64encode(var.my_git_access_token)
      }
    
      kustomizations {
        name = "kustomization-1"
      }
    
      # The Flux extension (microsoft.flux) must be installed on the cluster before the configuration is created.
      depends_on = [
        azurerm_kubernetes_cluster_extension.example
      ]
    }
    

    For more detail, refer to the docs: System.AccessToken, and Access repositories, artifacts, and other resources.
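The three steps above as one complete Azure Pipelines job, added here as an example; it is not the answerer's code. It assumes a service connection named AzureServiceConnection, a Terraform directory named infra, an azurerm remote-state backend whose settings are left as placeholders, and the org/project/repo placeholders in REPO_API_URL. Before touching Terraform it checks that the job's OAuth token can actually read the GitOps repository (the Step 1 permission grant), then passes the token to Terraform as TF_VAR_my_git_access_token through env rather than -var, so it never appears in the logged command line.

```yaml
# Added example (not part of the original answer). Placeholders in <...> and the
# names AzureServiceConnection / infra are assumptions.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Azure DevOps REST endpoint for the GitOps repo; replace the placeholders.
  REPO_API_URL: 'https://dev.azure.com/<org>/<project>/_apis/git/repositories/<repo>?api-version=7.0'
  TF_WORKDIR: 'infra'

steps:
  # Preflight for Step 1: prove the job token can read the repo before running
  # terraform, so a missing Read grant on the build service account fails here
  # with an actionable message instead of inside the Flux extension later.
  - bash: |
      set -euo pipefail
      status=$(curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer ${SYSTEM_ACCESSTOKEN}" "${REPO_API_URL}")
      if [ "${status}" != "200" ]; then
        echo "##vso[task.logissue type=error]Repo read check returned HTTP ${status}. Grant Read on the repository to the build service account (Step 1)."
        exit 1
      fi
    displayName: 'Check that the build service account can read the GitOps repo'
    env:
      # $(System.AccessToken) is only available to scripts when mapped explicitly.
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)

  - task: TerraformInstaller@1
    displayName: 'Install Terraform'
    inputs:
      terraformVersion: 'latest'

  - task: TerraformTaskV4@4
    displayName: 'Terraform init'
    inputs:
      provider: 'azurerm'
      command: 'init'
      workingDirectory: '$(TF_WORKDIR)'
      backendServiceArm: 'AzureServiceConnection'
      backendAzureRmResourceGroupName: '<state-rg>'
      backendAzureRmStorageAccountName: '<statestorageaccount>'
      backendAzureRmContainerName: '<tfstate>'
      backendAzureRmKey: 'aks-gitops.tfstate'

  - task: TerraformTaskV4@4
    displayName: 'Terraform apply (AKS + Flux configuration)'
    inputs:
      provider: 'azurerm'
      command: 'apply'
      workingDirectory: '$(TF_WORKDIR)'
      commandOptions: '-input=false'
      environmentServiceNameAzureRM: 'AzureServiceConnection'
    env:
      # Supplied as an environment variable, not as -var on the command line, so the
      # token is not echoed in the logged terraform invocation. Terraform maps
      # TF_VAR_my_git_access_token to variable "my_git_access_token" (Step 3).
      TF_VAR_my_git_access_token: $(System.AccessToken)
      # Caveat: System.AccessToken is scoped to this job and stops working when the
      # job ends, while Flux stores the credential in a cluster secret and keeps
      # polling the repo afterwards. This is fine for a one-shot bootstrap of the
      # configuration; for ongoing reconciliation Flux needs a credential that
      # outlives the job (a PAT kept in Key Vault, or SSH with a deploy key).
```

The preflight step uses the token as a Bearer token against the Git REST API, which is the documented way to call Azure DevOps with System.AccessToken; the Flux side uses the same token as the HTTPS basic-auth password, so a 200 here means the Step 1 grant is in place for both.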