Terraform tasks to deploy on azure cloud
i am trying to deploy azure resources through terraform and configured below task to run terraform init.
- task: TerraformTaskV4@4
inputs:
provider: 'azurerm'
command: 'init'
workingDirectory: '$(System.DefaultWorkingDirectory)/terraform'
commandOptions: '-migrate-state'
backendAzureRmUseEnvironmentVariablesForAuthentication: true
backendAzureRmUseEntraIdForAuthentication: true
backendServiceArm: 'xxxxxxxxxx'
backendAzureRmResourceGroupName: 'rg-terrstore-dev'
backendAzureRmStorageAccountName: 'saterrstordev'
backendAzureRmContainerName: 'terraformstates'
backendAzureRmKey: 'terraform-dev.tfstate'
when i run the pipeline it throwing the following error.
*Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account
the subscription has owner role on subscription and should be able to authenticate subscription. could someone suggest me what i am missing here.
Assuming your Azure Resource manager service connection is created with the underlying service principal (app registration not a managed identity), as far as I have tested to use the TerraformTaskV4@4 task to initialize terraform backend state in Azure storage account, we only need to make sure the underlying service principal (app registration) of the Azure Resource Manager service connection is assigned with the contributor role to the scope of the subscription.
Besides, please remove the options to use backendAzureRmUseEnvironmentVariablesForAuthenticationand backendAzureRmUseEntraIdForAuthentication, since the task will use the service principal information stored in the ARM service connection to authenticate access to Azure subscription and storage account.
- task: TerraformTaskV4@4
displayName: terraform init
inputs:
provider: 'azurerm'
command: 'init'
workingDirectory: '$(System.DefaultWorkingDirectory)/RGEmptyBackend'
# backendAzureRmUseEnvironmentVariablesForAuthentication: true
# backendAzureRmUseEntraIdForAuthentication: true
backendServiceArm: 'ARMSvcCnnWIFTerraform'
backendAzureRmResourceGroupName: '$(ARM_RESOURCE_GROUP_NAME)'
backendAzureRmStorageAccountName: '$(ARM_STORAGE_ACCOUNT_NAME)'
backendAzureRmContainerName: '$(ARM_CONTAINER_NAME)'
backendAzureRmKey: 'rg/rgemptybackend.tfstate'
You may follow the marks in the screenshots below to double check if the underlying service principal (app registration) is granted with sufficient permissions, redirecting from the ARM service connection in your Project Settings (ARMSvcCnnWIFTerraform in my case) that is referenced by this task. If your ARM service connection was created with service principal client id and secret rather than wiht workload identity federation authentication, you may also try to Edit and Verify the service connection.
If you happen to know the ARM_CLIENT_ID and ARM_CLIENT_SECRET etc. information of the service principle, you may consider using a simple script for terraform init as a possible workaround or as a method to double check principal permissions in your local environment or via pipelines. Here are the samples for your reference.
# Configure Terraform
variable "RGNAME" {
type = string
}
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.42.0"
}
azuread = {
source = "hashicorp/azuread"
version = "~> 2.0"
}
}
backend "azurerm" {}
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "rg" {
name = var.RGNAME
location = "Southeast Asia"
}
output "test" {
value = azurerm_resource_group.rg.id
}
variables:
- name: ARM_CLIENT_ID
value: 2d06022b-xxxxxx
- ARM_CLIENT_SECRET
value: xxxxxx
- ARM_SUBSCRIPTION_ID
value: xxxxxx
- ARM_TENANT_ID
value: xxxxxx
- name: ARM_RESOURCE_GROUP_NAME
value: rg-azstorageaccount
- name: ARM_STORAGE_ACCOUNT_NAME
value: azstorageaccountxxxxxx
- name: ARM_CONTAINER_NAME
value: containerxxxxxx
pool:
vmImage: ubuntu-latest
steps:
- task: TerraformInstaller@1
inputs:
terraformVersion: 'latest'
- script: |
terraform init -backend-config="resource_group_name=$(ARM_RESOURCE_GROUP_NAME)" -backend-config="storage_account_name=$(ARM_STORAGE_ACCOUNT_NAME)" -backend-config="container_name=$(ARM_CONTAINER_NAME)" -backend-config="key=rg/rg-sp-emptybackend.tfstate"
terraform apply -auto-approve -input=false -var "RGNAME=${{ parameters.TF_VAR_RGNAME }}-$(Build.BuildId)"
workingDirectory: '$(System.DefaultWorkingDirectory)/RGEmptyBackend'
env:
ARM_CLIENT_ID: $(ARM_CLIENT_ID)
ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
ARM_TENANT_ID: $(ARM_TENANT_ID)
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?