i am trying to deploy azure resources through terraform and configured below task to run terraform init.
- task: TerraformTaskV4@4
inputs:
provider: 'azurerm'
command: 'init'
workingDirectory: '$(System.DefaultWorkingDirectory)/terraform'
commandOptions: '-migrate-state'
backendAzureRmUseEnvironmentVariablesForAuthentication: true
backendAzureRmUseEntraIdForAuthentication: true
backendServiceArm: 'xxxxxxxxxx'
backendAzureRmResourceGroupName: 'rg-terrstore-dev'
backendAzureRmStorageAccountName: 'saterrstordev'
backendAzureRmContainerName: 'terraformstates'
backendAzureRmKey: 'terraform-dev.tfstate'
when i run the pipeline it throwing the following error.
*Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account
the subscription has owner role on subscription and should be able to authenticate subscription. could someone suggest me what i am missing here.
Assuming your Azure Resource manager service connection is created with the underlying service principal (app registration not a managed identity), as far as I have tested to use the TerraformTaskV4@4
task to initialize terraform backend state in Azure storage account, we only need to make sure the underlying service principal (app registration) of the Azure Resource Manager service connection is assigned with the contributor role to the scope of the subscription.
Besides, please remove the options to use backendAzureRmUseEnvironmentVariablesForAuthentication
and backendAzureRmUseEntraIdForAuthentication
, since the task will use the service principal information stored in the ARM service connection to authenticate access to Azure subscription and storage account.
- task: TerraformTaskV4@4
displayName: terraform init
inputs:
provider: 'azurerm'
command: 'init'
workingDirectory: '$(System.DefaultWorkingDirectory)/RGEmptyBackend'
# backendAzureRmUseEnvironmentVariablesForAuthentication: true
# backendAzureRmUseEntraIdForAuthentication: true
backendServiceArm: 'ARMSvcCnnWIFTerraform'
backendAzureRmResourceGroupName: '$(ARM_RESOURCE_GROUP_NAME)'
backendAzureRmStorageAccountName: '$(ARM_STORAGE_ACCOUNT_NAME)'
backendAzureRmContainerName: '$(ARM_CONTAINER_NAME)'
backendAzureRmKey: 'rg/rgemptybackend.tfstate'
You may follow the marks in the screenshots below to double check if the underlying service principal (app registration) is granted with sufficient permissions, redirecting from the ARM service connection in your Project Settings (ARMSvcCnnWIFTerraform
in my case) that is referenced by this task. If your ARM service connection was created with service principal client id and secret rather than wiht workload identity federation authentication, you may also try to Edit and Verify the service connection.
If you happen to know the ARM_CLIENT_ID
and ARM_CLIENT_SECRET
etc. information of the service principle, you may consider using a simple script for terraform init
as a possible workaround or as a method to double check principal permissions in your local environment or via pipelines. Here are the samples for your reference.
# Configure Terraform
variable "RGNAME" {
type = string
}
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.42.0"
}
azuread = {
source = "hashicorp/azuread"
version = "~> 2.0"
}
}
backend "azurerm" {}
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "rg" {
name = var.RGNAME
location = "Southeast Asia"
}
output "test" {
value = azurerm_resource_group.rg.id
}
variables:
- name: ARM_CLIENT_ID
value: 2d06022b-xxxxxx
- ARM_CLIENT_SECRET
value: xxxxxx
- ARM_SUBSCRIPTION_ID
value: xxxxxx
- ARM_TENANT_ID
value: xxxxxx
- name: ARM_RESOURCE_GROUP_NAME
value: rg-azstorageaccount
- name: ARM_STORAGE_ACCOUNT_NAME
value: azstorageaccountxxxxxx
- name: ARM_CONTAINER_NAME
value: containerxxxxxx
pool:
vmImage: ubuntu-latest
steps:
- task: TerraformInstaller@1
inputs:
terraformVersion: 'latest'
- script: |
terraform init -backend-config="resource_group_name=$(ARM_RESOURCE_GROUP_NAME)" -backend-config="storage_account_name=$(ARM_STORAGE_ACCOUNT_NAME)" -backend-config="container_name=$(ARM_CONTAINER_NAME)" -backend-config="key=rg/rg-sp-emptybackend.tfstate"
terraform apply -auto-approve -input=false -var "RGNAME=${{ parameters.TF_VAR_RGNAME }}-$(Build.BuildId)"
workingDirectory: '$(System.DefaultWorkingDirectory)/RGEmptyBackend'
env:
ARM_CLIENT_ID: $(ARM_CLIENT_ID)
ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID)
ARM_TENANT_ID: $(ARM_TENANT_ID)