azure, azure-devops, terraform, workload-identity

Unable to execute Terraform after converting Service Connection to Workload Identity


In Azure DevOps, I recently converted the Service Connection to using WLID and now I'm getting the message:

Error: Backend configuration changed

A change in the backend configuration has been detected, which may require migrating existing state.

I added the following to the backend

    use_azuread_auth = true
    use_oidc = true

I also added use_oidc = true to the provider

Any thoughts on this?


Solution

  • I had a similar issue during Service Principal migration. You need to install a newer version of Terraform CLI to use the OIDC (OpenID connection) authentication option. After that, you need to authenticate using a Service Principal with Open ID Connect by setting the necessary environment variables using the AzureCLI@2 task in the azure-pipelines.yaml file:

        steps:
        - task: TerraformInstaller@1
          inputs:
            terraformVersion: 1.10.4
          displayName: Install Terraform 1.10.4

        - task: AzureCLI@2
          inputs:
            azureSubscription: $(serviceConnectionName)
            addSpnToEnvironment: true
            scriptType: bash
            scriptLocation: inlineScript
            inlineScript: |
              echo "##vso[task.setvariable variable=ARM_USE_OIDC]true"
              echo "##vso[task.setvariable variable=ARM_OIDC_TOKEN]$idToken"
              echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
              echo "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$(az account show --query id -o tsv)"
              echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
          displayName: Set the ARM environment variables

        - task: TerraformTaskV4@4
          displayName: Initialize Terraform
          inputs:
            provider: azurerm
            command: init
            backendServiceArm: $(serviceConnectionName)
            backendAzureRmResourceGroupName: $(resourceGroupName)
            backendAzureRmStorageAccountName: azweaapdwisdomaiblobv2
            backendAzureRmContainerName: terraform-container
            backendAzureRmKey: terraform.tfstate
            backendAzureRmUseEnvironmentVariablesForAuthentication: true
            # Use this option temporarily if you need to update the backend state
            # commandOptions: -reconfigure
            workingDirectory: $(System.DefaultWorkingDirectory)/terraform


    It is important to set the addSpnToEnvironment to true so that you can access the servicePrincipalId, servicePrincipalKey or idToken, and tenantId variables in your script.

    Also, don't forget to set the backendAzureRmUseEnvironmentVariablesForAuthentication to true in order to use the environment variables for authentication.

    If you get an error because a change in the backend configuration has been detected, then use `commandOptions: -reconfigure` to store the current configuration in the state.
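A pre-flight check that fits between the AzureCLI@2 step and the Terraform init task, added here as an example and not part of the original answer: it confirms that every ARM_* variable the azurerm backend needs for OIDC is set and that the federated ID token carried in ARM_OIDC_TOKEN has not already expired, which otherwise surfaces only as an opaque authentication failure at init. The claim names are standard JWT claims; everything else about the pipeline is assumed to match the answer above.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original answer. Run it in the same
# job after the AzureCLI@2 step and before `terraform init` to confirm that the
# ARM_* variables set there are present and that ARM_OIDC_TOKEN (the idToken
# exposed by addSpnToEnvironment) is still valid. Claim names are standard JWT claims.

# Decode a base64url string; JWT segments are unpadded, so restore the '='.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the value of a top-level claim from the payload (2nd segment) of a JWT.
jwt_claim() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# Return 0 when the variables the azurerm backend/provider need for OIDC auth
# are all set and the token is unexpired; otherwise report the problem, return 1.
check_arm_oidc_env() {
  ok=0
  for name in ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID ARM_OIDC_TOKEN; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then echo "missing: $name"; ok=1; fi
  done
  if [ "${ARM_USE_OIDC:-}" != "true" ]; then echo "ARM_USE_OIDC is not 'true'"; ok=1; fi
  [ "$ok" -eq 0 ] || return 1
  exp=$(jwt_claim "$ARM_OIDC_TOKEN" exp)
  now=$(date +%s)
  if [ -z "$exp" ] || [ "$exp" -le "$now" ]; then
    echo "ARM_OIDC_TOKEN has no exp claim or is already expired"; return 1
  fi
  echo "OIDC environment looks good (client $ARM_CLIENT_ID, tenant $ARM_TENANT_ID)"
  return 0
}

# Typical use inside the pipeline's inline script:
# check_arm_oidc_env && terraform init -reconfigure
```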