
I have been writing some Terraform and using Azure DevOps to deploy the pipeline. However, if I use a variable $(serviceconnection) for the service connection, it fails with the following error:

There was a resource authorization issue: "The pipeline is not valid. Job DeployDev: Step TerraformCLI1 input backendServiceArm references service connection $(serviceconnection) which could not be found. The service connection does not exist or has not been authorized for use.
I have tried authorising it but no luck. Is there any workaround?

The task is a YAML task to use Terraform, as below:

- task: charleszipp.azure-pipelines-tasks-terraform.azure-pipelines-tasks-terraform-cli.TerraformCLI@0
  displayName: 'Terraform Init'
  inputs:
    command: init
    workingDirectory: $(Agent.BuildDirectory)/a/azuredirectory/terraform
    backendType: azurerm
    backendServiceArm: $(serviceconnection)
    backendAzureRmResourceGroupName: $(ResourceGroupName)
    backendAzureRmStorageAccountName: $(StorageAccountName)
    backendAzureRmContainerName: $(ContainerName)
    backendAzureRmKey: $(AzureRmKey)

2 Answers


  1. You need to use template expression syntax for the service connection variable:

    backendServiceArm: ${{ variables.serviceconnection }}
    

    I imagine it’s because the service connection needs to be known before the pipeline runs.

    Sample use case. Using a variable file called variable.dev.yaml:

    variables:
      serviceconnection: my-dev-service-connection-name
    ...
    

    You could then reference that in your pipeline:

    jobs:
    - job: myJob
      ...
      variables:
      - template: ./variable.dev.yaml
      steps:
      - task: AzureCLI@2
        inputs:
          azureSubscription: ${{ variables.serviceconnection  }}
    ...
    
  2. If you want to use a runtime variable like $(serviceconnection), it is not supported now.

    You can use ${{ variables.serviceconnection }} as Thomas recommended. But this practice means that you have to specify variables in advance (before you run the pipeline).

    For service connections, you can specify a value directly or use the 'compile-time variable' ${{xxx}}, which will expand and then populate the service connection section with values before running. In this usage of $(xxx), the service connection of the task cannot be obtained, because this is a runtime value.

    The service connection needs to be specified before running. The changes (runtime changes) of the variables during the pipeline run will not be acquired by the service connection part of the subsequent task.

    You are using a runtime variable.

    But runtime variables aren’t supported for service connection or Azure subscription. The variable will get initialized at run time.

    https://github.com/microsoft/azure-pipelines-tasks/issues/10376#issuecomment-514477023

    You can follow the method below to use a different service connection:

    https://stackoverflow.com/a/57520153/6261890

    But I still need to point out that parameters are expanded just before the pipeline runs, so hardcoding the specific service connection is unavoidable; this is by design.

    This is also stated clearly in this official document:

    https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#use-a-service-connection

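A pre-queue check for the rule both answers describe, written here as an added example (not part of the original question or answers): it flags service connection inputs whose value still contains a `$(...)` runtime macro, which cannot be resolved when the pipeline is validated and authorized. The input names are the two shown on this page; the function name is hypothetical and the sample pipeline is constructed.

```python
import re

# Task inputs that name a service connection. Both come from this page;
# extend the set for the tasks you use (assumption: they use other input names).
SERVICE_CONNECTION_INPUTS = {"backendServiceArm", "azureSubscription"}

KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w.]*)\s*:\s*(.*?)\s*$")
RUNTIME_MACRO = re.compile(r"\$\([^)]+\)")  # $(name) is expanded only at run time


def find_runtime_service_connections(yaml_text, inputs=SERVICE_CONNECTION_INPUTS):
    """Return (line_no, input_name, value) for each service connection input
    that still depends on a runtime macro."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # a commented-out input is not evaluated
        match = KEY_VALUE.match(line)
        if not match or match.group(1) not in inputs:
            continue
        value = re.sub(r"\s+#.*$", "", match.group(2)).strip("'\"")
        if RUNTIME_MACRO.search(value):
            findings.append((line_no, match.group(1), value))
    return findings


# Constructed sample: one runtime macro, one template expression,
# one commented-out line, one value that is only partly runtime.
SAMPLE_PIPELINE = """\
steps:
- task: TerraformCLI@0
  inputs:
    command: init
    backendServiceArm: $(serviceconnection)
- task: AzureCLI@2
  inputs:
    azureSubscription: ${{ variables.serviceconnection }}
    # azureSubscription: $(old)
- task: AzureCLI@2
  inputs:
    azureSubscription: 'sc-$(environment)'  # partly runtime
"""

if __name__ == "__main__":
    for line_no, name, value in find_runtime_service_connections(SAMPLE_PIPELINE):
        print(f"line {line_no}: {name} uses runtime value {value!r}; "
              "use ${{ variables.<name> }} or a literal name instead")
```

Run against pipeline files in a pull-request check, this catches the error before the run is queued and keeps the set of service connections a pipeline can reach visible in review.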