
I’m setting up a CI/CD pipeline in Azure DevOps to automate Terraform deployments.

My service connection uses a federated identity and a user-assigned managed identity for authentication. Despite my efforts, I’m encountering issues during the terraform init step, where the process fails to authenticate correctly.

Pipeline Configuration:

Here’s the configuration of my Azure DevOps pipeline:

trigger:
- none

variables:
  terraform_version: '1.8.5'
  azure_service_connection_name: 'it-sandbox-connection'

parameters:
  - name: resource_group
    displayName: 'Resource Group'
    type: string
    default: 'browser-euw-poc-rg-01'
    values:
      - browser-poc-rg-01
      - centralrepository-euw-poc-rg-01
      - data-euw-poc-rg-01

  - name: terraform_action
    displayName: 'Terraform Action'
    type: string
    default: 'plan'
    values:
      - plan
      - apply
      - destroy

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Terraform
    jobs:
      - job: InstallTerraform
        displayName: 'Install Terraform'
        steps:
          - task: TerraformInstaller@0
            inputs:
              terraformVersion: '$(terraform_version)'

      - job: InitTerraform
        displayName: 'Initialize Terraform'
        dependsOn: InstallTerraform
        steps:
          - checkout: self
          
          - task: TerraformCLI@0
            displayName: 'Terraform Init'
            inputs:
              command: 'init'
              workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
              backendServiceArm: '$(azure_service_connection_name)'

      - job: TerraformPlanApplyDestroy
        displayName: 'Run Terraform Action'
        dependsOn: InitTerraform
        condition: succeeded()
        steps:
          - checkout: self

          - task: TerraformCLI@0
            displayName: 'Run Terraform Action'
            inputs:
              # parameters are template expressions; the $( ) macro syntax does not expand them
              command: '${{ parameters.terraform_action }}'
              workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
              environmentServiceNameAzureRM: '$(azure_service_connection_name)'
              commandOptions: '-var-file=terraform.tfvars'

Provider Configuration:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.39.1"
    }
  }

  backend "azurerm" {
    resource_group_name  = "terraform-rg-01"
    storage_account_name = "terrastatepocst01"
    container_name       = "tfstate"
    key                  = "browser-euw-poc-rg-01/terraform.tfstate"
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
  }
  skip_provider_registration = true
}

During terraform init I get this error:

Initializing the backend...
Initializing modules...
- app_service_plan in ../modules/app_service_plan
- storage_account in ../modules/storage_account
- web_app in ../modules/web_app
╷
│ Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

The user-assigned identity has Contributor on the subscription.

2 Answers
  1. You’re on the right track with authenticating using a (user) managed identity. Follow this guide.

    TL;DR:

    Create a user assigned managed identity. You could assign it more fine-grained RBAC roles, but if you don’t want to think, just assign it the Contributor role to your subscription.

    Modify your Terraform Backend configuration:

    terraform {
      backend "azurerm" {
        ...
        use_msi              = true
        client_id            = "<your-managed-identity-client-id>"
      }
    }
    

    Add a DevOps step before Terraform executes to log in using the managed identity.

    - task: AzureCLI@2
      inputs:
        azureSubscription: '<your-service-connection-name>'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          az login --identity --username <your-managed-identity-client-id>
    

    Terraform should now be able to execute.

  2. Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run ‘az login’ to setup account.

    I can reproduce the same error; it is caused by the missing backendType: 'azurerm' parameter for the TerraformCLI@0 task.

              - task: TerraformCLI@0
                displayName: 'Terraform Init'
                inputs:
                  command: 'init'
                  #workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
                  backendType: 'azurerm'
                  backendServiceArm: '$(azure_service_connection_name)'
    

    To use a user-assigned managed identity, you should put use_msi = true in the provider "azurerm" block. Please refer to the doc Configuring with the provider block and the sample here.

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "3.39.1"
        }
      }
    
      backend "azurerm" {
        resource_group_name  = "terraform-rg-01"
        storage_account_name = "terrastatepocst01"
        container_name       = "tfstate"
        key                  = "browser-euw-poc-rg-01/terraform.tfstate"
      }
    }
    
    provider "azurerm" {
      features {
        key_vault {
          purge_soft_delete_on_destroy = false
        }
      }
      skip_provider_registration = true
      use_msi = true
    }
    

    In addition, you should put all Terraform tasks (init, plan, apply, etc.) in one job; otherwise the later steps will not find the init info.

    The YAML:

    variables:
      terraform_version: '1.8.5'
      azure_service_connection_name: 'ARMConn1'
    
    parameters:
      - name: resource_group
        displayName: 'Resource Group'
        type: string
        default: 'browser-euw-poc-rg-01'
    
    pool:
      vmImage: 'ubuntu-latest'
    
    stages:
      - stage: Terraform
        jobs:
          - job: InitTerraform
            displayName: 'Initialize Terraform'
            steps:
              - checkout: self
              
              - task: JasonBJohnson.azure-pipelines-tasks-terraform.azure-pipelines-tasks-terraform-installer.TerraformInstaller@2
                inputs:
                  terraformVersion: '$(terraform_version)'
    
              - task: TerraformCLI@0
                displayName: 'Terraform Init'
                inputs:
                  command: 'init'
                  #workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
                  backendType: 'azurerm'
                  backendServiceArm: '$(azure_service_connection_name)'
               
               # add your terraform plan,apply tasks...
    

    The terraform init succeeds:

    [screenshot: terraform init output]

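The two answers above each fix one part of the problem (the managed-identity login and the missing backendType plus split jobs). The pipeline below is an added example, not code from the asker or either answerer, that puts both fixes into one job. It assumes that the repository's backend "azurerm" block already carries use_msi = true and the identity's client_id as in answer 1, that the pool name 'tf-agents' is a self-hosted pool (or VM scale set) whose machines have the user-assigned managed identity attached, and that the values in angle brackets are placeholders. The pool assumption matters: az login --identity and use_msi both read the Azure Instance Metadata Service, which is only reachable from an Azure VM, so a Microsoft-hosted ubuntu-latest agent would still fail with the same 'az login' error.

```yaml
# Added example: single-job Terraform pipeline using a user-assigned managed identity.
# Assumptions: backend block in the repo sets use_msi = true and client_id;
# 'tf-agents' is a self-hosted pool with the identity attached; <...> are placeholders.
trigger:
- none

parameters:
  - name: resource_group
    displayName: 'Resource Group'
    type: string
    default: 'browser-euw-poc-rg-01'
    values:
      - browser-euw-poc-rg-01
      - centralrepository-euw-poc-rg-01
      - data-euw-poc-rg-01
  - name: terraform_action
    displayName: 'Terraform Action'
    type: string
    default: 'plan'
    values:
      - plan
      - apply
      - destroy

variables:
  terraform_version: '1.8.5'
  azure_service_connection_name: 'it-sandbox-connection'
  managed_identity_client_id: '<your-managed-identity-client-id>'   # placeholder
  # Parameters are expanded at template time, so ${{ }} is required here;
  # the $( ) macro syntax used for terraform_action in the question does not resolve them.
  tf_dir: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'

pool:
  name: 'tf-agents'   # assumption: self-hosted pool whose VMs carry the managed identity

stages:
  - stage: Terraform
    jobs:
      # Install, login, init and the chosen action all run in ONE job: a separate job
      # lands on a fresh agent without the .terraform directory that init created.
      - job: Terraform
        displayName: 'Terraform ${{ parameters.terraform_action }}'
        steps:
          - checkout: self

          - task: TerraformInstaller@0
            inputs:
              terraformVersion: '$(terraform_version)'

          # Log in as the user-assigned identity before any Terraform command so the
          # azurerm backend and provider can obtain a token through the Azure CLI.
          - task: AzureCLI@2
            displayName: 'Login with managed identity'
            inputs:
              azureSubscription: '$(azure_service_connection_name)'
              scriptType: 'bash'
              scriptLocation: 'inlineScript'
              inlineScript: |
                set -euo pipefail
                az login --identity --username "$(managed_identity_client_id)"
                # Fail fast and record which subscription and identity this run acts as.
                az account show --query '{name:name, id:id, user:user.name}' --output table

          - task: TerraformCLI@0
            displayName: 'Terraform Init'
            inputs:
              command: 'init'
              workingDirectory: '$(tf_dir)'
              backendType: 'azurerm'          # the parameter missing from the question
              backendServiceArm: '$(azure_service_connection_name)'

          - task: TerraformCLI@0
            displayName: 'Terraform ${{ parameters.terraform_action }}'
            inputs:
              command: '${{ parameters.terraform_action }}'
              workingDirectory: '$(tf_dir)'
              environmentServiceNameAzureRM: '$(azure_service_connection_name)'
              commandOptions: '-var-file=terraform.tfvars'
```

The az account show line is there for diagnosability: when init fails, the log then shows whether the login step ran as the intended identity or as something else. Because this identity can run destroy, keep its RBAC narrower than Contributor on the whole subscription where you can: the resource groups listed under the resource_group parameter plus data-plane access to the tfstate container are what the pipeline actually needs.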