I’m setting up a CI/CD pipeline in Azure DevOps to automate Terraform deployments.
My service connection uses a federated identity and a user-assigned managed identity for authentication. Despite my efforts, I’m encountering issues during the terraform init step, where the process fails to authenticate correctly.
Pipeline Configuration:
Here’s the configuration of my Azure DevOps pipeline:
```yaml
trigger:
- none

variables:
  terraform_version: '1.8.5'
  azure_service_connection_name: 'it-sandbox-connection'

parameters:
- name: resource_group
  displayName: 'Resource Group'
  type: string
  default: 'browser-euw-poc-rg-01'
  values:
  - browser-poc-rg-01
  - centralrepository-euw-poc-rg-01
  - data-euw-poc-rg-01
- name: terraform_action
  displayName: 'Terraform Action'
  type: string
  default: 'plan'
  values:
  - plan
  - apply
  - destroy

pool:
  vmImage: 'ubuntu-latest'

stages:
- stage: Terraform
  jobs:
  - job: InstallTerraform
    displayName: 'Install Terraform'
    steps:
    - task: TerraformInstaller@0
      inputs:
        terraformVersion: '$(terraform_version)'
  - job: InitTerraform
    displayName: 'Initialize Terraform'
    dependsOn: InstallTerraform
    steps:
    - checkout: self
    - task: TerraformCLI@0
      displayName: 'Terraform Init'
      inputs:
        command: 'init'
        workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
        backendServiceArm: '$(azure_service_connection_name)'
  - job: TerraformPlanApplyDestroy
    displayName: 'Run Terraform Action'
    dependsOn: InitTerraform
    condition: succeeded()
    steps:
    - checkout: self
    - task: TerraformCLI@0
      displayName: 'Run Terraform Action'
      inputs:
        # Template parameters are expanded with ${{ }}; the original '$(parameters.terraform_action)'
        # is macro syntax for a variable that does not exist and would be passed through literally.
        command: '${{ parameters.terraform_action }}'
        workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
        environmentServiceNameAzureRM: '$(azure_service_connection_name)'
        commandOptions: '-var-file=terraform.tfvars'
```
Provider Configuration:
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.39.1"
    }
  }

  backend "azurerm" {
    resource_group_name  = "terraform-rg-01"
    storage_account_name = "terrastatepocst01"
    container_name       = "tfstate"
    key                  = "browser-euw-poc-rg-01/terraform.tfstate"
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
  }
  skip_provider_registration = true
}
```
During terraform init I get this error:
```text
Initializing the backend...
Initializing modules...
- app_service_plan in ../modules/app_service_plan
- storage_account in ../modules/storage_account
- web_app in ../modules/web_app
╷
│ Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
```
The user-assigned identity has Contributor on the subscription.
2 Answers
You’re on the right track with authenticating using a (user) managed identity. Follow this guide.

TL;DR:

1. Create a user-assigned managed identity. You could assign it more fine-grained RBAC roles, but if you don’t want to think, just assign it the Contributor role on your subscription.
2. Modify your Terraform backend configuration:
3. Add a DevOps step before Terraform executes to log in using the managed identity.
4. Terraform should now be able to execute.
I can reproduce the same error. It is caused by the missing `backendType: 'azurerm'` parameter for the TerraformCLI@0 task. To use a user-assigned managed identity, you should put `use_msi = true` in the `provider "azurerm"` block. Please refer to the doc Configuring with the provider block and the sample here. In addition, you should put all Terraform tasks (init, plan, apply, etc.) in one job, otherwise it will not find the init info in later steps. The YAML:

The terraform init succeeds:
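A pipeline that applies the three points from this answer (a `backendType`, a single job, and a provider block with `use_msi = true`) to the question's own task names, inputs and variable names. This is an added example, not the answerer's YAML; it assumes the question's `provider "azurerm"` block has `use_msi = true` added and that the backend settings stay in the `.tf` file.

```yaml
trigger:
- none

parameters:
- name: resource_group
  displayName: 'Resource Group'
  type: string
  default: 'browser-euw-poc-rg-01'
- name: terraform_action
  displayName: 'Terraform Action'
  type: string
  default: 'plan'
  values: [plan, apply, destroy]

variables:
  terraform_version: '1.8.5'
  azure_service_connection_name: 'it-sandbox-connection'

pool:
  vmImage: 'ubuntu-latest'

stages:
- stage: Terraform
  jobs:
  # A single job: the .terraform directory written by init exists only on the agent that
  # ran it, and each job may run on a different agent, so plan/apply/destroy follow init here.
  - job: Terraform
    displayName: 'Terraform ${{ parameters.terraform_action }}'
    steps:
    - checkout: self
    - task: TerraformInstaller@0
      inputs:
        terraformVersion: '$(terraform_version)'
    - task: TerraformCLI@0
      displayName: 'Terraform Init'
      inputs:
        command: 'init'
        workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
        # backendType wires the service connection's identity into the azurerm backend;
        # without it Terraform falls back to the Azure CLI and fails with "Please run 'az login'".
        backendType: 'azurerm'
        backendServiceArm: '$(azure_service_connection_name)'
    - task: TerraformCLI@0
      displayName: 'Terraform ${{ parameters.terraform_action }}'
      inputs:
        # Template parameters expand with ${{ }}; '$(parameters.x)' is macro syntax and is left literal.
        command: '${{ parameters.terraform_action }}'
        workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
        environmentServiceNameAzureRM: '$(azure_service_connection_name)'
        commandOptions: '-var-file=terraform.tfvars'
```

The managed identity behind the service connection still needs RBAC on the subscription (the question grants Contributor) so that the backend can reach the state storage account.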