azure-pipelines-extension-terraform
Missing tfstate when using separate service connection for backend
Issue
When configuring a separate service connection for the Azure RM backend than for the planning and apply stages, there is no way to get the tfstate to actually be stored in the expected Azure storage account.
The apply successfully deploys stuff, but the tfstate is not stored anywhere (probably still local to the pipeline host).
Our configuration
- We have a centralized Azure subscription for our customer environment's tfstate files.
- We configure 3 steps in the pipeline:
  - Terraform install version 0.13.2 (also tried 0.12 versions)
  - Terraform init with subscription A for backend. This succeeds only when the storage account and container are available.
  - Terraform apply into subscription B, expecting to use subscription A for backend
- There is NO backend azurerm configured in .tf files. When this is configured, it must match the backend with access key and everything, which of course is not how this should work.
- Our providers.tf:

  ```hcl
  terraform {
    required_providers {
      azurerm = {
        source  = "hashicorp/azurerm"
        version = "~>2.24.0"
      }
    }
  }
  ```
- We tried both windows-2019 and ubuntu host
- Adding an empty backend azurerm {} block causes the wrong subscription (the one configured as target for the deployment) to be checked for the storage account for the tfstate, which does not exist, giving a 404 error.
A workaround
We have added an Azure CLI step instead of the terraform init step, using list keys and generating a separate backend.tf file that is only used during the release pipeline, before triggering terraform init in the script:
https://pastebin.com/Ky3QMC76
Anyone?
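
One way to script the workaround described in the post, as an added example (not the poster's pastebin script and not code from the extension): it generates backend.tf for the state storage account and hands the access key to Terraform through the `ARM_ACCESS_KEY` environment variable, which the azurerm backend reads, so the key never lands in a file in the working directory. The variable names (`TF_DIR`, `STATE_RG`, `STATE_ACCOUNT`, `STATE_CONTAINER`, `STATE_BLOB`, `STATE_SUBSCRIPTION`), the `SETUP_BACKEND` switch and the allow-list for resource group and blob names are assumptions.

```shell
#!/bin/sh
# Added example with placeholder names; run inside an Azure CLI pipeline step.
export LC_ALL=C  # keep a-z / A-Z ranges in patterns ASCII-only

# Succeeds only if $1 is non-empty and consists solely of characters in set $2.
only_chars() { case $1 in ''|*[!$2]*) return 1 ;; esac; }

# Write backend.tf for the azurerm backend WITHOUT the access key.
# Inputs are validated so a value cannot break out of the quoted HCL strings.
write_backend_tf() {
  dir=$1 rg=$2 account=$3 container=$4 state_key=$5
  only_chars "$account" 'a-z0-9' && [ ${#account} -ge 3 ] && [ ${#account} -le 24 ] ||
    { echo "invalid storage account name" >&2; return 1; }
  only_chars "$container" 'a-z0-9-' && [ ${#container} -ge 3 ] && [ ${#container} -le 63 ] ||
    { echo "invalid container name" >&2; return 1; }
  only_chars "$rg" 'A-Za-z0-9._-' && only_chars "$state_key" 'A-Za-z0-9._/-' ||
    { echo "invalid resource group or state key" >&2; return 1; }
  cat > "$dir/backend.tf" <<EOF
terraform {
  backend "azurerm" {
    resource_group_name  = "$rg"
    storage_account_name = "$account"
    container_name       = "$container"
    key                  = "$state_key"
  }
}
EOF
}

# Read the first access key of the state storage account; needs a login that
# can list keys in the subscription holding the tfstate (subscription A).
fetch_access_key() {
  az storage account keys list --subscription "$1" --resource-group "$2" \
    --account-name "$3" --query '[0].value' --output tsv
}

# Runs only when SETUP_BACKEND=1, so the functions can be sourced on their own.
if [ "${SETUP_BACKEND:-0}" = 1 ]; then
  set -eu
  write_backend_tf "$TF_DIR" "$STATE_RG" "$STATE_ACCOUNT" "$STATE_CONTAINER" "$STATE_BLOB"
  ARM_ACCESS_KEY=$(fetch_access_key "$STATE_SUBSCRIPTION" "$STATE_RG" "$STATE_ACCOUNT")
  export ARM_ACCESS_KEY
  cd "$TF_DIR" && terraform init -input=false
fi
```

The generated backend.tf should stay out of version control, and the exported key is only visible to later commands in the same script step.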