azure-pipelines-tasks-terraform
Enable Task Environment Variables Section
Can the task level environment variables section be enabled?
I don't see why not, outside of the fact that people can set TFVAR variables there and mess up the ones the task sets up. @charleszipp Any insights on why it's disabled now?
I don't recall any specific reason why it's disabled. However, if we enable it, would suggest we verify the variables are engaged and document which vars win in the case that they overlap.
I use Terraform to deploy infrastructure to Azure China. There's an ARM_ENVIRONMENT variable which can help. Despite the fact I can use -environment=china, it doesn't work with the current setup and gives me an error.
@vladkasianenko a workaround would be to use secure env files to set ARM_ENVIRONMENT.
Would be great if this task could read TF_VAR_* environment variables from the build agent, without having to use the env input.
https://www.terraform.io/cli/config/environment-variables#tf_var_name
https://www.terraform.io/language/values/variables#environment-variables
It already does. For example, if you have a variable group with variables of that format (TF_VAR_*) and reference it at the start of the job, all the terraform CLI tasks will see these variables.
@AdamCoulterOz @favoretti @vladkasianenko is this still an issue? We are passing TF_VAR_* vars to terraform CLI directly from variable groups without issue.
@jason-johnson not for me personally. Out of curiosity, do you have an example of passing the vars from a vargroup? I'm pondering moving away from secret files to a KV-backed vargroups, but if I can steal an example somewhere - would be nice :)
I don't have any publicly available examples but the usage is straightforward. First, I make a variable group and put variables in it, e.g. a variable group named my_var_group with a variable called TF_VAR_COLOR. Next, in the top level terraform I will define a variable color. Now in the job which will call terraformCli I specify:
```yaml
variables:
- group: my_var_group
```
With this in place, when terraform plan runs it will pull the value of TF_VAR_COLOR into the color variable automatically. This works because referencing the variable group in the job puts all the variables from the variable group into the environment of all tasks that run in that job (NOTE: On Windows the variables will get uppercased before doing this, on Linux probably not, but I usually just make them all upper case to avoid any issues).
NOTE: This will only work for non-secret variables. All variables get injected into the environment but secret variables will not propagate further. To make use of secret variables, my convention was to simply use the regular name (e.g. COLOR) and have a task where I specify which secrets to pull in and have the template generate env variables which inject these manually. A template which does this can be seen in the attached template here.
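The setup described in the comment above, written out as one job (an added example, not taken from the thread or from the project). The group name and TF_VAR_COLOR come from the comment; the secret DB_PASSWORD, the Terraform variable db_password, the agent image and the use of a plain bash step instead of the Terraform task are assumptions.

```yaml
# Added example; not from the thread or the task's documentation.
# Assumed: my_var_group holds TF_VAR_COLOR (plain) and DB_PASSWORD (secret),
# and the Terraform configuration declares a variable named db_password.
jobs:
- job: plan
  pool:
    vmImage: ubuntu-latest          # assumed agent image
  variables:
  - group: my_var_group             # non-secret group variables reach every step's environment
  steps:
  - bash: |
      # Verify which TF_VAR_* variables the step actually sees.
      # compgen -e lists exported names only, so no values land in the log.
      compgen -e | grep '^TF_VAR_' || true
    displayName: List TF_VAR_ names visible to the step
    env:
      TF_VAR_db_password: $(DB_PASSWORD)

  - bash: |
      terraform init -input=false
      terraform plan -input=false
    displayName: terraform plan
    env:
      # Secret variables are not exported automatically; each one has to be
      # mapped by hand, and only the steps that need it should receive it.
      # On Linux agents the part after TF_VAR_ is matched case-sensitively
      # against the declared Terraform variable name.
      TF_VAR_db_password: $(DB_PASSWORD)
```

The first step should list TF_VAR_COLOR (from the group) and TF_VAR_db_password (from the explicit mapping); removing the `env:` block from it shows that the secret no longer appears.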
No further comments from anyone so I'm closing this as resolved. Please re-open if there is something further to look at here.