TerraformCLI ensureBackend modifies existing resource group

Open philchuang opened this issue 4 years ago • 0 comments

https://github.com/charleszipp/azure-pipelines-tasks-terraform/blob/329e64b8b5bf8fbc6f3dc61bbec8bd1ce3271d71/tasks/terraform-cli/src/commands/az-group-create.ts#L12

This line is executing az group create --name <groupName> --location <location> - the problem is, if the resource group already exists, then parts of it get modified. In my experience, it's the tags, but there could be other properties being changed too.

My organization has policies based on resource group tags, so any changes to them break a lot of processes, and it took a bit to hunt down that the cause was a pipeline running the TerraformCLI task with ensureBackend set to true.

I don't know if this is an AZ CLI issue or a TerraformCLI task issue, but either way it needs to be made non-modifying.

Please at least add an az group exists check before running az group create - in the meantime, we cannot use your helpful extension.

Oct 07 '21 13:10 philchuang