azure-pipelines-tasks-terraform
Add support for azure resource manager service connections using managed identity
Hello,
I currently have a pipeline running fine with a SPN on a self hosted agent.
I would like to switch to a managed identity (VM). I set up a new Service Connection in Azure DevOps, and got a simple PowerShell pipeline to work to validate that the managed identity is fine.
Now with TerraformCLI@0, terraform init fails with this error: ##[error]Terraform backend initialization for AzureRM only support service principal authorization (nothing more useful when I activate TF_LOG TRACE)
Does TerraformCLI@0 support managed identity?
For info: I have also tried using MS's TerraformTaskV1@0; I get an error too, but a different one, where I think it is "badly" trying to authenticate with a null identifier instead of using MSI (there is "-backend-config=arm_client_id=null -backend-config=arm_client_secret=null" in the command line...)
Failed to get existing workspaces: Error retrieving keys for Storage Account "xxx": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx/listKeys?api-version=2016-01-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'null' was not found in the directory '***'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 6274265d-18cf-4f75-b5c4-3fa164bc1b00\r\nCorrelation ID: d27e928c-76b4-4ad0-a4cc-be07b3480d6a\r\nTimestamp: 2021-05-19 23:09:07Z","error_codes":[700016],"timestamp":"2021-05-19 23:09:07Z","trace_id":"6274265d-18cf-4f75-b5c4-3fa164bc1b00","correlation_id":"d27e928c-76b4-4ad0-a4cc-be07b3480d6a","error_uri":"https://login.microsoftonline.com/error?code=700016"}
Any help or guidance would be appreciated, maybe I'm missing something obvious?...
Regards,
Olivier Beau
@Olivier-Beau, unfortunately the task does not support managed identity. It is explicitly coded to only allow for SPN, which is why you are seeing that error. I imagine this would be a fairly simple change to add support for this, so it would be a good candidate for contribution from the community.
Edited the title to frame this as an ask to support managed identity service connections. Added to prioritized as this will probably be helpful for many not wanting to manage spn creds.
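The two failure modes in this thread (a task hard-coded to SPN, and a task that serialises missing credentials as `arm_client_id=null`) both come down to how the `terraform init` backend flags are derived from the service connection. The following is an added illustration, not code from azure-pipelines-tasks-terraform or from Microsoft's task: it branches on the connection's authorization scheme, refuses to emit null SPN credentials, and for a managed identity emits only `use_msi=true`. The `ServiceConnection`/`BackendStorage` shapes are hypothetical; the azurerm backend keys are the documented ones.

```typescript
// Added example (not the task's own code). Builds the backend-config flags
// for `terraform init` from a service connection's authorization scheme.
type AuthScheme = "ServicePrincipal" | "ManagedServiceIdentity";

interface ServiceConnection {        // hypothetical shape of the connection
  scheme: AuthScheme;
  subscriptionId: string;
  tenantId: string;
  clientId?: string;                 // ServicePrincipal only
  clientSecret?: string;             // ServicePrincipal only
}

interface BackendStorage {           // hypothetical shape of the state backend
  resourceGroup: string;
  storageAccount: string;
  container: string;
  key: string;
}

function backendConfigArgs(conn: ServiceConnection, storage: BackendStorage): string[] {
  const args = [
    `-backend-config=resource_group_name=${storage.resourceGroup}`,
    `-backend-config=storage_account_name=${storage.storageAccount}`,
    `-backend-config=container_name=${storage.container}`,
    `-backend-config=key=${storage.key}`,
    `-backend-config=subscription_id=${conn.subscriptionId}`,
    `-backend-config=tenant_id=${conn.tenantId}`,
  ];
  switch (conn.scheme) {
    case "ServicePrincipal":
      // Fail closed instead of serialising a missing value as the string
      // "null": Azure AD would reject it with AADSTS700016, as in the thread.
      if (!conn.clientId || !conn.clientSecret) {
        throw new Error("ServicePrincipal connection is missing client_id or client_secret");
      }
      args.push(`-backend-config=client_id=${conn.clientId}`);
      args.push(`-backend-config=client_secret=${conn.clientSecret}`);
      break;
    case "ManagedServiceIdentity":
      // No client_id/client_secret at all: the azurerm backend fetches a token
      // for the agent VM's system-assigned identity from the instance metadata
      // endpoint (a user-assigned identity would additionally pass client_id).
      args.push("-backend-config=use_msi=true");
      break;
    default:
      throw new Error(`Unsupported authorization scheme: ${conn.scheme}`);
  }
  return args;
}
```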
Ok, so it is a new feature request. I'll be happy to contribute by being part of the testing
Hi! We would like to help build this feature, just want to know if someone is already working on it? If so, we can collaborate; if not, we can get started on requirements. 😄
@tplive no one is currently working on this that I know of. If you would like to start on this, please assign yourself to the issue and move to the "In Progress" state on the assigned project.
@charleszipp hmm, for some reason it seems I'm unable to assign myself on the issue...
I'm sorry to announce that we were unable to get the resources needed to work on this issue. Please release it for someone else to work on. Again, I'm sorry for holding up the issue, I was sure we would be able to get it done.
No problem @tplive! Thanks for letting me know.
Hi @jaredfholgate, is this now resolved with your PR?
Hi. Yes, I added support for managed identity too. Thanks
@Olivier-Beau , @tplive is this working for you now?
No further responses. This issue should be resolved.