
Support OIDC enhancement in Terraform 1.11.2

Open tlfzhylj opened this issue 8 months ago • 12 comments

As seen in Terraform 1.11.2 there are some enhancements regarding OIDC token refresh: https://github.com/hashicorp/terraform/releases/tag/v1.11.2

The error is explained earlier in https://github.com/jason-johnson/azure-pipelines-tasks-terraform/issues/426

What can I do to get this working in Terraform version 1.11.2? I've tested and I still see the same error when waiting longer than 10 minutes between the plan and apply step.

tlfzhylj avatar Mar 13 '25 10:03 tlfzhylj

Those fields are set in your terraform configuration. I don't think terraform CLI would need a change to support it.

jason-johnson avatar Mar 13 '25 16:03 jason-johnson

This may not be the place to ask, but I'll try anyway... I don't understand how to fix the issue described in #426

I've read the Azure DevOps Pipelines section here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc#oidc-token

I tried these environment variables in the init task before the apply task:

          - task: TerraformCLI@1
            displayName: "Run > terraform init"
            inputs:
              command: "init"
              backendType: "azurerm"
              backendServiceArm: "$(service_connection_name)"
              backendAzureRmResourceGroupName: $(tf_state_rg_name)
              backendAzureRmStorageAccountName: $(tf_state_sa_name)
              backendAzureRmContainerName: $(tf_state_container_name)
              backendAzureRmKey: "$(tf_environment).terraform.tfstate"
              workingDirectory: $(working_directory)
              allowTelemetryCollection: false
            env:
              ARM_USE_OIDC: true
              SYSTEM_ACCESSTOKEN: $(System.AccessToken)
              SYSTEM_OIDCREQUESTURI: $(System.OidcRequestUri)
              ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID: $(service_connection_id)

I tried both the service connection name and the ID which I found here:

[image]

tlfzhylj avatar Mar 13 '25 21:03 tlfzhylj

Yea, I don't know how this works yet. @jaredfholgate do you know what is required?

jason-johnson avatar Mar 14 '25 11:03 jason-johnson

There are two separate items here:

  • Timeout between plan and apply. This is because the task uses CLI -backend-config instead of environment variables to set config on init. This causes the id token to be cached in the plan file and therefore it will time out if there is a delay between plan and apply. This can be resolved by setting any auth config as environment variables.
  • The second item and the original request here is support for backend / provider based id token refresh. This is now available in the backend, azurerm and azapi. The azuread PR is still pending. Implementing this would also solve the first item.

Until the azuread provider is merged I would recommend holding off making this the default.

In the meantime your options are:

  • Use terraform CLI directly (e.g. https://github.com/Azure-Samples/azure-devops-terraform-oidc-ci-cd/tree/main/pipelines/templates/helpers)
  • Use the DevLabs task which does support the env vars

@jason-johnson and I will discuss how to move forward with this

jaredfholgate avatar Mar 14 '25 12:03 jaredfholgate
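Jared's first point above (auth settings passed through -backend-config get persisted into the plan file, so the token is stale by the time of a delayed apply) as an added shell example, not code from this extension or from the thread: it lints a "terraform init" argument list for auth keys passed that way and exports the ARM_* variables the azurerm backend and provider read at run time instead. The key-to-variable mapping is assumed from the azurerm backend documentation, and SERVICE_CONNECTION_ID is an assumed pipeline variable.

```shell
# Map an auth-related azurerm backend key to the env var terraform reads
# for it; returns 1 and prints nothing for keys that are not auth related.
auth_env_name() {
  case "$1" in
    use_oidc)                           echo ARM_USE_OIDC ;;
    oidc_token)                         echo ARM_OIDC_TOKEN ;;
    oidc_request_token)                 echo ARM_OIDC_REQUEST_TOKEN ;;
    oidc_request_url)                   echo ARM_OIDC_REQUEST_URL ;;
    ado_pipeline_service_connection_id) echo ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID ;;
    client_id)                          echo ARM_CLIENT_ID ;;
    client_secret)                      echo ARM_CLIENT_SECRET ;;
    tenant_id)                          echo ARM_TENANT_ID ;;
    subscription_id)                    echo ARM_SUBSCRIPTION_ID ;;
    access_key)                         echo ARM_ACCESS_KEY ;;
    sas_token)                          echo ARM_SAS_TOKEN ;;
    *)                                  return 1 ;;
  esac
}

# lint_backend_config ARG...  (the arguments you would hand to "terraform init")
# Reports each -backend-config auth key on stderr with the env var to use
# instead and returns 1 if any were found. Values are never printed.
lint_backend_config() {
  bad=0
  for arg in "$@"; do
    case "$arg" in
      -backend-config=*=*) ;;   # inline key=value form; the file form is not inspected
      *) continue ;;
    esac
    kv=${arg#-backend-config=}
    key=${kv%%=*}
    if env_name=$(auth_env_name "$key"); then
      echo "refusing -backend-config=$key: set $env_name in the step's env instead" >&2
      bad=1
    fi
  done
  return $bad
}

# Export OIDC settings from the pipeline's own variables so plan and apply each
# request a fresh token at run time instead of reusing one frozen into the plan.
export_ado_oidc_env() {
  export ARM_USE_OIDC=true
  export ARM_OIDC_REQUEST_TOKEN="${SYSTEM_ACCESSTOKEN:?map System.AccessToken in env:}"
  export ARM_OIDC_REQUEST_URL="${SYSTEM_OIDCREQUESTURI:?map System.OidcRequestUri in env:}"
  export ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID="${SERVICE_CONNECTION_ID:?assumed pipeline var}"
}
```

Call export_ado_oidc_env in both the plan and the apply step (with SYSTEM_ACCESSTOKEN and SYSTEM_OIDCREQUESTURI mapped in that step's env:), and keep only resource_group_name, storage_account_name, container_name and key on -backend-config.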

Great article about this subject from Jared and Eric, about the new version of the Microsoft DevLabs Terraform Task. I hope to see the same capabilities in this extension.

https://devblogs.microsoft.com/devops/introducing-azure-devops-id-token-refresh-and-terraform-task-version-5/

tlfzhylj avatar May 04 '25 05:05 tlfzhylj

Is there any update on this issue? Or is it still recommended to use the DevLabs tasks?

novatelli avatar Jul 16 '25 10:07 novatelli

I'm waiting for a couple of features to be complete and then I will retire this extension.

jason-johnson avatar Jul 17 '25 04:07 jason-johnson

I hope the Terraform Plan tab on the pipeline run page will be one of these features, because that is mainly why I use this one over the DevLabs one. Do you have any insights on that, @jason-johnson?

tlfzhylj avatar Jul 17 '25 04:07 tlfzhylj

I hope the Terraform Plan tab on the pipeline run page will be one of these features, because that is mainly why I use this one over the DevLabs one. Do you have any insights on that, @jason-johnson?

We are working on adding this to the DevLabs Task.

jaredfholgate avatar Jul 17 '25 09:07 jaredfholgate

@jaredfholgate Do you also have on the backlog adding more output variables, like the ones here such as TERRAFORM_PLAN_HAS_DESTROY_CHANGES?

novatelli avatar Jul 17 '25 13:07 novatelli

@jaredfholgate Do you also have on the backlog adding more output variables, like the ones here such as TERRAFORM_PLAN_HAS_DESTROY_CHANGES?

I don't think we have this specific ask on the list. We can add it if there is demand. Feel free to raise an issue over there.

jaredfholgate avatar Jul 17 '25 13:07 jaredfholgate

I'm waiting for a couple of features to be complete and then I will retire this extension.

@jason-johnson, do you mean this extension will reach its end of life soon?

gregbaleyy avatar Oct 28 '25 11:10 gregbaleyy