terraform-provider-azuredevops

creating keyvault-linked variable group fails with Workload Federated Identity service connection (OIDC)

Open digorgonzola opened this issue 8 months ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform v1.8.5
AzureDevops provider v1.1.1

Affected Resource(s)

azuredevops_variable_group

Terraform Configuration Files

# Key-vault-linked variable group; created only when Azure DevOps is enabled
# and at least one service connection is defined.
resource "azuredevops_variable_group" "kv" {
  count        = var.enable_azdo && length(var.service_connections) > 0 ? 1 : 0
  project_id   = azuredevops_project.this[0].id
  name         = module.keyvault[0].resource.name
  description  = "Keyvault-linked variable group"
  allow_access = true

  # Link the group to the key vault through the AzureRM (workload identity
  # federation / OIDC) service connection of the platform SPN.
  key_vault {
    name                = module.keyvault[0].resource.name
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.this[local.platform_spn].id
  }

  # Name of a secret in the vault to expose as a variable.
  variable {
    name = "dummy-secret"
  }

  # Wait for Key Vault RBAC assignments to propagate before the provider
  # reads secret metadata through the service connection.
  depends_on = [
    time_sleep.wait_for_rbac_before_variable_group_operations
  ]
}

resource "time_sleep" "wait_for_rbac_before_variable_group_operations" {
  count = var.enable_azdo && length(var.service_connections) > 0 ? 1 : 0

  create_duration = "2m"
  depends_on = [
    module.keyvault[0]
  ]
}

Debug Output

debug logs

Panic Output

Expected Behavior

The key vault linked variable is created

Actual Behavior

Terraform fails to create the resource with the following error:

 Error: Expanding variable group resource data: Failed to get the Azure Key value. Error: ( code: badRequest, messge: Failed to generate an OIDC token for service principal d404bcdc-3806-4a3a-8966-e15378a322f7 )

Steps to Reproduce

  • Clone the repository to an Azure VM that uses a user-assigned managed identity.
  • terraform plan -out=tfplan
  • terraform apply tfplan

Important Factoids

Works perfectly fine if I use a PAT for the Azure Devops provider.

Provider config using managed identity:

provider "azuredevops" {
  org_service_url = var.org_service_url
  use_msi         = true
}


digorgonzola, Jun 08 '24 11:06
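To separate provider behaviour from Azure DevOps service behaviour, it helps to submit the same key-vault-linked variable group the HCL above describes directly to the Azure DevOps REST API, once with a PAT (HTTP Basic) and once with a bearer token obtained by the VM's managed identity from IMDS, which are the two auth paths the report compares. The script below is an added example and is not code from the issue or from the provider. The endpoint, body shape and the Azure DevOps resource id used for the IMDS token request are taken from the public Azure DevOps REST and IMDS documentation; every id and name in it is a constructed placeholder. Note that the reported error is raised while "Expanding variable group resource data", i.e. while the provider reads key vault data before the create call, so a direct create that succeeds with the MSI token narrows the problem to that pre-read step rather than to the create API itself.

```python
"""Create a key-vault-linked Azure DevOps variable group outside Terraform.

Added example (not from the issue or the provider). Endpoint, body shape
and the Azure DevOps resource id are assumptions based on the public
Azure DevOps REST and Azure IMDS documentation; ids are placeholders.
"""
import base64
import json
import urllib.error
import urllib.request

AZDO_RESOURCE_ID = "499b84ac-1321-427f-8b97-b98bf1db3d61"  # Azure DevOps app id
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def auth_header(pat=None, bearer=None):
    """Return the Authorization header for either a PAT or an OAuth bearer token."""
    if pat:
        # A PAT is sent as HTTP Basic with an empty user name.
        token = base64.b64encode(f":{pat}".encode()).decode()
        return {"Authorization": f"Basic {token}"}
    if bearer:
        return {"Authorization": f"Bearer {bearer}"}
    raise ValueError("either pat or bearer is required")


def msi_token(client_id=None, opener=None):
    """Fetch an Azure DevOps access token for the VM's managed identity from IMDS."""
    opener = opener or urllib.request.build_opener()
    url = f"{IMDS_TOKEN_URL}?api-version=2018-02-01&resource={AZDO_RESOURCE_ID}"
    if client_id:  # user-assigned identity, as in the report
        url += f"&client_id={client_id}"
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with opener.open(req) as resp:
        return json.load(resp)["access_token"]


def keyvault_variable_group_body(project_id, project_name, group_name,
                                 vault_name, service_endpoint_id,
                                 secret_names, description=""):
    """Request body for a variable group of type AzureKeyVault (mirrors the HCL)."""
    return {
        "name": group_name,
        "description": description,
        "type": "AzureKeyVault",
        "providerData": {
            "serviceEndpointId": service_endpoint_id,
            "vault": vault_name,
        },
        # Each listed secret name becomes a secret variable backed by Key Vault.
        "variables": {
            name: {"isSecret": True, "enabled": True, "contentType": "", "expires": None}
            for name in secret_names
        },
        "variableGroupProjectReferences": [
            {
                "name": group_name,
                "description": description,
                "projectReference": {"id": project_id, "name": project_name},
            }
        ],
    }


def create_variable_group(org_service_url, body, headers, opener=None):
    """POST the variable group; raises urllib.error.HTTPError on a non-2xx reply."""
    opener = opener or urllib.request.build_opener()
    url = (f"{org_service_url.rstrip('/')}"
           "/_apis/distributedtask/variablegroups?api-version=7.1-preview.2")
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={**headers, "Content-Type": "application/json"},
        method="POST",
    )
    with opener.open(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    import sys

    # Constructed placeholders; replace with real values to run against an org.
    body = keyvault_variable_group_body(
        project_id="00000000-0000-0000-0000-000000000000",
        project_name="platform",
        group_name="kv-platform",
        vault_name="kv-platform",
        service_endpoint_id="11111111-1111-1111-1111-111111111111",
        secret_names=["dummy-secret"],
        description="Keyvault-linked variable group",
    )
    pat = os.environ.get("AZDO_PAT")
    if pat:
        headers = auth_header(pat=pat)
    else:
        headers = auth_header(bearer=msi_token(os.environ.get("AZURE_CLIENT_ID")))
    try:
        result = create_variable_group(os.environ["AZDO_ORG_SERVICE_URL"], body, headers)
        print(json.dumps(result, indent=2))
    except urllib.error.HTTPError as err:
        print(err.code, err.read().decode(), file=sys.stderr)
```

Run it on the same VM with `AZDO_ORG_SERVICE_URL` set and either `AZDO_PAT` (PAT path) or `AZURE_CLIENT_ID` (user-assigned identity path) exported; comparing the two responses shows whether the service itself accepts the request under the managed identity.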