As the terraform azurerm provider misses support for azure webapp access restrictions (see github issue). We use a null_resource
with local-exec
to apply a access restriction:
provisioner "local-exec" {
command = <<COMMAND
az webapp config access-restriction add --subscription ${self.triggers.subscription_id} --resource-group ${self.triggers.resource_group} \
--name ${self.triggers.web_app_name} --rule-name 'allow application gateway' --action Allow --vnet-name ${self.triggers.vnet_name} \
--subnet ${self.triggers.subnet_name} --priority 100
COMMAND
}
Our terraform code is then later run by an azure DevOps Pipeline, which uses a Service Connection (with Service Principal) to authenticate with Azure. The following task is trying to apply the terraform resources:
- task: TerraformCLI@0
displayName: "Terraform apply"
inputs:
command: 'apply'
commandOptions: '--var-file="./environments/${{ parameters.environment }}.tfvars"'
workingDirectory: '$(System.DefaultWorkingDirectory)/${{ parameters.projectFolder }}'
environmentServiceName: 'shared-${{ parameters.environment }}-001'
which results in the following Error:
Error: Error running command ' az webapp config access-restriction remove --subscription shared-staging-001 --resource-group rg-hub-network-staging \
--name landing-webapp-hub --rule-name 'allow application gateway'
': exit status 1. Output: Subscription 'shared-staging-001' not recognized.
Command group 'webapp config access-restriction' is in preview. It may be changed/removed in a future release.
Please run 'az login' to setup account.
No we tried to replace the TerraformCLI@0 Task with either a plain bash script or a AzureCLI@2 Task.
We could not get az login to work in a plain bash script due to the missing Infos. The approach described here does not work either.
Running the terraform commands inside a AzureCLI@2 Task looks promissing but causes some strange errors related to the service principal login:
- task: AzureCLI@2
displayName: "Terraform init"
inputs:
azureSubscription: shared-${{ parameters.environment }}-001
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
terraform init --backend-config="./environments/${{ parameters.environment }}_backend.tfvars"
This causes the following error:
Initializing modules...
- app-gateway in modules/app-gateway
- dummy1 in modules/BRZ365-AppService
- dummy2 in modules/BRZ365-AppService
- hub-network in modules/hub-network
- landing_zone_app in modules/BRZ365-AppService
- squad-area in modules/squad-area
Initializing the backend...
Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
auth method - instructions for which can be found here:
Alternatively you can authenticate using the Azure CLI by using a User Account.