0
votes

I'm using an Azure DevOps Pipeline to deploy infrastructure. One of the Terraform modules uses local-exec, and it is a PowerShell script which enables VM SQL Backup. Everything works fine locally from my PC when I'm connected to Azure as a user. The problem appears only in a pipeline where I connect to Azure via a Service Principal. I use a built-in PowerShell task just to run Connect-AzAccount, hoping that the connection will be kept during all tasks. Unfortunately, when it comes to Terraform Apply, during my module deployment, there's an error:

Please provide a valid tenant or a valid subscription.

Resource group 'abcd' could not be found.

Does anybody know how to keep the connection with Azure during all tasks? I even tried to run Set-AzContext -SubscriptionId "xxxx-xxxx-xxxx-xxxx" in a module, but it doesn't find my subscription.

This is what the PowerShell task looks like:

# Service principal details (values redacted)
$AzureAADClientID = "***"   # application (client) ID; used below but not defined in the original post
$AzureAADClientKey = "***"
$AzureTenantID = "xxxx-xxxx-xxxx-xxxx"
$AzureSubscriptionName = "xxxx-xxxx-xxxx-xxxx"
$AzureEnv = "AzureCloud"
# Start connection: build a PSCredential from the client ID and secret
$securePassword = ConvertTo-SecureString $AzureAADClientKey -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AzureAADClientID,$securePassword
# Keep the Az context in this process only and start from a clean context
$n = Disable-AzContextAutosave -Scope Process
Clear-AzContext -Scope Process
Connect-AzAccount -Credential $credential -TenantId $AzureTenantID -Environment $AzureEnv -ServicePrincipal -SubscriptionId $AzureSubscriptionName

Any help appreciated!

2
Can you share the full tf files? I want to reproduce it against my environment. - Amit Baranes
When you use the AzurePowerShell@5 task, you don't need to worry about setting the AzContext; it does this automatically for you. It does require a service connection to the Azure environment though, but it seems you already have a principal, so adding a service connection should not be a problem. - PaulVrugt

2 Answers

1
votes

Try the following sample task; it worked for me.

# Prepare the Postgres admin password
- task: AzurePowerShell@4
  inputs:
    azureSubscription: '$(subscription)'
    ScriptType: 'FilePath'
    ScriptPath: 'Scripts/PreparePostgresAdminPassword.ps1'
    ScriptArguments: '-ResourceGroupName $(rgName) -KeyVaultName $(kvName) -SecretName $(secretName)'
    errorActionPreference: 'silentlyContinue'
    azurePowerShellVersion: 'LatestVersion'
    timeoutInMinutes: 2

0
votes

Eventually I managed to do it another way. I use a Bash task to run 'Terraform Apply', and it contains three commands: Set-AzContext, az account set and terraform apply. Thank you for the help, guys!

      - bash: |          
          echo "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]$(client_id)"
          echo "##vso[task.setvariable variable=AZURE_CLIENT_SECRET;issecret=true]$(client_secret)"
          echo "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID]$(subscription_id)"
          echo "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]$(tenant_id)" 
        workingDirectory: '$(Build.ArtifactStagingDirectory)/${{parameters.tfExecutionDir}}'
        displayName: 'Set environment variables for Service Principal authentication'

        
      - bash: |
          # Single-quote the PowerShell command so the inner double quotes reach pwsh intact
          pwsh -c 'Set-AzContext -SubscriptionId "$(AZURE_SUBSCRIPTION_ID)" -Tenant "$(AZURE_TENANT_ID)"'
          az account set --subscription "$(AZURE_SUBSCRIPTION_ID)"

          terraform apply $(Build.BuildNumber).tfplan
        workingDirectory: '$(Build.ArtifactStagingDirectory)/${{parameters.tfExecutionDir}}'
        displayName: 'Terraform Apply'
        env:
          ARM_CLIENT_ID: $(AZURE_CLIENT_ID)
          ARM_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
          ARM_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)
          ARM_TENANT_ID: $(AZURE_TENANT_ID)
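
An added example, not code from either answer: a process started by Terraform's local-exec inherits the environment of terraform apply, so the module's PowerShell script can sign in itself from the ARM_* variables that the 'Terraform Apply' step above already sets, with no secret written into the script. The function name Connect-AzFromArmEnvironment is hypothetical, and the example assumes the Az.Accounts module is installed on the agent.

```powershell
# Hypothetical helper for the script that Terraform's local-exec runs.
# Assumes the pipeline step exports ARM_CLIENT_ID, ARM_CLIENT_SECRET,
# ARM_TENANT_ID and ARM_SUBSCRIPTION_ID, as the 'Terraform Apply' step does.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Connect-AzFromArmEnvironment {
    # Fail early, naming only the missing variables (never their values).
    $required = 'ARM_CLIENT_ID', 'ARM_CLIENT_SECRET', 'ARM_TENANT_ID', 'ARM_SUBSCRIPTION_ID'
    $missing = @($required | Where-Object {
        [string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($_))
    })
    if ($missing.Count -gt 0) {
        throw "Missing environment variables: $($missing -join ', ')"
    }

    # Keep the context in this process only; nothing is saved to the agent's profile.
    Disable-AzContextAutosave -Scope Process | Out-Null

    $secret = ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force
    $credential = [pscredential]::new($env:ARM_CLIENT_ID, $secret)

    Connect-AzAccount -ServicePrincipal -Credential $credential `
        -Tenant $env:ARM_TENANT_ID -Subscription $env:ARM_SUBSCRIPTION_ID `
        -Scope Process | Out-Null

    # Confirm the session landed on the expected subscription before changing anything.
    $context = Get-AzContext
    if ($context.Subscription.Id -ne $env:ARM_SUBSCRIPTION_ID) {
        throw "Az context is on subscription '$($context.Subscription.Id)', not the expected one."
    }
    return $context
}

$ctx = Connect-AzFromArmEnvironment
Write-Host "Connected as $($ctx.Account.Id) to subscription $($ctx.Subscription.Name)"
```

Call the function at the top of the local-exec script, before any cmdlet that touches a resource group, so a missing variable or wrong subscription stops the run with a clear message.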