0
votes

I have deployed Terraform to Azure locally from the Azure CLI successfully, so I know the TF is working. I am now trying to build a pipeline to automate this process; however, I get this error...

Error: Error building ARM Config: obtain subscription(xxxxxx) from Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1

This error appears when the init is running in the pipeline.

This is what the pipeline looks like...

pool:
  vmImage: ubuntu-latest

stages:
  - stage: validate
    jobs:
    - job: validate
      continueOnError: false
      steps:
      - task: ms-devlabs.custom-terraform-tasks.custom-terraform-installer-task.TerraformInstaller@0
        displayName: 'install'
        inputs:
          terraformVersion: '0.14.10'
      
      - bash: echo $(ls -latR)
        
      - task: TerraformTaskV1@0
        displayName: 'init'
        inputs:
          provider: 'azurerm'
          command: 'init'
          workingDirectory: "$(System.DefaultWorkingDirectory)"
          backendServiceArm: 'Service-Fabric'
          backendAzureRmResourceGroupName: 'fvs-uks-sf-rg-02'
          backendAzureRmStorageAccountName: 'fvsukssfstorage'
          backendAzureRmContainerName: 'fvs-uks-sf-backend01'
          backendAzureRmKey: 'terraform.tfstate'
              
      - task: TerraformTaskV1@0
        displayName: 'validate'
        inputs:
          provider: 'azurerm'
          command: 'validate'

      - task: TerraformTaskV1@0
        displayName: 'plan'
        inputs:
          provider: 'azurerm'
          command: 'plan'
          workingDirectory: "$(System.DefaultWorkingDirectory)"
          environmentServiceNameAzureRM: 'test'
          environmentServiceNameAWS: 'AWS-Azure-VPN'

This is what the backend.tf looks like...

provider "azurerm" {
  alias   = "hub"
  subscription_id = "xxxxxxx"
  features {}
}

provider "azurerm" {
  features {}
}

terraform {
  backend "azurerm" {
    subscription_id      = "xxxxxx"
    resource_group_name  = "xxxxxx"
    storage_account_name = "xxxxxx"
    container_name       = "xxxxxx"
    key                  = "terraform.tfstate"
  }
}

I have also set up a service connection to Azure via a service principal which, when authenticated, connects successfully.

Any help is greatly appreciated

1
Any update for this issue? Have you resolved this issue? If not, would you please let me know the latest information about this issue? If yes, you could Accept it as an Answer, so it could help other community members who get the same issues and we could archive this thread, thanks.
Leo Liu-MSFT

I am yet to test the below. I am going to test this shortly and update the thread accordingly.
TomT5

1 Answer

0
votes

Deploy terraform to azure through a pipeline in azure devops

This issue should be related to the authorization.

When we use the service connection for authorization, it uses the Service Principal instead of username/password to authenticate.

Then according to the terraform docs:

If you're authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

Please try to add an API permission for the principal you used to create the service connection:


Navigate to the Azure Active Directory overview within the Azure Portal and select the App Registrations blade. Locate your registered Application and click on its display name to manage it.

Go to the API Permissions blade for the Application and click the "Add a permission" button. In the pane that opens, select "Azure Active Directory Graph" (under the Supported Legacy APIs subheading). Do not select "Microsoft Graph", as the provider does not currently make use of this API.

Choose "Application Permissions" for the permission type, and check the permissions you would like to assign. The permissions you need will depend on which directory objects you are seeking to manage with Terraform. We suggest the following permissions:

Application.ReadWrite.All

Directory.ReadWrite.All
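The portal steps in the answer, carried out from the Azure CLI instead, together with the check the pipeline is actually failing on. This is an added example, not code from the question, the answer, the Terraform tasks or the azurerm provider. It assumes `az` is on PATH and already logged in as the service connection's service principal (for instance inside an AzureCLI task that uses the same connection), and it assumes the provider's "obtain subscription from Azure CLI" step is equivalent to `az account show --subscription <id> -o json`, which is an assumption about the provider's internals. The application id 00000002-0000-0000-c000-000000000000 is Azure AD Graph, the "Supported Legacy APIs" entry the answer refers to; the two permission ids are looked up by name rather than hard-coded. `AZ` is overridable so the functions can be run against a stub without a live tenant.

```shell
#!/bin/sh
# Added example, not code from the post, the Terraform tasks or the azurerm
# provider.  Assumptions: `az` is on PATH and already logged in as the service
# connection's service principal; the provider's failing "obtain subscription
# from Azure CLI" step is reproduced as `az account show --subscription <id>`,
# which is an assumption about its internals; AZ is overridable so the
# functions can be exercised against a stub without a live tenant.
set -eu

AZ="${AZ:-az}"

# Application (client) id of Azure AD Graph, the "Supported Legacy APIs" entry
# the answer tells you to pick instead of Microsoft Graph.
AAD_GRAPH_APP_ID="00000002-0000-0000-c000-000000000000"

# Reproduce the check that fails during `terraform init`: can the CLI context
# we are running under return the target subscription as a JSON object?
# Returns 0 on success; 1 when az exits non-zero (the "exit status 1" in the
# error) or prints something that is not JSON.
check_subscription() {
  sub="$1"
  if ! out=$("$AZ" account show --subscription "$sub" --output json); then
    echo "az account show failed for subscription $sub: is this shell logged in as the service principal?" >&2
    return 1
  fi
  case "$out" in
    "{"*) return 0 ;;
    *) echo "az returned non-JSON output for $sub: $out" >&2; return 1 ;;
  esac
}

# Resolve a named Azure AD Graph application permission to its appRole id by
# asking the directory, rather than hard-coding GUIDs.
graph_role_id() {
  "$AZ" ad sp show --id "$AAD_GRAPH_APP_ID" \
    --query "appRoles[?value=='$1'].id" --output tsv
}

# Grant the two application permissions the answer suggests to the app
# registration behind the service connection, then grant admin consent.
grant_graph_permissions() {
  app_id="$1"
  perms=""
  for role in Application.ReadWrite.All Directory.ReadWrite.All; do
    id=$(graph_role_id "$role") || return 1
    if [ -z "$id" ]; then
      echo "Azure AD Graph exposes no appRole named $role" >&2
      return 1
    fi
    perms="$perms ${id}=Role"
  done
  # $perms is intentionally unquoted: one "<id>=Role" argument per permission.
  "$AZ" ad app permission add --id "$app_id" --api "$AAD_GRAPH_APP_ID" --api-permissions $perms
  "$AZ" ad app permission admin-consent --id "$app_id"
}

main() {
  case "${1:-}" in
    check) check_subscription "${2:?subscription id}" ;;
    grant) grant_graph_permissions "${2:?application (client) id}" ;;
    *) echo "usage: $0 check <subscription-id> | grant <app-id>" >&2; return 2 ;;
  esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Run it with `check <subscription-id>` first, from the same identity the pipeline uses, so you can tell a login or subscription-access problem apart from a missing API permission before changing anything. `grant <app-id>` changes the app registration behind the service connection, not the Azure DevOps connection itself, and the admin-consent step needs an account that is allowed to grant tenant-wide admin consent.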