Support Azure DevOps Service Connection

[Bouke]

Terraform Version

Terraform v1.9.5
on linux_amd64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.21.1-beta.1

Affected Resource(s)

provider

Terraform Configuration Files

provider "postgresql" {
  host                = azurerm_postgresql_flexible_server.instance.fqdn
  port                = 5432
  database            = "postgres"
  username            = azurerm_postgresql_flexible_server_active_directory_administrator.instance.principal_name
  sslmode             = "require"
  superuser           = false
  azure_identity_auth = true
  azure_tenant_id     = data.azurerm_client_config.current.tenant_id
}

Debug Output

│ Error: DefaultAzureCredential: failed to acquire a token.
│ Attempted credentials:
│ 	EnvironmentCredential: missing environment variable AZURE_CLIENT_ID
│ 	WorkloadIdentityCredential: no client ID specified. Check pod configuration or set ClientID in the options
│ 	ManagedIdentityCredential: no default identity is assigned to this resource
│ 	AzureCLICredential: ERROR: Please run 'az login' to setup account.
│ 
│ 
│   with provider["registry.terraform.io/cyrilgdn/postgresql"],
│   on main.tf line 446, in provider "postgresql":
│  446: provider "postgresql" {

Expected Behavior

Use the service connection's principal to access Azure RM.

Actual Behavior

Doesn't use the service connection's principal, and cannot communicate with Azure RM.

Steps to Reproduce

Run terraform using Azure DevOps Pipeline, using a service connection principal:

- task: TerraformTaskV4@4
  displayName: Build execution plan
  inputs:
    provider: 'azurerm'
    command: 'plan'
    environmentServiceNameAzureRM: '$(azureSubscription)'

Important Factoids

References

• https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure
• Error is same as postgresql flexible server Azure AD authentication issue: DefaultAzureCredential: failed to acquire a token #385, but here the principal is managed by Azure DevOps

[librucha]

Hi @Bouke

Which credentials type of service connection are you using?

[Bouke]

The service connection is a service principal (there's a linked app registration).

[muratakdeniz]

i have the same issue :

│ Error: DefaultAzureCredential authentication failed. failed to acquire a token.
│ Attempted credentials:
│ 	EnvironmentCredential: missing environment variable AZURE_TENANT_ID
│ 	WorkloadIdentityCredential: no client ID specified. Check pod configuration or set ClientID in the options
│ 	ManagedIdentityCredential authentication failed. ManagedIdentityCredential authentication failed. authentication failed
│ GET http://169.254.169.254/metadata/identity/oauth2/token
....
....
│   with provider["registry.terraform.io/cyrilgdn/postgresql"],
│   on main.tf line 113, in provider "postgresql":
│  113: provider "postgresql" {

[diegoddp]

Hi there,
PLease verify that the service connection is properly authorized for use in the pipeline. You can do this by navigating to Project Settings > Service Connections in Azure DevOps and ensuring the service connection is authorized

[davidzenisu]

Ran into this as well yesterday.

As far as my understanding goes, the TerraformTaskV4@4 won't work because it is passing the token into environment variables that are supported by popular providers such as azapi and azurerm out of the box (reference).

However, my understanding is this doesn't work with the DefaultCredentials object used by the underlying Go SDK of the postgreSQL provider because it doesn't taken tokens directly but needs to generate them.

What did work for me is using the AzureCLI task because it uses the Azure CLI to login which is then used by the DefaultCredentials implementation. Since this "interferes" with other providers, I've used this reference implementation to get them working as well.

Ugly workarounds but at least my terraform is running for now.