Azure DevOps Terraform Pipeline: authentication problems with federated identity and managed identity

Question (votes: 0, answers: 2)

I am setting up a CI/CD pipeline in Azure DevOps to automate Terraform deployments.

My service connection authenticates with a federated identity and a user-assigned managed identity. Despite my efforts, I am running into problems at the terraform init step, where the process fails to authenticate correctly.

Pipeline configuration:

Here is the configuration of my Azure DevOps pipeline:

trigger:
- none

variables:
  terraform_version: '1.8.5'
  azure_service_connection_name: 'it-sandbox-connection'

parameters:
  - name: resource_group
    displayName: 'Resource Group'
    type: string
    default: 'browser-euw-poc-rg-01'
    values:
      - browser-poc-rg-01
      - centralrepository-euw-poc-rg-01
      - data-euw-poc-rg-01

  - name: terraform_action
    displayName: 'Terraform Action'
    type: string
    default: 'plan'
    values:
      - plan
      - apply
      - destroy

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Terraform
    jobs:
      - job: InstallTerraform
        displayName: 'Install Terraform'
        steps:
          - task: TerraformInstaller@0
            inputs:
              terraformVersion: '$(terraform_version)'

      - job: InitTerraform
        displayName: 'Initialize Terraform'
        dependsOn: InstallTerraform
        steps:
          - checkout: self
          
          - task: TerraformCLI@0
            displayName: 'Terraform Init'
            inputs:
              command: 'init'
              workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
              backendServiceArm: '$(azure_service_connection_name)'

      - job: TerraformPlanApplyDestroy
        displayName: 'Run Terraform Action'
        dependsOn: InitTerraform
        condition: succeeded()
        steps:
          - checkout: self

          - task: TerraformCLI@0
            displayName: 'Run Terraform Action'
            inputs:
              # runtime parameters are expanded with template syntax ${{ }}, not $( ) macro syntax
              command: '${{ parameters.terraform_action }}'
              workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
              environmentServiceNameAzureRM: '$(azure_service_connection_name)'
              commandOptions: '-var-file=terraform.tfvars'

Provider configuration:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.39.1"
    }
  }

  backend "azurerm" {
    resource_group_name  = "terraform-rg-01"
    storage_account_name = "terrastatepocst01"
    container_name       = "tfstate"
    key                  = "browser-euw-poc-rg-01/terraform.tfstate"
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
  }
  skip_provider_registration = true
}

During terraform init I get this error:

Initializing the backend...
Initializing modules...
- app_service_plan in ../modules/app_service_plan
- storage_account in ../modules/storage_account
- web_app in ../modules/web_app
╷
│ Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

The user-assigned identity has the Contributor role on the subscription.

azure azure-devops terraform azure-pipelines
2 answers
1 vote

You are on the right track authenticating with a (user-assigned) managed identity. Please follow this guide.

TL;DR:

Create a user-assigned managed identity. You can assign it more granular RBAC roles, but if you don't want to think about it, just assign it the Contributor role on your subscription.

Modify your Terraform backend configuration:

terraform {
  backend "azurerm" {
    ...
    use_msi              = true
    client_id            = "<your-managed-identity-client-id>"
  }
}

Add a DevOps step before the Terraform execution that logs in with the managed identity.

- task: AzureCLI@2
  inputs:
    azureSubscription: '<your-service-connection-name>'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az login --identity --username <your-managed-identity-client-id>

Terraform should now be able to run.


0 votes

Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

I can reproduce the same error; it is because you are missing the backendType: 'azurerm' input of the TerraformCLI@0 task.

          - task: TerraformCLI@0
            displayName: 'Terraform Init'
            inputs:
              command: 'init'
              #workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
              backendType: 'azurerm'
              backendServiceArm: '$(azure_service_connection_name)'

To use a user-assigned managed identity, you should put use_msi = true in the provider "azurerm" block. See the documentation on configuring with the provider block and the example here.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.39.1"
    }
  }

  backend "azurerm" {
    resource_group_name  = "terraform-rg-01"
    storage_account_name = "terrastatepocst01"
    container_name       = "tfstate"
    key                  = "browser-euw-poc-rg-01/terraform.tfstate"
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
  }
  skip_provider_registration = true
  use_msi = true
}

Also, you should put all the Terraform steps in one job; otherwise the later steps will not find the init information.

YAML:

variables:
  terraform_version: '1.8.5'
  azure_service_connection_name: 'ARMConn1'

parameters:
  - name: resource_group
    displayName: 'Resource Group'
    type: string
    default: 'browser-euw-poc-rg-01'
    values:
      - browser-poc-rg-01
      - centralrepository-euw-poc-rg-01
      - data-euw-poc-rg-01

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Terraform
    jobs:
      - job: InitTerraform
        displayName: 'Initialize Terraform'
        steps:
          - checkout: self
          
          - task: JasonBJohnson.azure-pipelines-tasks-terraform.azure-pipelines-tasks-terraform-installer.TerraformInstaller@2
            inputs:
              terraformVersion: '$(terraform_version)'

          - task: TerraformCLI@0
            displayName: 'Terraform Init'
            inputs:
              command: 'init'
              #workingDirectory: '$(Build.SourcesDirectory)/terraform/${{ parameters.resource_group }}'
              backendType: 'azurerm'
              backendServiceArm: '$(azure_service_connection_name)'
           
           # add your terraform plan,apply tasks...

terraform init succeeded:

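As an added example (not code from the question, from either answer, or from the Azure Pipelines Terraform extension), the following Python script checks a pipeline definition for the three pitfalls raised on this page: an init step without the backendType / backendServiceArm inputs, Terraform steps spread over several jobs so that later jobs lose the installed binary and the .terraform directory, and runtime parameters referenced with $(parameters.x) macro syntax instead of ${{ parameters.x }}. The two pipeline snippets inside it are constructed for the demonstration: SAMPLE_PIPELINE follows the layout of the question's pipeline, FIXED_PIPELINE the single-job layout from this answer; the finding codes are my own. The line reader only understands the `- job:` / `- task:` / `key: value` shape used on this page and is not a YAML parser.

```python
"""Check an Azure DevOps pipeline for the Terraform pitfalls discussed above.
Constructed example; not part of the question, the answers or any extension."""
import re

JOB_RE = re.compile(r"^\s*-\s*job:\s*(\S+)")
TASK_RE = re.compile(r"^\s*-\s*task:\s*(\S+)")
ITEM_RE = re.compile(r"^\s*-\s")                    # any other list item ends the task block
KV_RE = re.compile(r"^\s*([A-Za-z_][\w.]*):\s*(.*?)\s*$")
MACRO_PARAM_RE = re.compile(r"\$\(\s*parameters\.")  # $(parameters.x) is never expanded

# Constructed sample in the shape of the question's pipeline: three jobs,
# no backendType on the init step, and $(parameters.terraform_action).
SAMPLE_PIPELINE = """\
stages:
  - stage: Terraform
    jobs:
      - job: InstallTerraform
        steps:
          - task: TerraformInstaller@0
            inputs:
              terraformVersion: '$(terraform_version)'
      - job: InitTerraform
        dependsOn: InstallTerraform
        steps:
          - checkout: self
          - task: TerraformCLI@0
            inputs:
              command: 'init'
              backendServiceArm: '$(azure_service_connection_name)'
      - job: TerraformPlanApplyDestroy
        dependsOn: InitTerraform
        steps:
          - checkout: self
          - task: TerraformCLI@0
            inputs:
              command: '$(parameters.terraform_action)'
              environmentServiceNameAzureRM: '$(azure_service_connection_name)'
"""

# Constructed sample of the single-job layout from the answer above.
FIXED_PIPELINE = """\
stages:
  - stage: Terraform
    jobs:
      - job: Terraform
        steps:
          - checkout: self
          - task: TerraformInstaller@0
            inputs:
              terraformVersion: '$(terraform_version)'
          - task: TerraformCLI@0
            inputs:
              command: 'init'
              backendType: 'azurerm'
              backendServiceArm: '$(azure_service_connection_name)'
          - task: TerraformCLI@0
            inputs:
              command: '${{ parameters.terraform_action }}'
              environmentServiceNameAzureRM: '$(azure_service_connection_name)'
"""


def parse_tasks(yaml_text):
    """Return [(job_name, task_name, {input_key: value})] in pipeline order.

    Line-oriented reader for the '- job:' / '- task:' / 'key: value' shape
    used above; it is deliberately not a general YAML parser."""
    tasks, job, current = [], None, None
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if m := JOB_RE.match(line):
            job, current = m.group(1), None
        elif m := TASK_RE.match(line):
            current = {}
            tasks.append((job, m.group(1), current))
        elif ITEM_RE.match(line):
            current = None                      # e.g. '- checkout: self'
        elif (m := KV_RE.match(line)) and current is not None and m.group(2):
            current[m.group(1)] = m.group(2).strip("'\"")
    return tasks


def lint_pipeline(yaml_text):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    tasks = parse_tasks(yaml_text)
    for job, name, inputs in tasks:
        if name.startswith("TerraformCLI@") and inputs.get("command") == "init":
            for required in ("backendType", "backendServiceArm"):
                if required not in inputs:
                    findings.append(("MISSING_INPUT",
                                     f"{job}: 'init' step has no '{required}' input"))
        for key, value in inputs.items():
            if MACRO_PARAM_RE.search(value):
                findings.append(("PARAM_SYNTAX",
                                 f"{job}: '{key}' uses $(parameters.<name>); runtime "
                                 "parameters must be written ${{ parameters.<name> }}"))
    # Each job runs on a fresh agent: a later job sees neither the installed
    # binary nor the .terraform/ directory that 'init' produced.
    tf_jobs = sorted({job for job, name, _ in tasks if "Terraform" in name})
    if len(tf_jobs) > 1:
        findings.append(("SPLIT_JOBS",
                         "Terraform steps are spread over jobs " + ", ".join(tf_jobs)))
    return findings


if __name__ == "__main__":
    for label, text in (("question", SAMPLE_PIPELINE), ("fixed", FIXED_PIPELINE)):
        print(f"{label}: {lint_pipeline(text) or 'no findings'}")
```

Running the script reports the three findings for the question-shaped sample and none for the single-job layout. The check is structural only: it says nothing about whether the service connection or managed identity can actually obtain a token, and it does not resolve the difference between the two answers, which is that the azurerm backend (state storage) and the azurerm provider (resources) are authenticated by separate blocks, so use_msi in the provider block alone does not configure backend authentication.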
