不同订阅中的 Terraform 状态文件:错误:请运行“az login”来设置帐户

问题描述 投票:0回答:1

我正在 Azure DevOps 管道中使用 Terraform,我需要使用后端配置参数初始化 Terraform。这是我的 Terraform 配置:

terraform {
  required_providers {
    azurerm = {}
  }

  backend "azurerm" {}
}

我想在我的 Azure DevOps 管道中传递这样的后端参数:

steps:
  - task: PowerShell@2
    displayName: "tf init"
    inputs:
      targetType: 'inline'
      script: |
        terraform init `
        -backend-config="resource_group_name=${{ parameters.resourceGroupName }}" `
        -backend-config="storage_account_name=${{ parameters.storageAccountName }}" `
        -backend-config="container_name=${{ parameters.containerName }}" `
        -backend-config="key=${{ parameters.stateKey }}" `
        -backend-config="subscription_id=${{ parameters.stateSubscriptionId }}"

在此步骤之前,我设置了 Azure 凭据的环境变量:

steps:
  - task: PowerShell@2
    displayName: "set envs"
    inputs:
      targetType: 'inline'
      script: |
        $env:ARM_CLIENT_ID = "{{ parameters.clientId }}"
        $env:ARM_CLIENT_SECRET = "{{ parameters.clientSecret }}"
        $env:ARM_TENANT_ID = "{{ parameters.tenantId }}"
        $env:ARM_SUBSCRIPTION_ID = "{{ parameters.deploymentSubscriptionId }}"

但是,当我运行

terraform init
时,出现以下错误:

Initializing the backend...
╷
│ Error: Error building ARM Config: obtain subscription(stateSubscriptionId) from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│ 
│ 
╵

尝试在服务主体模式下使用 

az login
登录不起作用,并导致此错误:

Initializing the backend...
╷
│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│ 
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' auth method - instructions for which can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
│ 
│ Alternatively you can authenticate using the Azure CLI by using a User Account.
│ 
│ 
╵

尽管已登录 Azure CLI,我仍然遇到此问题。

如何登录一个订阅的服务主体并将状态存储在 Azure Pipelines 中的另一订阅中?

如有任何帮助,我们将不胜感激!

azure azure-devops terraform azure-pipelines
1个回答
0
投票

我不完全确定 

set envs
任务中设置的变量是否可用于其他任务。

代替:

steps:
  - task: PowerShell@2
    displayName: "tf init"
    inputs:
      targetType: 'inline'
      script: |
        terraform init `
        -backend-config="resource_group_name=${{ parameters.resourceGroupName }}" `
        -backend-config="storage_account_name=${{ parameters.storageAccountName }}" `
        -backend-config="container_name=${{ parameters.containerName }}" `
        -backend-config="key=${{ parameters.stateKey }}" `
        -backend-config="subscription_id=${{ parameters.stateSubscriptionId }}"

尝试在运行 Terraform 命令的每个任务中设置环境变量,例如 

terraform plan
terraform apply
- 示例:

steps:
steps:
  - task: PowerShell@2
    displayName: "tf init"
    inputs:
      targetType: 'inline'
      script: |
        terraform init `
        -backend-config="resource_group_name=${{ parameters.resourceGroupName }}" `
        -backend-config="storage_account_name=${{ parameters.storageAccountName }}" `
        -backend-config="container_name=${{ parameters.containerName }}" `
        -backend-config="key=${{ parameters.stateKey }}" `
        -backend-config="subscription_id=${{ parameters.stateSubscriptionId }}"
    env:
      ARM_CLIENT_ID: {{ parameters.clientId }}
      ARM_CLIENT_SECRET: {{ parameters.clientSecret }}
      ARM_TENANT_ID: {{ parameters.tenantId }}
      ARM_SUBSCRIPTION_ID: {{ parameters.deploymentSubscriptionId }}

如果您想避免在每个任务中重复环境变量,请考虑创建一个 

steps
模板来运行需要所有变量的 terraform 命令。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.