Today I'm working on configuring Terraform in Azure DevOps CI. The goal is very simple: use Terraform to install the Terraform templates automatically. I also want to use a Docker container to run the whole thing, to keep the pipeline as simple as possible, so that we don't rely on the pipeline, which will give you the freedom to run things in any pipeline, or even locally.
The first problem I ran into was Azure Key Vault. The client uses AKV as their secret management system, so all the subscription details are saved in AKV. Because I was using Docker, I had to create arguments and environment variables together to pipe the AKV values into the actual container.
# Dockerfile
ARG SUBSCRIPTION_ID
ARG TENANT_ID
ARG CLIENT_ID
ARG CLIENT_SECRET
ARG ARM_ACCESS_KEY
ENV ARM_SUBSCRIPTION_ID ${SUBSCRIPTION_ID}
ENV ARM_TENANT_ID ${TENANT_ID}
ENV ARM_CLIENT_ID ${CLIENT_ID}
ENV ARM_CLIENT_SECRET ${CLIENT_SECRET}
ENV ARM_ACCESS_KEY ${ARM_ACCESS_KEY}

# azure-pipeline.yml
$ docker build -t build-container --build-arg SUBSCRIPTION_ID=${AKVVAULE}
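The Dockerfile above copies build arguments into ENV instructions, and ENV values are stored in the image configuration, where `docker inspect` or `docker history` shows them to anyone who can pull the image. As an added example (not code from the original post), this Python check flags that pattern in a Dockerfile; the `SENSITIVE` name list and the function name `baked_secrets` are assumptions made for illustration.

```python
import re

# Constructed sample: the Dockerfile from the post, one instruction per line.
DOCKERFILE = """\
ARG SUBSCRIPTION_ID
ARG TENANT_ID
ARG CLIENT_ID
ARG CLIENT_SECRET
ARG ARM_ACCESS_KEY
ENV ARM_SUBSCRIPTION_ID ${SUBSCRIPTION_ID}
ENV ARM_TENANT_ID ${TENANT_ID}
ENV ARM_CLIENT_ID ${CLIENT_ID}
ENV ARM_CLIENT_SECRET ${CLIENT_SECRET}
ENV ARM_ACCESS_KEY ${ARM_ACCESS_KEY}
"""

# Assumption: name fragments that mark a variable as a credential.
SENSITIVE = re.compile(r"SECRET|PASSWORD|TOKEN|ACCESS_KEY", re.I)
# Matches $NAME and ${NAME} references inside an ENV value.
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)")


def baked_secrets(dockerfile):
    """Return (env_name, arg_name, line_no) for every ENV whose value is
    taken from a build ARG and whose names look like a credential."""
    args, findings = set(), []
    for line_no, raw in enumerate(dockerfile.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instruction, rest = parts[0].upper(), parts[1]
        if instruction == "ARG":
            # "ARG NAME" or "ARG NAME=default"
            args.add(rest.split("=", 1)[0].strip())
        elif instruction == "ENV":
            # Handles "ENV NAME value" and a single "ENV NAME=value" pair.
            pair = re.split(r"[=\s]+", rest.strip(), maxsplit=1)
            if len(pair) < 2:
                continue
            name, value = pair
            for ref in VAR_REF.findall(value):
                if ref in args and (SENSITIVE.search(name) or SENSITIVE.search(ref)):
                    findings.append((name, ref, line_no))
    return findings


if __name__ == "__main__":
    for env_name, arg_name, line_no in baked_secrets(DOCKERFILE):
        print(f"line {line_no}: ENV {env_name} persists build ARG {arg_name} in the image")
```

Supplying the same ARM_ variables when the container starts (for example with `docker run -e`) keeps the values out of the image itself.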
Then I ran into another problem. Normally I prefer to use bash to log in by leveraging the service principal. However, I was getting the following error while trying to use az login:
Error: Error building AzureRM Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
This drove me a bit crazy, because I tried multiple ways to fix it, but with no luck. At one point I remembered that Azure DevOps was complaining that the old environment variables would be deprecated, such as ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET.
So I had it in my mind that I should use SUBSCRIPTION_ID, TENANT_ID, CLIENT_ID and CLIENT_SECRET.
That was until I found an old issue on GitHub. I realised that I should use the environment variables with the ARM prefix. When I added the ARM prefix back, everything worked again. This literally took me a whole day to figure out.