Intermittent ValidationError: AKV10032 when running on GitHub actions #83

Closed
jellevandehaterd opened this issue Oct 29, 2020 · 4 comments

@jellevandehaterd

When running rover on GitHub I see an intermittent ValidationError: AKV10032. Sometimes it completes successfully, but mostly the pipeline fails with a ValidationError: AKV10032. This error can occur in every step after caf_launchpad and caf_foundation successfully complete. Running the same code from my local machine works fine. The code I am running is based on branch caf-terraform-landingzones v0.4.

/$$$$$$   /$$$$$$  /$$$$$$$$       /$$$$$$$                                        
 /$$__  $$ /$$__  $$| $$_____/      | $$__  $$                                       
| $$  \__/| $$  \ $$| $$            | $$  \ $$  /$$$$$$  /$$    /$$/$$$$$$   /$$$$$$ 
| $$      | $$$$$$$$| $$$$$         | $$$$$$$/ /$$__  $$|  $$  /$$/$$__  $$ /$$__  $$
| $$      | $$__  $$| $$__/         | $$__  $$| $$  \ $$ \  $$/$$/ $$$$$$$$| $$  \__/
| $$    $$| $$  | $$| $$            | $$  \ $$| $$  | $$  \  $$$/| $$_____/| $$      
|  $$$$$$/| $$  | $$| $$            | $$  | $$|  $$$$$$/   \  $/ |  $$$$$$$| $$      
 \______/ |__/  |__/|__/            |__/  |__/ \______/     \_/   \_______/|__/      
                                                                                     
                                                                                                                                                           
version: aztfmod/rover:2010.2803

Expanding variable files: /__w/cloud-management/cloud-management/landingzones/caf_networking/scenario/200-single-region-hub/*.tfvars

mode                          : 'landingzone'
terraform command output file : ''
tf_action                     : 'apply'
command and parameters        : '-var-file /__w/cloud-management/cloud-management/landingzones/caf_networking/scenario/200-single-region-hub/configuration.tfvars -parallelism=5'
level (current)               : 'level2'
environment                   : 'develop'
workspace                     : 'tfstate'
tfstate                       : '200-single-region-hub.tfstate'

@calling process_actions
@calling verify_azure_session
Checking existing Azure session
@calling verify_parameters
landingzone                   : '/__w/cloud-management/cloud-management/landingzones/caf_networking'
@calling_deploy
@calling get_storage_id

launchpad already installed

@calling deploy_from_remote_state
Connecting to the launchpad
@calling_get_logged_user_object_id
 Logged in rover app object_id: 076b009f-8d7d-44ff-b340-2178bfe63a39
 Logged in rover app object_id: 076b009f-8d7d-44ff-b340-2178bfe63a39
 - logged in Azure AD application:  GitHub-Actions-Non-Prod
@calling login_as_launchpad
 - keyvault_name: null

Getting launchpad coordinates:
ValidationError: AKV10032: Invalid issuer. Expected one of https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, https://sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/, https://sts.windows.net/975f013f-7f24-47e8-a7d3-abc4752bf346/, found https://sts.windows.net/***/.
Error on or near line 326: Not authorized to manage landingzones. User must be member of the security group to access the launchpad and deploy a landing zone; exiting with status 102
 - subscription id: 

@calling clean_up_variables
make: *** [networking.apply] Error 102
cleanup variables
clean_up backend_files
Error: Process completed with exit code 2.
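AKV10032 is Key Vault rejecting the bearer token because the `iss` claim names a tenant the vault does not trust; the message lists the issuers it accepts and the one it received. The quickest way to pin this down from a failing job is to look at the token the job actually presents. The script below is an added example, not rover's code and not part of the CAF landing zone project: it parses an AKV10032 message, decodes the token's payload without verifying it, and reports whether the token's tenant (`tid`) is one the vault trusts and whether it matches the tenant the job logged into (the value the pipeline passes as ARM_TENANT_ID). The tenant IDs, message and tokens in the block are constructed sample data; in a real run the token would come from `az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv`, executed right after the workflow's `az login --service-principal` step.

```python
"""Pin down which tenant issued a token that Key Vault rejected with AKV10032.

Added example; not rover's code and not part of the CAF landing zone project.
It works on two strings a practitioner can lift from a failing run:

  * the AKV10032 message Key Vault returned (rover prints it verbatim), and
  * the access token the job presented for the vault, obtainable after the
    workflow's `az login --service-principal` step with
      az account get-access-token --resource https://vault.azure.net \
          --query accessToken -o tsv

The tenant IDs, error message and tokens below are constructed sample data.
"""
import base64
import json
import re
from typing import Dict

ISSUER_PREFIX = "https://sts.windows.net/"
VAULT_AUDIENCE = "https://vault.azure.net"
_ISSUER_RE = re.compile(r"https://sts\.windows\.net/[^/\s,]+/")


def parse_akv10032(message: str) -> Dict[str, object]:
    """Split an AKV10032 message into the issuers the vault trusts and the one it saw.

    The 'found' issuer may read https://sts.windows.net/***/ in GitHub Actions
    logs: GitHub masks any log text that equals a workflow secret.
    """
    if "AKV10032" not in message:
        raise ValueError("not an AKV10032 message")
    expected_part, _, found_part = message.partition("found ")
    expected = _ISSUER_RE.findall(expected_part)
    found = _ISSUER_RE.findall(found_part)
    if not expected or len(found) != 1:
        raise ValueError("could not extract issuers from message")
    return {"expected": expected, "found": found[0]}


def jwt_claims(token: str) -> Dict[str, object]:
    """Decode the payload of a compact JWT without verifying the signature.

    Verification is skipped on purpose: the goal is to read which tenant
    issued the token, not to trust it. Key Vault does the real verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def tenant_of(issuer: str) -> str:
    """https://sts.windows.net/<tenant>/ -> <tenant>."""
    return issuer[len(ISSUER_PREFIX):].rstrip("/")


def diagnose(message: str, token: str, login_tenant: str) -> Dict[str, object]:
    """Compare the token's claims with the error and with the tenant the job logged into."""
    parsed = parse_akv10032(message)
    claims = jwt_claims(token)
    trusted = [tenant_of(i) for i in parsed["expected"]]
    tid = claims.get("tid")  # Azure AD's tenant claim
    return {
        "token_tenant": tid,
        "token_tenant_trusted_by_vault": tid in trusted,
        "token_tenant_is_login_tenant": tid == login_tenant,
        "issuer_matches_error": claims.get("iss") == parsed["found"],
        "audience_is_vault": claims.get("aud") == VAULT_AUDIENCE,
    }


def make_unsigned_jwt(claims: Dict[str, object]) -> str:
    """Build a constructed, unsigned (alg=none) token for offline use only."""
    def seg(obj: Dict[str, object]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample data: none of these are real tenants.
VAULT_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
LOGIN_TENANT = "33333333-3333-3333-3333-333333333333"

SAMPLE_ERROR = (
    "ValidationError: AKV10032: Invalid issuer. Expected one of "
    f"{ISSUER_PREFIX}{VAULT_TENANT}/, {ISSUER_PREFIX}{PARTNER_TENANT}/, "
    f"found {ISSUER_PREFIX}{LOGIN_TENANT}/."
)
REJECTED_TOKEN = make_unsigned_jwt({
    "iss": f"{ISSUER_PREFIX}{LOGIN_TENANT}/", "tid": LOGIN_TENANT, "aud": VAULT_AUDIENCE,
})
ACCEPTED_TOKEN = make_unsigned_jwt({
    "iss": f"{ISSUER_PREFIX}{VAULT_TENANT}/", "tid": VAULT_TENANT, "aud": VAULT_AUDIENCE,
})

if __name__ == "__main__":
    for label, tok in (("rejected", REJECTED_TOKEN), ("accepted", ACCEPTED_TOKEN)):
        print(label, json.dumps(diagnose(SAMPLE_ERROR, tok, LOGIN_TENANT), indent=2))
```

Two practical notes. First, the `***` in the found issuer above is GitHub's log masking, which replaces any text equal to a workflow secret; since this pipeline stores ARM_TENANT_ID as a secret, a masked issuer tells you the rejected token came from the login tenant, while the issuers printed in clear are the tenants the vault accepts, so the check to run before a landing-zone step is whether `tid` of the vault token equals the tenant you logged into and that tenant is one the vault trusts. Second, decode only the payload and print only the `tid`, `aud` and `appid` claims in a job log; never echo the full token.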
@LaurentLesle (Contributor)

Can you share your github yaml pipeline?

@jellevandehaterd (Author)

I used the pipeline file from caf-terraform-landingzones v0.4

name: v0.4

on:
 push:
   branches:
     - v0.4
   paths-ignore:
     - 'documentation/**'
     - '_pictures/**'
     - 'README.md'
     - 'CHANGELOG.md'
 schedule:
   - cron:  '0 4 * * *'

env:
 TF_CLI_ARGS: '-no-color'
 TF_CLI_ARGS_destroy: '-auto-approve -refresh=false'
 ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_NON_PROD }}
 ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID_NON_PROD }}
 ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID_NON_PROD }}
 ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}

jobs:
 foundations100:
   name: foundations-100
   runs-on: ubuntu-latest

   strategy:
     fail-fast: true
     max-parallel: 1
     matrix:
       random_length: ['5']

   container:
     image: aztfmod/rover:2010.2808
     options: --user 0

   steps:
     - uses: actions/checkout@v2

     - name: Login azure
       run: |
         az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
         az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}
         echo "local user: $(whoami)"
     - name: launchpad
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \
           -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/100 \
           -level level0 \
           -launchpad \
           -parallelism=30 \
           --environment ${{ github.run_id }} \
           '-var random_length=${{ matrix.random_length }}' \
           '-var prefix=g${{ github.run_id }}' \
           '-var tags={testing_job_id="${{ github.run_id }}"}'
     - name: foundations
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \
           -level level1 \
           -parallelism=30 \
           --environment ${{ github.run_id }}
 networking100:
   name: networking-100
   runs-on: ubuntu-latest

   needs: foundations100

   strategy:
     fail-fast: false
     matrix:
       config_files: [
           "caf_networking/scenario/100-single-region-hub",
#            "caf_networking/scenario/101-multi-region-hub",
#            "caf_networking/scenario/105-hub-and-spoke",
#            "caf_networking/scenario/106-hub-virtual-wan-firewall"
       ]

   container:
     image: aztfmod/rover:2010.2808
     options: --user 0

   steps:
     - uses: actions/checkout@v2

     - name: Login azure
       run: |
         az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
         az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}
     - name: deploy example
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \
           -tfstate $(basename ${{ matrix.config_files }}).tfstate \
           -level level2 \
           -parallelism=30 \
           -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \
           --environment ${{ github.run_id }}
     - name: destroy example
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \
           -tfstate $(basename ${{ matrix.config_files }}).tfstate \
           -level level2 \
           -parallelism=30 \
           -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \
           --environment ${{ github.run_id }} \
           -refresh=false \
           -auto-approve
 foundations200:
   name: foundations-200
   runs-on: ubuntu-latest
   needs: networking100
   if: always()

   strategy:
     fail-fast: true
     max-parallel: 1
     matrix:
       random_length: ['5']

   container:
     image: aztfmod/rover:2010.2808
     options: --user 0

   steps:
     - uses: actions/checkout@v2

     - name: Login azure
       run: |
         az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
         az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}
         echo "local user: $(whoami)"
     - name: launchpad-200-upgrade
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a apply \
           -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \
           -level level0 \
           -launchpad \
           -parallelism=30 \
           --environment ${{ github.run_id }} \
           '-var random_length=${{ matrix.random_length }}' \
           '-var prefix=g${{ github.run_id }}' \
           '-var tags={testing_job_id="${{ github.run_id }}"}'
     - name: foundations-200-upgrade
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a apply \
         -level level1 \
         --environment ${{ github.run_id }}
 networking200:
   name: networking-200
   runs-on: ubuntu-latest

   needs: foundations200

   strategy:
     fail-fast: false
     matrix:
       config_files: [
           "caf_networking/scenario/200-single-region-hub",
#            "caf_networking/scenario/201-multi-region-hub",
#            "caf_networking/scenario/210-aks-private"
       ]

   container:
     image: aztfmod/rover:2010.2808
     options: --user 0

   steps:
     - uses: actions/checkout@v2

     - name: Login azure
       run: |
         az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
         az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}
     - name: deploy example
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a apply \
           -tfstate $(basename ${{ matrix.config_files }}).tfstate \
           -level level2 \
           -parallelism=30 \
           -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \
           --environment ${{ github.run_id }}
     - name: destroy example
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_networking/ -a destroy \
           -tfstate $(basename ${{ matrix.config_files }}).tfstate \
           -level level2 \
           -parallelism=30 \
           -var-folder ${GITHUB_WORKSPACE}/landingzones/${{ matrix.config_files }} \
           --environment ${{ github.run_id }} \
           -refresh=false \
           -auto-approve
 foundations_destroy:
   name: foundations_destroy
   runs-on: ubuntu-latest
   if: always()
   needs: networking200

   strategy:
     fail-fast: false
     matrix:
       random_length: ['5']

   container:
     image: aztfmod/rover:2010.2808
     options: --user 0

   steps:
     - uses: actions/checkout@v2

     - name: Login azure
       run: |
         az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
         az account set -s  ${{ env.ARM_SUBSCRIPTION_ID }}
         echo "local user: $(whoami)"
     - name: foundations
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_foundations -a destroy \
           -level level1 \
           -parallelism=30 \
           --environment ${{ github.run_id }} \
           -auto-approve
     - name: Remove launchpad
       run: |
         /tf/rover/rover.sh -lz ${GITHUB_WORKSPACE}/landingzones/caf_launchpad -a destroy \
           -var-folder ${GITHUB_WORKSPACE}/landingzones/caf_launchpad/scenario/200 \
           -level level0 \
           -launchpad \
           -parallelism=30 \
           --environment ${{ github.run_id }} \
           '-var random_length=${{ matrix.random_length }}' \
           '-var prefix=g${{ github.run_id }}' \
           '-var tags={testing_job_id="${{ github.run_id }}"}' \
           -auto-approve
     - name: Complete purge
       if: ${{ always() }}
       run: |
         for i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done
         for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done
         for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].objectId" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done
         for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done
         for i in `az keyvault list-deleted --query "[?tags.environment=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done
         for i in `az group list --query "[?tags.environment=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done
         for i in `az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done
         for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done

@LaurentLesle (Contributor)

@jellevandehaterd do you still see this issue or was it a transient error?

@arnaudlh (Member) commented Feb 4, 2021

Closing as error does not seem to repro.

@arnaudlh closed this as completed Feb 4, 2021

3 participants