Backend interactive prompting fails with 1 required of 2 possible #18325
Comments
|
I have same problem. I tried 3 documentation ways but I always have this error |
|
Hi all, I expect this is a consequence of how this provider is designed. Since there are two possible ways to provide credentials here, all of them are marked as "optional" and then the validation logic within the backend code itself checks to see if a valid combination is used. The interactive mode currently only prompts for required arguments, with the intention of not overwhelming the user with the different esoteric settings that many backends have. In general we offer the interactive prompts here as a best-effort for helping users who are just getting started. It's not intended for regular use, and has a number of limitations. For regular use of Azure in particular, a common approach is to authenticate via the Azure CLI, which then configures both the backend and the provider simultaneously, along with any other software that you use to interact with the Azure API. Each backend has a similar native, non-interactive authentication mechanism which is what most users are expected to use once they get past initial experimentation. |
|
Finally, I checked Attributes Reference in resource "azurerm_storage_account" where showed primary_access_key element. This resource is element "access_key" in backend configuration https://www.terraform.io/docs/providers/azurerm/r/storage_account.html#primary_access_key |
|
Hi @apparentlymart. I have some concerns with this approach.
This assumes the user has rights via their native AAD account permissions to write to the storage account. If this is not permitted in the IAM config, an access key must be used. Obviously, that key can be written to the In my specific use case, our separation of duties pushes us to use access keys in this fashion. We also take care to separate where our state files are located from where we are creating resources (separate resource groups). Also, just to clarify, am I correct in saying the backend types are not implemented by "providers"? Just trying to not confuse terminology. |
|
Hi @mbrancato, If the "ambient" credentials available for all Azure clients are not acceptable, then the next most preferred option is to set environment variables. In this case, I believe the environment variable in question is My reference to "providers" was indeed an error. A number of our backends re-use the same authentication code as their corresponding provider, and thus the behavior for the two is always the same. However, I forgot that for Azure in particular that is not true, and the |
|
I'm encountering this as well. My normal workflow is login via "az login" (writes to my ~/.azure directory). Then putting the following in my .tf, results in the same error. terraform{ |
|
@codyja You need access_key value, that is Storage primary key from your storage account. You obtain it from ${azurerm_storage_account.main.primary_access_key} Regards |
|
I can confirm that the @jmgomezcrespo Backends cannot access data sources as you suggest because of when they are initialized. |
|
Added |
|
Any update on this ticket, we have multiple state files for our environment and cant use same ARM_ACCESS_KEY for all of them :( |
|
Yes I would like to just use the ARM_CLIENT_SECRET to access multiple storage accounts. Managing multiple access keys is tricky.
|
@codyja You mean to say like first create a storage account then copy the storage account keys and then pass the variable in access_key? |
|
To use |
|
Is it intended that the access_key is always required with the use of This does not seems to match the documentation for backends: Also, the prescribed configuration for MSIs appears incorrect: terraform {
backend "azurerm" {
storage_account_name = "abcd1234"
container_name = "tfstate"
key = "prod.terraform.tfstate"
use_msi = true
subscription_id = "00000000-0000-0000-0000-000000000000"
tenant_id = "00000000-0000-0000-0000-000000000000"
}
}Results in: |
|
I am experiencing exactly the same issue as @adamday2 ; the example in the docs does not work. Specifically this one:
I'm authenticated with the Azure CLI, and with this configuration I get the error: Terraform version 0.11.13. Update I have taken a look at the source code, both the azurerm state backend and the azurerm provider rely on the same authentication helper found here: https://github.com/hashicorp/go-azure-helpers/blob/master/authentication/builder.go It supports the Azure CLI token just fine actually. This is proven by the fact that the azurerm provider supports it without issue. I believe the error is the final if-statement in It is just the wrong condition to validate! |
|
Same issue as @adamday2 with Terraform 0.11.13. I am unable to use the Azure MSI. Tried adding the access_key no luck. |
|
I am also running into a similar issue: I have provided the ACCESS_KEY as an environment variable: This is how my Terraform code looks like: Why is the code not sourcing Access Key from the Environment Variable? Any idea folks? |
Nevermind, It started working when I manually ran the export variable command instead of in a .sh script. May be the .sh script wasn't quite working, not sure. I never received any error though. |
If you set an env from a .sh script, and then ran terraform outside of the script, you have to run it with |
|
I had a similar problem due to required permissions not present: access to storage account with credentials supplied... just in case someone is struggling without the permissions... |
|
I was able to get MSI to work with terraform 0.11.13 in our CD pipeline by setting the following environment variables: |
|
Here's the commit for the MSI code. According to the commit tag, it's only present in 0.12. @darrenfurr the reason yours probably worked is that the ARM_USE_MSI was ignored and ARM_ACCESS_KEY was used for your backend. Can you verify you were actually able to terraform apply into the environment using MSI? Do the resources show as created with the MSI account? |
|
Tried and tested on v0.12.0 PowerShell: Strange imho:
|
Terraform Version
Terraform Configuration Files
Expected Behavior
The azurerm backend requires either an access_key OR 5 values related to the Azure subscription. The backend should prompt for the
access_keyvia the interactive init process for partial backend configurations.Actual Behavior
Terraform fails with the following error:
Steps to Reproduce
terraform initAdditional Context
One option to force interactive prompting here could be to force the use of
access_keyby specifying-backend-option="access_key=". This does not currently work.References
The text was updated successfully, but these errors were encountered: