azure: Error: Error building ARM Config: obtain subscription() from Azure CLI

[abazzi-neogenomics]

Hi guys, I'm here again \o/

I'm trying out digger on github runners, to deploy azure resources this time 😆
I'm using client_secret auth and this is the error i see

Initializing the backend...
Upgrading modules...
<cut>
Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.


Error: exit status 1
Failed to Run digger plan command. error running init: exit status 1
Failed to run commands. error while running command: Failed to Run digger plan command. error running init: exit status 1
Error: Process completed with exit code 8.

It appears that Azure cli wants the sub id, but i cannot find a way to pass it.

This is the workflow:

<cut>
        - name: digger run
          uses: diggerhq/digger@v0.3.27. # old version i was using, see next comment for newer version
          with:
            no-backend: true
            setup-terraform: true
            setup-azure: true
            terraform-version: ${{ inputs.TF_VERSION }}
          env:
            GITHUB_CONTEXT: ${{ toJson(github) }}
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
            GITHUB_OWNER: xxx
            LOCK_PROVIDER: azure
            DIGGER_AZURE_AUTH_METHOD: CLIENT_SECRET
            DIGGER_AZURE_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID_SANDBOX }}
            DIGGER_AZURE_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_SANDBOX}}
            DIGGER_AZURE_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
            DIGGER_AZURE_SA_NAME: "stmysotrageaccounttfstate"
          

(i redacted some stuff but you get the idea)

I tried passing to the workflow file ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID_SANDBOX }} but no luck.
I also tried adding it in the workflow configuration digger.yml like this

---
projects:

- name: sandbox
  dir: ./sandbox/
  workflow: sandbox
  terraform_plan_args: "-var-file=terraform.tfvars"
  terraform_apply_args: "-var-file=terraform.tfvars"


workflows:

  sandbox:
    env_vars:
      commands:
        - name: ARM_SUBSCRIPTION_ID
          value: ${{ secrets.ARM_SUBSCRIPTION_ID_SANDBOX }}

also no luck.

am i missing something? Is there another way to pass env vars?

Thanks!

[abazzi-neogenomics]

just to add on top, what i was really trying to do (but i was trying to proceed per steps) was account segregation with different vars per project (one project = one subscription)
Now, after a bit of playing i figured out how to pass env vars.. the sub id previously didn't get picked up so i'll leave the issue open, but i'll add the following..

this is the workflow:

      - name: digger run
        uses: diggerhq/digger@v0.6.97   # also tried with v0.3.27  which is the old one i was using
        with:
          no-backend: true
          setup-terraform: true
          setup-azure: true
          terraform-version: ${{ inputs.TF_VERSION }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
          GITHUB_OWNER: xxx
          LOCK_PROVIDER: azure
          DIGGER_AZURE_AUTH_METHOD: CLIENT_SECRET
          DIGGER_AZURE_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          # sandbox sub
          DIGGER_AZURE_CLIENT_ID_SBX: ${{ secrets.ARM_CLIENT_ID_SBX }}
          DIGGER_AZURE_CLIENT_SECRET_SBX: ${{ secrets.ARM_CLIENT_SECRET_SBX }}
          ARM_SUBSCRIPTION_ID_SBX: ${{ secrets.ARM_SUBSCRIPTION_ID_SBX }}
          DIGGER_AZURE_SA_NAME_SBX: "stsandboxtfstate"
          # dev sub
          DIGGER_AZURE_CLIENT_ID_DEV: ${{ secrets.ARM_CLIENT_ID_DEV }}
          DIGGER_AZURE_CLIENT_SECRET_DEV: ${{ secrets.ARM_CLIENT_SECRET_DEV }}
          ARM_SUBSCRIPTION_ID_DEV: ${{ secrets.ARM_SUBSCRIPTION_ID_DEV }}
          DIGGER_AZURE_SA_NAME_DEV: "stdevtfstate"

and this is the config:

---
projects:

- name: sbx
  dir: ./sbx/
  workflow: sbx
  terraform_plan_args: "-var-file=terraform.tfvars"
  terraform_apply_args: "-var-file=terraform.tfvars"

- name: dev
  dir: ./dev/
  workflow: dev
  terraform_plan_args: "-var-file=terraform.tfvars"
  terraform_apply_args: "-var-file=terraform.tfvars"


workflows:

  sbx:
    env_vars:
      state:
        - name: DIGGER_AZURE_SA_NAME
          value_from: DIGGER_AZURE_SA_NAME_SBX
        - name: DIGGER_AZURE_CLIENT_ID
          value_from: DIGGER_AZURE_CLIENT_ID_SBX
        - name: DIGGER_AZURE_CLIENT_SECRET
          value_from: DIGGER_AZURE_CLIENT_SECRET_SBX
        - name: ARM_SUBSCRIPTION_ID
          value_from: ARM_SUBSCRIPTION_ID_SBX
      commands:
        - name: DIGGER_AZURE_SA_NAME
          value_from: DIGGER_AZURE_SA_NAME_SBX
        - name: DIGGER_AZURE_CLIENT_ID
          value_from: DIGGER_AZURE_CLIENT_ID_SBX
        - name: DIGGER_AZURE_CLIENT_SECRET
          value_from: DIGGER_AZURE_CLIENT_SECRET_SBX
        - name: ARM_SUBSCRIPTION_ID
          value_from: ARM_SUBSCRIPTION_ID_SBX

  dev:
    env_vars:
      state:
        - name: DIGGER_AZURE_SA_NAME
          value_from: DIGGER_AZURE_SA_NAME_DEV
        - name: DIGGER_AZURE_CLIENT_ID
          value_from: DIGGER_AZURE_CLIENT_DEV
        - name: DIGGER_AZURE_CLIENT_SECRET
          value_from: DIGGER_AZURE_CLIENT_SECRET_DEV
        - name: ARM_SUBSCRIPTION_ID
          value_from: ARM_SUBSCRIPTION_ID_DEV
      commands:
        - name: DIGGER_AZURE_SA_NAME
          value_from: DIGGER_AZURE_SA_NAME_DEV
        - name: DIGGER_AZURE_CLIENT_ID
          value_from: DIGGER_AZURE_CLIENT_DEV
        - name: DIGGER_AZURE_CLIENT_SECRET
          value_from: DIGGER_AZURE_CLIENT_SECRET_DEV
        - name: ARM_SUBSCRIPTION_ID
          value_from: ARM_SUBSCRIPTION_ID_DEV

but it seems like the vars are totally ignored, this is the output:

WARNING: running in 'backendless' mode. Features that require backend will not be available.
Failed to create lock provider. you must set 'DIGGER_AZURE_CLIENT_ID' and 'DIGGER_AZURE_CLIENT_SECRET' and 'DIGGER_AZURE_TENANT_ID' and 'DIGGER_AZURE_SA_NAME' when using client secret authentication
Error: Process completed with exit code 2.