I have very simple pipeline, classic pipeline with Terraform Init, Plan and Apply, how ever deployment failed in middle, so I wanted to destroy all resources…
(backend is remote sitting on Azure blob container
so I enabled only Init and Destroy Task in pipeline, In Init parameters I have provided remote backend details, but when I run pipeline with destroy command it says " variable not allowed"
Actually in terraform.tfvars file I have used azure variable group variable substitution like below
and I have destory task like below
error i get is:
"It isn’t possible to define anything other than static values in a .tfvars file.", see Reference environment variables in .tfvars file.
Alternativly, you can rename the environment variables to start with TF_VAR_ prefix, e.g. TF_VAR_resource_group or you can try to pass the values via -var parameter.
I normally recommend against this type of solutions as it's non-canonical; e.g. there are ways to solve the problem, as #sschmeck has posted, so adding a third-party tool can just create more of a headache.
That said, this article details the use a "Replace Tokens" task in Azure DevOps.
Simply put, you can tell this task to scan for *.tfvars files, and have it replace some tokens with a pattern such as __example__, so in your example:
resource_group = __resource_group__
And set the resource_group variable in a Azure DevOps variable group; it will then search for your specified pattern and replace it.
Again, I would say use TF_VARs as it's canonical, but this may also work for you.
Related
We have a code repo with our IaC in Terraform. This is in Github, and we're going to pull the code, build it, etc. However, we don't want the values of our variables in Github itself. So this may be a dumb question, but where do we store the values we need for our variables? If my Terraform requires an Azure subscription id, where would I store the subscription id? The vars files won't be in source control. The goal is that we'll be pulling the code into an Azure Devops pipeline so the pipeline will have to know where to go to get the input variable values. I hope that makes sense?
You can store your secrets in Azure Key Vault and retrieve them in Terraform using azurerm_key_vault_secret.
data "azurerm_key_vault_secret" "example" {
name = "secret-sauce"
key_vault_id = data.azurerm_key_vault.existing.id
}
output "secret_value" {
value = data.azurerm_key_vault_secret.example.value
}
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret
There has to be a source of truth eventually.
You can store your values in the pipeline definitions as variables themselves and pass them into the Terraform configuration.
Usually it's a combination of tfvar files (dependent on target environment) and some variables from the pipeline. If you do have vars in your pipelines though, the pipelines should be in code.
If the variables are sensitive then you need to connect to a secret management tool to get those variables.
If you have many environments, say 20 environments and the infra is all the same with exception of a single ID you could have the same pipeline definition (normally JSON or YAML) and reference it for the 20 pipelines you build, each of those 20 would have that unique value baked in for use at execution. That var is passed through to Terraform as the missing piece.
There are other key-value property tracking systems out there but Git definitely works well for this purpose.
You can use Azure DevOps Secure files (pipelines -> library) for storing your credentials for each environment. You can create a tfvar file for each environment with all your credentials, upload it as a secure file in Azure DevOps and then download it in the pipeline with a DownloadSecureFile#1 task.
We have separate pipelines for our infrastructure and our application deployments. For our infrastructure, we are using terraform and i know that you can use terraform outputs as variables in later tasks within the same pipeline but is it possible to save the output as a variable in azure so that it can be used in a different pipeline.
We are looking to use this for S3 bucket names to use in the application code and for VPC subnet and SG ids in serverless.
Is this possible to save variables in the pipeline?
There is a variable group in Azure DevOps to share static values across pipelines.
In your case, if you want to save the terraform output as a variable in the variable group, you need to do something e.g. call the REST API dynamically to set the variable in the variable group, then you can use it in another pipeline.
You could also refer to this similar issue.
I've created a task group which deploys an Azure Function App which normally in a normal release pipeline (not a task group), it gives you the option of naming this variable on the panel which opens on the right hand side:
output variable
But when an azure function app task is contained within a task group, it gives you no option to create an output variable.
I was wondering if theres a way I can capture that output variable so I can later use it as a variable in a later task within the same task group?
You will find your variable but under slightly different name.
Assuming you have one FunctionApp in yout ask group you will get it via this variable
AZUREFUNCTIONAPP_APPSERVICEAPPLICATIONURL
To be sure please display all env variables. For Ubuntu you can add bash script with this command
env | sort
For more information please check this GitHub issue.
I have a lot of Azure Functions projects to deploy on Azure. I set build and pipeline for them. For example, this is one Release for an Azure Function.
Under Variables I defined all variables for the environments (one for dev, one for stage and one for production).
There is only one step for deploying the Azure Functions on Azure. I want to add/replace in the local.settings.json the right settings for an environment. I'm not be able to find how to configure that.
In other project, if I use Azure App Service Deploy, there is a section File Transforms & Variable Substitution Options.
How can I do the same in the release of an Azure Functions? What is the correct strategy or best practice?
Update and Solution
I thought it was much straightforward. I think this is the solution. In the App settings under Application and Configuration Settings, I have to specified each variable and its value using the ... in that line.
I can type or copy in this field. The syntax is
-variableName "$(variablename)"
I'm using quotes because if in the value there is any space (for example in the connection string you have Initial Catalog) DevOps raises an error. For array, I'm still using :.
Another way is to use File Transform task to substitute the variables in local.settings.json file with pipeline variables. See here for more information.
With File Transform task, you donot have to specify each variable and its value in App settings of deploy Azure Functions task.
You can add a File Transform task before the deploy Azure Functions task. Then define the variables(eg. KeyVaultSettings.ClientId) in your pipeline variables.
Then set the Package or folder, file format and Target files in File Transform task. See below:
This is what I've done in my Azure Functions pipeline (it's yaml, but you'll get the idea).
Create one stage per environment in your pipeline
Create your pipelines variables and asign a different value based on scope (stage)
Create a configuration entry (see picture) in your pipeline and asign the variable value.
Consume the configuration entry in your Azure Function (in my case I use Environmental Variables for that)
Use pipeline environment in your azure function configuration
I am trying to automate resource group creation with team services release.
I added azure resource group project to the solution and defined administratorLoginPassword variable as a secure string in json definition:
Also I defined administratorLoginPassword variable at the environment level in release definition as the following:
But when I run release it fails with the following reason:
Cannot process command because of one or more missing mandatory
parameters: administratorLoginPassword.
You need to pass that variable explicitly to the template script specifying its value in the Override Template Parameters text box, as follow:
-administratorLoginPassword (ConvertTo-SecureString -String '$(administratorLoginPassword)' -AsPlainText -Force)
Anyway I would suggest to create a proper azuredeploy.parameters.json file where you store all the actual values for all the required template parameters, and pass this file to Template Parameters input of the Azure Resource Group Deployment task. This file could be manipulated during build/release by replacing the content with the values you need, avoiding entirely to play with special parameters of the build task.
The variables created in the Build/Release Definition are disregarded by the Azure Res. Group Deployment task unless you pass it over explicitly as shown above.