Using Terraform with a service connection based on workload identity federation


I'm trying to run the Terraform tasks "plan" and "apply" from Azure DevOps pipelines to deploy resources, using a service connection based on workload identity federation. After running the pipeline with the new service connection based on workload identity federation I get the following error, as shown in the screenshot:


Steps I followed in the process:

  1. Created an SPN.
  2. Gave the SPN a role assignment for the "Reader" role at management group scope.
  3. Created federated credentials and configured the issuer and subject identifier.
  4. Created a service connection based on workload identity federation (manual) using the SPN.
  5. Ran the pipeline under the new service connection.
Answer by Kevin Lu-MSFT (accepted answer):

From the log of the Terraform task, it seems that you are using the extension task "Azure Pipelines Terraform Tasks".

Testing the Terraform task version 0, I can reproduce the same issue.


This is a known issue in task version 0. Refer to this ticket: [error] Terraform backend initialization for AzureRM only support service principal authorization

To solve this issue, you need to switch to task version 1. Then it will work.

For example:


steps:
- task: TerraformCLI@1          # version 1 of the task; version 0 fails with a WIF connection
  displayName: 'terraform plan'
  inputs:
    command: plan
    environmentServiceName: kevin1010   # the answerer's WIF-based service connection name
    allowTelemetryCollection: false

Or you can also switch to the extension task from Microsoft DevLabs: Terraform.
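The accepted answer shows only the plan step. As an added example that is not part of the original post or of the extension's own documentation, the pipeline below runs init, plan and apply with TerraformCLI@1 against an azurerm backend through a workload identity federation service connection. Every name in it is an assumption: the service connection `tf-wif-connection`, the state storage `rg-tfstate` / `sttfstate` / `tfstate` / `infra.tfstate`, and the `infra` working directory. Two practical caveats, independent of the task version: the federated identity needs a role that can actually create the resources being deployed (the Reader role from the question's step 2 is enough for reads during plan but not for apply), and it needs enough access on the state storage account for the backend to read and write the state blob.

```yaml
# Added example, not the original post's code. Assumed names:
#   tf-wif-connection                     service connection using workload identity federation
#   rg-tfstate / sttfstate / tfstate      resource group, storage account, container for state
#   infra.tfstate                         state blob key
#   infra/                                directory holding the Terraform configuration
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  serviceConnection: tf-wif-connection            # assumed name of the WIF-based connection
  workingDir: $(System.DefaultWorkingDirectory)/infra

steps:
  - task: TerraformInstaller@1
    displayName: Install Terraform
    inputs:
      terraformVersion: latest

  # All three commands use the @1 task. The same inputs on TerraformCLI@0 fail with
  # "Terraform backend initialization for AzureRM only support service principal
  # authorization", because @0 only knows how to map a client-secret connection to
  # the ARM_* variables; @1 also handles workload identity federation.
  - task: TerraformCLI@1
    displayName: terraform init
    inputs:
      command: init
      workingDirectory: $(workingDir)
      backendType: azurerm
      backendServiceArm: $(serviceConnection)     # backend auth also goes through the WIF connection
      backendAzureRmResourceGroupName: rg-tfstate
      backendAzureRmStorageAccountName: sttfstate
      backendAzureRmContainerName: tfstate
      backendAzureRmKey: infra.tfstate
      allowTelemetryCollection: false

  - task: TerraformCLI@1
    displayName: terraform plan
    inputs:
      command: plan
      workingDirectory: $(workingDir)
      environmentServiceName: $(serviceConnection)
      commandOptions: -input=false
      allowTelemetryCollection: false

  # Apply only from main; the task adds -auto-approve itself, so no interactive prompt.
  - task: TerraformCLI@1
    displayName: terraform apply
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    inputs:
      command: apply
      workingDirectory: $(workingDir)
      environmentServiceName: $(serviceConnection)
      commandOptions: -input=false
      allowTelemetryCollection: false
```

The init step passes the service connection as `backendServiceArm` in addition to `environmentServiceName` on plan and apply; with a federated connection there is no client secret to fall back on, so the backend initialization itself must be able to use the federated token, which is exactly the part that version 0 of the task lacked.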