azuredevops_build_definition: Secret Variable Values Unavailable from Pipeline #1167

Open
jamiejackson opened this issue Sep 23, 2024 · 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform v1.9.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.68.0
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/random v3.6.3
+ provider registry.terraform.io/microsoft/azuredevops v1.3.0

It's also a problem with, say, Terraform 1.7.4 & azuredevops provider 1.0.1

Affected Resource(s)

  • azuredevops_build_definition

Terraform Configuration Files

terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "1.3.0"
    }

    aws = {
      source  = "hashicorp/aws"
      version = "5.68.0"
    }
  }

  required_version = ">= 1.9.6"

  backend "s3" {
    bucket = "terraform-state-hudx"
    key    = "jenkins"
    region = "us-east-1"
  }
}

provider "aws" {
  region = "us-east-1"
}

data "aws_ssm_parameter" "azdo_personal_access_token" {
  name = "/secret/global/azdo_pat/jenkins_terraform"
}

provider "azuredevops" {
  org_service_url       = "https://dev.azure.com/REDACTED"
  personal_access_token = data.aws_ssm_parameter.azdo_personal_access_token.value
}

data "azuredevops_project" "hudx" {
  name = "hudx"
}

data "azuredevops_git_repository" "jenkins" {
  project_id = data.azuredevops_project.hudx.id
  name       = "jenkins"
}

resource "azuredevops_build_definition" "terraform_drift_detection" {
  project_id = data.azuredevops_project.hudx.id
  name       = "secrets-repro-case"
  path       = "\\jenkins"

  ci_trigger {
    use_yaml = true
  }

  repository { # refers to terraform-util info
    branch_name = "refs/heads/main"
    repo_type   = "TfsGit"
    repo_id     = data.azuredevops_git_repository.jenkins.id
    yml_path    = "terraform/secrets-repro-case-pipeline.yml"
  }

  variable {
    name      = "plainTextFromTerraform"
    value     = "plain_text_value"
    is_secret = false
  }

  # this value is unavailable from the pipeline
  variable {
    name      = "secretFromTerraform"
    value     = "secret_value"
    is_secret = true
  }

}

Debug Output

Please let me know which operation to supply debug info for.

Panic Output

N/A

Expected Behavior

The values of secret variables created via Terraform are available to the pipeline.

Actual Behavior

Only manually created secret variables are available to the pipeline.

Steps to Reproduce

  1. Use the attached pipeline configuration to create a pipeline from Terraform.
  2. Create two more "manual" variables (one secret, one plain) to compare with the Terraform-generated variables:
  • plainTextFromManual
  • secretFromManual
    [screenshot of the manually created pipeline variables omitted]
  3. Run the pipeline.
  4. Observe the missing Terraform-generated secret value:
Starting: Bash
==============================================================================
Task         : Bash
Description  : Run a Bash script on macOS, Linux, or Windows
Version      : 3.244.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash
==============================================================================
Generating script.
========================== Starting Command Output ===========================
/usr/bin/bash /home/vsts/work/_temp/b2cb90a0-e5c4-4f97-adf7-23847ce59d07.sh
#### plainTextFromTerraform ####
Direct Access: p l a i n _ t e x t _ v a l u e 
Mapped Access: plain_text_value
#### secretFromTerraform ####
Direct Access: 
Mapped Access: 
#### plainTextFromManual ####
Direct Access: v a l u e _ f r o m _ m a n u a l 
Mapped Access: value_from_manual
#### secretFromManual ####
Direct Access: s e c r e t _ v a l u e _ m a n u a l 
Mapped Access: ***

Finishing: Bash
rdalbuquerque commented Sep 23, 2024

If is_secret is set to true, then secret_value should be used instead of value.
For variable groups, a validation was added in #1075; it's still missing from build definition though.

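The corrected variable block for the issue's configuration, as an added example that is not code from the issue or from the provider's documentation (resource and data source names are the ones used in the reproduction above):

```hcl
resource "azuredevops_build_definition" "terraform_drift_detection" {
  project_id = data.azuredevops_project.hudx.id
  name       = "secrets-repro-case"
  path       = "\\jenkins"

  ci_trigger {
    use_yaml = true
  }

  repository {
    branch_name = "refs/heads/main"
    repo_type   = "TfsGit"
    repo_id     = data.azuredevops_git_repository.jenkins.id
    yml_path    = "terraform/secrets-repro-case-pipeline.yml"
  }

  # Plain variable: "value" is the right attribute.
  variable {
    name      = "plainTextFromTerraform"
    value     = "plain_text_value"
    is_secret = false
  }

  # Secret variable: with is_secret = true the content must go in
  # "secret_value", not "value". The original block set "value", which
  # is why the pipeline saw an empty string for secretFromTerraform.
  variable {
    name         = "secretFromTerraform"
    secret_value = "secret_value"
    is_secret    = true
  }
}
```

Two caveats worth keeping in mind: the secret still passes through Terraform, so it ends up in the Terraform state (here an S3 backend), which must be protected accordingly; and, as the reproduction log shows, a pipeline step can defeat log masking of a secret by printing it one character at a time, so marking a variable secret limits accidental disclosure, not what a malicious or careless pipeline step can do with it.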
jamiejackson (Author) commented

Arrgh, RTFM error. Thanks for pointing it out.

I don't understand the nuances of what's been fixed and what hasn't, though. Why was I able to use a problematic combination of attributes? Was that because of something missing from "build definition"?

Should I create a new ticket for a validation gap?

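Until the provider validates the attribute combination for build definitions, the gap can be covered locally. The following is an added example (not part of the issue or the provider) of a small pre-commit style check that scans the `variable { ... }` blocks in a Terraform file and flags a secret variable whose content was put in `value` instead of `secret_value`, or a `secret_value` on a non-secret variable. It uses a lightweight regex over HCL rather than a full parser, so it assumes the flat `key = value` layout used in the issue's configuration; the sample input below is constructed from the issue's blocks plus a corrected one.

```python
import re
import sys

# Constructed sample: the two blocks from the issue plus a corrected secret.
SAMPLE_TF = """
resource "azuredevops_build_definition" "repro" {
  variable {
    name      = "plainTextFromTerraform"
    value     = "plain_text_value"
    is_secret = false
  }

  # this value is unavailable from the pipeline
  variable {
    name      = "secretFromTerraform"
    value     = "secret_value"
    is_secret = true
  }

  variable {
    name         = "secretFixed"
    secret_value = "secret_value"
    is_secret    = true
  }
}
"""

# A variable block with no nested braces (the shape the provider uses).
VARIABLE_BLOCK = re.compile(r"\bvariable\s*\{([^{}]*)\}", re.S)
# One "key = value" assignment per line; comment lines do not match.
ASSIGNMENT = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_variable_blocks(tf_text):
    """Return a list of {attribute: raw_value} dicts, one per variable block."""
    blocks = []
    for match in VARIABLE_BLOCK.finditer(tf_text):
        attrs = {}
        for key, raw in ASSIGNMENT.findall(match.group(1)):
            attrs[key] = raw.strip().strip('"')
        blocks.append(attrs)
    return blocks


def find_misconfigured(tf_text):
    """Return (variable_name, problem) tuples for blocks that mix up
    value / secret_value relative to is_secret."""
    findings = []
    for attrs in parse_variable_blocks(tf_text):
        name = attrs.get("name", "<unnamed>")
        is_secret = attrs.get("is_secret", "false").lower() == "true"
        if is_secret:
            if "secret_value" not in attrs:
                problem = "is_secret = true but secret_value is not set"
                if "value" in attrs:
                    problem += " (content is in value; move it to secret_value)"
                findings.append((name, problem))
        elif "secret_value" in attrs:
            findings.append((name, "secret_value is set but is_secret is false"))
    return findings


if __name__ == "__main__":
    # Usage: python check_azdo_vars.py [path/to/file.tf]
    # Without an argument the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TF
    problems = find_misconfigured(text)
    for name, problem in problems:
        print(f"{name}: {problem}")
    sys.exit(1 if problems else 0)
```

Run against the issue's configuration this reports only `secretFromTerraform`; the plain variable and the corrected secret pass. Because the check exits non-zero on a finding, it can sit in a pre-commit hook or a CI step before `terraform plan`.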
@xuzhang3 xuzhang3 pinned this issue Nov 1, 2024
@xuzhang3 xuzhang3 unpinned this issue Nov 1, 2024