Semaphore + Terraform/OpenTofu with Azure CLI credentials

[mlanner]

I have a Terraform/OpenTofu project for Azure that works just fine if run from the command line. The project uses Azure's CLI and specifically az login to consistently build the resources in Azure as defined in the main.tf code. I recently added this project to Semaphore and it all looks right (to me) and it successfully initializes the workspace when starting the task. However, as soon as it starts running the tofu plan it fails and says to run az login. I assume this is because Semaphore can't read the Azure CLI env variables? But, no matter if that assumption is right or wrong, I'd like to understand how I can make Semaphore execute my task. My goal is to use Semaphore to make this easier for other people on my team to stand up infrastructure without needing to know a lot about Terraform, using the command line, or even having CLI access to the server.

Any suggestions, ideas or insights into how to go about it would be greatly appreciated.

Thanks in advance!

[chriswdixon]

I created a bash script (below) to run the "az login", which then outputs the URL and code to authenticate. Once that is complete, my TF build works.

#!/bin/sh
az login

[MichelGP]

Good idea, like the logic. I tried this but it prompts that it cannot find the "az" executable. Any clues?

[jguay]

You would probably need to add the az executable in Dockerfile or on the semaphore server (https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=script)
Or if this is installed already and not found - add location in the path before calling az : PATH="${PATH}:<az install path>/bin"

[mlanner]

In the end I asked my IT department to set up a ServicePrincipal account for me. Once I logged in with the ServicePrincipal on the Semaphore server, it did start working. I've not had any issues since then. I've also used the same ServicePrincipal account successfully with Ansible, so I'm happy with that solution for now.

Thanks for your input and ideas around this.

One thing I'd perhaps like to see is some kind of "integration" of cloud provider credentials that could be configured in Semaphore and then scoped and used for a given project or even globally (although that might have some implications).

[ParaZzzedgar]

Good idea!