Adding containers has a permissions issue when running from Github Runner.
Dipak-Mistry-WTW opened this issue · 14 comments
Is there an existing issue for this?
- I have searched the existing issues
Greenfield/Brownfield provisioning
greenfield
Terraform Version
1.81
Module Version
0.1.1
AzureRM Provider Version
3.99.0
Affected Resource(s)/Data Source(s)
azapi_resource
Terraform Configuration Files
module "storage_account_emea" {
  depends_on = [azurerm_resource_group.emea]
  source     = "git::https://github.com/Azure/terraform-azurerm-avm-res-storage-storageaccount.git"

  name                          = lower("*****${local.environment_short}data")
  resource_group_name           = azurerm_resource_group.emea.name
  public_network_access_enabled = true
  is_hns_enabled                = true
  shared_access_key_enabled     = true
  use_nested_nacl               = true

  network_rules = {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = local.ip_rules
  }

  containers = {
    name = {
      name = "bronze"
    }
  }

  private_endpoints = {
    pe1 = {
      inherit_tags        = true
      location            = azurerm_resource_group.emea.location
      resource_group_name = azurerm_resource_group.emea.name
      subnet_resource_id  = var.peered_vnet_subnet_id
      subresource_name    = ["blob"]
    }
  }
}
tfvars variables values
Not needed.
Debug Output/Panic Output
╷
│ Error: checking for presence of existing Resource: (ResourceId "/subscriptions/***/resourceGroups/***-******-*-rgrp/providers/Microsoft.Storage/storageAccounts/*****/blobServices/default/containers/bronze" / Api Version "2022-09-01"): ChainedTokenCredential authentication failed
│ GET http://169.254.169.254/metadata/identity/oauth2/token
│ --------------------------------------------------------------------------------
│ RESPONSE 400 Bad Request
│ --------------------------------------------------------------------------------
│ {
│ "error": "invalid_request",
│ "error_description": "Identity not found"
│ }
│ --------------------------------------------------------------------------------
│
│
Expected Behaviour
It should create the container resource.
However, the OIDC user-assigned managed identity doesn't seem to be getting passed through to the azapi_resource type.
Actual Behaviour
If the resource exists it can't plan. If it doesn't exist it plans but doesn't apply. The error is as in the logs.
Steps to Reproduce
No response
Important Factoids
No response
References
No response
The provider is trying to auth by MSI.
I got around this by creating an iptables rule to reject all outbound traffic to that IP.
- name: iptables block MSI endpoint
  run: sudo iptables -I OUTPUT --destination 169.254.169.254 -j REJECT
Thanks @matt-FFFFFF - But in my case I am using a managed identity for auth. If I add that task it presents another error which is:
##[debug]Error: reading "Resource: (ResourceId \"/subscriptions/***/resourceGroups/****-rgrp/providers/Microsoft.Storage/storageAccounts/*********data/blobServices/default/containers/bronze\" / Api Version \"2022-09-01\")": ChainedTokenCredential: failed to acquire a token.
##[debug]Attempted credentials:
##[debug]	managed identity timed out
##[debug]	AzureCLICredential: ERROR: Please run 'az login' to setup account.
##[debug]
##[debug]
##[debug]  with module.storage_account_emea.azapi_resource.containers["name"],
##[debug]  on .terraform/modules/storage_account_emea/main.containers.tf line 2, in resource "azapi_resource" "containers":
##[debug]   2: resource "azapi_resource" "containers" {
##[debug]
##[debug]
Oh ok. That's odd. I use UAMI in my test pipelines and that works well.
Are you using self-hosted runners?
Not using self hosted. Just using Github hosted.
So you're using OIDC not MSI?
In that case my previous recommendation stands. Reject traffic to the metadata IP and configure the providers to use OIDC as per the docs.
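As an added illustration of the recommendation above (this is not a workflow from the issue author, the module, or the AVM project), here is a GitHub-hosted runner job that rejects the IMDS endpoint and hands both azurerm and azapi an OIDC identity through the `ARM_*` environment variables. It assumes the federated credential for the app registration or user-assigned identity is already configured for this repository, and that the three ids are stored as repository secrets under the assumed names `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID`; setting `use_oidc = true` in each provider block is equivalent to `ARM_USE_OIDC`.

```yaml
# Added example, not from the issue or the module. Assumed secret names: AZURE_CLIENT_ID,
# AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID (federated credential already set up).
name: terraform-plan

on:
  pull_request:

permissions:
  contents: read
  id-token: write   # without this the job cannot request a GitHub OIDC token

env:
  # Both azurerm and azapi read these. With ARM_USE_OIDC set, the providers use the
  # ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN that GitHub injects when id-token: write is granted.
  ARM_USE_OIDC: "true"
  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3

      # Workaround from this issue: IMDS on a GitHub-hosted runner answers
      # "Identity not found", so reject the call instead of letting the
      # credential chain wait on it.
      - name: iptables block MSI endpoint
        run: sudo iptables -I OUTPUT --destination 169.254.169.254 -j REJECT

      # Fail fast if the OIDC plumbing is missing, before Terraform reports the
      # same ChainedTokenCredential error shown in the logs above.
      - name: Check OIDC environment
        run: |
          for v in ACTIONS_ID_TOKEN_REQUEST_URL ACTIONS_ID_TOKEN_REQUEST_TOKEN ARM_CLIENT_ID ARM_TENANT_ID; do
            if [ -z "${!v}" ]; then
              echo "::error::$v is not set (check permissions.id-token and the secrets)"
              exit 1
            fi
          done

      - name: Terraform Init
        run: terraform init -input=false

      - name: Terraform Plan
        run: terraform plan -input=false -no-color
```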
Warning
Tagging the AVM Core Team (@Azure/avm-core-team-technical-terraform) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.
Tip
- To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
- To avoid this rule being (re)triggered, the "Needs: Triage 🔍" label must be removed as part of the triage process (when the issue is first responded to)!
Note
This message was posted as per ITA01TF.
Caution
**This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-terraform) immediate attention as it hasn't been responded to within 6 business days.**
Tip
- To avoid this rule being (re)triggered, the "Needs: Triage 🔍" and "Status: Response Overdue 🚩" labels must be removed when the issue is first responded to!
- Remove the "Needs: Immediate Attention ‼️" label once the issue has been responded to.
Note
This message was posted as per ITA02TF.
@matt-FFFFFF Yes, using OIDC, but it's still not working.
I still get this error.
Error: reading "Resource: (ResourceId \"/subscriptions/***/resourceGroups/***-***-***/providers/Microsoft.Storage/storageAccounts/********/blobServices/default/containers/applications-state\" / Api Version \"2022-09-01\")": ChainedTokenCredential: failed to acquire a token.
Happy to jump on a call to have a look next week.
My yaml looks like this:
# See https://github.com/Azure/terraform-azurerm-avm-res-storage-storageaccount/issues/74
- name: iptables block MSI endpoint
  run: sudo iptables -I OUTPUT --destination 169.254.169.254 -j REJECT
- name: Terraform Plan
  id: tf-plan
  run: |
    export exitcode=0
    terraform plan -detailed-exitcode -no-color -out ${{ inputs.tfvars-filename }}.tfplan -var-file="${{ inputs.subscription }}/${{ inputs.tfvars-filename }}.tfvars" || export exitcode=$?
    echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
    if [ $exitcode -eq 1 ]; then
      echo Terraform Plan Failed!
      exit 1
    else
      exit 0
    fi