I have a case where marking variables as secret loses their value in the Release task. Please allow me to elaborate further.

Please find below a screenshot of the Terraform service principal.

The above one works, as the variables are available in the pipeline.

Take the scenario where they are secret and locked.

Now, run the pipeline and it reports that a required variable is not set.

I have added a step to echo these variables, just to see if I can see them, in the Release task.

I "assume" *** means actual echo, so they work in the echo statement.

Not able to understand why the behavior is different:

  1. When in plain text, they are available in pipeline
  2. When marked as secret they are not available.

How to make them available in pipeline?

Updates

Doing something like this:

```
Terraform plan -out main.plan -var "ARM_SUBSCRIPTION_ID=$(TF_VAR_ARM_SUBSCRIPTION_ID)" "ARM_CLIENT_ID=$(TF_VAR_ARM_CLIENT_ID)" "ARM_CLIENT_SECRET=$(TF_VAR_ARM_CLIENT_SECRET)" "ARM_TENANT_ID=$(TF_VAR_ARM_TENANT_ID)"
```

It reports:

```
2019-03-07T00:21:19.7692360Z ##[command]"terraform" plan -out main.plan -var "ARM_SUBSCRIPTION_ID=***" "ARM_CLIENT_ID=***" "ARM_CLIENT_SECRET=***" "ARM_TENANT_ID=***" -input=false -no-color
```

Get error:

```
2019-03-07T00:21:19.8504985Z Too many command line arguments. Configuration path expected.
```
BMW
learner
  • doing something like this: Terraform plan -out main.plan -var "ARM_SUBSCRIPTION_ID=$(TF_VAR_ARM_SUBSCRIPTION_ID)" "ARM_CLIENT_ID=$(TF_VAR_ARM_CLIENT_ID)" "ARM_CLIENT_SECRET=$(TF_VAR_ARM_CLIENT_SECRET)" "ARM_TENANT_ID=$(TF_VAR_ARM_TENANT_ID)" It reports: 2019-03-07T00:21:19.7692360Z ##[command]"terraform" plan -out main.plan -var "ARM_SUBSCRIPTION_ID=***" "ARM_CLIENT_ID=***" "ARM_CLIENT_SECRET=***" "ARM_TENANT_ID=***" -input=false -no-color 2019-03-07T00:21:19.8504985Z Too many command line arguments. Configuration path expected. – learner Mar 07 '19 at 00:27
  • First, the usage of `-var` is wrong; you need to provide `-var` for each variable – BMW Mar 07 '19 at 03:01
  • @BMW That's irrelevant because the environment variables are prefixed with `TF_VAR_` which will mean Terraform will load them anyway. – ydaetskcoR Mar 07 '19 at 09:41
  • Guys, the issue was resolved when I put -var prior to each variable; still, I am unable to understand the different behavior of Azure Pipelines. When the password is in plain text then there is no issue. When in encrypted format then we have to explicitly define each variable? I however appreciate the security of Azure Pipelines! The password does not come as plain text anywhere, so it's really secured. – learner Mar 07 '19 at 10:46
  • @ydaetskcoR You see this problem is fixed by my way. :-) – BMW Mar 08 '19 at 07:07
  • That's just because without doing so they broke the command line flag parser. Ditching all the -var flags entirely would also work. – ydaetskcoR Mar 08 '19 at 07:11

1 Answer

So to follow up with this: if you make a variable a secret, you cannot access it from any script directly. What I do, in the task where I need it decrypted, is go to the environment variables section of the task and enter the following.

What this does is decrypt the variable and set a variable of the same name so tools like Terraform can access it.

Jamie
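The mapping described in the answer above, written as a YAML pipeline step. This is an added example, not part of the original answer: it assumes a YAML pipeline rather than the classic Release editor used in the question, a Linux agent with Terraform on the PATH, and four secret pipeline variables with the names from the question.

```yaml
# Added example. Assumption: TF_VAR_ARM_* are defined on the pipeline
# (or a variable group) and marked secret, as in the question.
#
# Non-secret variables are exported to every step's environment automatically.
# Secret variables are not: a step only sees the ones listed under its env:.
# Without the env: block below, Terraform finds no TF_VAR_* values and
# reports the required variables as not set.
steps:
- bash: |
    set -euo pipefail
    # Preflight: fail early, without printing any value, if a secret
    # was not mapped into this step's environment.
    for name in TF_VAR_ARM_SUBSCRIPTION_ID TF_VAR_ARM_CLIENT_ID \
                TF_VAR_ARM_CLIENT_SECRET TF_VAR_ARM_TENANT_ID; do
      if [ -z "${!name:-}" ]; then
        echo "##vso[task.logissue type=error]$name is not mapped into this step"
        exit 1
      fi
    done
    # No -var flags: Terraform reads TF_VAR_<name> from the environment,
    # so the secrets never appear on the logged command line.
    terraform plan -out main.plan -input=false -no-color
  displayName: terraform plan (secrets mapped explicitly)
  env:
    # Left side: environment variable name seen by the process.
    # Right side: macro that the agent resolves to the secret value.
    TF_VAR_ARM_SUBSCRIPTION_ID: $(TF_VAR_ARM_SUBSCRIPTION_ID)
    TF_VAR_ARM_CLIENT_ID: $(TF_VAR_ARM_CLIENT_ID)
    TF_VAR_ARM_CLIENT_SECRET: $(TF_VAR_ARM_CLIENT_SECRET)
    TF_VAR_ARM_TENANT_ID: $(TF_VAR_ARM_TENANT_ID)
```

Any value the step prints is still masked as `***` in the log, so the preflight reports only the variable name.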