Terraform Gitlab image - no azure cli


I am using the Gitlab runner for terraform in this container registry:

I am experimenting using this image to deploy to Azure:

When I am deploying using my gitlab runner to Azure I am getting this error:

│ Error: building AzureRM Client: Please ensure you have installed Azure CLI version 2.0.79 or newer. Error parsing json result from the Azure CLI: Error launching Azure CLI: exec: "az": executable file not found in $PATH.


│ with provider["registry.terraform.io/hashicorp/azurerm"],

│ on main.tf line 15, in provider "azurerm":

│ 15: provider "azurerm" {

My gitlab-runner gitlab-cicd.yml file for terraform looks like this:

  name: registry.gitlab.com/gitlab-org/terraform-images/stable:latest

  TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/afdexample
  key: example
    - ${TF_ROOT}/.terraform

  - cd ${TF_ROOT}

  - TERRAFORM_prepare
  - TERRAFORM_validate
  - TERRAFORM_build
  - TERRAFORM_deploy
  - TERRAFORM_destroy

  stage: TERRAFORM_prepare
    - gitlab-terraform init

  stage: TERRAFORM_validate
    - gitlab-terraform validate

  stage: TERRAFORM_build
    - export TF_VAR_subscriptionid=$azuresubscriptionid
    - export TF_VAR_tenantid=$azuresubscriptiontenantid
    - export TF_VAR_serviceprincipalappid=$azureserviceprincipalappid
    - export TF_VAR_serviceprincipalsecret=$azureserviceprincipalpassword
    - gitlab-terraform plan
    - gitlab-terraform plan-json
    name: plan
      - ${TF_ROOT}/plan.cache
      terraform: ${TF_ROOT}/plan.json

  stage: TERRAFORM_deploy
    - configuration
    name: production
    - gitlab-terraform apply
    - TERRAFORM_plan
  when: manual
    - main

  stage: TERRAFORM_destroy
    name: production
    - export TF_VAR_subscription_id=$subscription_id
    - export TF_VAR_vtenant_id=$tenant_id
    - export TF_VAR_service_principal_appid=$service_principal_appid
    - export TF_VAR_service_principal_secret=$service_principal_secret
    - gitlab-terraform destroy 
    - TERRAFORM_plan
  when: manual
    - main

Is there an image that has the Azure Cli in it? Or do we have to make our own?

Many thanks… WY

I started to try to do this, and ran into the same issue. I wasn’t sure whether to file a bug or come here, but if this isn’t getting any attention …

I’m using the Terraform.latest.gitlab-ci.yml template (because I’m a slave to code reuse), which uses the same base image as the OP. It doesn’t have any obvious hooks for adding extra content to the image before the jobs run, so I’ve overridden the build and deploy jobs by copying in their definitions from the template, and adding a before_script:

.install_azure: &install_azure
  - apk add --no-cache python3 py3-pip
  - apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo make
  - pip install azure-cli

build:
  extends: .terraform:build
  before_script:
    - *install_azure

deploy is more annoying, since it’s more than a simple wrapper around .terraform:deploy, but it’s the same idea.

Adding python3 isn’t a big deal, and that’s needed for az anyway. But the second apk add invocation adds about a gig to the image, and the azure-cli install, which ends up building a handful of wheels, took about ten minutes to complete. I’ll try to work out the caching necessary for that.

This is a bit nuts, though most of the nuttiness is due to Microsoft not just providing an APK for az. I’ve added a question about that to Install Azure CLI on Alpine Linux · Issue #19591 · Azure/azure-cli · GitHub.

But it would be nice to have a more elegant, DRY-compatible way to install extra software or otherwise prep the image before getting to the build and deploy stages. I’ve been thinking about that as having some way to “inject” a before_script into an existing job description, but maybe it’s just a matter of doing what I’ve done here, with a more generic name, integrated into the existing YAML files, but I’m struggling to figure out what that would look like (not being super familiar with all that YAML has to offer).

I had the same issue. The solution offered by @dhduvall works, but increases the runtime substantially.
To solve the issue I changed the authentication to be via service principal and env variables: Authenticate Terraform to Azure | Microsoft Docs

You can modify the api permissions of the service principal under app registration in the azure portal.
You can set those variables in gitlab under Settings > CI/CD > Variables (Expand)
Make sure the Variables can be used on every branch. Protected variables can only be used by protected branches.
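
Added example, not part of the thread and not GitLab's or HashiCorp's code: a POSIX sh pre-flight check for the service principal approach described in the last reply. It assumes the credentials are stored as the `ARM_*` environment variables that the azurerm provider reads for client-secret authentication; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for service principal authentication in a CI job.
# When these variables are unset or empty, the azurerm provider falls back to
# Azure CLI authentication, which produces the `exec: "az": executable file
# not found in $PATH` error on an image that does not ship az.

REQUIRED_ARM_VARS="ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID"

# Print the names (never the values) of required variables that are unset or empty.
missing_arm_vars() {
  missing=""
  for name in $REQUIRED_ARM_VARS; do
    # Indirect lookup; $name only ever comes from the fixed list above.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="${missing:+$missing }$name"
    fi
  done
  unset value
  printf '%s' "$missing"
}

# Return 0 when every credential variable is present, 1 otherwise.
check_arm_auth() {
  missing=$(missing_arm_vars)
  if [ -n "$missing" ]; then
    echo "Missing or empty: $missing" >&2
    # CI_COMMIT_REF_PROTECTED is a GitLab predefined variable.
    if [ "${CI_COMMIT_REF_PROTECTED:-}" = "false" ]; then
      echo "Ref '${CI_COMMIT_REF_NAME:-}' is not protected, so protected CI/CD variables are not passed to this job." >&2
    fi
    return 1
  fi
  return 0
}
```

Source the file and call `check_arm_auth` in the job script before `gitlab-terraform plan`, so a missing credential fails the job with the variable name instead of the Azure CLI error.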