Teraform Gitlab image - no azure cli

GitLab CI/CD
1

Replace this template with your information

I am using the Gitlab runner for terraform in this container registry:

I am experimenting using this image to deploy to Azure:
registry.gitlab.com/gitlab-org/terraform-images/stable:latest

When I am deploying using my gitlab runner to Azure I am getting this error:

│ Error: building AzureRM Client: Please ensure you have installed Azure CLI version 2.0.79 or newer. Error parsing json result from the Azure CLI: Error launching Azure CLI: exec: "az": executable file not found in $PATH.

[50](https://gitlab.com/prometheus-build-repository/sourcecontrollayout/prometheus_inventory/terraform-afd/-/jobs/1714837184#L50)│

[51](https://gitlab.com/prometheus-build-repository/sourcecontrollayout/prometheus_inventory/terraform-afd/-/jobs/1714837184#L51)│ with provider["registry.terraform.io/hashicorp/azurerm"],

[52](https://gitlab.com/prometheus-build-repository/sourcecontrollayout/prometheus_inventory/terraform-afd/-/jobs/1714837184#L52)│ on main.tf line 15, in provider "azurerm":

[53](https://gitlab.com/prometheus-build-repository/sourcecontrollayout/prometheus_inventory/terraform-afd/-/jobs/1714837184#L53)│ 15: provider "azurerm" {

My gitlab-runner gitlab-cicd.yml file for terraform looks like this:

image:
  name: registry.gitlab.com/gitlab-org/terraform-images/stable:latest

variables:
  TF_ROOT: ${CI_PROJECT_DIR}/
  TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/afdexample
cache:
  key: example
  paths:
    - ${TF_ROOT}/.terraform

before_script:
  - cd ${TF_ROOT}

stages:
  - TERRAFORM_prepare
  - TERRAFORM_validate
  - TERRAFORM_build
  - TERRAFORM_deploy
  - TERRAFORM_destroy

TERRAFORM_init:
  stage: TERRAFORM_prepare
  script:
    - gitlab-terraform init

TERRAFORM_validate:
  stage: TERRAFORM_validate
  script:
    - gitlab-terraform validate

TERRAFORM_plan:
  stage: TERRAFORM_build
  script:
    - export TF_VAR_subscriptionid=$azuresubscriptionid
    - export TF_VAR_tenantid=$azuresubscriptiontenantid
    - export TF_VAR_serviceprincipalappid=$azureserviceprincipalappid
    - export TF_VAR_serviceprincipalsecret=$azureserviceprincipalpassword
    - gitlab-terraform plan
    - gitlab-terraform plan-json
  artifacts:
    name: plan
    paths:
      - ${TF_ROOT}/plan.cache
    reports:
      terraform: ${TF_ROOT}/plan.json

TERRAFORM_apply:
  stage: TERRAFORM_deploy
  tags:
    - configuration
  environment:
    name: production
  script:
    - gitlab-terraform apply
  dependencies:
    - TERRAFORM_plan
  when: manual
  only:
    - main

TERRAFORM_destroy:
  stage: TERRAFORM_destroy
  environment:
    name: production
  script:
    - export TF_VAR_subscription_id=$subscription_id
    - export TF_VAR_vtenant_id=$tenant_id
    - export TF_VAR_service_principal_appid=$service_principal_appid
    - export TF_VAR_service_principal_secret=$service_principal_secret
    - gitlab-terraform destroy 
  dependencies:
    - TERRAFORM_plan
  when: manual
  only:
    - main

Is there an image that has the Azure Cli in it? Or do we have to make our own?

Many thanks… WY

2

I started to try to do this, and ran into the same issue. I wasn’t sure whether to file a bug or come here, but if this isn’t getting any attention …

I’m using the Terraform.latest.gitlab-ci.yml template (because I’m a slave to code reuse), which uses the same base image as the OP. It doesn’t have any obvious hooks for adding extra content to the image before the jobs run, so I’ve overridden the build and deploy jobs by copying in their definitions from the template, and adding a before_script:

.install_azure: &install_azure
  - apk add --no-cache python3 py3-pip
  - apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo make
  - pip install azure-cli

build:
  extends: .terraform:build
  before_script:
    - *install_azure

deploy is more annoying, since it’s more than a simple wrapper around .terraform:deploy, but it’s the same idea.

Adding python3 isn’t a big deal, and that’s needed for az anyway. But the second apk add invocation adds about a gig to the image, and the azure-cli install, which ends up building a handful of wheels, took about ten minutes to complete. I’ll try to work out the caching necessary for that.

This is a bit nuts, though most of the nuttiness is due to Microsoft not just providing an APK for az. I’ve added a question about that to Install Azure CLI on Alpine Linux · Issue #19591 · Azure/azure-cli · GitHub.

But it would be nice to have a more elegant, DRY-compatible way to install extra software or otherwise prep the image before getting to the build and deploy stages. I’ve been thinking about that as having some way to “inject” a before_script into an existing job description, but maybe it’s just a matter of doing what I’ve done here, with a more generic name, integrated into the existing YAML files, but I’m struggling to figure out what that would look like (not being super familiar with all that YAML has to offer).

3

I had the same issue. The solution offered by @dhduvall works, but increases the runtime substantially.
To solve the issue I changed the authentication to be via service principal and env variables: Authenticate Terraform to Azure | Microsoft Docs

You can modifiy the api permissions of the service principal under app registration in the azure portal.
You can set those variables in gitlab under Settings > CI/CD > Variables (Expand)
Make sure the Variables can be used on every branch. Protected variables can only be used by protected branches.