In Azure DevOps, I recently converted the Service Connection to using WLID and now I'm getting the message:

```
Error: Backend configuration changed
A change in the backend configuration has been detected, which may require migrating existing state.
```

I added the following to the backend:

```
use_azuread_auth = true
use_oidc = true
```

I also added `use_oidc = true` to the provider.

Any thoughts on this?
I had a similar issue during Service Principal migration. You need to install a newer version of Terraform CLI to use the OIDC (OpenID connection) authentication option. After that, you need to authenticate using a Service Principal with Open ID Connect by adding the `backendAzureRmUseEnvironmentVariablesForAuthentication` parameter under the Terraform task in the `azure-pipelines.yaml` file:

```yaml
steps:
  - task: TerraformInstaller@1
    inputs:
      terraformVersion: 1.10.4
    displayName: Install Terraform 1.10.4
  - task: TerraformTaskV4@4
    displayName: Initialize Terraform
    inputs:
      provider: azurerm
      command: init
      backendServiceArm: $(serviceConnectionName)
      backendAzureRmResourceGroupName: $(resourceGroupName)
      backendAzureRmStorageAccountName: azweaapdwisdomaiblobv2
      backendAzureRmContainerName: terraform-container
      backendAzureRmKey: terraform.tfstate
      backendAzureRmUseEnvironmentVariablesForAuthentication: true
      # Use this option temporarily if you need to update the backend state
      # commandOptions: -reconfigure
      workingDirectory: $(System.DefaultWorkingDirectory)/terraform
```

It is important to set `addSpnToEnvironment` to true so that you can access the `servicePrincipalId`, `servicePrincipalKey` or `idToken`, and `tenantId` variables in your script.

Also, don't forget to set `backendAzureRmUseEnvironmentVariablesForAuthentication` to true in order to use the environment variables for authentication.

If you get an error because a change in the backend configuration has been detected, then use `commandOptions: -reconfigure` to store the current configuration in the state.
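
A preflight check for the environment-variable authentication described in the answer above, as an added example that is not part of the original posts or of the Terraform task. It assumes the pipeline exports `servicePrincipalId`, `tenantId` and `idToken` as the azurerm backend's `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_OIDC_TOKEN` variables; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time

# Assumption: the pipeline maps servicePrincipalId/tenantId to these variables.
REQUIRED = ("ARM_CLIENT_ID", "ARM_TENANT_ID")


def _jwt_claims(token):
    """Decode the unverified payload of a JWT; return None if it is malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None


def check_oidc_env(env, now=None):
    """Return the problems that would stop secretless (OIDC) backend auth."""
    now = time.time() if now is None else now
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    if env.get("ARM_USE_OIDC", "").lower() != "true":
        problems.append("ARM_USE_OIDC is not true")
    if env.get("ARM_CLIENT_SECRET"):
        # A leftover secret means the old Service Principal key is still exposed.
        problems.append("ARM_CLIENT_SECRET is still set")
    token = env.get("ARM_OIDC_TOKEN", "")
    claims = _jwt_claims(token) if token else None
    if not token:
        problems.append("ARM_OIDC_TOKEN is not set")
    elif not isinstance(claims, dict):
        problems.append("ARM_OIDC_TOKEN is not a well-formed JWT")
    elif not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("ARM_OIDC_TOKEN has expired or has no exp claim")
    return problems  # the token value itself is never returned or printed


def make_sample_token(exp):
    """Constructed, unsigned sample token for testing; not a real credential."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"exp": exp}), "sig"])


if __name__ == "__main__":
    import os
    for problem in check_oidc_env(os.environ):
        print("preflight:", problem)
```

Run it in a script step before `terraform init`; it only inspects the token's expiry claim and does not validate the signature.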