Using TerraformTaskV4 init command with cross-subscription access and Federated Identity authentication

avaw · July 27, 2025, 6:52am

I’m working with an Azure DevOps pipeline where I need to initialize Terraform using the TerraformTaskV4 task. My setup involves deploying infrastructure to Azure but I’m facing some configuration issues.

Here’s my current task configuration:

- task: TerraformTaskV4@4
  displayName: Setup Terraform initialization
  inputs:
    provider: 'azurerm'
    command: 'init'
    backendServiceArm: 'my-service-connection'
    backendAzureRmResourceGroupName: 'terraform-backend-rg'
    backendAzureRmStorageAccountName: 'terraformstatestore'
    backendAzureRmContainerName: 'tfstate-container'
    backendAzureRmKey: 'project.tfstate'

I have two specific requirements that I need help with:

My service connection is configured for one subscription, but I need to initialize Terraform against a different Azure subscription. The service principal has permissions across multiple subscriptions.
My service connection uses Federated Identity credentials instead of traditional client secrets.

What’s the proper way to configure the terraform init step to handle these requirements?

amelial · August 4, 2025, 4:31am

for federated identity with cross-sub access, you’ll need to set the subscription_id explicitly in your terraform provider block. don’t rely on the service connection’s default. the TerraformTask picks up federated creds automatically but doesn’t know which subscription to use unless you specify it.