Terraform v4 upgrade

[paintedrust]

Provide the changes need to upgrade Obelisk to use Terraform V4, rather than V3.

Description

Terraform V4 upgrade

1. Update version numbers in infra-build-tfp-steps.yml and
   rollout-deploy-stage-jobs.yml to V4@4

2. Change version number for Terraform in providers.tf to latest version (4+)
   a. 4.10.0 from 3.x.x for azurerm
   b. 3.0.2 from 2.x.x for azuread

3. Add resource_provider_registrations = "none" to providers.tf under the section provider "azurerm" { beneath subscription_id and tenant_id.

Caution there is some debate about what the pipeline says versus what it means; Adding an additional " at the start of the error message. See below PRs for others issues.

hashicorp/terraform-provider-azurerm#27144
hashicorp/terraform-provider-azurerm#27110

In addition to this, make sure you do resource_provider_registrations not resource_provider_registration. Note the s at the end.

4. Add a value health_check_eviction_time_in_min = 10 to the web-api.tf under the site_config section as recommended by the pipeline. This value is meant to be set by default, but currently is not working.

microsoft/PubSec-Info-Assistant#860
microsoft/PubSec-Info-Assistant#861

5. There is now a limit to the length of the storage account name in Terraform/storage.tf where it must be between 3 & 24 characters. I have combated this by reducing the backend prefix to just be. Longer project names could be an issue. E.g. onebeyondobeliskbackendqastorage.

name = "${replace(replace(local.resource_prefix, "-", ""), "backend", "be")}storage" # must be between 3 & 24 chars

6. Update Random Password Generation to exclude the $ sign.

This caused an error for me where my password began with a $. So when performing the Apply EF bundle in the rollout pipeline, the EF bundler seems to have treated the $FK as a variable and stripped it out from the connection string, failing the login.

If you do have this error, but haven't updated this code yet, you can just delete the $ in the password generator and Terraform will just create a new password, no need to delete the resource group and start again.

Related Issue

(See motivation below)

Motivation and Context

I am using Obelisk myself for my own personal project and required to do this change as TerraformV3@3 did not work and failed at Initialize TF stage in infra-pr.yml. I used v4 instead and had to do a couple of extra changes

Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "xxxinfrastorage": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/listKeys?api-version=2021-01-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F

How Has This Been Tested?

I now have a functional and hosted in azure backend using V4 and frontend using Obelisk Vuetify, which is also working with V4 (minimal changes there are needed.) Setting values to V4@4 & registrations... = none. Although the registrations change may not be needed.

Further internal testing should be completed

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[paintedrust]

@andriikaplanovskyi