From ea4af9043ef3ce42073848667407d8a674b99d96 Mon Sep 17 00:00:00 2001
From: magodo
Date: Fri, 14 Feb 2025 02:02:28 +1100
Subject: [PATCH 1/2] Backend/azure: Update go-azure-sdk version to v0.20250131.1134653 (#36458)
* dependencies: update go-azure-sdk to v0.20250131.1134653
* Update backend test for Github and ADO to not rely on the env vars
* Setting ado_pipeline_service_connection_id during provider config
* Update doc
* changelog
---
 .../ENHANCEMENTS-20250207-164803.yaml | 5 ++
 go.mod | 4 +-
 go.sum | 8 +-
 .../backend/remote-state/azure/backend.go | 19 +++--
 .../remote-state/azure/backend_test.go | 79 ++++++++++++++++---
 .../backend/remote-state/azure/client_test.go | 12 +--
 internal/backend/remote-state/azure/go.mod | 4 +-
 internal/backend/remote-state/azure/go.sum | 8 +-
 .../remote-state/azure/helpers_test.go | 41 +++++++---
 website/docs/language/backend/azurerm.mdx | 6 +-
 10 files changed, 142 insertions(+), 44 deletions(-)
 create mode 100644 .changes/unreleased/ENHANCEMENTS-20250207-164803.yaml
diff --git a/.changes/unreleased/ENHANCEMENTS-20250207-164803.yaml b/.changes/unreleased/ENHANCEMENTS-20250207-164803.yaml
new file mode 100644
index 000000000000..d457460040c6
--- /dev/null
+++ b/.changes/unreleased/ENHANCEMENTS-20250207-164803.yaml
@@ -0,0 +1,5 @@
+kind: ENHANCEMENTS
+body: Azure Backend supports ADO Pipelines OIDC token refresh by using the `oidc_request_url`, `oidc_request_token` and (the new) `ado_pipeline_service_connection_id`.
+time: 2025-02-07T16:48:03.902464157+11:00
+custom:
+ Issue: "36458"
diff --git a/go.mod b/go.mod
index a199a910312c..18dd4b488f8a 100644
--- a/go.mod
+++ b/go.mod
@@ -182,8 +182,8 @@ require (
 github.com/hashicorp/consul/api v1.13.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-azure-helpers v0.71.0 // indirect
- github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051 // indirect
- github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051 // indirect
+ github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653 // indirect
+ github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653 // indirect
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect
 github.com/hashicorp/go-immutable-radix v1.0.0 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index 27cd4319a15e..6dcd0d5f138d 100644
--- a/go.sum
+++ b/go.sum
@@ -618,10 +618,10 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-azure-helpers v0.71.0 h1:ra3aIRzg01g6MLKQ+yABcb6WJtrqRUDDgyuPLmyZ9lY= github.com/hashicorp/go-azure-helpers v0.71.0/go.mod h1:BmbF4JDYXK5sEmFeU5hcn8Br21uElcqLfdQxjatwQKw= -github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051 h1:jFgd3bzeRViGTzicIn9gDw2O/Gk6WjVJCTTefPNOGPY= -github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051/go.mod h1:XapOZ9HiCtXz3qb5yNFiCuWbOBj2I3WU1K2jwqgK2zA= -github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051 h1:4fCKJPSeLVvwl7ZCqU7MOUKyx/M7kl/J6wlw2O3xn40= -github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc= +github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653 h1:KuDCZKWoOByX5MUyFRNWLl4Gy6wpZCwJ7Ez1mbUwouo= +github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653/go.mod h1:AawbnS/Kkp/IURMJVzmvD+Co2zK91lKFqYYDbenCpGU= +github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653 h1:Bd+glHUD1mdal1zn0NgoS4wDFhUB8Qfw61j0nZEnC5A= +github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc= github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU= github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go index 044c396d3f28..d14105f446ff 100644 --- a/internal/backend/remote-state/azure/backend.go +++ b/internal/backend/remote-state/azure/backend.go 
@@ -156,17 +156,24 @@ func New() backend.Backend { Description: "Allow OpenID Connect to be used for authentication", }, + "ado_pipeline_service_connection_id": { + Type: schema.TypeString, + Optional: true, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID"}, nil), + Description: "The Azure DevOps Pipeline Service Connection ID.", + }, + "oidc_request_token": { Type: schema.TypeString, Optional: true, - DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"}, ""), + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "SYSTEM_ACCESSTOKEN"}, nil), Description: "The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID Connect.", }, "oidc_request_url": { Type: schema.TypeString, Optional: true, - DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL"}, ""), + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL", "SYSTEM_OIDCREQUESTURI"}, nil), Description: "The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal using OpenID Connect.", }, 
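Review bot: The new `SYSTEM_ACCESSTOKEN` default means `oidc_request_token` is silently filled with the Azure DevOps job access token whenever that variable is present, but none of the three Description strings says which CI variables feed the field, and as far as I know ADO only exposes that token to a step that explicitly maps `$(System.AccessToken)` into its environment, so users will not know where the credential came from or why it is missing. I would extend the new field's description to `Description: "The Azure DevOps Pipeline Service Connection ID, used together with oidc_request_url and oidc_request_token when authenticating via OIDC from Azure DevOps Pipelines.",` and name the environment sources in the two OIDC request descriptions as the docs page now does. Because `oidc_request_url` and `oidc_request_token` are defaulted independently from three sources each, a process that happens to carry variables from both CI systems could pair a URL from one with a bearer token from the other, which sends a credential to the wrong endpoint; unless the pair is validated downstream, that is worth a configure-time check. `New()` starts and ends outside the hunk.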
@@ -329,9 +336,10 @@ func (b *Backend) configure(ctx context.Context) error { ClientCertificatePassword: data.Get("client_certificate_password").(string), ClientSecret: *clientSecret, - OIDCAssertionToken: *oidcToken, - GitHubOIDCTokenRequestURL: data.Get("oidc_request_url").(string), - GitHubOIDCTokenRequestToken: data.Get("oidc_request_token").(string), + OIDCAssertionToken: *oidcToken, + OIDCTokenRequestURL: data.Get("oidc_request_url").(string), + OIDCTokenRequestToken: data.Get("oidc_request_token").(string), + ADOPipelineServiceConnectionID: data.Get("ado_pipeline_service_connection_id").(string), CustomManagedIdentityEndpoint: data.Get("msi_endpoint").(string), @@ -341,6 +349,7 @@ func (b *Backend) configure(ctx context.Context) error { EnableAuthenticatingUsingManagedIdentity: enableManagedIdentity, EnableAuthenticationUsingOIDC: enableOidc, EnableAuthenticationUsingGitHubOIDC: enableOidc, + EnableAuthenticationUsingADOPipelineOIDC: enableOidc, } backendConfig := BackendConfig{ diff --git a/internal/backend/remote-state/azure/backend_test.go b/internal/backend/remote-state/azure/backend_test.go index 8abb1e15ed6d..b2b2d4c48936 100644 --- a/internal/backend/remote-state/azure/backend_test.go +++ b/internal/backend/remote-state/azure/backend_test.go @@ -57,7 +57,7 @@ func TestAccBackendAccessKeyBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "storage_account_name": m.names.storageAccountName, "container_name": m.names.storageContainerName, @@ -89,7 +89,7 @@ func TestAccBackendSASTokenBasic(t *testing.T) { t.Fatalf("Error building SAS Token: %+v", err) } - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "storage_account_name": m.names.storageAccountName, "container_name": m.names.storageContainerName, 
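Review bot: `EnableAuthenticationUsingADOPipelineOIDC` is now the third flag driven by the single `enableOidc` value, so `use_oidc = true` enables every OIDC variant at once and which one actually runs is decided by whichever of `oidc_token`, `oidc_request_url`/`oidc_request_token` and `ado_pipeline_service_connection_id` happen to be populated; a comment next to the three flags would spare the next reader that inference: `// use_oidc enables all OIDC variants; presumably go-azure-sdk selects one from whichever of oidc_token, oidc_request_url/token and ado_pipeline_service_connection_id are set`. Unless go-azure-sdk already rejects it, I would also fail fast when exactly one of `oidc_request_url` and `oidc_request_token` is non-empty, since a bare URL or a bare bearer token cannot complete the flow and the error otherwise surfaces later and less clearly: `if (data.Get("oidc_request_url").(string) == "") != (data.Get("oidc_request_token").(string) == "") { return fmt.Errorf("oidc_request_url and oidc_request_token must be set together") }`. `configure` starts and ends outside the hunk.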
@@ -106,6 +106,16 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) { testAccAzureBackendRunningInGitHubActions(t) + oidcRequestToken := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN") + if oidcRequestToken == "" { + t.Fatalf("Missing ACTIONS_ID_TOKEN_REQUEST_TOKEN") + } + + oidcRequestURL := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") + if oidcRequestURL == "" { + t.Fatalf("Missing ACTIONS_ID_TOKEN_REQUEST_URL") + } + ctx := newCtx() m := BuildTestMeta(t, ctx) @@ -116,7 +126,7 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, "resource_group_name": m.names.resourceGroup, @@ -124,6 +134,8 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) { "container_name": m.names.storageContainerName, "key": m.names.storageKeyName, "use_oidc": true, + "oidc_request_token": oidcRequestToken, + "oidc_request_url": oidcRequestURL, "tenant_id": m.tenantId, "client_id": m.clientId, "environment": m.env.Name, 
@@ -132,6 +144,55 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) { backend.TestBackendStates(t, b) } +func TestAccBackendADOPipelinesOIDCBasic(t *testing.T) { + t.Parallel() + + testAccAzureBackendRunningInADOPipelines(t) + + oidcRequestToken := os.Getenv("SYSTEM_ACCESSTOKEN") + if oidcRequestToken == "" { + t.Fatalf("Missing SYSTEM_ACCESSTOKEN") + } + + oidcRequestURL := os.Getenv("SYSTEM_OIDCREQUESTURI") + if oidcRequestURL == "" { + t.Fatalf("Missing SYSTEM_OIDCREQUESTURI") + } + + adoPipelineServiceConnectionId := os.Getenv("ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID") + if adoPipelineServiceConnectionId == "" { + t.Fatalf("Missing ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID") + } + + ctx := newCtx() + m := BuildTestMeta(t, ctx) + + err := m.buildTestResources(ctx) + if err != nil { + m.destroyTestResources(ctx) + t.Fatalf("Error creating Test Resources: %q", err) + } + defer m.destroyTestResources(ctx) + + clearARMEnv() + b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ + "subscription_id": m.subscriptionId, + "resource_group_name": m.names.resourceGroup, + "storage_account_name": m.names.storageAccountName, + "container_name": m.names.storageContainerName, + "key": m.names.storageKeyName, + "use_oidc": true, + "oidc_request_token": oidcRequestToken, + "oidc_request_url": oidcRequestURL, + "ado_pipeline_service_connection_id": adoPipelineServiceConnectionId, + "tenant_id": m.tenantId, + "client_id": m.clientId, + "environment": m.env.Name, + })).(*Backend) + + backend.TestBackendStates(t, b) +} + func TestAccBackendAzureADAuthBasic(t *testing.T) { t.Parallel() @@ -147,7 +208,7 @@ func TestAccBackendAzureADAuthBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, "resource_group_name": m.names.resourceGroup, 
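Review bot: The three `t.Fatalf("Missing ...")` guards in `TestAccBackendADOPipelinesOIDCBasic` only run after `testAccAzureBackendRunningInADOPipelines` has confirmed the ADO environment, and the most likely reason for `SYSTEM_ACCESSTOKEN` to be absent there is that the pipeline step did not map `$(System.AccessToken)` into its env, so the message could point at that: `t.Fatalf("Missing SYSTEM_ACCESSTOKEN; map $(System.AccessToken) into the step environment")`. The guards report only the variable name and never the value, which is the right choice since the token and request URL are credentials. The test calls `t.Parallel()` and then `clearARMEnv()`, which mutates process-wide environment; that follows the existing tests and relies on the ordering assumption described in the `clearARMEnv` comment in helpers_test.go.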
@@ -179,7 +240,7 @@ func TestAccBackendManagedServiceIdentityBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, "resource_group_name": m.names.resourceGroup, @@ -215,7 +276,7 @@ func TestAccBackendServicePrincipalClientCertificateBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, "resource_group_name": m.names.resourceGroup, @@ -247,7 +308,7 @@ func TestAccBackendServicePrincipalClientSecretBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, "resource_group_name": m.names.resourceGroup, @@ -278,7 +339,7 @@ func TestAccBackendAccessKeyLocked(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "storage_account_name": m.names.storageAccountName, @@ -318,7 +379,7 @@ func TestAccBackendServicePrincipalLocked(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, diff --git a/internal/backend/remote-state/azure/client_test.go b/internal/backend/remote-state/azure/client_test.go index ab0e0706345c..78814448c04b 100644 --- a/internal/backend/remote-state/azure/client_test.go +++ b/internal/backend/remote-state/azure/client_test.go 
@@ -29,7 +29,7 @@ func TestRemoteClientAccessKeyBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "storage_account_name": m.names.storageAccountName, "container_name": m.names.storageContainerName, @@ -61,7 +61,7 @@ func TestRemoteClientManagedServiceIdentityBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, "resource_group_name": m.names.resourceGroup, @@ -101,7 +101,7 @@ func TestRemoteClientSasTokenBasic(t *testing.T) { t.Fatalf("Error building SAS Token: %+v", err) } - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "storage_account_name": m.names.storageAccountName, "container_name": m.names.storageContainerName, @@ -133,7 +133,7 @@ func TestRemoteClientServicePrincipalBasic(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, "resource_group_name": m.names.resourceGroup, @@ -169,7 +169,7 @@ func TestRemoteClientAccessKeyLocks(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "storage_account_name": m.names.storageAccountName, @@ -215,7 +215,7 @@ func TestRemoteClientServicePrincipalLocks(t *testing.T) { } defer m.destroyTestResources(ctx) - clearEnv() + clearARMEnv() b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ "subscription_id": m.subscriptionId, diff --git a/internal/backend/remote-state/azure/go.mod b/internal/backend/remote-state/azure/go.mod index 9b1e0bf01582..8d1502f7663f 100644 
--- a/internal/backend/remote-state/azure/go.mod +++ b/internal/backend/remote-state/azure/go.mod @@ -4,8 +4,8 @@ go 1.23.3 require ( github.com/hashicorp/go-azure-helpers v0.71.0 - github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051 - github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051 + github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653 + github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653 github.com/hashicorp/go-uuid v1.0.3 github.com/hashicorp/terraform v0.0.0-00010101000000-000000000000 github.com/hashicorp/terraform/internal/legacy v0.0.0-00010101000000-000000000000 diff --git a/internal/backend/remote-state/azure/go.sum b/internal/backend/remote-state/azure/go.sum index 7696c6ecd458..978480d5224c 100644 --- a/internal/backend/remote-state/azure/go.sum +++ b/internal/backend/remote-state/azure/go.sum 
@@ -180,10 +180,10 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-azure-helpers v0.71.0 h1:ra3aIRzg01g6MLKQ+yABcb6WJtrqRUDDgyuPLmyZ9lY= github.com/hashicorp/go-azure-helpers v0.71.0/go.mod h1:BmbF4JDYXK5sEmFeU5hcn8Br21uElcqLfdQxjatwQKw= -github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051 h1:jFgd3bzeRViGTzicIn9gDw2O/Gk6WjVJCTTefPNOGPY= -github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051/go.mod h1:XapOZ9HiCtXz3qb5yNFiCuWbOBj2I3WU1K2jwqgK2zA= -github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051 h1:4fCKJPSeLVvwl7ZCqU7MOUKyx/M7kl/J6wlw2O3xn40= -github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc= +github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653 h1:KuDCZKWoOByX5MUyFRNWLl4Gy6wpZCwJ7Ez1mbUwouo= +github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653/go.mod h1:AawbnS/Kkp/IURMJVzmvD+Co2zK91lKFqYYDbenCpGU= +github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653 h1:Bd+glHUD1mdal1zn0NgoS4wDFhUB8Qfw61j0nZEnC5A= +github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI= diff --git a/internal/backend/remote-state/azure/helpers_test.go b/internal/backend/remote-state/azure/helpers_test.go index 31bce2f83dc4..ba8aa58da1b7 100644 --- a/internal/backend/remote-state/azure/helpers_test.go +++ b/internal/backend/remote-state/azure/helpers_test.go 
@@ -56,7 +56,16 @@ func testAccAzureBackendRunningInGitHubActions(t *testing.T) { } } -// clearEnv cleans up the azure related environment variables. +// these kind of tests can only run when within ADO Pipelines (e.g. OIDC) +func testAccAzureBackendRunningInADOPipelines(t *testing.T) { + testAccAzureBackend(t) + + if os.Getenv("TF_RUNNING_IN_ADO_PIPELINES") == "" { + t.Skip("Skipping test since not running in ADO Pipelines") + } +} + +// clearARMEnv cleans up the azure related environment variables. // This is to ensure the configuration only comes from HCL, which avoids // env vars for test setup interfere the behavior. // @@ -65,7 +74,7 @@ func testAccAzureBackendRunningInGitHubActions(t *testing.T) { // impact can be eliminated given all the tests are implemented in a similar // pattern that those env vars will be consumed at the very begining. The test // runner has to ensure to set a **big enough parallelism**. -func clearEnv() { +func clearARMEnv() { for _, evexp := range os.Environ() { k, _, ok := strings.Cut(evexp, "=") if !ok { 
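Review bot: The comment on the new `testAccAzureBackendRunningInADOPipelines` does not follow the doc-comment convention of starting with the function name and has a grammar slip ("these kind of tests"); I would use `// testAccAzureBackendRunningInADOPipelines skips the test unless TF_RUNNING_IN_ADO_PIPELINES is set, since these tests (e.g. OIDC) can only run inside ADO Pipelines.` The gate is a presence check, so any non-empty value enables the test, which matches the GitHub helper above it. `clearARMEnv`'s body continues past the hunk.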
@@ -178,19 +187,21 @@ func BuildTestMeta(t *testing.T, ctx context.Context) *TestMeta { // - MSI: For MSI related tests // - OIDC: For OIDC related tests authConfig := &auth.Credentials{ - Environment: *env, - TenantID: tenantID, - ClientID: clientID, - ClientSecret: clientSecret, - ClientCertificatePath: os.Getenv("ARM_CLIENT_CERTIFICATE_PATH"), - ClientCertificatePassword: os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD"), - GitHubOIDCTokenRequestURL: os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"), - GitHubOIDCTokenRequestToken: os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN"), + Environment: *env, + TenantID: tenantID, + ClientID: clientID, + ClientSecret: clientSecret, + ClientCertificatePath: os.Getenv("ARM_CLIENT_CERTIFICATE_PATH"), + ClientCertificatePassword: os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD"), + OIDCTokenRequestURL: getEnvvars("ACTIONS_ID_TOKEN_REQUEST_URL", "SYSTEM_OIDCREQUESTURI"), + OIDCTokenRequestToken: getEnvvars("ACTIONS_ID_TOKEN_REQUEST_TOKEN", "SYSTEM_ACCESSTOKEN"), + ADOPipelineServiceConnectionID: os.Getenv("ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID"), EnableAuthenticatingUsingClientSecret: true, EnableAuthenticatingUsingClientCertificate: true, EnableAuthenticatingUsingManagedIdentity: true, EnableAuthenticationUsingGitHubOIDC: true, + EnableAuthenticationUsingADOPipelineOIDC: true, } resourceManagerAuth, err := auth.NewAuthorizerFromCredentials(ctx, *authConfig, env.ResourceManager) @@ -325,3 +336,13 @@ func randString(strlen int) string { } return string(result) } + +// getEnvvars return the first non-empty env var specified. If none is found, it returns empty string. +func getEnvvars(envvars ...string) string { + for _, envvar := range envvars { + if v := os.Getenv(envvar); v != "" { + return v + } + } + return "" +} diff --git a/website/docs/language/backend/azurerm.mdx b/website/docs/language/backend/azurerm.mdx index 9ac71293f532..b376ee80c2ec 100644 --- a/website/docs/language/backend/azurerm.mdx +++ b/website/docs/language/backend/azurerm.mdx 
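Review bot: `OIDCTokenRequestURL` and `OIDCTokenRequestToken` are resolved by two independent `getEnvvars` calls, so in a process that carries both the GitHub and the ADO variables the URL could come from one system and the bearer token from the other; resolving them as a pair rules that out, even though only one set is normally present. The doc comment on `getEnvvars` should start with the name and read `// getEnvvars returns the value of the first listed environment variable that is non-empty, or "" if none is set.` `BuildTestMeta` starts and ends outside the hunk.
```go
	// Resolve URL and token as a pair so a GitHub URL is never combined with an ADO token, or vice versa.
	oidcRequestURL, oidcRequestToken := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"), os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
	if oidcRequestURL == "" || oidcRequestToken == "" {
		oidcRequestURL, oidcRequestToken = os.Getenv("SYSTEM_OIDCREQUESTURI"), os.Getenv("SYSTEM_ACCESSTOKEN")
	}
	authConfig := &auth.Credentials{
		// … unchanged: Environment, TenantID, ClientID, ClientSecret, certificate fields …
		OIDCTokenRequestURL:            oidcRequestURL,
		OIDCTokenRequestToken:          oidcRequestToken,
		// … unchanged: ADOPipelineServiceConnectionID and Enable* flags …
	}
```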
@@ -540,9 +540,11 @@ When authenticating using a Managed Identity (MSI) - the following fields are al When authenticating using a Service Principal with OpenID Connect (OIDC / Workload Identity Federation) - the following fields are also supported: -* `oidc_request_url` - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL` or `ACTIONS_ID_TOKEN_REQUEST_URL` environment variables. +* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` Environment Variables. The provider will look for values in this order and use the first it finds configured. -* `oidc_request_token` - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables. +* `oidc_request_url` - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` Environment Variables. The provider will look for values in this order and use the first it finds configured. + +* `oidc_request_token` - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN`, `ACTIONS_ID_TOKEN_REQUEST_TOKEN` or `SYSTEM_ACCESSTOKEN` Environment Variables. The provider will look for values in this order and use the first it finds configured. * `oidc_token` - (Optional) The ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN` environment variable. From ecc41fae999c78784733b3fc81aa5413a6c84cd5 Mon Sep 17 00:00:00 2001 
From: Daniel Banck
Date: Wed, 12 Mar 2025 11:46:47 +0100
Subject: [PATCH 2/2] Move changelog to new dir structure
---
 .changes/{unreleased => v1.11}/ENHANCEMENTS-20250207-164803.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .changes/{unreleased => v1.11}/ENHANCEMENTS-20250207-164803.yaml (100%)
diff --git a/.changes/unreleased/ENHANCEMENTS-20250207-164803.yaml b/.changes/v1.11/ENHANCEMENTS-20250207-164803.yaml
similarity index 100%
rename from .changes/unreleased/ENHANCEMENTS-20250207-164803.yaml
rename to .changes/v1.11/ENHANCEMENTS-20250207-164803.yaml