diff --git a/go.mod b/go.mod index 30baacd01948..5e3ecc824944 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/hashicorp/terraform require ( cloud.google.com/go/storage v1.10.0 github.com/Azure/azure-sdk-for-go v59.2.0+incompatible - github.com/Azure/go-autorest/autorest v0.11.22 + github.com/Azure/go-autorest/autorest v0.11.24 github.com/Netflix/go-expect v0.0.0-20211003183012-e1a7c020ce25 github.com/agext/levenshtein v1.2.3 github.com/aliyun/alibaba-cloud-sdk-go v1.61.1501 @@ -33,7 +33,7 @@ require ( github.com/hashicorp/consul/api v1.9.1 github.com/hashicorp/consul/sdk v0.8.0 github.com/hashicorp/errwrap v1.1.0 - github.com/hashicorp/go-azure-helpers v0.18.0 + github.com/hashicorp/go-azure-helpers v0.31.1 github.com/hashicorp/go-checkpoint v0.5.0 github.com/hashicorp/go-cleanhttp v0.5.2 github.com/hashicorp/go-getter v1.5.10 @@ -53,7 +53,7 @@ require ( github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 github.com/lib/pq v1.10.3 github.com/lusis/go-artifactory v0.0.0-20160115162124-7e4ce345df82 - github.com/manicminer/hamilton v0.35.0 + github.com/manicminer/hamilton v0.44.0 github.com/masterzen/winrm v0.0.0-20200615185753-c42b5136ff88 github.com/mattn/go-isatty v0.0.12 github.com/mattn/go-shellwords v1.0.4 @@ -82,7 +82,7 @@ require ( github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b github.com/zclconf/go-cty-yaml v1.0.2 go.etcd.io/etcd v0.5.0-alpha.5.0.20210428180535-15715dcf1ace - golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa + golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f @@ -104,7 +104,7 @@ require ( require ( cloud.google.com/go v0.81.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.4 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect @@ -134,7 +134,7 @@ require ( github.com/go-logr/logr v1.2.0 // indirect github.com/gofrs/uuid v4.0.0+incompatible // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.1.0 // indirect + github.com/golang-jwt/jwt/v4 v4.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.1.0 // indirect @@ -156,6 +156,7 @@ require ( github.com/klauspost/compress v1.11.2 // indirect github.com/kr/pretty v0.2.1 // indirect github.com/kr/pty v1.1.5 // indirect + github.com/manicminer/hamilton-autorest v0.2.0 // indirect github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 // indirect github.com/mattn/go-colorable v0.1.6 // indirect github.com/mitchellh/go-testing-interface v1.0.4 // indirect diff --git a/go.sum b/go.sum index 9e1a37bf9cae..84cbc399c929 100644 --- a/go.sum +++ b/go.sum @@ -48,15 +48,14 @@ github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSW github.com/Azure/go-autorest/autorest v0.11.3/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= github.com/Azure/go-autorest/autorest v0.11.10/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= -github.com/Azure/go-autorest/autorest v0.11.21/go.mod h1:Do/yuMSW/13ayUkcVREpsMHGG+MvV81uzSCFgYPj4tM= -github.com/Azure/go-autorest/autorest v0.11.22 h1:bXiQwDjrRmBQOE67bwlvUKAC1EU1yZTPQ38c+bstZws= -github.com/Azure/go-autorest/autorest v0.11.22/go.mod h1:BAWYUWGPEtKPzjVkp0Q6an0MJcJDsoh5Z1BFAEFs4Xs= +github.com/Azure/go-autorest/autorest v0.11.24 h1:1fIGgHKqVm54KIPT+q8Zmd1QlVsmHqeUGso5qm2BqqE= +github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/adal v0.9.17 h1:esOPl2dhcz9P3jqBSJ8tPGEj2EqzPPT6zfyuloiogKY= -github.com/Azure/go-autorest/autorest/adal v0.9.17/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/adal v0.9.18 h1:kLnPsRjzZZUF3K5REu/Kc+qMQrvuza2bwSnNdhmzLfQ= +github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= github.com/Azure/go-autorest/autorest/azure/cli v0.4.4 h1:iuooz5cZL6VRcO7DVSFYxRcouqn6bFVE/e77Wts50Zk= @@ -264,8 +263,8 @@ github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptG github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.1.0 h1:XUgk2Ex5veyVFVeLm0xhusUTQybEbexJXrvPNOKkSY0= -github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= +github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -378,8 +377,8 @@ github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-azure-helpers v0.12.0/go.mod h1:Zc3v4DNeX6PDdy7NljlYpnrdac1++qNW0I4U+ofGwpg= -github.com/hashicorp/go-azure-helpers v0.18.0 h1:hh+lFaURcQ0R12Pj0Ybn+dj6mTHU+I+ep/CAmXiYEvw= -github.com/hashicorp/go-azure-helpers v0.18.0/go.mod h1:lZo52hYeyEoo4qpUUruaEec13bFyu8ldjX2zTFzVzss= +github.com/hashicorp/go-azure-helpers v0.31.1 h1:lgwZLcyMheoLUj7dJfsrsa7ZpRvOIbsfFhttLi6ml78= +github.com/hashicorp/go-azure-helpers v0.31.1/go.mod h1:gcutZ/Hf/O7YN9M3UIvyZ9l0Rxv7Yrc9x5sSfM9cuSw= github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU= github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= @@ -523,8 +522,11 @@ github.com/lusis/go-artifactory v0.0.0-20160115162124-7e4ce345df82 h1:wnfcqULT+N github.com/lusis/go-artifactory v0.0.0-20160115162124-7e4ce345df82/go.mod h1:y54tfGmO3NKssKveTEFFzH8C/akrSOy/iW9qEAUDV84= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/manicminer/hamilton v0.35.0 h1:K72BHXLhlO+H/evI5iburLDfVe19bDaXO+hEIQEVkdg= -github.com/manicminer/hamilton v0.35.0/go.mod h1:IOYn2Dc9SUiZ7Ryw6c8Ay795vPPMnrCZe3MktS447dc= +github.com/manicminer/hamilton v0.43.0/go.mod h1:lbVyngC+/nCWuDp8UhC6Bw+bh7jcP/E+YwqzHTmzemk= +github.com/manicminer/hamilton v0.44.0 h1:mLb4Vxbt2dsAvOpaB7xd/5D8LaTTX6ACwVP4TmW8qwE= +github.com/manicminer/hamilton v0.44.0/go.mod h1:lbVyngC+/nCWuDp8UhC6Bw+bh7jcP/E+YwqzHTmzemk= +github.com/manicminer/hamilton-autorest v0.2.0 h1:dDL+t2DrQza0EfNYINYCvXISeNwVqzgVAQh+CH/19ZU= +github.com/manicminer/hamilton-autorest v0.2.0/go.mod h1:NselDpNTImEmOc/fa41kPg6YhDt/6S95ejWbTGZ6tlg= github.com/masterzen/simplexml v0.0.0-20160608183007-4572e39b1ab9/go.mod h1:kCEbxUJlNDEBNbdQMkPSp6yaKcRXVI6f4ddk8Riv4bc= github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 h1:2ZKn+w/BJeL43sCxI2jhPLRv73oVVOjEKZjKkflyqxg= github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786/go.mod h1:kCEbxUJlNDEBNbdQMkPSp6yaKcRXVI6f4ddk8Riv4bc= @@ -771,12 +773,11 @@ golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa h1:idItI2DDfCokpg0N51B2VtiLdJ4vAuXC9fnCb2gACo4= -golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M= +golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -864,9 +865,9 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211216030914-fe4d6282115f h1:hEYJvxw1lSnWIl8X9ofsYMklzaDs90JI2az5YMd4fPM= golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= diff --git a/internal/backend/remote-state/azure/arm_client.go b/internal/backend/remote-state/azure/arm_client.go index 85bbc4c5fae6..5419e41112f7 100644 --- a/internal/backend/remote-state/azure/arm_client.go +++ b/internal/backend/remote-state/azure/arm_client.go @@ -81,11 +81,16 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro // Managed Service Identity MsiEndpoint: config.MsiEndpoint, + // OIDC + IDTokenRequestURL: config.OIDCRequestURL, + IDTokenRequestToken: config.OIDCRequestToken, + // Feature Toggles SupportsAzureCliToken: true, SupportsClientCertAuth: true, SupportsClientSecretAuth: true, SupportsManagedServiceIdentity: config.UseMsi, + SupportsOIDCAuth: config.UseOIDC, UseMicrosoftGraph: config.UseMicrosoftGraph, } armConfig, err := builder.Build() @@ -106,13 +111,13 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro sender := sender.BuildSender("backend/remote-state/azure") var auth autorest.Authorizer if builder.UseMicrosoftGraph { - log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Resource Manager..") + log.Printf("[DEBUG] Obtaining an MSAL / Microsoft Graph token for Resource Manager..") auth, err = armConfig.GetMSALToken(ctx, hamiltonEnv.ResourceManager, sender, oauthConfig, env.TokenAudience) if err != nil { return nil, err } } else { - log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Resource Manager..") + log.Printf("[DEBUG] Obtaining an ADAL / Azure Active Directory Graph token for Resource Manager..") auth, err = armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience) if err != nil { return nil, err @@ -121,14 +126,14 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro if config.UseAzureADAuthentication { if builder.UseMicrosoftGraph { - log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Storage..") + log.Printf("[DEBUG] Obtaining an MSAL / Microsoft Graph token for Storage..") storageAuth, err := armConfig.GetMSALToken(ctx, hamiltonEnv.Storage, sender, oauthConfig, env.ResourceIdentifiers.Storage) if err != nil { return nil, err } client.azureAdStorageAuth = &storageAuth } else { - log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Storage..") + log.Printf("[DEBUG] Obtaining an ADAL / Azure Active Directory Graph token for Storage..") storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage) if err != nil { return nil, err diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go index 5a8f15008c12..91db6936e7fd 100644 --- a/internal/backend/remote-state/azure/backend.go +++ b/internal/backend/remote-state/azure/backend.go @@ -135,6 +135,28 @@ func New() backend.Backend { DefaultFunc: schema.EnvDefaultFunc("ARM_MSI_ENDPOINT", ""), }, + // OIDC auth specific fields + "use_oidc": { + Type: schema.TypeBool, + Optional: true, + DefaultFunc: schema.EnvDefaultFunc("ARM_USE_OIDC", false), + Description: "Allow OIDC to be used for authentication", + }, + + "oidc_request_url": { + Type: schema.TypeString, + Optional: true, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL"}, ""), + Description: "The URL for the OIDC provider from which to request an ID token", + }, + + "oidc_request_token": { + Type: schema.TypeString, + Optional: true, + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"}, ""), + Description: "The bearer token for the request to the OIDC provider", + }, + // Feature Flags "use_azuread_auth": { Type: schema.TypeBool, @@ -182,11 +204,14 @@ type BackendConfig struct { MetadataHost string Environment string MsiEndpoint string + OIDCRequestURL string + OIDCRequestToken string ResourceGroupName string SasToken string SubscriptionID string TenantID string UseMsi bool + UseOIDC bool UseAzureADAuthentication bool UseMicrosoftGraph bool } @@ -213,12 +238,15 @@ func (b *Backend) configure(ctx context.Context) error { MetadataHost: data.Get("metadata_host").(string), Environment: data.Get("environment").(string), MsiEndpoint: data.Get("msi_endpoint").(string), + OIDCRequestURL: data.Get("oidc_request_url").(string), + OIDCRequestToken: data.Get("oidc_request_token").(string), ResourceGroupName: data.Get("resource_group_name").(string), SasToken: data.Get("sas_token").(string), StorageAccountName: data.Get("storage_account_name").(string), SubscriptionID: data.Get("subscription_id").(string), TenantID: data.Get("tenant_id").(string), UseMsi: data.Get("use_msi").(bool), + UseOIDC: data.Get("use_oidc").(bool), UseAzureADAuthentication: data.Get("use_azuread_auth").(bool), UseMicrosoftGraph: data.Get("use_microsoft_graph").(bool), } diff --git a/internal/backend/remote-state/azure/backend_test.go b/internal/backend/remote-state/azure/backend_test.go index 2411ddedb9b6..70bc272f892e 100644 --- a/internal/backend/remote-state/azure/backend_test.go +++ b/internal/backend/remote-state/azure/backend_test.go @@ -39,7 +39,7 @@ func TestBackendConfig(t *testing.T) { } } -func TestBackendAccessKeyBasic(t *testing.T) { +func TestAccBackendAccessKeyBasic(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -65,7 +65,7 @@ func TestBackendAccessKeyBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendSASTokenBasic(t *testing.T) { +func TestAccBackendSASTokenBasic(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -95,7 +95,35 @@ func TestBackendSASTokenBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendADALAzureADAuthBasic(t *testing.T) { +func TestAccBackendOIDCBasic(t *testing.T) { + testAccAzureBackend(t) + rs := acctest.RandString(4) + res := testResourceNames(rs, "testState") + armClient := buildTestClient(t, res) + + ctx := context.TODO() + err := armClient.buildTestResources(ctx, &res) + defer armClient.destroyTestResources(ctx, res) + if err != nil { + t.Fatalf("Error creating Test Resources: %q", err) + } + + b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{ + "storage_account_name": res.storageAccountName, + "container_name": res.storageContainerName, + "key": res.storageKeyName, + "resource_group_name": res.resourceGroup, + "use_oidc": true, + "subscription_id": os.Getenv("ARM_SUBSCRIPTION_ID"), + "tenant_id": os.Getenv("ARM_TENANT_ID"), + "environment": os.Getenv("ARM_ENVIRONMENT"), + "endpoint": os.Getenv("ARM_ENDPOINT"), + })).(*Backend) + + backend.TestBackendStates(t, b) +} + +func TestAccBackendADALAzureADAuthBasic(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -123,7 +151,7 @@ func TestBackendADALAzureADAuthBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendADALManagedServiceIdentityBasic(t *testing.T) { +func TestAccBackendADALManagedServiceIdentityBasic(t *testing.T) { testAccAzureBackendRunningInAzure(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -151,7 +179,7 @@ func TestBackendADALManagedServiceIdentityBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendADALServicePrincipalClientCertificateBasic(t *testing.T) { +func TestAccBackendADALServicePrincipalClientCertificateBasic(t *testing.T) { testAccAzureBackend(t) clientCertPassword := os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD") @@ -188,7 +216,7 @@ func TestBackendADALServicePrincipalClientCertificateBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendADALServicePrincipalClientSecretBasic(t *testing.T) { +func TestAccBackendADALServicePrincipalClientSecretBasic(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -217,7 +245,7 @@ func TestBackendADALServicePrincipalClientSecretBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendADALServicePrincipalClientSecretCustomEndpoint(t *testing.T) { +func TestAccBackendADALServicePrincipalClientSecretCustomEndpoint(t *testing.T) { testAccAzureBackend(t) // this is only applicable for Azure Stack. @@ -253,7 +281,7 @@ func TestBackendADALServicePrincipalClientSecretCustomEndpoint(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendMSALAzureADAuthBasic(t *testing.T) { +func TestAccBackendMSALAzureADAuthBasic(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -282,7 +310,7 @@ func TestBackendMSALAzureADAuthBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendMSALManagedServiceIdentityBasic(t *testing.T) { +func TestAccBackendMSALManagedServiceIdentityBasic(t *testing.T) { testAccAzureBackendRunningInAzure(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -311,7 +339,7 @@ func TestBackendMSALManagedServiceIdentityBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendMSALServicePrincipalClientCertificateBasic(t *testing.T) { +func TestAccBackendMSALServicePrincipalClientCertificateBasic(t *testing.T) { testAccAzureBackend(t) clientCertPassword := os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD") @@ -349,7 +377,7 @@ func TestBackendMSALServicePrincipalClientCertificateBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendMSALServicePrincipalClientSecretBasic(t *testing.T) { +func TestAccBackendMSALServicePrincipalClientSecretBasic(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -379,7 +407,7 @@ func TestBackendMSALServicePrincipalClientSecretBasic(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendMSALServicePrincipalClientSecretCustomEndpoint(t *testing.T) { +func TestAccBackendMSALServicePrincipalClientSecretCustomEndpoint(t *testing.T) { testAccAzureBackend(t) // this is only applicable for Azure Stack. @@ -416,7 +444,7 @@ func TestBackendMSALServicePrincipalClientSecretCustomEndpoint(t *testing.T) { backend.TestBackendStates(t, b) } -func TestBackendAccessKeyLocked(t *testing.T) { +func TestAccBackendAccessKeyLocked(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") @@ -454,7 +482,7 @@ func TestBackendAccessKeyLocked(t *testing.T) { backend.TestBackendStateForceUnlockInWS(t, b1, b2, "foo") } -func TestBackendServicePrincipalLocked(t *testing.T) { +func TestAccBackendServicePrincipalLocked(t *testing.T) { testAccAzureBackend(t) rs := acctest.RandString(4) res := testResourceNames(rs, "testState") diff --git a/internal/backend/remote-state/azure/helpers_test.go b/internal/backend/remote-state/azure/helpers_test.go index dadb9aa26047..7fc51801eccc 100644 --- a/internal/backend/remote-state/azure/helpers_test.go +++ b/internal/backend/remote-state/azure/helpers_test.go @@ -39,6 +39,15 @@ func testAccAzureBackendRunningInAzure(t *testing.T) { } } +// these kind of tests can only run when within GitHub Actions (e.g. OIDC) +func testAccAzureBackendRunningInGitHubActions(t *testing.T) { + testAccAzureBackend(t) + + if os.Getenv("TF_RUNNING_IN_GITHUB_ACTIONS") == "" { + t.Skip("Skipping test since not running in GitHub Actions") + } +} + func buildTestClient(t *testing.T, res resourceNames) *ArmClient { subscriptionID := os.Getenv("ARM_SUBSCRIPTION_ID") tenantID := os.Getenv("ARM_TENANT_ID") diff --git a/website/docs/language/settings/backends/azurerm.mdx b/website/docs/language/settings/backends/azurerm.mdx index a2b91bc9f527..a70356072702 100644 --- a/website/docs/language/settings/backends/azurerm.mdx +++ b/website/docs/language/settings/backends/azurerm.mdx @@ -46,6 +46,24 @@ terraform { *** +When authenticating using OpenID Connect (OIDC): + +```hcl +terraform { + backend "azurerm" { + resource_group_name = "StorageAccount-ResourceGroup" + storage_account_name = "abcd1234" + container_name = "tfstate" + key = "prod.terraform.tfstate" + use_oidc = true + subscription_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } +} +``` + +*** + When authenticating using Azure AD Authentication: ```hcl @@ -137,6 +155,25 @@ data "terraform_remote_state" "foo" { *** +When authenticating using OpenID Connect (OIDC): + +```hcl +data "terraform_remote_state" "foo" { + backend = "azurerm" + config = { + resource_group_name = "StorageAccount-ResourceGroup" + storage_account_name = "terraform123abc" + container_name = "terraform-state" + key = "prod.terraform.tfstate" + use_oidc = true + subscription_id = "00000000-0000-0000-0000-000000000000" + tenant_id = "00000000-0000-0000-0000-000000000000" + } +} +``` + +*** + When authenticating using AzureAD Authentication: ```hcl @@ -231,6 +268,18 @@ When authenticating using the Managed Service Identity (MSI) - the following fie *** +When authenticating using a Service Principal with OpenID Connect (OIDC) - the following fields are also supported: + +* `oidc_request_url` - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL` or `ACTIONS_ID_TOKEN_REQUEST_URL` environment variables. + +* `oidc_request_token` - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables. + +* `use_oidc` - (Optional) Should OIDC authentication be used? This can also be sourced from the `ARM_USE_OIDC` environment variable. + +~> **Note:** When using OIDC for authentication, `use_microsoft_graph` must be set to `true` (which is the default). + +*** + When authenticating using a SAS Token associated with the Storage Account - the following fields are also supported: * `sas_token` - (Optional) The SAS Token used to access the Blob Storage Account. This can also be sourced from the `ARM_SAS_TOKEN` environment variable.