Support generic OIDC authentication for AzureRM backend #31802
Comments
I have started looking at how this could be implemented. It looks like it should be quite straightforward, namely:
```go
builder := authentication.Builder{
    ...
    IDToken: config.OIDCToken,
}
```

and

```go
func New() backend.Backend {
    s := &schema.Backend{
        Schema: map[string]*schema.Schema{
            ...
            "oidc_token": {
                Type:        schema.TypeString,
                Optional:    true,
                DefaultFunc: schema.EnvDefaultFunc("ARM_OIDC_TOKEN", ""),
                Description: "The OIDC ID token for use when authenticating as a Service Principal using OpenID Connect.",
            },
            ...
        },
    }
}
```

and

```go
type BackendConfig struct {
    ....
    OIDCToken string
    ....
}
```

and

```go
func (b *Backend) configure(ctx context.Context) error {
    ...
    config := BackendConfig{
        ...
        OIDCToken: data.Get("oidc_token").(string),
        ...
    }
    ...
}
```
UPDATE: I have now tested it with the changes above and it works.
Note, the above is based on branching from tag v1.2.9. I am happy to have a go at submitting a PR, but since the first RC for 1.3.0 has just been cut, the timing is probably not that great. Should I try to get it in for the next RC or do you have feature freeze until the stable version is out?
Thanks for this request and possible solution! I notified the Azure Provider team. Thanks again!
Hi, I've run into issues assuming the functionality in the backend mirrored the azurerm provider, while trying to use circleci OIDC to authenticate to Azure. Details here: hashicorp/terraform-provider-azurerm#18641. I opened this issue today and then searched the correct place and found this issue (and thankfully the reason terraform had been driving me crazy for the last few days). Is this likely to be incorporated in a release any time soon? Many thanks, Matthew
We'd definitely welcome a PR on this if you're still up for it. Your described approach is exactly what the team would do 😄. @matt3621 Thanks for reviving this conversation; if Karl is willing to take this up I'll let him give some context into when he'd be able to get the PR in. After that comes in we should be able to merge the PR before the following release.
Sure, I'm happy to have a go at a PR. Anything I should know? Otherwise I'll just branch from HEAD and add the changes as described above.
The fix from #31966 works for me with Gitlab and Azure Federated Identities (OIDC).
Thought I'd share a blog post with example code of this working: https://adamrushuk.github.io/configure-terraform-openid-connect-oidc-authentication-from-gitlab-ci-to-azure/
Thanks @adamrushuk for this and thanks to @karlschriek for getting this fix in. I can also confirm it works nicely on circleci; I've posted some examples at https://github.com/CodeInAVan/cicd-oidc-authentication/tree/main/pipeline-examples/azure and have also referenced your blog (the more working examples you can find on this, the easier it is to adapt it to your use case!).
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform Version
Use Cases
We want to set up workflows that run terraform using Azure Workload Identities. The workload identity approach works by treating an AKS cluster as an OIDC provider, and a specific ServiceAccount within a specific Namespace on that cluster as an identity, which can be federated to an Azure AD Service Principal. (https://azure.github.io/azure-workload-identity/docs/)
A similar (but specific to GitHub) solution was introduced in #30936. Similarly, this was introduced for GitHub on the AzureRM provider here: hashicorp/terraform-provider-azurerm#16555 (the naming of both PRs is very generic, but the actual implementation is GitHub specific).
Generic OIDC: AzureRM Provider
A generic OIDC implementation (which works for Azure Workload Identities) was added in the AzureRM provider here: hashicorp/terraform-provider-azurerm#18118. It uses github.com/hashicorp/go-azure-helpers v0.40.0 and introduces an oidc_token variable. This implementation allows us to configure the provider using values populated by the AWI webhook.
In conjunction with:
and
Generic OIDC: AzureRM Backend
A generic OIDC implementation does not exist for the AzureRM Backend yet. I would like to be able to configure the backend as follows, and have it use the same authentication approach as what is in the AzureRM Provider, i.e:
or, if setting everything explicitly:
Attempted Solutions
For this specific situation there is no real workaround other than to use a different authentication method altogether.
Proposal
I would propose looking into the changes introduced in hashicorp/terraform-provider-azurerm#18118 and following the same approach to add an oidc_token / ARM_OIDC_TOKEN parameter to the AzureRM Backend implementation.
References
No response
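As an added example (not code from this issue, from Terraform, or from the AzureRM provider), the following Go program shows the two pieces a practitioner would want around the proposed field: the same precedence the schema would give it (explicit oidc_token value first, then ARM_OIDC_TOKEN, otherwise an error), and a non-verifying decode of the ID token's iss, sub, aud and exp claims so that a federated credential registered with the wrong issuer, subject or audience, or a token that has already expired, can be spotted before a run instead of surfacing as an opaque authentication failure. Signature verification is deliberately left to Azure AD during the token exchange. The function names ResolveOIDCToken, DecodeClaims and unsignedToken, the injected environment lookup, and the sample issuer and subject values are all assumptions made for this example; the sample token is constructed inline and the program never prints the token itself.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// TokenClaims is the subset of ID-token claims that an Azure AD federated
// identity credential is matched against (issuer, subject, audience), plus the
// expiry, which is the usual cause of a rejected token in long pipelines.
type TokenClaims struct {
	Issuer    string
	Subject   string
	Audiences []string
	ExpiresAt time.Time
}

// ResolveOIDCToken applies the precedence proposed for the backend field: an
// explicit oidc_token value wins, otherwise ARM_OIDC_TOKEN from the
// environment, otherwise an error. lookupEnv is injected (os.LookupEnv in
// real use) so the function can be exercised without touching the process
// environment. Assumed name, not Terraform's own API.
func ResolveOIDCToken(explicit string, lookupEnv func(string) (string, bool)) (string, error) {
	if explicit != "" {
		return explicit, nil
	}
	if v, ok := lookupEnv("ARM_OIDC_TOKEN"); ok && v != "" {
		return v, nil
	}
	return "", errors.New("no OIDC token: set oidc_token or ARM_OIDC_TOKEN")
}

// DecodeClaims reads the payload of a compact JWS (header.payload.signature)
// without verifying the signature; verification is Azure AD's job during the
// federated credential exchange. It only reports the claims the federated
// credential is matched against and rejects a token whose exp is in the past.
func DecodeClaims(token string, now time.Time) (TokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return TokenClaims{}, fmt.Errorf("token is not a compact JWS: got %d segments, want 3", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return TokenClaims{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	// aud may be a single string or a list of strings (RFC 7519 section 4.1.3).
	var raw struct {
		Iss string          `json:"iss"`
		Sub string          `json:"sub"`
		Aud json.RawMessage `json:"aud"`
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return TokenClaims{}, fmt.Errorf("payload is not JSON: %w", err)
	}
	if len(raw.Aud) == 0 {
		return TokenClaims{}, errors.New("token has no aud claim")
	}
	c := TokenClaims{Issuer: raw.Iss, Subject: raw.Sub, ExpiresAt: time.Unix(raw.Exp, 0).UTC()}
	var single string
	if err := json.Unmarshal(raw.Aud, &single); err == nil {
		c.Audiences = []string{single}
	} else if err := json.Unmarshal(raw.Aud, &c.Audiences); err != nil {
		return TokenClaims{}, fmt.Errorf("aud claim is neither string nor list: %w", err)
	}
	if !c.ExpiresAt.After(now) {
		return c, fmt.Errorf("token expired at %s", c.ExpiresAt.Format(time.RFC3339))
	}
	return c, nil
}

// unsignedToken builds a compact JWS with an empty signature. It exists only
// to construct sample input for this example; real tokens come from the CI
// system or the workload identity webhook and are signed by that issuer.
func unsignedToken(payload map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."
}

func main() {
	// Constructed sample in the shape of a token an AKS workload identity
	// ServiceAccount would present; issuer and subject are placeholders.
	sample := unsignedToken(map[string]any{
		"iss": "https://oidc.example.invalid/aks-cluster",
		"sub": "system:serviceaccount:terraform:runner",
		"aud": "api://AzureADTokenExchange",
		"exp": time.Now().Add(10 * time.Minute).Unix(),
	})
	tok, err := ResolveOIDCToken(sample, os.LookupEnv)
	if err != nil {
		fmt.Println(err)
		return
	}
	c, err := DecodeClaims(tok, time.Now())
	if err != nil {
		fmt.Println("token problem:", err)
		return
	}
	// Report the matched claims only; the bearer token itself is never logged.
	fmt.Printf("iss=%s sub=%s aud=%v exp=%s\n", c.Issuer, c.Subject, c.Audiences, c.ExpiresAt.Format(time.RFC3339))
}
```

Run it as a pre-flight step in the pipeline with ARM_OIDC_TOKEN exported and compare the printed iss, sub and aud against the issuer, subject identifier and audience configured on the Service Principal's federated credential; a mismatch on any of the three is rejected by Azure AD regardless of how the backend is configured.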