
Support for env var ARM_CLIENT_CERTIFICATE in azure remote state backend #35057

Open
andreigorgan opened this issue Apr 23, 2024 · 1 comment
Labels
backend/azure enhancement new new issue not yet triaged

Comments

@andreigorgan

andreigorgan commented Apr 23, 2024

Terraform Version

Terraform version: 1.8.1
Go runtime version: go1.22.1

Use Cases

According to the azurerm provider docs, the azurerm provider supports service principal authentication with the ARM_CLIENT_CERTIFICATE env var (base64-encoded .pfx file contents).

It would be great if azure remote state backend would support that too.

Attempted Solutions

Here is an example of the backend configuration used:

terraform {
  backend "azurerm" {
    resource_group_name  = "rg-storage-account"
    storage_account_name = "foo"
    container_name       = "foo-tfbackend"
    key                  = "foo-terraform.tfstate"
    use_azuread_auth     = true
  }
}

Example of environment variables used:

# sh
export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_CLIENT_CERTIFICATE="$(base64 /path/to/my/client/certificate.pfx)"
export ARM_CLIENT_CERTIFICATE_PASSWORD=""
export ARM_TENANT_ID="10000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="20000000-0000-0000-0000-000000000000"

Output logs from terraform init:

...
Initializing the backend...
2024-04-22T08:35:08.491Z [INFO]  Testing if Service Principal / Client Certificate is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Service Principal / Client Secret is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if OIDC is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Managed Service Identity is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Obtaining a Multi-tenant token from the Azure CLI is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Using Obtaining a token from the Azure CLI for Authentication
.... # More initialization logs
╷
│ Error: Error building ARM Config: obtain subscription(20000000-0000-0000-0000-000000000000) from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│ 
│ 
╵

As you can see, Service Principal / Client Certificate authentication is not used.

Proposal

I am guessing that the starting point would be to add a property in the schema here:

"client_certificate_path": {

References

Same was proposed for azurerm provider: hashicorp/terraform-provider-azurerm#17741

@andreigorgan andreigorgan added enhancement new new issue not yet triaged labels Apr 23, 2024
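The log above shows the backend walking an ordered list of authentication methods ("Testing if ... is applicable") and settling on the Azure CLI because nothing earlier claimed the request. The following Go program is an added illustration of what the missing "Client Certificate is applicable" step would have to decide from the environment variables shown in the issue; it is not code from the Terraform backend or the azurerm provider, and the function and type names (ClientCertificateFromEnv, ClientCertCreds, ErrNotApplicable, MapLookup, SampleEnv) are this example's own. It distinguishes "variable not set, fall through to the next method" from "variable set but unusable, fail loudly", accepts the empty ARM_CLIENT_CERTIFICATE_PASSWORD the reporter uses, tolerates the line-wrapped output that a plain `base64 file` produces (Go's decoder ignores newlines), and rejects a value that is not a DER-encoded PKCS#12 blob before any network call is made. The embedded sample certificate is a constructed five-byte DER stub, not a real .pfx.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// ClientCertCreds holds what a service principal / client certificate login
// needs. These field names are this example's own, not the backend schema.
type ClientCertCreds struct {
	ClientID string
	TenantID string
	PFX      []byte // decoded PKCS#12 bundle
	Password string // may legitimately be empty, as in the issue
}

// ErrNotApplicable tells the caller to move on to the next method in the
// chain (client secret, OIDC, managed identity, Azure CLI ...).
var ErrNotApplicable = errors.New("service principal / client certificate auth not applicable")

// MapLookup adapts a map to the os.LookupEnv signature so the decision logic
// can be exercised without touching the real process environment.
func MapLookup(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) {
		v, ok := m[k]
		return v, ok
	}
}

// SampleEnv is a constructed environment mirroring the issue. The certificate
// value is base64 of the DER bytes 30 03 02 01 03 (SEQUENCE { INTEGER 3 }),
// i.e. just the version field a PKCS#12 structure starts with; it is a stub.
var SampleEnv = map[string]string{
	"ARM_CLIENT_ID":                   "00000000-0000-0000-0000-000000000000",
	"ARM_CLIENT_CERTIFICATE":          "MAMC\nAQM=", // line-wrapped like GNU base64 output
	"ARM_CLIENT_CERTIFICATE_PASSWORD": "",
	"ARM_TENANT_ID":                   "10000000-0000-0000-0000-000000000000",
	"ARM_SUBSCRIPTION_ID":             "20000000-0000-0000-0000-000000000000",
}

// ClientCertificateFromEnv decides whether client-certificate auth applies.
// Absent ARM_CLIENT_CERTIFICATE -> ErrNotApplicable (fall through).
// Present but unusable -> a hard error, so a typo never silently degrades
// to Azure CLI auth the way the issue's log shows.
func ClientCertificateFromEnv(lookup func(string) (string, bool)) (*ClientCertCreds, error) {
	cert, ok := lookup("ARM_CLIENT_CERTIFICATE")
	if !ok || cert == "" {
		return nil, ErrNotApplicable
	}
	clientID, _ := lookup("ARM_CLIENT_ID")
	tenantID, _ := lookup("ARM_TENANT_ID")
	if clientID == "" || tenantID == "" {
		return nil, errors.New("ARM_CLIENT_CERTIFICATE is set but ARM_CLIENT_ID or ARM_TENANT_ID is missing")
	}
	// StdEncoding ignores \r and \n, so wrapped base64 output decodes fine.
	pfx, err := base64.StdEncoding.DecodeString(cert)
	if err != nil {
		return nil, fmt.Errorf("ARM_CLIENT_CERTIFICATE is not valid base64: %w", err)
	}
	// A PKCS#12 bundle is DER and therefore begins with a SEQUENCE tag (0x30).
	if len(pfx) < 2 || pfx[0] != 0x30 {
		return nil, errors.New("ARM_CLIENT_CERTIFICATE does not decode to a DER/PKCS#12 structure")
	}
	password, _ := lookup("ARM_CLIENT_CERTIFICATE_PASSWORD") // empty is allowed
	return &ClientCertCreds{ClientID: clientID, TenantID: tenantID, PFX: pfx, Password: password}, nil
}

func main() {
	// Run against the real environment first, then against the constructed sample.
	for name, lookup := range map[string]func(string) (string, bool){
		"process environment": os.LookupEnv,
		"constructed sample":  MapLookup(SampleEnv),
	} {
		creds, err := ClientCertificateFromEnv(lookup)
		switch {
		case errors.Is(err, ErrNotApplicable):
			fmt.Printf("%s: client certificate not applicable, trying next method\n", name)
		case err != nil:
			fmt.Printf("%s: refusing to continue: %v\n", name, err)
		default:
			fmt.Printf("%s: client certificate auth selected for client %s in tenant %s (%d-byte PFX)\n",
				name, creds.ClientID, creds.TenantID, len(creds.PFX))
		}
	}
}
```

The important design point is the three-way outcome: only a completely absent variable lets the chain continue, so a half-configured certificate login surfaces as an error at `terraform init` rather than as a confusing "Please run 'az login'" message later.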
@crw
Collaborator

crw commented Apr 23, 2024

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions.

Note that the Azure backend is maintained by the AzureRM provider team, who primarily work out of the terraform-provider-azurerm repository and have their own prioritization process and schedule.

Thanks again!
