From 5842950291793f67b814aa3a115dda36af8f330c Mon Sep 17 00:00:00 2001
From: Kevin Schu
Date: Fri, 7 Oct 2022 19:23:01 +0200
Subject: [PATCH 1/4] =?UTF-8?q?Added=20support=20for=20generic=20OIDC=20au?=
 =?UTF-8?q?thentication=20(eg.=20Gitlab)=20and=20ensure=20documentation=20?=
 =?UTF-8?q?is=20more=20clear=20about=20it=C2=B4s=20usage.=20oidc=5Frequest?=
 =?UTF-8?q?=5Furl=20and=20oidc=5Frequest=5Ftoken=20are=20meant=20to=20be?=
 =?UTF-8?q?=20used=20for=20Github=20Actions=20only.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 go.mod | 2 +-
 go.sum | 2 ++
 .../backend/remote-state/azure/arm_client.go | 2 ++
 .../backend/remote-state/azure/backend.go | 22 +++++++++++++++----
 4 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 1f28818706e6..8e3bf2aed970 100644
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@ require (
 github.com/hashicorp/consul/api v1.9.1
 github.com/hashicorp/consul/sdk v0.8.0
 github.com/hashicorp/errwrap v1.1.0
- github.com/hashicorp/go-azure-helpers v0.31.1
+ github.com/hashicorp/go-azure-helpers v0.43.0
 github.com/hashicorp/go-checkpoint v0.5.0
 github.com/hashicorp/go-cleanhttp v0.5.2
 github.com/hashicorp/go-getter v1.6.2
diff --git a/go.sum b/go.sum
index 3059afbcbca7..bb9b1de939f7 100644
--- a/go.sum
+++ b/go.sum
@@ -332,6 +332,8 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv
 github.com/hashicorp/go-azure-helpers v0.12.0/go.mod h1:Zc3v4DNeX6PDdy7NljlYpnrdac1++qNW0I4U+ofGwpg=
 github.com/hashicorp/go-azure-helpers v0.31.1 h1:lgwZLcyMheoLUj7dJfsrsa7ZpRvOIbsfFhttLi6ml78=
 github.com/hashicorp/go-azure-helpers v0.31.1/go.mod h1:gcutZ/Hf/O7YN9M3UIvyZ9l0Rxv7Yrc9x5sSfM9cuSw=
+github.com/hashicorp/go-azure-helpers v0.43.0 h1:larj4ZgwO3hKzA9xIOTXRW4NBpI6F3K8wpig8eikNOw=
+github.com/hashicorp/go-azure-helpers v0.43.0/go.mod h1:ofh+59GPB8g/lWI08711STfrIPSPOlXQkuMc8rovpBk=
 github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU=
 github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
diff --git a/internal/backend/remote-state/azure/arm_client.go b/internal/backend/remote-state/azure/arm_client.go
index 13493ab13d1f..d548c30b7ba5 100644
--- a/internal/backend/remote-state/azure/arm_client.go
+++ b/internal/backend/remote-state/azure/arm_client.go
@@ -81,6 +81,8 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
 MsiEndpoint: config.MsiEndpoint,
 // OIDC
+ IDToken: config.OIDCToken,
+ IDTokenFilePath: config.OIDCTokenFilePath,
 IDTokenRequestURL: config.OIDCRequestURL,
 IDTokenRequestToken: config.OIDCRequestToken,
diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go
index 4a41c96458df..0398477e4a22 100644
--- a/internal/backend/remote-state/azure/backend.go
+++ b/internal/backend/remote-state/azure/backend.go
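Review bot: The new `IDToken` and `IDTokenFilePath` fields are forwarded to the auth builder unconditionally, so a configuration that sets `oidc_token` together with `oidc_token_file_path` or with `oidc_request_token`/`oidc_request_url` is accepted here, and which credential actually gets used is whatever precedence go-azure-helpers applies, which nothing in the hunk records. The schema descriptions in backend.go say these inputs must not be combined, so buildArmClient should reject the overlap before the builder is constructed, e.g. `if config.OIDCToken != "" && config.OIDCTokenFilePath != "" { return nil, fmt.Errorf("oidc_token and oidc_token_file_path are mutually exclusive") }`, with the same check against `config.OIDCRequestToken`. A short comment above the new fields stating the intended precedence (inline token, then file, then request URL — presumably; confirm against the library) would also help the next reader. buildArmClient's body starts and ends outside the hunk.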
@@ -142,19 +142,29 @@ func New() backend.Backend {
 DefaultFunc: schema.EnvDefaultFunc("ARM_USE_OIDC", false),
 Description: "Allow OIDC to be used for authentication",
 },
-
+ "oidc_token": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc("ARM_OIDC_TOKEN", false),
+ Description: "A generic JWT token that can be used for OIDC authentication. Should not be used in conjunction with `oidc_request_token`.",
+ },
+ "oidc_token_file_path": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc("ARM_OIDC_TOKEN_FILE_PATH", false),
+ Description: "Path to file containing a generic JWT token that can be used for OIDC authentication. Should not be used in conjunction with `oidc_request_token`.",
+ },
 "oidc_request_url": {
 Type: schema.TypeString,
 Optional: true,
 DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL"}, ""),
- Description: "The URL for the OIDC provider from which to request an ID token",
+ Description: "The URL of the OIDC provider from which to request an ID token. Needs to be used in conjunction with `oidc_request_token`. This is meant to be used for Github Actions.",
 },
-
 "oidc_request_token": {
 Type: schema.TypeString,
 Optional: true,
 DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"}, ""),
- Description: "The bearer token for the request to the OIDC provider",
+ Description: "The bearer token to use for the request to the OIDC providers `oidc_request_url` URL to fetch an ID token. Needs to be used in conjunction with `oidc_request_url`. This is meant to be used for Github Actions.",
 },
 // Feature Flags
@@ -197,6 +207,8 @@ type BackendConfig struct {
 MetadataHost string
 Environment string
 MsiEndpoint string
+ OIDCToken string
+ OIDCTokenFilePath string
 OIDCRequestURL string
 OIDCRequestToken string
 ResourceGroupName string
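Review bot: `oidc_token` holds a bearer-equivalent credential, but the new schema entry declares it as an ordinary optional string with no `Sensitive: true`, so it is handled like any non-secret attribute of the backend configuration; if the legacy schema's `Sensitive` flag is honoured for backend attributes (confirm), add it to `oidc_token`. The descriptions also promise more than the code enforces: both new entries say they must not be combined with `oidc_request_token`, neither mentions the other, and nothing validates any of it — `ConflictsWith: []string{"oidc_token_file_path", "oidc_request_token"}` on `oidc_token` (mirrored on the other two) would express the rule, or an explicit check in `configure` if `ConflictsWith` is not applied to backend schemas. Two wording fixes while here: `OIDC providers` → `OIDC provider's` and `Github` → `GitHub`.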
@@ -230,6 +242,8 @@ func (b *Backend) configure(ctx context.Context) error {
 MetadataHost: data.Get("metadata_host").(string),
 Environment: data.Get("environment").(string),
 MsiEndpoint: data.Get("msi_endpoint").(string),
+ OIDCToken: data.Get("oidc_token").(string),
+ OIDCTokenFilePath: data.Get("oidc_token_file_path").(string),
 OIDCRequestURL: data.Get("oidc_request_url").(string),
 OIDCRequestToken: data.Get("oidc_request_token").(string),
 ResourceGroupName: data.Get("resource_group_name").(string),
From bc07a54cfdb63838211cbfaf5c63b108b9363ca2 Mon Sep 17 00:00:00 2001
From: Kevin Schu
Date: Fri, 7 Oct 2022 19:24:02 +0200
Subject: [PATCH 2/4] Fix go.sum
---
 go.sum | 2 --
 1 file changed, 2 deletions(-)
diff --git a/go.sum b/go.sum
index bb9b1de939f7..c428f4ced14d 100644
--- a/go.sum
+++ b/go.sum
@@ -330,8 +330,6 @@ github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-azure-helpers v0.12.0/go.mod h1:Zc3v4DNeX6PDdy7NljlYpnrdac1++qNW0I4U+ofGwpg=
-github.com/hashicorp/go-azure-helpers v0.31.1 h1:lgwZLcyMheoLUj7dJfsrsa7ZpRvOIbsfFhttLi6ml78=
-github.com/hashicorp/go-azure-helpers v0.31.1/go.mod h1:gcutZ/Hf/O7YN9M3UIvyZ9l0Rxv7Yrc9x5sSfM9cuSw=
 github.com/hashicorp/go-azure-helpers v0.43.0 h1:larj4ZgwO3hKzA9xIOTXRW4NBpI6F3K8wpig8eikNOw=
 github.com/hashicorp/go-azure-helpers v0.43.0/go.mod h1:ofh+59GPB8g/lWI08711STfrIPSPOlXQkuMc8rovpBk=
 github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU=
From 82c0b440dcc7a50a7b9bf0ffa54b2ade2b3b9457 Mon Sep 17 00:00:00 2001
From: Tom Bamford
Date: Wed, 12 Oct 2022 13:24:16 +0100
Subject: [PATCH 3/4] Fix default values
---
 internal/backend/remote-state/azure/backend.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go
index 0398477e4a22..f21b0ba4e255 100644
--- a/internal/backend/remote-state/azure/backend.go
+++ b/internal/backend/remote-state/azure/backend.go
@@ -145,13 +145,13 @@ func New() backend.Backend {
 "oidc_token": {
 Type: schema.TypeString,
 Optional: true,
- DefaultFunc: schema.EnvDefaultFunc("ARM_OIDC_TOKEN", false),
+ DefaultFunc: schema.EnvDefaultFunc("ARM_OIDC_TOKEN", ""),
 Description: "A generic JWT token that can be used for OIDC authentication. Should not be used in conjunction with `oidc_request_token`.",
 },
 "oidc_token_file_path": {
 Type: schema.TypeString,
 Optional: true,
- DefaultFunc: schema.EnvDefaultFunc("ARM_OIDC_TOKEN_FILE_PATH", false),
+ DefaultFunc: schema.EnvDefaultFunc("ARM_OIDC_TOKEN_FILE_PATH", ""),
 Description: "Path to file containing a generic JWT token that can be used for OIDC authentication. Should not be used in conjunction with `oidc_request_token`.",
 },
 "oidc_request_url": {
From 0dac88754704d7bf870cf9d549d28feaa0c34b01 Mon Sep 17 00:00:00 2001
From: Tom Bamford
Date: Wed, 12 Oct 2022 13:24:49 +0100
Subject: [PATCH 4/4] Docs for azurerm generic OIDC
---
 website/docs/language/settings/backends/azurerm.mdx | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/website/docs/language/settings/backends/azurerm.mdx b/website/docs/language/settings/backends/azurerm.mdx
index a9676b7756a3..77ee491c17e2 100644
--- a/website/docs/language/settings/backends/azurerm.mdx
+++ b/website/docs/language/settings/backends/azurerm.mdx
@@ -273,6 +273,10 @@ When authenticating using a Service Principal with OpenID Connect (OIDC) - the f
 * `oidc_request_token` - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables.
+* `oidc_token` - (Optional) The ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN` environment variable.
+
+* `oidc_token_file_path` - (Optional) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN_FILE_PATH` environment variable.
+
 * `use_oidc` - (Optional) Should OIDC authentication be used? This can also be sourced from the `ARM_USE_OIDC` environment variable.
 ***