Support full set of authentication configuration flags #546
+580
−224
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, there are some (though incomplete) authentication related flags, e.g.
--env
,--use-azure-cli-cred
, these flags only affect the behavior of theaztfexport
(e.g. listing resources), but won't be passed through to the providers. The providers' behaviors are only affected by either the-provider-config
flag or by the environment of their owns.The reason was there are a bunch of provider level properties (currently there are two providers). It would be a mass if we wrap all these flags and provide a bunch of flags back to users, and probably mentioning which set of flags are only usable for
azurerm
provider, and which are only forazapi
.However for the standview of the authentication, this separation brings a burden to users who will now need to take care of the two parts:
aztfexport
and the provider. It would be much easier for them to regard the both as a whole in terms of authentication. By reviewing the authentication flags betweenazurerm
andazapi
, they are actually quite the same. Based on this, we created this PR to wrap and expose all these authentication related flags, which will affect both theaztfexport
and the providers.Changes
The new flags (or existing flags but now passed to providers) are listed below:
env
tenant-id
auxiliary-tenant-ids
client-id
client-id-file-path
client-certificate
client-certificate-path
client-certificate-password
client-secret
client-secret-file-path
oidc-request-token
oidc-request-url
oidc-token
oidc-token-file-path
use-managed-identity-cred
(defaults to false)use-azure-cli-cred
(defaults to true)use-oidc-cred
(defaults to false)Note that the flags above are following the naming convention as the
azurerm
provider. All of them are configurable via environment variables as well, which include the same env var as is defined in theazurerm
provider.The default authentication of the
aztfexport
will attempt to authenticate with each of the credential types, in the following order, stopping when one provides a token:If one or more
use-xxx-cred
is not true, then that credential type will be skipped. This behavior is the same as the provider. This changes the old behavior where when anyuse-xxx-cred
is specified, it will only use that credential type exclusively. Also note that the old flaguse-environment-cred
is now removed.The last thing to call out is that the priority of these new auth flags have lower priority than what is defined in the
provider-config
, which means users can override any auth config for the provider in theprovider-config
. This makes it possible for users to use different credential types between theaztfexport
and the provider.Tests
With TF
Without TF
References
Fix #540