Accept AZURE_CLIENT_ID and AZURE_TENANT_ID environment variables … (

#598) * Accept `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` environment variables when authenticating using AKS workload identity * update changelog
Azure · Sep 2, 2024 · b85327a · b85327a
1 parent fa9cd6e
commit b85327a
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,8 +22,10 @@ ENHANCEMENTS:
 - `azapi` resources and data sources: Support `retry` field, which is used to specify the retry configuration.
 - `azapi` resources and data sources: Support `headers` and `query_parameters` fields, which are used to specify the headers and query parameters.
 - `azapi` resources and data sources: The `response_export_values` field supports JMESPath expressions.
+- Accept `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` environment variables when authenticating using AKS workload identity.
 - `azapi` provider: Support `oidc_azure_service_connection_id` field, which is used to specify the Azure Service Connection ID for OIDC authentication with Azure DevOps.
 
+
 ## v1.15.0
 
 ENHANCEMENTS:

diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -95,6 +95,14 @@ func (model providerData) GetClientId() (*string, error) {
 		clientId = fileClientId
 	}
 
+	if model.UseAKSWorkloadIdentity.ValueBool() && os.Getenv("AZURE_CLIENT_ID") != "" {
+		aksClientId := os.Getenv("AZURE_CLIENT_ID")
+		if clientId != "" && clientId != aksClientId {
+			return nil, fmt.Errorf("mismatch between supplied Client ID and that provided by AKS Workload Identity - please remove, ensure they match, or disable use_aks_workload_identity")
+		}
+		clientId = aksClientId
+	}
+
 	return &clientId, nil
 }
 
@@ -371,10 +379,26 @@ func (p Provider) Configure(ctx context.Context, request provider.ConfigureReque
 		}
 	}
 
+	if model.UseAKSWorkloadIdentity.IsNull() {
+		if v := os.Getenv("ARM_USE_AKS_WORKLOAD_IDENTITY"); v != "" {
+			model.UseAKSWorkloadIdentity = types.BoolValue(v == "true")
+		} else {
+			model.UseAKSWorkloadIdentity = types.BoolValue(false)
+		}
+	}
+
 	if model.TenantID.IsNull() {
 		if v := os.Getenv("ARM_TENANT_ID"); v != "" {
 			model.TenantID = types.StringValue(v)
 		}
+		if model.UseAKSWorkloadIdentity.ValueBool() && os.Getenv("AZURE_TENANT_ID") != "" {
+			aksTenantID := os.Getenv("AZURE_TENANT_ID")
+			if model.TenantID.ValueString() != "" && model.TenantID.ValueString() != aksTenantID {
+				response.Diagnostics.AddError("Invalid `tenant_id` value", "mismatch between supplied Tenant ID and that provided by AKS Workload Identity - please remove, ensure they match, or disable use_aks_workload_identity")
+				return
+			}
+			model.TenantID = types.StringValue(aksTenantID)
+		}
 	}
 
 	if model.Endpoint.IsNull() {
@@ -494,14 +518,6 @@ func (p Provider) Configure(ctx context.Context, request provider.ConfigureReque
 		}
 	}
 
-	if model.UseAKSWorkloadIdentity.IsNull() {
-		if v := os.Getenv("ARM_USE_AKS_WORKLOAD_IDENTITY"); v != "" {
-			model.UseAKSWorkloadIdentity = types.BoolValue(v == "true")
-		} else {
-			model.UseAKSWorkloadIdentity = types.BoolValue(false)
-		}
-	}
-
 	if model.UseCLI.IsNull() {
 		if v := os.Getenv("ARM_USE_CLI"); v != "" {
 			model.UseCLI = types.BoolValue(v == "true")