
azuredns: allow oidc authentication #2036

Merged (4 commits), Oct 30, 2023

Conversation

pchanvallon (Contributor)

Hello,

Here is the implementation for the OIDC authentication support (fixes #2027).

I was able to test the integration with GitHub actions workflows, but not with Terraform cloud.
@stmcx, can you check whether this also works in your use case?

Thanks.

stmcx commented Oct 20, 2023

Thanks @pchanvallon

Rebuilt Terraform ACME provider with replace github.com/go-acme/lego/v4 v4.14.2 => github.com/pchanvallon/lego/v4 v4.0.0-20231018073353-c97089b94e14

Did not work and got 401 at first

Then included AZURE_AUTH_METHOD="oidc" and it worked!

* (Terraform Cloud exports "ARM_USE_OIDC" = "true" instead but that is okay)

resource "acme_certificate" "certificate" {
  account_key_pem              = acme_registration.registration.account_key_pem
  common_name                  = var.certificate_common_name
  subject_alternative_names    = []
  disable_complete_propagation = true
  dns_challenge {
    provider = "azuredns"
    config = {
      AZURE_RESOURCE_GROUP = var.certificate_dns_challenge_azure_resource_group_name
      AZURE_AUTH_METHOD    = "oidc"
    }
  }
}

Also, I added these to the provider, since Terraform Cloud exports them as ARM rather than AZURE. I guess the provider maintainers will know more.

"ARM_OIDC_REQUEST_TOKEN":   "AZURE_OIDC_REQUEST_TOKEN",
"ARM_OIDC_REQUEST_URL":     "AZURE_OIDC_REQUEST_URL",
"ARM_OIDC_TOKEN":           "AZURE_OIDC_TOKEN",
"ARM_OIDC_TOKEN_FILE_PATH": "AZURE_OIDC_TOKEN_FILE_PATH",
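The two points raised in the comment above (Terraform Cloud exports ARM_* names where the provider reads AZURE_* names, and the provider only switched to OIDC once AZURE_AUTH_METHOD="oidc" was set) can be illustrated in code. The following is an added example written for this page; it is not lego's azuredns implementation nor the Terraform ACME provider's code. It assumes a simple alias table (ARM_USE_OIDC="true" treated as AZURE_AUTH_METHOD="oidc", the four ARM_OIDC_* names copied to their AZURE_OIDC_* counterparts), a resolution order for the OIDC assertion (inline token, then token file, then request URL plus request token as GitHub Actions exposes them), and the standard RFC 7523 client-assertion form that Azure AD accepts for a federated credential. The fetcher and file reader are injected so the logic runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Alias table assumed for this example: names Terraform Cloud exports on the
// left, names the lego azuredns provider reads on the right. ARM_USE_OIDC is
// handled separately because its value ("true") is not an auth-method name.
var armAliases = map[string]string{
	"ARM_OIDC_REQUEST_TOKEN":   "AZURE_OIDC_REQUEST_TOKEN",
	"ARM_OIDC_REQUEST_URL":     "AZURE_OIDC_REQUEST_URL",
	"ARM_OIDC_TOKEN":           "AZURE_OIDC_TOKEN",
	"ARM_OIDC_TOKEN_FILE_PATH": "AZURE_OIDC_TOKEN_FILE_PATH",
}

// NormalizeEnv returns a copy of env in which every ARM_* alias has been copied
// to its AZURE_* name. An AZURE_* value that is already set always wins, so an
// explicit provider configuration is never silently overridden by the alias.
func NormalizeEnv(env map[string]string) map[string]string {
	out := make(map[string]string, len(env))
	for k, v := range env {
		out[k] = v
	}
	for arm, az := range armAliases {
		if v := env[arm]; v != "" {
			if _, set := out[az]; !set {
				out[az] = v
			}
		}
	}
	// Assumption: ARM_USE_OIDC=true is the Terraform Cloud way of asking for OIDC.
	if strings.EqualFold(env["ARM_USE_OIDC"], "true") {
		if _, set := out["AZURE_AUTH_METHOD"]; !set {
			out["AZURE_AUTH_METHOD"] = "oidc"
		}
	}
	return out
}

// TokenFetcher obtains a federated token from an OIDC request URL using a
// bearer request token (the shape GitHub Actions exposes via
// ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN). It is a
// function value so tests can substitute a fake instead of doing network I/O.
type TokenFetcher func(requestURL, requestToken string) (string, error)

// ResolveAssertion picks the OIDC assertion (the JWT presented to Azure AD) in
// this order: inline AZURE_OIDC_TOKEN, then AZURE_OIDC_TOKEN_FILE_PATH, then a
// fetch from AZURE_OIDC_REQUEST_URL authenticated with AZURE_OIDC_REQUEST_TOKEN.
func ResolveAssertion(env map[string]string, readFile func(string) ([]byte, error), fetch TokenFetcher) (string, error) {
	if t := strings.TrimSpace(env["AZURE_OIDC_TOKEN"]); t != "" {
		return t, nil
	}
	if p := env["AZURE_OIDC_TOKEN_FILE_PATH"]; p != "" {
		b, err := readFile(p)
		if err != nil {
			return "", fmt.Errorf("read OIDC token file: %w", err)
		}
		if t := strings.TrimSpace(string(b)); t != "" {
			return t, nil
		}
		return "", errors.New("OIDC token file is empty")
	}
	if u, tok := env["AZURE_OIDC_REQUEST_URL"], env["AZURE_OIDC_REQUEST_TOKEN"]; u != "" && tok != "" {
		return fetch(u, tok)
	}
	return "", errors.New("no OIDC token source configured (AZURE_OIDC_TOKEN, AZURE_OIDC_TOKEN_FILE_PATH or AZURE_OIDC_REQUEST_URL+AZURE_OIDC_REQUEST_TOKEN)")
}

// ClientAssertionForm builds the client_credentials token-request body that
// exchanges a federated-credential JWT for an Azure access token (RFC 7523
// JWT bearer client assertion). No client secret is involved, which is the
// point of OIDC federation.
func ClientAssertionForm(clientID, assertion, scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
		"scope":                 {scope},
	}
}

// TokenEndpoint is the v2.0 token endpoint for a tenant.
func TokenEndpoint(tenantID string) string {
	return "https://login.microsoftonline.com/" + url.PathEscape(tenantID) + "/oauth2/v2.0/token"
}

func main() {
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if k, v, ok := strings.Cut(kv, "="); ok {
			env[k] = v
		}
	}
	env = NormalizeEnv(env)
	if env["AZURE_AUTH_METHOD"] != "oidc" {
		fmt.Println("AZURE_AUTH_METHOD is not \"oidc\": the provider would use its default credential chain, which is what produced the 401 above")
		return
	}
	noNetwork := func(string, string) (string, error) { return "", errors.New("network fetch disabled in this example") }
	assertion, err := ResolveAssertion(env, os.ReadFile, noNetwork)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	form := ClientAssertionForm(env["AZURE_CLIENT_ID"], assertion, "https://management.azure.com/.default")
	fmt.Println("POST", TokenEndpoint(env["AZURE_TENANT_ID"]))
	for k := range form { // print only field names; never log the assertion itself
		fmt.Println("  field:", k)
	}
}
```

Running the program with only ARM_USE_OIDC=true and ARM_OIDC_TOKEN set shows the alias handling; unsetting both the ARM and AZURE auth-method variables reproduces the fallback path. The assertion is deliberately never printed, since a federated token is a bearer credential for the duration of its validity.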

pchanvallon (Contributor, Author)

Hello @stmcx,
Thank you for your feedback.
Yes, we will have to request this change in the acme TF provider after the lib update to finalize the integration.

@ldez ldez added this to the v4.15 milestone Oct 23, 2023
@ldez ldez force-pushed the feat/azuredns-allow-oidc-auth branch from eda3149 to 5b59784 on October 30, 2023 13:08

ldez (Member) left a comment

LGTM

@ldez ldez merged commit 4f242c9 into go-acme:master Oct 30, 2023
7 checks passed

@adeturner adeturner mentioned this pull request Dec 21, 2023

Linked issue that this pull request may close: Azure DNS OIDC support