Merge pull request #16555 from SudoSpartanDan/oidc

Support for OIDC Authentication

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gofrs/uuid v4.0.0+incompatible
 	github.com/google/go-cmp v0.5.6
 	github.com/google/uuid v1.1.2
-	github.com/hashicorp/go-azure-helpers v0.30.0
+	github.com/hashicorp/go-azure-helpers v0.31.1
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-uuid v1.0.2
 	github.com/hashicorp/go-version v1.3.0

go.sum

@@ -256,8 +256,8 @@ github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-azure-helpers v0.12.0/go.mod h1:Zc3v4DNeX6PDdy7NljlYpnrdac1++qNW0I4U+ofGwpg=
-github.com/hashicorp/go-azure-helpers v0.30.0 h1:4wuiUiX52fmFc3tLK+uFm2f5gYqx+J3+q8Bza2YDR70=
-github.com/hashicorp/go-azure-helpers v0.30.0/go.mod h1:gcutZ/Hf/O7YN9M3UIvyZ9l0Rxv7Yrc9x5sSfM9cuSw=
+github.com/hashicorp/go-azure-helpers v0.31.1 h1:lgwZLcyMheoLUj7dJfsrsa7ZpRvOIbsfFhttLi6ml78=
+github.com/hashicorp/go-azure-helpers v0.31.1/go.mod h1:gcutZ/Hf/O7YN9M3UIvyZ9l0Rxv7Yrc9x5sSfM9cuSw=
 github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU=
 github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=

internal/provider/provider.go

@@ -166,6 +166,27 @@ func azureProvider(supportLegacyTestSuite bool) *schema.Provider {
 				Description: "The Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret.",
 			},
 
+			// OIDC specifc fields
+			"oidc_request_token": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"}, ""),
+				Description: "The bearer token for the request to the OIDC provider. For use When authenticating as a Service Principal using OpenID Connect.",
+			},
+			"oidc_request_url": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL"}, ""),
+				Description: "The URL for the OIDC provider from which to request an ID token. For use When authenticating as a Service Principal using OpenID Connect.",
+			},
+
+			"use_oidc": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("ARM_USE_OIDC", false),
+				Description: "Allow OpenID Connect to be used for authentication",
+			},
+
 			// Managed Service Identity specific fields
 			"use_msi": {
 				Type:        schema.TypeBool,
@@ -246,20 +267,23 @@ func providerConfigure(p *schema.Provider) schema.ConfigureContextFunc {
 		metadataHost := d.Get("metadata_host").(string)
 
 		builder := &authentication.Builder{
-			SubscriptionID:     d.Get("subscription_id").(string),
-			ClientID:           d.Get("client_id").(string),
-			ClientSecret:       d.Get("client_secret").(string),
-			TenantID:           d.Get("tenant_id").(string),
-			AuxiliaryTenantIDs: auxTenants,
-			Environment:        d.Get("environment").(string),
-			MetadataHost:       metadataHost,
-			MsiEndpoint:        d.Get("msi_endpoint").(string),
-			ClientCertPassword: d.Get("client_certificate_password").(string),
-			ClientCertPath:     d.Get("client_certificate_path").(string),
+			SubscriptionID:      d.Get("subscription_id").(string),
+			ClientID:            d.Get("client_id").(string),
+			ClientSecret:        d.Get("client_secret").(string),
+			TenantID:            d.Get("tenant_id").(string),
+			AuxiliaryTenantIDs:  auxTenants,
+			Environment:         d.Get("environment").(string),
+			MetadataHost:        metadataHost,
+			MsiEndpoint:         d.Get("msi_endpoint").(string),
+			ClientCertPassword:  d.Get("client_certificate_password").(string),
+			ClientCertPath:      d.Get("client_certificate_path").(string),
+			IDTokenRequestToken: d.Get("oidc_request_token").(string),
+			IDTokenRequestURL:   d.Get("oidc_request_url").(string),
 
 			// Feature Toggles
 			SupportsClientCertAuth:         true,
 			SupportsClientSecretAuth:       true,
+			SupportsOIDCAuth:               d.Get("use_oidc").(bool),
 			SupportsManagedServiceIdentity: d.Get("use_msi").(bool),
 			SupportsAzureCliToken:          true,
 			SupportsAuxiliaryTenants:       len(auxTenants) > 0,

vendor/modules.txt

@@ -194,7 +194,7 @@ github.com/google/uuid
 # github.com/hashicorp/errwrap v1.1.0
 ## explicit
 github.com/hashicorp/errwrap
-# github.com/hashicorp/go-azure-helpers v0.30.0
+# github.com/hashicorp/go-azure-helpers v0.31.1
 ## explicit; go 1.17
 github.com/hashicorp/go-azure-helpers/authentication
 github.com/hashicorp/go-azure-helpers/lang/dates

website/docs/guides/azure_cli.html.markdown

@@ -14,6 +14,7 @@ Terraform supports a number of different methods for authenticating to Azure:
 * [Authenticating to Azure using Managed Service Identity](managed_service_identity.html)
 * [Authenticating to Azure using a Service Principal and a Client Certificate](service_principal_client_certificate.html)
 * [Authenticating to Azure using a Service Principal and a Client Secret](service_principal_client_secret.html)
+* [Authenticating to Azure using a Service Principal and Open ID Connect](service_principal_oidc.html)
 
 ---
 

website/docs/guides/managed_service_identity.html.markdown

@@ -13,6 +13,7 @@ Terraform supports a number of different methods for authenticating to Azure:
 - Authenticating to Azure using Managed Identity (covered in this guide)
 - [Authenticating to Azure using a Service Principal and a Client Certificate](service_principal_client_certificate.html)
 - [Authenticating to Azure using a Service Principal and a Client Secret](service_principal_client_secret.html)
+- [Authenticating to Azure using OpenID Connect](service_principal_oidc.html)
 
 ---
 

website/docs/guides/service_principal_client_certificate.html.markdown

@@ -14,6 +14,7 @@ Terraform supports a number of different methods for authenticating to Azure:
 * [Authenticating to Azure using Managed Service Identity](managed_service_identity.html)
 * Authenticating to Azure using a Service Principal and a Client Certificate (which is covered in this guide)
 * [Authenticating to Azure using a Service Principal and a Client Secret](service_principal_client_secret.html)
+* [Authenticating to Azure using a Service Principal and OpenID Connect](service_principal_oidc.html)
 
 ---
 
@@ -23,7 +24,7 @@ We recommend using either a Service Principal or Managed Service Identity when r
 
 ## Setting up an Application and Service Principal
 
-A Service Principal is a security principal within Azure Active Directory which can be granted access to resources within Azure Subscriptions. To authenticate with a Service Principal, you will need to create an Application object within Azure Active Directory, which you will use as a means of authentication, either [using a Client Secret](service_principal_client_secret.html) or a Client Certificate (which is documented in this guide). This can be done using the Azure Portal.
+A Service Principal is a security principal within Azure Active Directory which can be granted access to resources within Azure Subscriptions. To authenticate with a Service Principal, you will need to create an Application object within Azure Active Directory, which you will use as a means of authentication, either [using a Client Secret](service_principal_client_secret.html), a Client Certificate (which is documented in this guide), or [OpenID Connect](service_principal_oidc.html). This can be done using the Azure Portal.
 
 This guide will cover how to generate a client certificate, how to create an Application and linked Service Principal, and then how to assign the Client Certificate to the Application so that it can be used for authentication. Once that's done finally we're going to grant the Service Principal permission to manage resources in the Subscription - to do this we're going to assign `Contributor` rights to the Subscription - however, [it's possible to assign other permissions](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles) depending on your configuration.
 

website/docs/guides/service_principal_client_secret.html.markdown

@@ -14,6 +14,7 @@ Terraform supports a number of different methods for authenticating to Azure:
 * [Authenticating to Azure using Managed Service Identity](managed_service_identity.html)
 * [Authenticating to Azure using a Service Principal and a Client Certificate](service_principal_client_certificate.html)
 * Authenticating to Azure using a Service Principal and a Client Secret (which is covered in this guide)
+* [Authenticating to Azure using a Service Principal and OpenID Connect](service_principal_oidc.html)
 
 ---