Support for OIDC Authentication #16555
Conversation
@SudoSpartanDan Thanks for looking at this! I actually have a working prototype on the
@SudoSpartanDan Thanks again for the work on this! This is looking great, I've made some suggestions below mostly around naming. If you can take a look at these, this should be good to merge once the corresponding changes to the Azure remote state backend are also readied for release.
Co-authored-by: Tom Bamford <tom@bamford.io>
Sounds good! I went ahead and committed your suggestions, I'll keep an eye out for this PR until the azurerm backend changes are ready to go as well.
@SudoSpartanDan Thanks for updating. You can go ahead and vendor v0.31.1 of go-azure-helpers now, this completes the OIDC support. Thanks!
@manicminer updated!
@SudoSpartanDan @manicminer I have tracked this issue for some time and am very pleased to see you have come up with a solution 👑 🚀 Just wondering if we are still waiting for something, since this was added to the "Future" milestone, or if you have some ballpark idea of when we can expect to see this feature released?
This will be merged when Terraform v1.2 is released, as it requires updates to the Azure remote state backend to support OIDC.
Terraform 1.2 now released! https://github.com/hashicorp/terraform/releases/tag/v1.2.0
hey @SudoSpartanDan
Thanks for this PR - as has been mentioned above, Terraform Core 1.2 has now been released as such we can look at shipping this in the Provider now 👍
I've taken a look through and left a handful of documentation related comments inline, but if we can fix those up then this otherwise LGTM 👍
Thanks!
Co-authored-by: Tom Harvey <tombuildsstuff@users.noreply.github.com>
@tombuildsstuff Thanks, committed and ready to go! 🚀
When will this appear in a release? Or is there a clean way to point to "main" (latest) for the provider?
This functionality has been released in v3.7.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
Since this was recently merged, I'll ask here: this appears to only implement a specific GitHub Token OIDC implementation, not an actual generic OIDC or Kubernetes Federated OIDC that Azure Service Principals support? Can someone confirm or deny this? If it's supposed to be OIDC, do we have any working examples that are not GitHub? If not, perhaps this needs to be renamed to GitHub Token OIDC Support?
By design, yes, it uses the GitHub environment variables for this by default, but should be able to support OIDC with other trusted entities. Two variables in the provider configuration are used for this: oidc_request_token and oidc_request_token. Right now, the only use case we have to document is GitHub Actions, but if you have another use case that this can be used by, feel free to drop a PR adding that example in :)
@SudoSpartanDan I ended up opening two issues because unfortunately the "but should be able to support OIDC with other trusted entities" isn't correct as far as I can tell; the GitHub implementation only works with GitHub. I won't re-hash it here, but I opened #16900 and #16901. As for use cases, I'd like to use actual OIDC instead of GitHub Tokens. Specifically Kubernetes Federation.
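The exchange above turns on where the ID token comes from. The following is an added example, not the provider's or go-azure-helpers' code, that walks the two-step flow a GitHub Actions job goes through and separates the GitHub-specific half from the generic half. It assumes the public GitHub Actions variables `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` (the pair the provider's `oidc_request_*` settings map onto), Azure's default federated-credential audience `api://AzureADTokenExchange`, the Azure v2.0 token endpoint with an RFC 7523 JWT-bearer client assertion, and `AZURE_FEDERATED_TOKEN_FILE` as the file-based source a Kubernetes projected service-account token would use; the token values and URLs in the usage note are constructed. Step 1 only exists on a GitHub runner; step 2 accepts any trusted issuer's JWT, which is the distinction the two comments above are arguing about.

```python
"""Added example (not azurerm provider code): GitHub Actions -> Azure workload identity
federation, with the GitHub-only step separated from the generic OIDC token exchange."""
import json
import os
import sys
from typing import Callable, Dict
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed defaults: Azure's documented audience for federated credentials, the
# RFC 7523 JWT-bearer assertion type, and the Azure Resource Manager scope.
AZURE_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ARM_SCOPE = "https://management.azure.com/.default"

HttpFn = Callable[[Request], Dict]


def http_json(req: Request) -> Dict:
    """Real transport: send the request and decode the JSON body."""
    with urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


def build_github_token_request(request_url: str, request_token: str,
                               audience: str = AZURE_EXCHANGE_AUDIENCE) -> Request:
    """Step 1 (GitHub-specific): ask the runner's token service for an ID token.
    request_url/request_token are ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN (assumed names);
    the request token is a bearer credential for that endpoint only and never reaches
    Azure, so a non-GitHub issuer has nothing to put in these two settings."""
    sep = "&" if "?" in request_url else "?"
    url = f"{request_url}{sep}{urlencode({'audience': audience})}"
    return Request(url, headers={"Authorization": f"bearer {request_token}",
                                 "Accept": "application/json"})


def fetch_github_id_token(request_url: str, request_token: str,
                          audience: str = AZURE_EXCHANGE_AUDIENCE,
                          http: HttpFn = http_json) -> str:
    body = http(build_github_token_request(request_url, request_token, audience))
    return body["value"]  # GitHub answers {"value": "<signed JWT>"}


def build_client_assertion_request(tenant_id: str, client_id: str, id_token: str,
                                   scope: str = ARM_SCOPE) -> Request:
    """Step 2 (generic OIDC): present a JWT from any issuer Azure has been told to
    trust as the client assertion for the service principal."""
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": JWT_BEARER_ASSERTION,
        "client_assertion": id_token,
    }).encode("ascii")
    return Request(f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
                   data=form, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def exchange_for_access_token(tenant_id: str, client_id: str, id_token: str,
                              http: HttpFn = http_json) -> str:
    return http(build_client_assertion_request(tenant_id, client_id, id_token))["access_token"]


def id_token_from_environment(env: Dict[str, str], http: HttpFn = http_json) -> str:
    """Choose the token source. A pre-issued token file (Kubernetes projected
    service-account token via AZURE_FEDERATED_TOKEN_FILE, assumed name) skips step 1
    entirely; otherwise fall back to GitHub's request URL/token pair."""
    token_file = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if token_file:
        with open(token_file, encoding="utf-8") as fh:
            return fh.read().strip()
    url = env.get("ACTIONS_ID_TOKEN_REQUEST_URL")
    tok = env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    if not (url and tok):
        raise RuntimeError("no federated token source: set AZURE_FEDERATED_TOKEN_FILE "
                           "or run under GitHub Actions with `id-token: write`")
    return fetch_github_id_token(url, tok, http=http)


if __name__ == "__main__":
    # Live run: needs ARM_TENANT_ID, ARM_CLIENT_ID and one of the token sources above.
    tenant, client = os.environ["ARM_TENANT_ID"], os.environ["ARM_CLIENT_ID"]
    access = exchange_for_access_token(tenant, client, id_token_from_environment(os.environ))
    print("got access token starting " + access[:12] + "...", file=sys.stderr)
```

Passing `http=` lets you inspect the exact requests offline: with a constructed request URL such as `https://pipelines.actions.githubusercontent.com/x/idtoken/y?api-version=2.0` and request token `rt-123`, step 1 issues a GET carrying `Authorization: bearer rt-123` and `audience=api://AzureADTokenExchange`, and step 2 POSTs the returned JWT as `client_assertion`. Nothing in step 2 cares who issued the JWT; only step 1 is tied to GitHub.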
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
Closes #16554
@manicminer Let me know if this looks good to you
Depends on hashicorp/go-azure-helpers#115