
backend/azurerm: support for authenticating via msi #19433

Merged
merged 4 commits into from
Nov 22, 2018

Conversation

tombuildsstuff (Contributor)

Requires a feature-toggled acceptance test, since this could only be run from within an Azure VM

Fixes #18425

@tombuildsstuff (Contributor Author)

Works in CloudShell:

[screenshot 2018-11-22 at 07:30:17]

When specifying the MSI Endpoint (since CloudShell uses a different endpoint):

[screenshot 2018-11-22 at 07:30:30]

@tombuildsstuff (Contributor Author)

Confirmed this looks good in a VM with MSI assigned too:

[screenshot 2018-11-22 at 08:17:52]

using the following config:

[screenshot 2018-11-22 at 08:16:47]

@tombuildsstuff (Contributor Author)

Running the MSI specific tests on an Azure VM with MSI enabled:

$ ARM_USE_MSI=true ARM_ENVIRONMENT=public ARM_LOCATION=westeurope TF_ACC=1 TF_RUNNING_IN_AZURE=1 go test -v . -run="TestBackendManagedServiceIdentityBasic" -count=1
=== RUN   TestBackendManagedServiceIdentityBasic
2018/11/22 10:30:21 Testing if Service Principal / Client Certificate is applicable for Authentication..
2018/11/22 10:30:21 Testing if Service Principal / Client Secret is applicable for Authentication..
2018/11/22 10:30:21 Testing if Managed Service Identity is applicable for Authentication..
2018/11/22 10:30:21 Using Managed Service Identity for Authentication
2018/11/22 10:30:21 [DEBUG] Using MSI endpoint "http://169.254.169.254/metadata/identity/oauth2/token"
2018/11/22 10:30:21 Creating Resource Group "acctestrg-backend-g8sj"
2018/11/22 10:30:22 Creating Storage Account "acctestsag8sj" in Resource Group "acctestrg-backend-g8sj"
2018/11/22 10:30:41 fetching access key for storage account
2018/11/22 10:30:41 Creating Container "acctestcont" in Storage Account "acctestsag8sj" (Resource Group "acctestrg-backend-g8sj")
2018/11/22 10:30:41 Testing if Service Principal / Client Certificate is applicable for Authentication..
2018/11/22 10:30:41 Testing if Service Principal / Client Secret is applicable for Authentication..
2018/11/22 10:30:41 Testing if Managed Service Identity is applicable for Authentication..
2018/11/22 10:30:41 Using Managed Service Identity for Authentication
2018/11/22 10:30:41 [DEBUG] Using MSI endpoint "http://169.254.169.254/metadata/identity/oauth2/token"
2018/11/22 10:30:41 [DEBUG] Could not lock as state blob did not exist, creating with empty state
2018/11/22 10:30:42 [DEBUG] Could not lock as state blob did not exist, creating with empty state
2018/11/22 10:30:42 [DEBUG] Could not lock as state blob did not exist, creating with empty state
2018/11/22 10:30:42 [DEBUG] Deleting Resource Group "acctestrg-backend-g8sj"..
2018/11/22 10:30:42 [DEBUG] Waiting for deletion of Resource Group "acctestrg-backend-g8sj"..
--- PASS: TestBackendManagedServiceIdentityBasic (126.09s)
    backend_test.go:76: TestBackendConfig on *azure.Backend with configs.synthBody{Filename:"<TestWrapConfig>", Values:map[string]cty.Value{"use_msi":cty.True, "arm_subscription_id":cty.StringVal("00000000-0000-0000-0000-000000000000"), "arm_tenant_id":cty.StringVal("00000000-0000-0000-0000-000000000000"), "container_name":cty.StringVal("acctestcont"), "environment":cty.StringVal("public"), "key":cty.StringVal("testState"), "resource_group_name":cty.StringVal("acctestrg-backend-g8sj"), "storage_account_name":cty.StringVal("acctestsag8sj")}}
PASS
ok  	github.com/hashicorp/terraform/backend/remote-state/azure	126.105s
$ ARM_USE_MSI=true ARM_ENVIRONMENT=public ARM_LOCATION=westeurope TF_ACC=1 TF_RUNNING_IN_AZURE=1 go test -v . -run="TestRemoteClientManagedServiceIdentityBasic" -count=1
=== RUN   TestRemoteClientManagedServiceIdentityBasic
2018/11/22 10:26:27 Testing if Service Principal / Client Certificate is applicable for Authentication..
2018/11/22 10:26:27 Testing if Service Principal / Client Secret is applicable for Authentication..
2018/11/22 10:26:27 Testing if Managed Service Identity is applicable for Authentication..
2018/11/22 10:26:27 Using Managed Service Identity for Authentication
2018/11/22 10:26:27 [DEBUG] Using MSI endpoint "http://169.254.169.254/metadata/identity/oauth2/token"
2018/11/22 10:26:27 Creating Resource Group "acctestrg-backend-gi6u"
2018/11/22 10:26:28 Creating Storage Account "acctestsagi6u" in Resource Group "acctestrg-backend-gi6u"
2018/11/22 10:26:47 fetching access key for storage account
2018/11/22 10:26:47 Creating Container "acctestcont" in Storage Account "acctestsagi6u" (Resource Group "acctestrg-backend-gi6u")
2018/11/22 10:26:47 Testing if Service Principal / Client Certificate is applicable for Authentication..
2018/11/22 10:26:47 Testing if Service Principal / Client Secret is applicable for Authentication..
2018/11/22 10:26:47 Testing if Managed Service Identity is applicable for Authentication..
2018/11/22 10:26:47 Using Managed Service Identity for Authentication
2018/11/22 10:26:47 [DEBUG] Using MSI endpoint "http://169.254.169.254/metadata/identity/oauth2/token"
2018/11/22 10:26:47 [DEBUG] Deleting Resource Group "acctestrg-backend-gi6u"..
2018/11/22 10:26:47 [DEBUG] Waiting for deletion of Resource Group "acctestrg-backend-gi6u"..
--- PASS: TestRemoteClientManagedServiceIdentityBasic (125.51s)
    client_test.go:62: TestBackendConfig on *azure.Backend with configs.synthBody{Filename:"<TestWrapConfig>", Values:map[string]cty.Value{"storage_account_name":cty.StringVal("acctestsagi6u"), "use_msi":cty.True, "arm_subscription_id":cty.StringVal("00000000-0000-0000-0000-000000000000"), "arm_tenant_id":cty.StringVal("00000000-0000-0000-0000-000000000000"), "container_name":cty.StringVal("acctestcont"), "environment":cty.StringVal("public"), "key":cty.StringVal("testState"), "resource_group_name":cty.StringVal("acctestrg-backend-gi6u")}}
PASS
ok  	github.com/hashicorp/terraform/backend/remote-state/azure	125.523s
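
The test output above shows the backend selecting Managed Service Identity and then calling the IMDS token endpoint, and the earlier comment notes that CloudShell exposes a different endpoint. The following Go program is an added example, not code from this PR or from Terraform, showing the two pieces a practitioner would want to see: how the endpoint is resolved (explicit setting first, then an environment variable, then the IMDS default) and what a correct token request looks like. The environment variable names `ARM_MSI_ENDPOINT` and `MSI_ENDPOINT`, the `api-version=2018-02-01` query value and the function names are assumptions made for this example and do not come from the page.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"time"
)

// DefaultMSIEndpoint is the Azure Instance Metadata Service (IMDS) token endpoint
// that appears in the PR's test output.
const DefaultMSIEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token"

// MSIToken is the subset of the token response this example reads.
type MSIToken struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
	Resource    string `json:"resource"`
	TokenType   string `json:"token_type"`
}

// ResolveMSIEndpoint picks the endpoint to call: an explicitly configured value
// wins, then an MSI_ENDPOINT environment variable (assumed here to be how an
// environment such as CloudShell advertises its non-IMDS endpoint), then the
// IMDS default. lookupEnv is injected so the choice is testable without
// touching the process environment.
func ResolveMSIEndpoint(configured string, lookupEnv func(string) (string, bool)) string {
	if configured != "" {
		return configured
	}
	if v, ok := lookupEnv("MSI_ENDPOINT"); ok && v != "" {
		return v
	}
	return DefaultMSIEndpoint
}

// FetchMSIToken requests a token for resource from the given MSI endpoint.
// The "Metadata: true" header is required by IMDS; it exists so that a plain
// forwarded or redirected request (for example via an SSRF bug in a web app on
// the VM) cannot obtain a token, which is why this example sets it explicitly.
func FetchMSIToken(ctx context.Context, client *http.Client, endpoint, resource string) (*MSIToken, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return nil, fmt.Errorf("parsing MSI endpoint %q: %w", endpoint, err)
	}
	q := u.Query()
	q.Set("api-version", "2018-02-01") // assumed IMDS API version for this example
	q.Set("resource", resource)
	u.RawQuery = q.Encode()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true")

	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("calling MSI endpoint: %w", err)
	}
	defer resp.Body.Close()

	// Bound the body size; a metadata service response is small.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// Report the status only: never copy token-bearing bodies into logs.
		return nil, fmt.Errorf("MSI endpoint returned HTTP %d", resp.StatusCode)
	}
	var tok MSIToken
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, fmt.Errorf("decoding MSI response: %w", err)
	}
	if tok.AccessToken == "" {
		return nil, fmt.Errorf("MSI response contained no access_token")
	}
	return &tok, nil
}

func main() {
	// Stand-alone use only succeeds on an Azure VM (or CloudShell) with a managed identity.
	client := &http.Client{Timeout: 5 * time.Second}
	endpoint := ResolveMSIEndpoint(os.Getenv("ARM_MSI_ENDPOINT"), os.LookupEnv) // ARM_MSI_ENDPOINT: assumed name
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	tok, err := FetchMSIToken(ctx, client, endpoint, "https://management.azure.com/")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	// Print metadata about the token, never the token itself.
	fmt.Printf("got %s token for %s (expires_on=%s)\n", tok.TokenType, tok.Resource, tok.ExpiresOn)
}
```

The endpoint-resolution order mirrors what the PR's screenshots exercise (a default that works on a VM, and an explicit override for CloudShell); keeping the override explicit rather than silently trusting any endpoint found in the environment is the safer default for a backend that will hold state-file credentials. Note that the log output on the page shows the IMDS endpoint being used at `169.254.169.254`, which is link-local and only reachable from inside the VM, so a failure from outside Azure is expected rather than a configuration bug.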

@tombuildsstuff tombuildsstuff changed the title [WIP] backend/azurerm: support for authenticating via msi backend/azurerm: support for authenticating via msi Nov 22, 2018
@tombuildsstuff (Contributor Author)

Ignoring the existing failing tests (which are a separate locking issue) - this passes in Azure Public:

[screenshot 2018-11-22 at 12:15:10]

and Azure Germany:

[screenshot 2018-11-22 at 12:15:04]

@alexsomesan (Member) left a comment

Looks good, as much as I can understand the backend stuff.

@tombuildsstuff tombuildsstuff merged commit c928962 into master Nov 22, 2018
@tombuildsstuff tombuildsstuff deleted the f/backend/azurerm-msi-auth branch November 22, 2018 15:52
tombuildsstuff added a commit that referenced this pull request Nov 22, 2018
@ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020