azapi: Support client_certificate field

CHANGELOG.md

@@ -1,6 +1,7 @@
 ## v1.14.0 (unreleased)
 
 ENHANCEMENTS:
+- `azapi` provider: Support `client_certificate` field, which specifies base64-encoded PKCS#12 bundle to be used as the client certificate for authentication.
 - `azapi_resource`, `azapi_update_resource`, `azapi_resource_action`, `azapi_data_plane_resource` resources: Support `timeouts.update` field, which is used to specify the timeout for the update operation.
 - `azapi_update_resource` resource: Improve the id build logic to honor user's input.
 

docs/guides/service_principal_client_certificate.md

@@ -74,7 +74,7 @@ At this point the newly created Azure Active Directory Application should be ass
 
 As we've obtained the credentials for this Service Principal - it's possible to configure them in a few different ways.
 
-When storing the credentials as Environment Variables, for example:
+*Reading the certificate bundle from the filesystem*
 
 ```bash
 export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
@@ -84,6 +84,15 @@ export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
 export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
 ```
 
+*Passing the encoded certificate bundle directly*
+```bash
+$ export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
+$ export ARM_CLIENT_CERTIFICATE="$(base64 /path/to/my/client/certificate.pfx)"
+$ export ARM_CLIENT_CERTIFICATE_PASSWORD="Pa55w0rd123"
+$ export ARM_TENANT_ID="10000000-0000-0000-0000-000000000000"
+$ export ARM_SUBSCRIPTION_ID="20000000-0000-0000-0000-000000000000"
+```
+
 The following Terraform and Provider blocks can be specified - where `0.1.0` is the version of the Azure Provider that you'd like to use:
 
 ```hcl
@@ -110,6 +119,7 @@ It's also possible to configure these variables either in-line or from using var
 
 ~> **NOTE:** We'd recommend not defining these variables in-line since they could easily be checked into Source Control.
 
+*Reading the certificate bundle from the filesystem*
 ```hcl
 variable "client_certificate_path" {}
 variable "client_certificate_password" {}
@@ -132,6 +142,30 @@ provider "azapi" {
 }
 ```
 
+*Passing the encoded certificate bundle directly*
+
+```hcl
+variable "client_certificate" {}
+variable "client_certificate_password" {}
+
+terraform {
+  required_providers {
+    azapi = {
+      source  = "azure/azapi"
+      version = "=0.1.0"
+    }
+  }
+}
+
+provider "azapi" {
+  client_id                   = "00000000-0000-0000-0000-000000000000"
+  client_certificate          = var.client_certificate
+  client_certificate_password = var.client_certificate_password
+  tenant_id                   = "10000000-0000-0000-0000-000000000000"
+  subscription_id             = "20000000-0000-0000-0000-000000000000"
+}
+```
+
 More information on [the fields supported in the Provider block can be found here](../index.html#argument-reference).
 
 At this point running either `terraform plan` or `terraform apply` should allow Terraform to run using the Service Principal to authenticate.

docs/index.md

@@ -96,6 +96,8 @@ A `endpoint` block supports the following:
 
 When authenticating as a Service Principal using a Client Certificate, the following fields can be set:
 
+* `client_certificate` - A base64-encoded PKCS#12 bundle to be used as the client certificate for authentication. This can also be sourced from the `ARM_CLIENT_CERTIFICATE` environment variable.
+
 * `client_certificate_password` - (Optional) The password associated with the Client Certificate. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` Environment Variable.
 
 * `client_certificate_path` - (Optional) The path to the Client Certificate associated with the Service Principal which should be used. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` Environment Variable.

internal/acceptance/testcase.go

@@ -166,21 +166,33 @@ func (td TestData) externalProviders() map[string]resource.ExternalProvider {
 }
 
 func PreCheck(t *testing.T) {
-	variables := []string{
-		"ARM_CLIENT_ID",
-		"ARM_CLIENT_SECRET",
-		"ARM_SUBSCRIPTION_ID",
-		"ARM_TENANT_ID",
-		"ARM_TEST_LOCATION",
-		"ARM_TEST_LOCATION_ALT",
-		"ARM_TEST_LOCATION_ALT2",
-	}
-
-	for _, variable := range variables {
-		value := os.Getenv(variable)
-		if value == "" {
-			t.Fatalf("`%s` must be set for acceptance tests!", variable)
-		}
+	if v := os.Getenv("TF_ACC"); v == "" {
+		t.Fatalf(`TF_ACC must be set for acceptance tests!
+For tests that authenticate with Azure by using a Service Principal, the following environment variables must be set:
+- ARM_CLIENT_ID
+- ARM_CLIENT_SECRET
+- ARM_SUBSCRIPTION_ID
+- ARM_TENANT_ID
+- ARM_TEST_LOCATION
+- ARM_TEST_LOCATION_ALT
+- ARM_TEST_LOCATION_ALT2
+
+For tests that authenticate with Azure by OIDC in github action, the following environment variables must be set:
+- ARM_CLIENT_ID
+- ARM_TENANT_ID
+- ARM_TEST_LOCATION
+- ARM_TEST_LOCATION_ALT
+- ARM_TEST_LOCATION_ALT2
+
+For tests that authenticate with Azure by using a Service Principal with Certificate, the following environment variables must be set:
+- ARM_CLIENT_ID
+- ARM_CLIENT_CERTIFICATE_PATH
+- ARM_SUBSCRIPTION_ID
+- ARM_TENANT_ID
+- ARM_TEST_LOCATION
+- ARM_TEST_LOCATION_ALT
+- ARM_TEST_LOCATION_ALT2
+`)
 	}
 }