Merged automatically by CI pipeline

SCALRCORE-27395 Azure OIDC support.

CHANGELOG.md

@@ -9,9 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- `scalr_provider_configuration`: added new `azurerm.auth_type` and `azurerm.audience` attributes; `azurerm.client_secret` attribute became optional ([#265](https://github.com/Scalr/terraform-provider-scalr/pull/265))
 - `scalr_provider_configuration`: Updated documentation to fix a typo for the audience attribute for the `aws` provider.
 
-
 ## [1.3.0] - 2023-07-21
 
 ### Changed

docs/resources/scalr_provider_configuration.md

@@ -68,6 +68,20 @@ resource "scalr_provider_configuration" "azurerm" {
 }
 ```
 
+```hcl
+resource "scalr_provider_configuration" "azurerm_oidc" {
+  name       = "azurerm"
+  account_id = "acc-xxxxxxxxx"
+  azurerm {
+    auth_type       = "oidc"
+    audience        = "scalr-workload-identity"
+    client_id       = "my-client-id"
+    tenant_id       = "my-tenant-id"
+    subscription_id = "my-subscription-id"
+  }
+}
+```
+
 ### Google provider:
 
 ```hcl
@@ -149,10 +163,12 @@ resource "scalr_provider_configuration" "kubernetes" {
   * `project` - (Optional) The default project to manage resources in. If another project is specified on a resource, it will take precedence.
 * `azurerm` - (Optional) Settings for the azurerm provider configuration. Exactly one of the following attributes must be set: `scalr`, `aws`, `google`, `azurerm`, `custom`.
    The `azurerm` block supports the following:
+  * `auth_type` - (Optional) Authentication type, either `client-secrets` (default) or `oidc`.
   * `client_id` - (Required) The Client ID that should be used.
-  * `client_secret` - (Required) The Client Secret that should be used.
+  * `client_secret` - (Optional) The Client Secret that should be used, required when `auth_type` is `client-secrets`.
   * `tenant_id` - (Required) The Tenant ID that should be used.
   * `subscription_id` - (Optional) The Subscription ID that should be used. If skipped, it must be set as a shell variable in the workspace or as a part of the source configuration.
+  * `audience` - (Optional) The value of the `aud` claim for the identity token. This option is required with `oidc` authentication type.
 * `custom` - (Optional) Settings for the provider configuration that does not have scalr support as a built-in provider. Exactly one of the following attributes must be set: `scalr`, `aws`, `google`, `azurerm`, `custom`.
    The `custom` block supports the following:
   * `provider_name` - (Required) The name of a Terraform provider.

go.mod

@@ -5,7 +5,7 @@ require (
 	github.com/hashicorp/hcl v0.0.0-20180404174102-ef8a98b0bbce
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.1
 	github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
-	github.com/scalr/go-scalr v0.0.0-20230720074522-81dc55375b75
+	github.com/scalr/go-scalr v0.0.0-20230724130629-32e739f11ab5
 )
 
 require (

go.sum

@@ -242,8 +242,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/scalr/go-scalr v0.0.0-20230720074522-81dc55375b75 h1:gLtZ8V0Mlaq7HOm3YRZftfyvxlZ5ugjn5ikiJrQIipI=
-github.com/scalr/go-scalr v0.0.0-20230720074522-81dc55375b75/go.mod h1:p34SHb25YRvbgft7SUjSDYESeoQhWzAlxGXId/BbaSE=
+github.com/scalr/go-scalr v0.0.0-20230724130629-32e739f11ab5 h1:qG5f2IRp3zisp2TcnQlthkI4MKPXO53c8jsolHZtBNQ=
+github.com/scalr/go-scalr v0.0.0-20230724130629-32e739f11ab5/go.mod h1:p34SHb25YRvbgft7SUjSDYESeoQhWzAlxGXId/BbaSE=
 github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=

scalr/resource_scalr_provider_configuration.go

@@ -147,13 +147,22 @@ func resourceScalrProviderConfiguration() *schema.Resource {
 				ExactlyOneOf: []string{"aws", "google", "scalr", "custom"},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"auth_type": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Default:  "client-secrets",
+						},
+						"audience": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
 						"client_id": {
 							Type:     schema.TypeString,
 							Required: true,
 						},
 						"client_secret": {
 							Type:     schema.TypeString,
-							Required: true,
+							Optional: true,
 						},
 						"tenant_id": {
 							Type:     schema.TypeString,
@@ -345,11 +354,28 @@ func resourceScalrProviderConfigurationCreate(ctx context.Context, d *schema.Res
 	} else if _, ok := d.GetOk("azurerm"); ok {
 		configurationOptions.ProviderName = scalr.String("azurerm")
 		configurationOptions.AzurermClientId = scalr.String(d.Get("azurerm.0.client_id").(string))
-		configurationOptions.AzurermClientSecret = scalr.String(d.Get("azurerm.0.client_secret").(string))
 		configurationOptions.AzurermSubscriptionId = scalr.String(d.Get("azurerm.0.subscription_id").(string))
-		if v, ok := d.GetOk("azurerm.0.tenant_id"); ok {
-			configurationOptions.AzurermTenantId = scalr.String(v.(string))
+		configurationOptions.AzurermTenantId = scalr.String(d.Get("azurerm.0.tenant_id").(string))
+
+		authType := d.Get("azurerm.0.auth_type").(string)
+		if authType == "oidc" {
+			audience, audienceExists := d.GetOk("azurerm.0.audience")
+			if !audienceExists {
+				return diag.Errorf("'audience' field is required for 'oidc' auth type of azurerm provider configuration")
+			}
+			configurationOptions.AzurermAudience = scalr.String(audience.(string))
+			configurationOptions.AzurermAuthType = scalr.String("oidc")
+		} else if authType == "client-secrets" {
+			client_secret, secretExists := d.GetOk("azurerm.0.client_secret")
+			if !secretExists {
+				return diag.Errorf("'client_secret' field is required for 'client-secrets' auth type of azurerm provider configuration")
+			}
+			configurationOptions.AzurermClientSecret = scalr.String(client_secret.(string))
+			configurationOptions.AzurermAuthType = scalr.String("client-secrets")
+		} else {
+			return diag.Errorf("unknown azurerm provider configuration auth type: '%s', allowed: 'client-secrets', 'oidc'", authType)
 		}
+
 	} else if _, ok := d.GetOk("scalr"); ok {
 		configurationOptions.ProviderName = scalr.String("scalr")
 		configurationOptions.ScalrHostname = scalr.String(d.Get("scalr.0.hostname").(string))
@@ -556,13 +582,19 @@ func resourceScalrProviderConfigurationRead(ctx context.Context, d *schema.Resou
 					stateClientSecret = stateAzurermParameters[0].(map[string]interface{})["client_secret"].(string)
 				}
 			}
+			auth_type := "client-secrets"
+			if len(providerConfiguration.AzurermAuthType) > 0 {
+				auth_type = providerConfiguration.AzurermAuthType
+			}
 
 			_ = d.Set("azurerm", []map[string]interface{}{
 				{
 					"client_id":       providerConfiguration.AzurermClientId,
 					"client_secret":   stateClientSecret,
 					"subscription_id": providerConfiguration.AzurermSubscriptionId,
 					"tenant_id":       providerConfiguration.AzurermTenantId,
+					"audience":        providerConfiguration.AzurermAudience,
+					"auth_type":       auth_type,
 				},
 			})
 		}
@@ -690,11 +722,28 @@ func resourceScalrProviderConfigurationUpdate(ctx context.Context, d *schema.Res
 			configurationOptions.ScalrToken = scalr.String(d.Get("scalr.0.token").(string))
 		} else if _, ok := d.GetOk("azurerm"); ok {
 			configurationOptions.AzurermClientId = scalr.String(d.Get("azurerm.0.client_id").(string))
-			configurationOptions.AzurermClientSecret = scalr.String(d.Get("azurerm.0.client_secret").(string))
 			configurationOptions.AzurermSubscriptionId = scalr.String(d.Get("azurerm.0.subscription_id").(string))
-			if v, ok := d.GetOk("azurerm.0.tenant_id"); ok {
-				configurationOptions.AzurermTenantId = scalr.String(v.(string))
+			configurationOptions.AzurermTenantId = scalr.String(d.Get("azurerm.0.tenant_id").(string))
+
+			authType := d.Get("azurerm.0.auth_type").(string)
+			if authType == "oidc" {
+				audience, audienceExists := d.GetOk("azurerm.0.audience")
+				if !audienceExists {
+					return diag.Errorf("'audience' field is required for 'oidc' auth type of azurerm provider configuration")
+				}
+				configurationOptions.AzurermAudience = scalr.String(audience.(string))
+				configurationOptions.AzurermAuthType = scalr.String("oidc")
+			} else if authType == "client-secrets" {
+				client_secret, secretExists := d.GetOk("azurerm.0.client_secret")
+				if !secretExists {
+					return diag.Errorf("'client_secret' field is required for 'client-secrets' auth type of azurerm provider configuration")
+				}
+				configurationOptions.AzurermClientSecret = scalr.String(client_secret.(string))
+				configurationOptions.AzurermAuthType = scalr.String("client-secrets")
+			} else {
+				return diag.Errorf("unknown azurerm provider configuration auth type: '%s', allowed: 'client-secrets', 'oidc'", authType)
 			}
+
 		}
 		_, err := scalrClient.ProviderConfigurations.Update(ctx, id, configurationOptions)
 		if err != nil {