backend/azurerm: adding support for authenticating via MSAL in addition to ADAL #29968

Merged
merged 14 commits into from
Nov 17, 2021


tombuildsstuff
Contributor

This PR adds support for using MSAL instead of ADAL for getting auth tokens in the AzureRM backend, meaning that Microsoft Graph Tokens will be used rather than Azure Active Directory Graph Tokens.

For the moment this is an opt-in feature - however in a future release we'll flip the default from ADAL to MSAL since ADAL is deprecated.

@tombuildsstuff
Contributor Author

tombuildsstuff commented Nov 17, 2021

Client Certificate Tests:

```console
$ go test -v ./internal/backend/remote-state/azure -timeout=60m -run="(TestBackendADALServicePrincipalClientCertificateBasic|TestBackendMSALServicePrincipalClientCertificateBasic)"
=== RUN   TestBackendADALServicePrincipalClientCertificateBasic
--- PASS: TestBackendADALServicePrincipalClientCertificateBasic (113.47s)
=== RUN   TestBackendMSALServicePrincipalClientCertificateBasic
--- PASS: TestBackendMSALServicePrincipalClientCertificateBasic (116.29s)
PASS
ok  	github.com/hashicorp/terraform/internal/backend/remote-state/azure	230.178s
```

MSI Tests:

```console
$ ARM_ENVIRONMENT=public ARM_TENANT_ID="..." ARM_SUBSCRIPTION_ID="..." ARM_USE_MSI=true TF_RUNNING_IN_AZURE=true TF_ACC=1 ARM_LOCATION=westeurope go test -v ./internal/backend/remote-state/azure/ -timeout=60m -run="(TestRemoteClientManagedServiceIdentityBasic|TestBackendADALManagedServiceIdentityBasic|TestBackendMSALManagedServiceIdentityBasic)"
=== RUN   TestBackendADALManagedServiceIdentityBasic
--- PASS: TestBackendADALManagedServiceIdentityBasic (113.71s)
=== RUN   TestBackendMSALManagedServiceIdentityBasic
--- PASS: TestBackendMSALManagedServiceIdentityBasic (117.17s)
=== RUN   TestRemoteClientManagedServiceIdentityBasic
--- PASS: TestRemoteClientManagedServiceIdentityBasic (105.22s)
PASS
ok  	github.com/hashicorp/terraform/internal/backend/remote-state/azure	336.125s
```

Other Tests:

```console
$ TF_ACC=1 envchain azurerm go test -v ./internal/backend/remote-state/azure -timeout=60m
=== RUN   TestBackend_impl
--- PASS: TestBackend_impl (0.00s)
=== RUN   TestBackendConfig
--- PASS: TestBackendConfig (0.00s)
=== RUN   TestBackendAccessKeyBasic
--- PASS: TestBackendAccessKeyBasic (109.42s)
=== RUN   TestBackendSASTokenBasic
--- PASS: TestBackendSASTokenBasic (104.24s)
=== RUN   TestBackendADALAzureADAuthBasic
--- PASS: TestBackendADALAzureADAuthBasic (95.10s)
=== RUN   TestBackendADALManagedServiceIdentityBasic
   helpers_test.go:38: Skipping test since not running in Azure
--- SKIP: TestBackendADALManagedServiceIdentityBasic (0.00s)
=== RUN   TestBackendADALServicePrincipalClientCertificateBasic
   backend_test.go:160: Skipping since `ARM_CLIENT_CERTIFICATE_PATH` is not specified!
--- SKIP: TestBackendADALServicePrincipalClientCertificateBasic (0.00s)
=== RUN   TestBackendADALServicePrincipalClientSecretBasic
--- PASS: TestBackendADALServicePrincipalClientSecretBasic (112.20s)
=== RUN   TestBackendADALServicePrincipalClientSecretCustomEndpoint
   backend_test.go:226: Skipping as ARM_ENDPOINT isn't configured
--- SKIP: TestBackendADALServicePrincipalClientSecretCustomEndpoint (0.00s)
=== RUN   TestBackendMSALAzureADAuthBasic
--- PASS: TestBackendMSALAzureADAuthBasic (104.03s)
=== RUN   TestBackendMSALManagedServiceIdentityBasic
   helpers_test.go:38: Skipping test since not running in Azure
--- SKIP: TestBackendMSALManagedServiceIdentityBasic (0.00s)
=== RUN   TestBackendMSALServicePrincipalClientCertificateBasic
   backend_test.go:320: Skipping since `ARM_CLIENT_CERTIFICATE_PATH` is not specified!
--- SKIP: TestBackendMSALServicePrincipalClientCertificateBasic (0.00s)
=== RUN   TestBackendMSALServicePrincipalClientSecretBasic
--- PASS: TestBackendMSALServicePrincipalClientSecretBasic (113.41s)
=== RUN   TestBackendMSALServicePrincipalClientSecretCustomEndpoint
   backend_test.go:388: Skipping as ARM_ENDPOINT isn't configured
--- SKIP: TestBackendMSALServicePrincipalClientSecretCustomEndpoint (0.00s)
=== RUN   TestBackendAccessKeyLocked
--- PASS: TestBackendAccessKeyLocked (105.80s)
=== RUN   TestBackendServicePrincipalLocked
--- PASS: TestBackendServicePrincipalLocked (105.39s)
=== RUN   TestRemoteClient_impl
--- PASS: TestRemoteClient_impl (0.00s)
=== RUN   TestRemoteClientAccessKeyBasic
--- PASS: TestRemoteClientAccessKeyBasic (101.15s)
=== RUN   TestRemoteClientManagedServiceIdentityBasic
   helpers_test.go:38: Skipping test since not running in Azure
--- SKIP: TestRemoteClientManagedServiceIdentityBasic (0.00s)
=== RUN   TestRemoteClientSasTokenBasic
--- PASS: TestRemoteClientSasTokenBasic (101.25s)
=== RUN   TestRemoteClientServicePrincipalBasic
--- PASS: TestRemoteClientServicePrincipalBasic (102.12s)
=== RUN   TestRemoteClientAccessKeyLocks
--- PASS: TestRemoteClientAccessKeyLocks (101.11s)
=== RUN   TestRemoteClientServicePrincipalLocks
--- PASS: TestRemoteClientServicePrincipalLocks (105.56s)
=== RUN   TestPutMaintainsMetaData
--- PASS: TestPutMaintainsMetaData (101.07s)
PASS
ok  	github.com/hashicorp/terraform/internal/backend/remote-state/azure	1462.183s
```

Member

@jackofallops jackofallops left a comment

LGTM 👍

Member

@manicminer manicminer left a comment

Awesome, thanks @tombuildsstuff. Just a couple small wording suggestions but otherwise LGTM 👍

internal/backend/remote-state/azure/backend.go Outdated
website/docs/language/settings/backends/azurerm.html.md Outdated
tombuildsstuff and others added 5 commits November 17, 2021 20:24
Co-authored-by: Tom Bamford <tbamford@hashicorp.com>
@katbyte katbyte added this to the v1.1.0 milestone Nov 17, 2021
@katbyte katbyte merged commit 8f97992 into main Nov 17, 2021
@katbyte katbyte deleted the f/azure-backend-updates branch November 17, 2021 21:16
@lafentres lafentres mentioned this pull request Nov 18, 2021
@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 18, 2021