From fdddfeeb9ae56df1188f1e44b02cb942c58da44c Mon Sep 17 00:00:00 2001
From: Thomas Kappler
Date: Wed, 29 Nov 2023 15:29:55 +0100
Subject: [PATCH] Enable and test OIDC support (#580)

The dependencies this provider uses to authenticate to Azure already support OIDC. This PR enables the configuration, and adds an e2e test that authenticates to Azure via OIDC.

Also, it fixes an unrelated old bug I spotted where the wrong config key was used for MSI configuration.
---
 .ci-mgmt.yaml | 12 +++-
 .github/workflows/command-dispatch.yml | 7 ++-
 .github/workflows/license.yml | 7 ++-
 .github/workflows/lint.yml | 7 ++-
 .github/workflows/master.yml | 7 ++-
 .github/workflows/nightly-test.yml | 7 ++-
 .github/workflows/prerelease.yml | 7 ++-
 .github/workflows/pull-request.yml | 7 ++-
 .github/workflows/release.yml | 7 ++-
 .github/workflows/resync-build.yml | 7 ++-
 .github/workflows/run-acceptance-tests.yml | 7 ++-
 examples/examples_nodejs_test.go | 25 ++++++++
 examples/simple/index.ts | 2 +-
 examples/simple/package.json | 4 +-
 provider/go.mod | 4 +-
 provider/go.sum | 8 +--
 provider/resources.go | 72 +++++++--------------
 17 files changed, 105 insertions(+), 92 deletions(-)

diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml
index 14f2ab86c..c62eb1872 100644
--- a/.ci-mgmt.yaml
+++ b/.ci-mgmt.yaml
@@ -2,11 +2,17 @@ provider: azuread
 major-version: 5
 generate-nightly-test-workflow: true
 env:
-  ARM_CLIENT_ID: "30e520fa-12b4-4e21-b473-9426c5ac2e1e"
+  ARM_CLIENT_ID: "d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c" # test-app
   ARM_ENVIRONMENT: "public"
   ARM_SUBSCRIPTION_ID: "0282681f-7a9e-424b-80b2-96babd57a8a1"
-  ARM_TENANT_ID: "706143bc-e1d4-4593-aee2-c9dc60ab9be7"
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_TENANT_ID: "9605c22c-e585-4ea3-9b83-e90339719f8a" # pulumici.onmicrosoft.com
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
+
+  # Setting this variable will cause the OIDC test(s) to run against this app.
+  # We limit running the OIDC tests to PRs because the AD configuration requires an "Entity type" of Environment,
+  # Branch, Pull request, or Tag. See
+  # https://learn.microsoft.com/en-us/azure/active-directory/workload-identities/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#github-actions
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
 makeTemplate: bridged
 team: ecosystem
 plugins:
diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml
index d1f81ed74..f63168ef9 100644
--- a/.github/workflows/command-dispatch.yml
+++ b/.github/workflows/command-dispatch.yml
@@ -2,11 +2,11 @@
 env:
   PROVIDER: azuread
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
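Review bot: The gate `RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}` also evaluates to `true` for pull requests opened from forks, where GitHub issues no OIDC token, and none of the workflow hunks in this patch show a `permissions: id-token: write` grant; unless that permission is already set at job level elsewhere, `ACTIONS_ID_TOKEN_REQUEST_URL`/`ACTIONS_ID_TOKEN_REQUEST_TOKEN` will be absent and the OIDC test will fail instead of skipping. Restrict the gate to same-repository PRs, `RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && 'true' || '' }}`, and confirm the job-level `permissions` block in the generated workflows. The comment block above it would be more useful if it also recorded the trust scope, e.g. `# The test-app federated credential is scoped to entity type "Pull request" on this repo, so it grants nothing outside PR runs.`. The client, tenant and subscription IDs committed here are identifiers rather than secrets, so checking them in is fine; only `ARM_CLIENT_SECRET_CI` must stay in the secret store.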
@@ -26,6 +26,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
index c5b500bec..2354a1a83 100644
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -8,11 +8,11 @@ on:
 env:
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -32,6 +32,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5bb5c9124..16eaf5e34 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,11 +7,11 @@ on:
     inputs: {}
 env:
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -31,6 +31,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 7698d3b72..7107ecb63 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -2,11 +2,11 @@
 env:
   PROVIDER: azuread
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -26,6 +26,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/nightly-test.yml b/.github/workflows/nightly-test.yml
index b50a13ad2..0f14b5d69 100644
--- a/.github/workflows/nightly-test.yml
+++ b/.github/workflows/nightly-test.yml
@@ -2,11 +2,11 @@
 env:
   PROVIDER: azuread
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -26,6 +26,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index 0297603cd..faec59d09 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -3,11 +3,11 @@
 env:
   PROVIDER: azuread
   IS_PRERELEASE: true
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -27,6 +27,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 6c77cc87c..09d8eeb07 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -2,11 +2,11 @@
 env:
   PROVIDER: azuread
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -26,6 +26,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 46ad3cc4f..f6d906bab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,11 +2,11 @@
 env:
   PROVIDER: azuread
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -26,6 +26,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/resync-build.yml b/.github/workflows/resync-build.yml
index 140a851d5..ad5c5d8cb 100644
--- a/.github/workflows/resync-build.yml
+++ b/.github/workflows/resync-build.yml
@@ -4,11 +4,11 @@ env:
   PROVIDER: azuread
   PULUMI_EXTRA_MAPPING_ERROR: true
   PULUMI_MISSING_MAPPING_ERROR: true
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -28,6 +28,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
index 6e7500a65..8630679c0 100644
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -3,11 +3,11 @@
 env:
   PROVIDER: azuread
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_CLIENT_ID: d3b6ec3a-36fe-46c9-b3d9-5856a2e0e73c
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET_CI }}
   ARM_ENVIRONMENT: public
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_TENANT_ID: 9605c22c-e585-4ea3-9b83-e90339719f8a
   DOTNETVERSION: |
     6.0.x
     3.1.301
@@ -27,6 +27,7 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
   PYTHONVERSION: "3.9"
+  RUN_OIDC_TESTS: ${{ github.event_name == 'pull_request' && 'true' || '' }}
   SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go
index 6dc846a9d..645a194a3 100644
--- a/examples/examples_nodejs_test.go
+++ b/examples/examples_nodejs_test.go
@@ -1,9 +1,11 @@
 // Copyright 2016-2017, Pulumi Corporation. All rights reserved.
+//go:build nodejs || all
 // +build nodejs all
 
 package examples
 
 import (
+	"os"
 	"path"
 	"testing"
@@ -38,3 +40,26 @@ func TestSimple(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
+
+// The same test than the above, but authenticating via OIDC.
+func TestSimple_OIDC(t *testing.T) {
+	if os.Getenv("RUN_OIDC_TESTS") != "true" {
+		t.Skip("Skipping OIDC test without OIDC_ARM_CLIENT_ID")
+	}
+
+	test := getJSBaseOptions(t).
+		With(integration.ProgramTestOptions{
+			Dir: path.Join(getCwd(t), "simple"),
+			Env: []string{
+				"ARM_USE_OIDC=true",
+				// not strictly necessary but making sure we test the OIDC path
+				"ARM_CLIENT_SECRET=",
+			},
+			RunUpdateTest: true,
+			Secrets: map[string]string{
+				"password": "SecretP@sswd99!",
+			},
+		})
+
+	integration.ProgramTest(t, &test)
+}
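Review bot: The skip message in `TestSimple_OIDC` names the wrong variable: the guard reads `RUN_OIDC_TESTS`, but the message says `Skipping OIDC test without OIDC_ARM_CLIENT_ID`, which will send anyone debugging a skipped CI run looking for a variable that is never consulted; change it to `t.Skip("Skipping OIDC test: RUN_OIDC_TESTS is not \"true\"")`. The `"ARM_CLIENT_SECRET="` entry in `Env` is meant to force the OIDC path, but the provider still has client-secret auth enabled, so if the harness appends `Env` to the inherited environment and the inherited `ARM_CLIENT_SECRET` wins on the duplicate key, the run can authenticate with the secret and pass without ever exercising OIDC; clearing it in the test process with `t.Setenv("ARM_CLIENT_SECRET", "")` before building the options removes that ambiguity. `SecretP@sswd99!` is a fixture password for a throwaway directory user and is routed through `Secrets`, which is acceptable for a test, but a comment such as `// throwaway password for the test user; never reuse it elsewhere` would keep it from being copied. The doc comment should also read `// The same test as the above, but authenticating via OIDC.`.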
diff --git a/examples/simple/index.ts b/examples/simple/index.ts
index beefac495..2fdd18db9 100644
--- a/examples/simple/index.ts
+++ b/examples/simple/index.ts
@@ -18,7 +18,7 @@ const user = new azuread.User("me", {
     displayName: serverRandomPet.id,
     mailNickname: randomString.result,
     password: password,
-    userPrincipalName: pulumi.interpolate`${randomString.result}@pulumi.onmicrosoft.com`,
+    userPrincipalName: pulumi.interpolate`${randomString.result}@pulumici.onmicrosoft.com`,
 });
 
 export const userid: pulumi.Output = user.id;
diff --git a/examples/simple/package.json b/examples/simple/package.json
index d79ca6c66..d53f326b7 100644
--- a/examples/simple/package.json
+++ b/examples/simple/package.json
@@ -4,10 +4,10 @@
   "dependencies": {
     "@pulumi/pulumi": "^3.0.0",
     "@pulumi/random": "^4.0.0",
-    "@pulumi/azuread": "^2.0.0"
+    "@pulumi/azuread": "^5.0.0"
   },
   "devDependencies": {
-    "@types/node": "^10.0.0"
+    "@types/node": "^18.0.0"
   },
   "license": "Apache 2.0"
 }
diff --git a/provider/go.mod b/provider/go.mod
index 0710a9315..81c48ee7b 100644
--- a/provider/go.mod
+++ b/provider/go.mod
@@ -3,7 +3,7 @@ module github.com/pulumi/pulumi-azuread/provider/v5
 go 1.21.3
 
 require (
-	github.com/hashicorp/go-azure-sdk v0.20231018.1171511
+	github.com/hashicorp/go-azure-sdk v0.20231117.1130141
 	github.com/hashicorp/terraform-provider-azuread/shim v0.0.0
 	github.com/pulumi/pulumi-terraform-bridge/v3 v3.66.0
 	github.com/pulumi/pulumi/sdk/v3 v3.94.2
@@ -105,7 +105,7 @@ require (
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-azure-helpers v0.62.0 // indirect
+	github.com/hashicorp/go-azure-helpers v0.63.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect
diff --git a/provider/go.sum b/provider/go.sum
index fef69c026..4fe7b245e 100644
--- a/provider/go.sum
+++ b/provider/go.sum
@@ -1548,11 +1548,11 @@ github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-azure-helpers v0.55.0/go.mod h1:RQugkG8wEcNIjYmcBLHpuEI/u2mTJwO4r37rR/OKRpo=
-github.com/hashicorp/go-azure-helpers v0.62.0 h1:3Ob1yFAO71Pbdnm14HUI4dGZUaO/Nqmncu5cKMGsDBg=
-github.com/hashicorp/go-azure-helpers v0.62.0/go.mod h1:ELmZ65vzHJNTk6ml4jsPD+xq2gZb7t78D35s+XN02Kk=
+github.com/hashicorp/go-azure-helpers v0.63.0 h1:7bYnYZsqzPjxVevi0z8Irwp5DwS8okLcaA183DQAcmY=
+github.com/hashicorp/go-azure-helpers v0.63.0/go.mod h1:ELmZ65vzHJNTk6ml4jsPD+xq2gZb7t78D35s+XN02Kk=
 github.com/hashicorp/go-azure-sdk v0.20230331.1143618/go.mod h1:L9JXVUcnL0GjMizCnngYUlMp1lLhDBNgSTvn6Of/5O4=
-github.com/hashicorp/go-azure-sdk v0.20231018.1171511 h1:n+i2b1vZ5FX/KiIvRgKtMbUAPB2aGxUrAsS0PilCcMo=
-github.com/hashicorp/go-azure-sdk v0.20231018.1171511/go.mod h1:3IQjdvuhEckMgdWpvQs4e4VdiiRLIm4z82kO814t/Lw=
+github.com/hashicorp/go-azure-sdk v0.20231117.1130141 h1:JhWOkTga5fKzhBz9XJGV5wDkgJsOyLE8wSx/TmjRUkQ=
+github.com/hashicorp/go-azure-sdk v0.20231117.1130141/go.mod h1:mdU6Hrw1jPiwBFmENOcjRlkMWi6yRI0Tt+p4vmPvc0g=
 github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU=
 github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
diff --git a/provider/resources.go b/provider/resources.go
index a275ceb97..ef1ef0e84 100644
--- a/provider/resources.go
+++ b/provider/resources.go
@@ -19,7 +19,6 @@ import (
 	// embed is used to store bridge-metadata.json in the compiled binary
 	_ "embed"
 	"fmt"
-	"os"
 	"path/filepath"
 	"unicode"
@@ -74,43 +73,12 @@ func makeResource(mod string, res string) tokens.Type {
 // managedByPulumi is a default used for some managed resources, in the absence of something more meaningful.
 // var managedByPulumi = &tfbridge.DefaultInfo{Value: "Managed by Pulumi"}
 
-// stringValue gets a string value from a property map, then from environment vars;
-// if neither are present, returns empty string ""
-func stringValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []string) string {
-	val, ok := vars[prop]
-	if ok && val.IsString() {
-		return val.StringValue()
-	}
-	for _, env := range envs {
-		val, ok := os.LookupEnv(env)
-		if ok {
-			return val
-		}
-	}
-	return ""
-}
-
-// boolValue takes a bool value from a property map, then from environment vars; defaults to false
-func boolValue(vars resource.PropertyMap, prop resource.PropertyKey, envs []string) bool {
-	val, ok := vars[prop]
-	if ok && val.IsBool() {
-		return val.BoolValue()
-	}
-	for _, env := range envs {
-		val, ok := os.LookupEnv(env)
-		if ok && val == "true" {
-			return true
-		}
-	}
-	return false
-}
-
 // preConfigureCallback returns an error when cloud provider setup is misconfigured
 //
 // nolint: lll
 func preConfigureCallback(vars resource.PropertyMap, c tfshim.ResourceConfig) error {
-	envName := stringValue(vars, "environment", []string{"ARM_ENVIRONMENT"})
+	envName := tfbridge.ConfigStringValue(vars, "environment", []string{"ARM_ENVIRONMENT"})
 	if envName == "" {
 		envName = "public"
 	}
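Review bot: Replacing the deleted `stringValue`/`boolValue` helpers with `tfbridge.ConfigStringValue`/`ConfigBoolValue` may change how environment input is interpreted, and the hunk gives no evidence either way: the removed `boolValue` accepted only the literal string `"true"` from an env var, and the removed `stringValue` returned an env var that was set but empty. If the bridge helpers parse booleans more liberally or skip empty values, inputs such as `ARM_USE_MSI=1` or a deliberately blank `ARM_CLIENT_SECRET=` behave differently after this commit, and the new OIDC e2e test depends on exactly that blanking. Confirm the helper semantics and record them at the call site, e.g. `// tfbridge.ConfigBoolValue: env value must be exactly "true", matching the removed boolValue helper — confirmed <date>`. `preConfigureCallback` continues beyond the end of this hunk.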
@@ -120,28 +88,32 @@ func preConfigureCallback(vars resource.PropertyMap, c tfshim.ResourceConfig) er
 		return fmt.Errorf("failed to read Azure environment \"%s\": %v", envName, err)
 	}
 
+	useOIDC := tfbridge.ConfigBoolValue(vars, "useOidc", []string{"ARM_USE_OIDC"})
 	authConfig := auth.Credentials{
-		Environment: *env,
-		EnableAuthenticatingUsingClientSecret: true,
-		EnableAuthenticatingUsingAzureCLI: true,
-		TenantID: stringValue(vars, "tenantId", []string{"ARM_TENANT_ID"}),
-		ClientID: stringValue(vars, "clientId", []string{"ARM_CLIENT_ID"}),
-		ClientSecret: stringValue(vars, "clientSecret", []string{"ARM_CLIENT_SECRET"}),
+		Environment: *env,
+		ClientID: tfbridge.ConfigStringValue(vars, "clientId", []string{"ARM_CLIENT_ID"}),
+		ClientSecret: tfbridge.ConfigStringValue(vars, "clientSecret", []string{"ARM_CLIENT_SECRET"}),
+		TenantID: tfbridge.ConfigStringValue(vars, "tenantId", []string{"ARM_TENANT_ID"}),
+		AuxiliaryTenantIDs: tfbridge.ConfigArrayValue(vars, "auxiliaryTenantIDs", []string{"ARM_AUXILIARY_TENANT_IDS"}),
 
-		EnableAuthenticatingUsingClientCertificate: true,
 		// We don't handle ClientCertData yet, which is the actual base-64 encoded cert in config
-		ClientCertificatePassword: stringValue(vars, "clientCertificatePassword", []string{"ARM_CLIENT_CERTIFICATE_PASSWORD"}),
-		ClientCertificatePath: stringValue(vars, "clientCertificatePath", []string{"ARM_CLIENT_CERTIFICATE_PATH"}),
+		ClientCertificatePath: tfbridge.ConfigStringValue(vars, "clientCertificatePath", []string{"ARM_CLIENT_CERTIFICATE_PATH"}),
+		ClientCertificatePassword: tfbridge.ConfigStringValue(vars, "clientCertificatePassword", []string{"ARM_CLIENT_CERTIFICATE_PASSWORD"}),
 
-		EnableAuthenticatingUsingManagedIdentity: boolValue(vars, "msiEndpoint", []string{"ARM_USE_MSI"}),
-		CustomManagedIdentityEndpoint: stringValue(vars, "msiEndpoint", []string{"ARM_MSI_ENDPOINT"}),
+		CustomManagedIdentityEndpoint: tfbridge.ConfigStringValue(vars, "msiEndpoint", []string{"ARM_MSI_ENDPOINT"}),
 
-		// The configuration below would enable OIDC auth which we haven't tested and documented yet.
-		//FederatedAssertion: idToken,
-		//IDTokenRequestURL: d.Get("oidc_request_url").(string),
-		//IDTokenRequestToken: d.Get("oidc_request_token").(string),
-		//EnableClientFederatedAuth: d.Get("use_oidc").(bool),
-		//EnableGitHubOIDCAuth: d.Get("use_oidc").(bool),
+		// OIDC section. The ACTIONS_ variables are set by GitHub.
+		GitHubOIDCTokenRequestToken: tfbridge.ConfigStringValue(vars, "oidcRequestToken", []string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"}),
+		GitHubOIDCTokenRequestURL: tfbridge.ConfigStringValue(vars, "oidcRequestUrl", []string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL"}),
+		OIDCAssertionToken: tfbridge.ConfigStringValue(vars, "oidcToken", []string{"ARM_OIDC_TOKEN"}),
+
+		// Feature Toggles
+		EnableAuthenticatingUsingClientCertificate: true,
+		EnableAuthenticatingUsingClientSecret: true,
+		EnableAuthenticatingUsingManagedIdentity: tfbridge.ConfigBoolValue(vars, "useMsi", []string{"ARM_USE_MSI"}),
+		EnableAuthenticatingUsingAzureCLI: true,
+		EnableAuthenticationUsingOIDC: useOIDC,
+		EnableAuthenticationUsingGitHubOIDC: useOIDC,
 	}
 
 	_, err = auth.NewAuthorizerFromCredentials(context.Background(), authConfig, env.MicrosoftGraph)
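Review bot: The config key `"auxiliaryTenantIDs"` on the `AuxiliaryTenantIDs` line does not follow the casing of every other key in this literal (`useOidc`, `useMsi`, `clientId`, `tenantId`, `oidcRequestUrl`), which are the bridge's camelCase form of the upstream snake_case names; if the bridged property is `auxiliaryTenantIds`, the property-map lookup never matches and only the `ARM_AUXILIARY_TENANT_IDS` env var works. Change it to `AuxiliaryTenantIDs: tfbridge.ConfigArrayValue(vars, "auxiliaryTenantIds", []string{"ARM_AUXILIARY_TENANT_IDS"}),` and verify the name against the provider schema. Both `EnableAuthenticationUsingOIDC` and `EnableAuthenticationUsingGitHubOIDC` are driven by the single `useOIDC` flag while the request token/URL silently fall back to the runner-provided `ACTIONS_ID_TOKEN_REQUEST_*` variables, so a user who sets `ARM_USE_OIDC=true` inside an Actions job that has `id-token: write` will exchange the job's identity even if they intended to supply `ARM_OIDC_TOKEN`; which assertion wins when both are present is decided by the SDK, and the comment should say so, e.g. `// With useOidc set, both an explicit ARM_OIDC_TOKEN and the GitHub Actions token exchange are enabled; the SDK chooses the source — confirm precedence before relying on it`. The `"useMsi"` key on the managed-identity toggle replaces the old `"msiEndpoint"` lookup and is the bug fix the commit message describes.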