
Support full set of authentication configuration flags #546

Merged
merged 6 commits into from
Jul 30, 2024

Conversation

magodo
Collaborator

@magodo magodo commented Jul 26, 2024

Previously, there were some (though incomplete) authentication-related flags, e.g. --env and --use-azure-cli-cred. These flags only affected the behavior of aztfexport (e.g. listing resources) but weren't passed through to the providers. The providers' behavior was only affected by either the -provider-config flag or by their own environment.

The reason was that there are a bunch of provider-level properties (currently there are two providers). It would be a mess if we wrapped all these flags and provided a bunch of flags back to users, probably also having to mention which set of flags is only usable for the azurerm provider and which only for azapi.

However, from the standpoint of authentication, this separation brings a burden to users, who now need to take care of two parts: aztfexport and the provider. It would be much easier for them to regard both as a whole in terms of authentication. Reviewing the authentication flags of azurerm and azapi, they are actually quite the same. Based on this, we created this PR to wrap and expose all these authentication-related flags, which will affect both aztfexport and the providers.

Changes

The new flags (or existing flags that are now passed to the providers) are listed below:

  • env
  • tenant-id
  • auxiliary-tenant-ids
  • client-id
  • client-id-file-path
  • client-certificate
  • client-certificate-path
  • client-certificate-password
  • client-secret
  • client-secret-file-path
  • oidc-request-token
  • oidc-request-url
  • oidc-token
  • oidc-token-file-path
  • use-managed-identity-cred (defaults to false)
  • use-azure-cli-cred (defaults to true)
  • use-oidc-cred (defaults to false)

Note that the flags above follow the naming convention of the azurerm provider. All of them are configurable via environment variables as well, using the same env var names as are defined in the azurerm provider.

By default, aztfexport will attempt to authenticate with each of the credential types, in the following order, stopping when one provides a token:

  • Client secret
  • Client certificate
  • OIDC
  • Managed identity
  • Azure CLI

If a use-xxx-cred flag is not true, that credential type is skipped. This behavior is the same as the provider's. This changes the old behavior, where specifying any use-xxx-cred made aztfexport use that credential type exclusively. Also note that the old flag use-environment-cred is now removed.

The last thing to call out is that these new auth flags have lower priority than what is defined in provider-config, which means users can override any auth config for the provider in provider-config. This makes it possible for users to use different credential types for aztfexport and the provider.

Tests

With TF

  • Az CLI implicit sub
  • Az CLI explicit sub
  • (usgov) Az CLI implicit sub
  • Env var (client secret)
  • client secret
  • client secret path
  • client cert
  • client cert path
  • MSI
  • OIDC

Without TF

  • Az CLI implicit sub
  • Az CLI explicit sub
  • (usgov) Az CLI implicit sub

References

Fix #540

1. Flag `-use-environment-cred` is removed
2. The default credential behavior is:

    It attempts to authenticate with each of these credential types, in the following order, stopping when one provides a token:

    - ClientSecretCredential
    - ClientCertificateCredential
    - OIDCCredential
    - ManagedIdentityCredential
    - AzureCLICredential

3. In terms of the provider, the new auth flags have lower precedence than `-provider-config`
4. `use-managed-identity-cred`, `use-azure-cli-cred` and `use-oidc-cred` are not exclusive; they now affect the default credential behavior (if `false`, that credential type is skipped)
5. List all the newly added flags
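The credential chain described in the PR above, modelled as an added example (not aztfexport's or the Azure SDK's own code): the chain is built in the stated order, each `use-*-cred` flag skips its credential type when false rather than making it exclusive, and the first credential that yields a token wins. `AuthFlags`, `TokenFunc` and the credential names are hypothetical stand-ins.

```go
package main

import "errors"

// AuthFlags mirrors the three use-*-cred flags from the PR (hypothetical struct, not aztfexport's own).
type AuthFlags struct {
	UseManagedIdentityCred bool // defaults to false
	UseAzureCLICred        bool // defaults to true
	UseOIDCCred            bool // defaults to false
}

// BuildChain returns the credential types to attempt, in the order the PR lists.
// Client secret and certificate are always attempted; each use-*-cred flag,
// when false, drops its credential type from the chain instead of making it exclusive.
func BuildChain(f AuthFlags) []string {
	chain := []string{"ClientSecretCredential", "ClientCertificateCredential"}
	if f.UseOIDCCred {
		chain = append(chain, "OIDCCredential")
	}
	if f.UseManagedIdentityCred {
		chain = append(chain, "ManagedIdentityCredential")
	}
	if f.UseAzureCLICred {
		chain = append(chain, "AzureCLICredential")
	}
	return chain
}

// TokenFunc stands in for a credential's token acquisition; a credential that is
// not configured (e.g. no client-secret given) simply returns an error and the chain moves on.
type TokenFunc func() (string, error)

// FirstToken walks the chain and stops at the first credential that yields a token.
// It returns the credential type that succeeded, the token, or an error if none did.
func FirstToken(chain []string, creds map[string]TokenFunc) (string, string, error) {
	for _, c := range chain {
		if get, ok := creds[c]; ok {
			if tok, err := get(); err == nil {
				return c, tok, nil
			}
		}
	}
	return "", "", errors.New("no credential in the chain provided a token")
}
```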
@magodo magodo added the enhancement New feature or request label Jul 26, 2024
Member

@stemaMSFT stemaMSFT left a comment


In theory this makes tons of sense to me. I will let Heng review the code changes in more detail.

Member

@ms-henglu ms-henglu left a comment


Thanks for the PR. LGTM.

@magodo magodo merged commit 5743ff5 into Azure:main Jul 30, 2024
6 of 7 checks passed