MSI authentication doesn't populate object_id in azurerm_client_config

[SeanC2222]

The azurerm_client_config data block in the top level main of this module potentially creates a keyvault for which we need to allow access by the identity that Terraform is operating under so that it can populate keys/secrets/etc. The current implementation relies on retrieving data from the azurerm_client_config data block in that same module, however when using MSI to authenticate the provider doesn't populate the object_id as noted by hashicorp/terraform-provider-azurerm#7787 .

There's a few options:

1. Don't support MSI fully in module, and users configure their key vaults manually
2. Optionally receive the object_id as a variable and when present prefer that value
3. Use a data block to look up the MSI in Azure and retrieve the object_id from that data block when using MSI
4. Wait for the provider to fix the issue, if they ever do

[SeanC2222]

Currently the top level module accepts a use_msi_to_authenticate bool to flag if MSI is being used. If we instead allow for an optional map with several optional keys we could support both options 2 and 3 above. The use_msi_to_authenticate bool could be deprecated and we could rely on the presence of the MSI variable to indicate use_msi_to_authenticate. Further, the presence of an object_id in the map would indicate no lookup is necessary. Failing that, if a name/resource group name are provided the module could lookup the identity and provide the object_id from that data block.

Pseudocode of var

msi = {
  name = optional(string)
  resource_group_name = optional(string)
 
  object_id = optional(string)

  validations = (name && resource_group_name) || object_id
}