Add Azure AD authentication support #52
Conversation
Just to mention it here as well: I opened a PR with an alternative approach in #54. I use the same approach as the @younux I definitely don't mean to diminish your work, but I had to fix this ASAP for ourselves anyway, so I thought to contribute our fix as well :).
Hello @SemMulder, I just want to mention that this is not a fix, this is a new feature. I had a look at your implementation, and I think that it is overkill for something simple. In my approach I kept things very simple (in code and in how to use it). I don't know your use case exactly, but I think that you can fall back to the case I implemented: connecting with a service principal and client credentials.
We are running Terraform in a CI/CD agent (with a corresponding service principal) for which it is impossible to retrieve the client credentials due to compliance. That means I would have to create a new service principal just for connecting to PostgreSQL. So it's possible to work around, but it's a trade-off.
@SemMulder What is your service principal in the CI using to authenticate to Azure? How do you authenticate against Azure in your CI? I don't get your use case. Something that could also help you if you want a solution ASAP is to build and push your provider to the Terraform registry under your namespace and start using it from now.
Using Managed Identities and the Az CLI within Azure DevOps YAML pipelines: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/azure_cli
This is what I'm currently doing :): https://registry.terraform.io/providers/SemMulder/postgresql/latest The "ASAP" was meant for the internal timeline, not for this PR ;).
@SemMulder If I understand correctly: you have some VMs where you deployed Azure DevOps private agents (because I don't think managed identity is supported in the shared agents), you are assigning managed identities to your VMs, and then you use your managed identity to authenticate against Azure, right? So why don't you add, next to the service principal case I implemented, the case of a managed identity using https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#NewDefaultAzureCredential? It would be simple and efficient. In your PR #54, you are doing a lot of things and I don't understand why we need all those changes (changing some function signatures, checking many cases like Azure Gov, ...). Could you explain why, and give some examples of all the possibilities you implemented and where they are needed? This will help in understanding your changes.
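To make the suggestion in the comment above concrete, here is an added example (not code from this PR, #54, or the provider) of the pattern being discussed: obtain an Azure AD access token and hand it to PostgreSQL as the password. The `TokenSource` interface, the `staticToken` fake, the host name and the user name are assumptions of this example; the scope `https://ossrdbms-aad.database.windows.net/.default` is the documented Azure Database for PostgreSQL scope, and the commented adapter shows how an `azidentity.DefaultAzureCredential` would satisfy the interface. The example also refuses a token that is about to expire and forces `sslmode=require`, since the token travels as a password.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// TokenSource is the minimal credential surface this example needs. In a real
// provider it would be satisfied by wrapping *azidentity.DefaultAzureCredential
// (see the commented adapter below); that wiring is an assumption of this
// example, not the project's own code.
type TokenSource interface {
	GetToken(ctx context.Context, scopes []string) (token string, expiresOn time.Time, err error)
}

// Scope for Azure Database for PostgreSQL (documented Azure value).
const postgresScope = "https://ossrdbms-aad.database.windows.net/.default"

// Refuse tokens that would expire before a connection can realistically be
// established; the caller should fetch a fresh one instead.
const minTokenLifetime = 2 * time.Minute

// PostgresDSN builds a libpq-style URL whose password is an Azure AD access
// token. `now` is injected so the expiry check is deterministic in tests.
func PostgresDSN(ctx context.Context, src TokenSource, host string, port int, user, database string, now time.Time) (string, error) {
	token, expiresOn, err := src.GetToken(ctx, []string{postgresScope})
	if err != nil {
		return "", fmt.Errorf("acquire Azure AD token: %w", err)
	}
	if token == "" {
		return "", errors.New("credential returned an empty token")
	}
	if expiresOn.Sub(now) < minTokenLifetime {
		return "", fmt.Errorf("token expires at %s, too close to now (%s)", expiresOn.UTC(), now.UTC())
	}
	// JWTs are base64url plus '.', so url.UserPassword leaves them untouched;
	// any other character would be percent-encoded, which libpq decodes.
	u := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(user, token),
		Host:     fmt.Sprintf("%s:%d", host, port),
		Path:     "/" + database,
		RawQuery: "sslmode=require", // the token is a bearer secret: never send it in clear
	}
	return u.String(), nil
}

// staticToken is a constructed fake credential used here so the example runs
// offline; it stands in for the managed identity / service principal case.
type staticToken struct {
	token     string
	expiresOn time.Time
	err       error
}

func (s staticToken) GetToken(_ context.Context, _ []string) (string, time.Time, error) {
	return s.token, s.expiresOn, s.err
}

// Assumed adapter for the real SDK (left as a comment so this file builds with
// the standard library only):
//
//	type azureSource struct{ cred *azidentity.DefaultAzureCredential }
//
//	func (a azureSource) GetToken(ctx context.Context, scopes []string) (string, time.Time, error) {
//		tok, err := a.cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: scopes})
//		if err != nil {
//			return "", time.Time{}, err
//		}
//		return tok.Token, tok.ExpiresOn, nil
//	}
//
// where cred comes from azidentity.NewDefaultAzureCredential(nil), which tries
// environment client credentials, managed identity and the Azure CLI in turn.

func main() {
	now := time.Now()
	src := staticToken{token: "constructed.fake.token", expiresOn: now.Add(time.Hour)}
	dsn, err := PostgresDSN(context.Background(), src, "example.postgres.database.azure.com", 5432, "ci-agent-identity", "appdb", now)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(dsn)
}
```

With the real adapter in place, the same `PostgresDSN` call works unchanged on a VM with a managed identity, in a pipeline with `AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET`/`AZURE_TENANT_ID` set, or on a developer machine logged in with the Azure CLI, because `DefaultAzureCredential` picks the first source that succeeds.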
That's correct. These build agents are managed by another team in the company though.
This might be a very good solution actually!
I assume you are referring to the
In general: some stuff might fail now, that's why I return an I'm sure we can find a middle ground here: the I think if we adapt the #52 to use
@younux @SemMulder Thanks to both of you for your work on this. It's a bit hard for me to compare and test them as I have almost never used Azure (I don't even have a personal account) and it would take me a long time to understand how Azure authentication works. Could you agree on what should be done and propose/adapt a PR that works for all your use cases? Thanks in advance.
I am closing the pull request because it is taking a lot of time to get feedback.
Hello,
Here is a proposition to add Azure AD authentication support as suggested in #37
I want to add an acceptance test for it but an Azure subscription is needed.
Best regards,