Use latest go-azure-helpers with TenantOnly support for CLI authentic…

…ation

go.mod

@@ -1,12 +1,13 @@
 module github.com/terraform-providers/terraform-provider-azuread
 
 require (
-	github.com/Azure/azure-sdk-for-go v45.0.0+incompatible
-	github.com/Azure/go-autorest/autorest v0.11.3
+	github.com/Azure/azure-sdk-for-go v47.1.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.11.10
 	github.com/Azure/go-autorest/autorest/date v0.3.0
 	github.com/google/uuid v1.1.1
-	github.com/hashicorp/go-azure-helpers v0.12.0
+	github.com/hashicorp/go-azure-helpers v0.13.0
 	github.com/hashicorp/go-uuid v1.0.1
+	github.com/hashicorp/go-version v1.2.1 // indirect
 	github.com/hashicorp/terraform-plugin-sdk v1.6.0
 )
 

go.sum

@@ -9,18 +9,27 @@ cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbf
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 github.com/Azure/azure-sdk-for-go v45.0.0+incompatible h1:/bZYPaJLCqXeCqQqEeEIQg/p7RNafOhaVFhC6IWxZ/8=
 github.com/Azure/azure-sdk-for-go v45.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v47.1.0+incompatible h1:D6MsWmsxF+pEjN/yZDyKXoUrsamdBdTlPedIgBlvVx4=
+github.com/Azure/azure-sdk-for-go v47.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.3 h1:fyYnmYujkIXUgv88D9/Wo2ybE4Zwd/TmQd5sSI5u2Ws=
 github.com/Azure/go-autorest/autorest v0.11.3/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
+github.com/Azure/go-autorest/autorest v0.11.10 h1:j5sGbX7uj1ieYYkQ3Mpvewd4DCsEQ+ZeJpqnSM9pjnM=
+github.com/Azure/go-autorest/autorest v0.11.10/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
 github.com/Azure/go-autorest/autorest/adal v0.9.0 h1:SigMbuFNuKgc1xcGhaeapbh+8fgsu+GxgDRFyg7f5lM=
 github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
+github.com/Azure/go-autorest/autorest/adal v0.9.5 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0=
+github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/azure/cli v0.4.0 h1:Ml+UCrnlKD+cJmSzrZ/RDcDw86NjkRUpnFh7V5JUhzU=
 github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 h1:dMOmEJfkLKW/7JsokJqkyoYSgmR08hi9KrhjZb+JALY=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM=
 github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/mocks v0.4.0 h1:z20OWOSG5aCye0HEkDp6TPmP17ZcfeMxPi6HnSALa8c=
 github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
 github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
 github.com/Azure/go-autorest/autorest/validation v0.3.0 h1:3I9AAI63HfcLtphd9g39ruUwRI+Ca+z/f36KHPFRUss=
@@ -63,6 +72,8 @@ github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TR
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
@@ -96,6 +107,10 @@ github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/U
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-azure-helpers v0.12.0 h1:7D0mFSyP3EfHu1ySubserIsnUWY87HMzzTWOB7ASwRU=
 github.com/hashicorp/go-azure-helpers v0.12.0/go.mod h1:Zc3v4DNeX6PDdy7NljlYpnrdac1++qNW0I4U+ofGwpg=
+github.com/hashicorp/go-azure-helpers v0.13.0 h1:Gm1g5atSCHhQUoNGAotLB1o5mzg01RXi/zFQjDGGoiA=
+github.com/hashicorp/go-azure-helpers v0.13.0/go.mod h1:NifBbLJtyUxdQrRVmIfr0VykEXZIlq3YfHFpFdyp7qY=
+github.com/hashicorp/go-azure-helpers v0.13.1-0.20201118193114-9a87bedaab4e h1:HgaNYUTkyArNsOFYl0zULpJwBfQydcZ0J8zUZJzmf2s=
+github.com/hashicorp/go-azure-helpers v0.13.1-0.20201118193114-9a87bedaab4e/go.mod h1:rNqsniDSSRU2jBJrrtXVNhgZChqrrfWyHKAmXFIOTZQ=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
@@ -115,6 +130,8 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.2.1 h1:zEfKbn2+PDgroKdiOzqiE8rsmLqU2uwi5PB5pBJ3TkI=
+github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -211,6 +228,9 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897 h1:pLI5jrR7OSLijeIDcmRxNmw2api+jEfxLoykJVice/E=
+golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=

internal/clients/builder.go

@@ -19,7 +19,7 @@ type ClientBuilder struct {
 
 // Build is a helper method which returns a fully instantiated *AadClient based on the auth Config's current settings.
 func (b *ClientBuilder) Build(ctx context.Context) (*AadClient, error) {
-	env, err := authentication.AzureEnvironmentByNameFromEndpoint(ctx, b.AuthConfig.MetadataURL, b.AuthConfig.Environment)
+	env, err := authentication.AzureEnvironmentByNameFromEndpoint(ctx, b.AuthConfig.MetadataHost, b.AuthConfig.Environment)
 	if err != nil {
 		return nil, err
 	}
@@ -36,7 +36,6 @@ func (b *ClientBuilder) Build(ctx context.Context) (*AadClient, error) {
 
 	// client declarations:
 	client := AadClient{
-		SubscriptionID:   b.AuthConfig.SubscriptionID,
 		ClientID:         b.AuthConfig.ClientID,
 		ObjectID:         objectID,
 		TenantID:         b.AuthConfig.TenantID,

internal/clients/client.go

@@ -13,7 +13,6 @@ type AadClient struct {
 	// todo move this to an "Account" struct as in azurerm?
 	ClientID         string
 	ObjectID         string
-	SubscriptionID   string
 	TenantID         string
 	TerraformVersion string
 	Environment      azure.Environment

internal/provider/provider.go

@@ -146,8 +146,7 @@ func providerConfigure(p *schema.Provider) schema.ConfigureFunc {
 			ClientID:           d.Get("client_id").(string),
 			ClientSecret:       d.Get("client_secret").(string),
 			TenantID:           d.Get("tenant_id").(string),
-			SubscriptionID:     d.Get("tenant_id").(string), // TODO: delete in v1.1
-			MetadataURL:        d.Get("metadata_host").(string),
+			MetadataHost:       d.Get("metadata_host").(string),
 			Environment:        d.Get("environment").(string),
 			MsiEndpoint:        d.Get("msi_endpoint").(string),
 			ClientCertPassword: d.Get("client_certificate_password").(string),
@@ -158,37 +157,34 @@ func providerConfigure(p *schema.Provider) schema.ConfigureFunc {
 			SupportsClientSecretAuth:       true,
 			SupportsManagedServiceIdentity: d.Get("use_msi").(bool),
 			SupportsAzureCliToken:          true,
-			//TenantOnly:                     true, // TODO: enable in v1.1
+			TenantOnly:                     true,
 		}
 
-		config, err := builder.Build()
-		if err != nil {
-			return nil, fmt.Errorf("building AzureAD Client: %s", err)
-		}
-
-		terraformVersion := p.TerraformVersion
-		if terraformVersion == "" {
-			// Terraform 0.12 introduced this field to the protocol
-			// We can therefore assume that if it's missing it's 0.10 or 0.11
-			terraformVersion = "0.11+compatible"
-		}
+		return buildClient(p, builder)
+	}
+}
 
-		clientBuilder := clients.ClientBuilder{
-			AuthConfig:       config,
-			TerraformVersion: terraformVersion,
-		}
+func buildClient(p *schema.Provider, b *authentication.Builder) (*clients.AadClient, error) {
+	config, err := b.Build()
+	if err != nil {
+		return nil, fmt.Errorf("building AzureAD Client: %s", err)
+	}
 
-		client, err := clientBuilder.Build(p.StopContext())
-		if err != nil {
-			return nil, err
-		}
+	clientBuilder := clients.ClientBuilder{
+		AuthConfig:       config,
+		TerraformVersion: p.TerraformVersion,
+	}
 
-		// replaces the context between tests
-		p.MetaReset = func() error { //nolint unparam
-			client.StopContext = p.StopContext()
-			return nil
-		}
+	client, err := clientBuilder.Build(p.StopContext())
+	if err != nil {
+		return nil, err
+	}
 
-		return client, nil
+	// replaces the context between tests
+	p.MetaReset = func() error { //nolint unparam
+		client.StopContext = p.StopContext()
+		return nil
 	}
+
+	return client, nil
 }

internal/provider/provider_test.go

@@ -3,7 +3,9 @@ package provider
 import (
 	"testing"
 
+	"github.com/hashicorp/go-azure-helpers/authentication"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
 )
 
 func TestProvider(t *testing.T) {
@@ -15,3 +17,52 @@ func TestProvider(t *testing.T) {
 func TestProvider_impl(t *testing.T) {
 	var _ = AzureADProvider()
 }
+
+func TestProvider_cliAuth(t *testing.T) {
+	provider := AzureADProvider().(*schema.Provider)
+	provider.ConfigureFunc = func(d *schema.ResourceData) (interface{}, error) {
+
+		// Support only Azure CLI authentication
+		builder := &authentication.Builder{
+			TenantID:              d.Get("tenant_id").(string),
+			MetadataHost:          d.Get("metadata_host").(string),
+			Environment:           d.Get("environment").(string),
+			SupportsAzureCliToken: true,
+			TenantOnly:            true,
+		}
+
+		return buildClient(provider, builder)
+	}
+
+	err := provider.Configure(terraform.NewResourceConfigRaw(nil))
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+}
+
+func TestProvider_servicePrincipalAuth(t *testing.T) {
+	provider := AzureADProvider().(*schema.Provider)
+	provider.ConfigureFunc = func(d *schema.ResourceData) (interface{}, error) {
+
+		// Support only Service Principal authentication (certificate or secret)
+		builder := &authentication.Builder{
+			ClientID:                 d.Get("client_id").(string),
+			ClientSecret:             d.Get("client_secret").(string),
+			TenantID:                 d.Get("tenant_id").(string),
+			MetadataHost:             d.Get("metadata_host").(string),
+			Environment:              d.Get("environment").(string),
+			ClientCertPassword:       d.Get("client_certificate_password").(string),
+			ClientCertPath:           d.Get("client_certificate_path").(string),
+			SupportsClientCertAuth:   true,
+			SupportsClientSecretAuth: true,
+			TenantOnly:               true,
+		}
+
+		return buildClient(provider, builder)
+	}
+
+	err := provider.Configure(terraform.NewResourceConfigRaw(nil))
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+}