Support for OIDC Authentication

[SudoSpartanDan]

Closes #16554

@manicminer Let me know if this looks good to you

Depends on hashicorp/go-azure-helpers#115

[manicminer]

@SudoSpartanDan Thanks for looking at this! I actually have a working prototype on the oidc-auth branch but I will happily take a look through this and pick up any bits that I might have missed :D

[manicminer]

@SudoSpartanDan Thanks again for the work on this! This is looking great, I've made some suggestions below mostly around naming. If you can take a look at these, this should be good to merge once the corresponding changes to the Azure remote state backend are also readied for release.

[SudoSpartanDan]

@SudoSpartanDan Thanks again for the work on this! This is looking great, I've made some suggestions below mostly around naming. If you can take a look at these, this should be good to merge once the corresponding changes to the Azure remote state backend are also readied for release.

Sounds good! I went ahead and committed your suggestions, I'll keep an eye out for this PR until the azurerm backend changes are ready to go as well.

[manicminer]

@SudoSpartanDan Thanks for updating. You can go ahead and vendor v0.31.1 of go-azure-helpers now, this completes the OIDC support. Thanks!

[SudoSpartanDan]

@manicminer updated!

[sigurdfalk]

@SudoSpartanDan @manicminer I have tracked this issue some time and are very pleased to see you have come up with a solution 👑 🚀 Just wondering if we are still waiting for something since this was added to the "Future" milestone, or if you have some ballpark idea of when we can expect to see this feature released?

[manicminer]

This will be merged when Terraform v1.2 is released, as it requires updates to the Azure remote state backend to support OIDC.

[rhyspaterson]

Terraform 1.2 now released!

https://github.com/hashicorp/terraform/releases/tag/v1.2.0

[tombuildsstuff]

hey @SudoSpartanDan

Thanks for this PR - as has been mentioned above, Terraform Core 1.2 has now been released as such we can look at shipping this in the Provider now 👍

I've taken a look through and left a handful of documentation related comments inline, but if we can fix those up then this otherwise LGTM 👍

Thanks!

[SudoSpartanDan]

@tombuildsstuff Thanks, committed and ready to go! 🚀

dismissing since changes have been pushed

[stevengonsalvez]

When will this appear in a a release ? or is there a clean way to point to "main" (latest) for the provider ?

[github-actions]

This functionality has been released in v3.7.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[ekristen]

Since this was recently merged, I'll ask here, this appears to only implement a specific GitHub Token OIDC implementation not an actual generic OIDC or Kubernetes Federated OIDC that Azure Service Principals support? Can the someone confirm or deny this? If its suppose to be OIDC do we have any working examples that are not GitHub? If not perhaps this needs to be renamed to GitHub Token OIDC Support?

[SudoSpartanDan]

Since this was recently merged, I'll ask here, this appears to only implement a specific GitHub Token OIDC implementation not an actual generic OIDC or Kubernetes Federated OIDC that Azure Service Principals support? Can the someone confirm or deny this? If its suppose to be OIDC do we have any working examples that are not GitHub? If not perhaps this needs to be renamed to GitHub Token OIDC Support?

By design, yes, it uses the GitHub environment variables for this by default, but should be able to support OIDC with other trusted entities. Two variables in the provider configuration are used for this: oidc_request_token and oidc_request_token. Right now, the only use case we have to document is GitHub Actions, but if you have another use case that this can be used by, feel free to drop a PR adding that example in :)

[ekristen]

@SudoSpartanDan I ended up opening up two issues because unfortunately the "but should be able to support OIDC with other trusted entities" isn't correct as far as I can tell, the GitHub implementation only works with GitHub.

I won't re-hash it here, but I opened #16900 and #16901

As for use cases, I'd like to use actual OIDC instead of GitHub Tokens. Specifically Kubernetes Federation.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.