Previously, there were some (though incomplete) authentication-related flags, e.g. --env and --use-azure-cli-cred; these flags only affected the behavior of aztfexport (e.g. listing resources), but were not passed through to the providers. The providers' behavior was only affected by either the -provider-config flag or by their own environment.
The reason was that there are a bunch of provider-level properties (currently there are two providers). It would be a mess if we wrapped all these flags and exposed a bunch of flags to users, probably also having to mention which set of flags is only usable for the azurerm provider and which only for azapi.
However, from the standpoint of authentication, this separation puts a burden on users, who now need to take care of two parts: aztfexport and the provider. It would be much easier for them to regard both as a whole in terms of authentication. Reviewing the authentication flags of azurerm and azapi shows that they are actually quite the same. Based on this, we created this PR to wrap and expose all these authentication-related flags, which affect both aztfexport and the providers.
Changes
The new flags (or existing flags but now passed to providers) are listed below:
env
tenant-id
auxiliary-tenant-ids
client-id
client-id-file-path
client-certificate
client-certificate-path
client-certificate-password
client-secret
client-secret-file-path
oidc-request-token
oidc-request-url
oidc-token
oidc-token-file-path
use-managed-identity-cred (defaults to false)
use-azure-cli-cred (defaults to true)
use-oidc-cred (defaults to false)
Note that the flags above follow the naming convention of the azurerm provider. All of them are configurable via environment variables as well, using the same env vars as are defined in the azurerm provider.
The default authentication of aztfexport will attempt to authenticate with each of the credential types, in the following order, stopping when one provides a token:
Client secret
Client certificate
OIDC
Managed identity
Azure CLI
If a use-xxx-cred flag is not true, that credential type is skipped. This behavior is the same as the provider's. This changes the old behavior, where specifying any use-xxx-cred flag made that credential type the only one used. Also note that the old flag use-environment-cred is now removed.
The last thing to call out is that these new auth flags have lower priority than what is defined in the provider-config, which means users can override any auth config for the provider in the provider-config. This makes it possible for users to use different credential types for aztfexport and the provider.
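As an added illustration (not code from the aztfexport project), the credential chain and provider-config precedence described above, modelled in Go with hypothetical names: Chain applies the use-xxx-cred switches to the PR's fixed order, FirstToken stops at the first configured source that yields a token, and EffectiveProviderAuth lets provider-config settings override the flag-derived ones.

```go
package main

import "errors"

// Credential types in the order the PR gives for the default chain.
var defaultOrder = []string{"client_secret", "client_certificate", "oidc", "managed_identity", "azure_cli"}

// UseFlags holds the use-xxx-cred switches (PR defaults: CLI true, OIDC and MI false); types without a switch are always attempted.
type UseFlags struct{ OIDC, ManagedIdentity, AzureCLI bool }

// TokenSource stands in (assumption) for a configured credential that may or may not yield a token.
type TokenSource func() (string, error)

// Chain returns the credential types that will be attempted, skipping any whose use-xxx-cred flag is false.
func Chain(u UseFlags) []string {
	enabled := map[string]bool{"client_secret": true, "client_certificate": true,
		"oidc": u.OIDC, "managed_identity": u.ManagedIdentity, "azure_cli": u.AzureCLI}
	var out []string
	for _, c := range defaultOrder {
		if enabled[c] {
			out = append(out, c)
		}
	}
	return out
}

// FirstToken walks the chain and stops at the first source that provides a token; types with no configured source are passed over.
func FirstToken(u UseFlags, sources map[string]TokenSource) (string, string, error) {
	for _, c := range Chain(u) {
		if src, ok := sources[c]; ok {
			if tok, err := src(); err == nil {
				return c, tok, nil
			}
		}
	}
	return "", "", errors.New("no credential type provided a token")
}

// EffectiveProviderAuth merges flag-derived auth settings with the user's provider-config; provider-config wins.
func EffectiveProviderAuth(fromFlags, providerConfig map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range fromFlags {
		out[k] = v
	}
	for k, v := range providerConfig {
		out[k] = v
	}
	return out
}
```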
Tests
With TF
Without TF
References
Fix #540