SeanC2222
commented
3 years ago Currently the top level module accepts a use_msi_to_authenticate bool to flag if MSI is being used. If we instead allow for an optional map with several optional keys we could support both options 2 and 3 above. The use_msi_to_authenticate bool could be deprecated and we could rely on the presence of the MSI variable to indicate use_msi_to_authenticate. Further, the presence of an object_id in the map would indicate no lookup is necessary. Failing that, if a name/resource group name are provided the module could lookup the identity and provide the object_id from that data block.
Pseudocode of var
msi = {
name = optional(string)
resource_group_name = optional(string)
object_id = optional(string)
validations = (name && resource_group_name) || object_id
}
The azurerm_client_config data block in the top level main of this module potentially creates a keyvault for which we need to allow access by the identity that Terraform is operating under so that it can populate keys/secrets/etc. The current implementation relies on retrieving data from the azurerm_client_config data block in that same module, however when using MSI to authenticate the provider doesn't populate the object_id as noted by https://github.com/terraform-providers/terraform-provider-azurerm/issues/7787 .
There's a few options: 1) Don't support MSI fully in module, and users configure their key vaults manually 2) Optionally receive the object_id as a variable and when present prefer that value 3) Use a data block to look up the MSI in Azure and retrieve the object_id from that data block when using MSI 4) Wait for the provider to fix the issue, if they ever do