[FEATURE] Support authenticating as a service principal using Federated Credentials (OIDC)

databricks / terraform-provider-databricks

Databricks Terraform Provider

https://registry.terraform.io/providers/databricks/databricks/latest

Other

445 stars 383 forks source link

[FEATURE] Support authenticating as a service principal using Federated Credentials (OIDC) #1627

Closed arnemorten closed 2 years ago

arnemorten commented 2 years ago

In order to avoid storing client_secret in github environments it is preferable to use federated credentials.

Right now when you login using the azure/login@v1 action the provider gives an error: "Error: Management API token must be provided for service principal admin user login"

Ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure

yixin19 commented 1 year ago

Hello, i'm also searching for this feature. Any roadmap for this?

arnemorten commented 1 year ago

In order to get this to work I changed the provider from using azure_workspace_resource_id to host with the workspace_url.

yixin19 commented 1 year ago

I got the same error using host and workspace_url

arnemorten commented 1 year ago

Ok not sure why that is. This is the code that works for me.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.22.0"
    }
    databricks = {
      source  = "databricks/databricks"
      version = "1.6.5"
    }

provider "databricks" {
  host = data.azurerm_databricks_workspace.dbcmn.workspace_url
}    

data "azurerm_databricks_workspace" "dbcmn" {
  name                = local.databricks_workspace_name
  resource_group_name = local.saas_resource_group_name
}

In the github action i have defined env variable: ARM_USE_OIDC: true

larryclaman commented 1 year ago

@arnemorten I tried your syntax but I'm getting the error Error: cannot configure azure-cli auth: cannot get workspace: please setazure_workspace_resource_idprovider argument. Environment variables used: ARM_CLIENT_ID, ARM_TENANT_ID. Please check https://registry.terraform.io/providers/databricks/databricks/latest/docs#authentication for details

OIDC is working in my workflow to deploy my azurerm resources, but it's failing on the databricks resources My provider block:

provider "databricks" {
  host  = azurerm_databricks_workspace.this.workspace_url
}