Closed jkroepke closed 1 year ago
@jkroepke Thank you!
I confirmed that this PR works fine with az login and tfstate-lookup -s azurerm://..., and with AZURE_STORAGE_ACCESS_KEY=xxx tfstate-lookup -s azurerm://...
But I couldn't confirm with the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID environment variables.
I added "Storage Blob Data Owner" permissions to the application registration.
I'm not familiar with Azure, so I can't speculate on the reason for the error that occurred. Could it be due to insufficient permissions?
failed to read tfstate from azurerm://test/tfstatelookup/test/subdir/az-tf.terraform.tfstate: failed to list keys: POST https://management.azure.com/subscriptions/7678a507-b850-4687-b569-3872ac85bbea/resourceGroups/test/providers/Microsoft.Storage/storageAccounts/tfstatelookup/listKeys
--------------------------------------------------------------------------------
RESPONSE 403: 403 Forbidden
ERROR CODE: AuthorizationFailed
--------------------------------------------------------------------------------
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '96518d19-2d49-438c-a339-5544d4da9e29' with object id '96518d19-2d49-438c-a339-5544d4da9e29' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/7678a507-b850-4687-b569-3872ac85bbea/resourceGroups/test/providers/Microsoft.Storage/storageAccounts/tfstatelookup' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
The 'problem' is that there are 2 ways of accessing a Storage Account:
Ref: https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal
By default (including Terraform) key-based authorization is used. An Azure AD identity would also list keys first and then use the key to access the blobs. That's the way it's implemented in tfstate-lookup right now.
In our case, the role Reader and Data Access is needed in addition to Storage Blob Data Owner.
The Azure AD authentication (use_azuread_auth = true at Terraform) is currently not implemented in tfstate-lookup.
Here is an example to initiate an azblob client using Azure AD authentication. It skips any listing of the storage keys.
// token credential resolved from env vars, managed identity or the Azure CLI
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
	return err
}
// data-plane client: the token is sent to the blob endpoint, no listKeys call needed
client, err := azblob.NewClient(serviceUrl, cred, nil)
if err != nil {
	return err
}
Adding support for Azure AD authentication might be a different PR.
Also getting rid of github.com/Azure/go-autorest/autorest/azure/cli might be a different PR. There is no replacement in github.com/Azure/azure-sdk-for-go, but the Azure/go-autorest libraries are EOL now (March 31, 2023).
@jkroepke Thanks for the detailed explanation!
I have not been able to confirm that the following feature is still functioning, but I have determined that it has not degraded from the current version. Therefore, I will merge this PR and release it.
But I couldn't confirm with the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID environment variables.
v1.1.1 released! https://github.com/fujiwara/tfstate-lookup/releases/tag/v1.1.1
But I couldn't confirm with the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID environment variables.
I re-tested this right now and can confirm that this works, at least two times now. Additionally, I ran az account clear to ensure that there are no leftovers from the CLI.
This allows all currently available authentication methods for tfstate-lookup, including environment variables, identities and CLI auth, by using the newer github.com/Azure/azure-sdk-for-go Go SDK. Additionally, it allows defining the subscription ID from an environment variable.
Tests from my local machine.
I would much appreciate it if there would be a new release which contains this change, thanks!