go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

azuredns: allow oidc authentication #2036

Closed pchanvallon closed 9 months ago

pchanvallon commented 9 months ago

Hello,

Here is the implementation for the OIDC authentication support (fixes #2027).

I was able to test the integration with GitHub Actions workflows, but not with Terraform Cloud. @stmcx, can you check that this also works in your use case?

Thanks.

stmcx commented 9 months ago

Thanks @pchanvallon

Rebuilt the Terraform ACME provider with `replace github.com/go-acme/lego/v4 v4.14.2 => github.com/pchanvallon/lego/v4 v4.0.0-20231018073353-c97089b94e14`.

Did not work and got a 401 at first.

Then included AZURE_AUTH_METHOD="oidc" and it worked!

* _(Terraform Cloud exports "ARM_USE_OIDC" = "true" instead but that is okay)_

```hcl
resource "acme_certificate" "certificate" {
  account_key_pem              = acme_registration.registration.account_key_pem
  common_name                  = var.certificate_common_name
  subject_alternative_names    = []
  disable_complete_propagation = true
  dns_challenge {
    provider = "azuredns"
    config = {
      AZURE_RESOURCE_GROUP = var.certificate_dns_challenge_azure_resource_group_name
      AZURE_AUTH_METHOD    = "oidc"
    }
  }
}
```

Also, I added these here to the provider since Terraform Cloud exports them as ARM rather than AZURE. I guess the provider maintainers will know more.

```go
"ARM_OIDC_REQUEST_TOKEN":   "AZURE_OIDC_REQUEST_TOKEN",
"ARM_OIDC_REQUEST_URL":     "AZURE_OIDC_REQUEST_URL",
"ARM_OIDC_TOKEN":           "AZURE_OIDC_TOKEN",
"ARM_OIDC_TOKEN_FILE_PATH": "AZURE_OIDC_TOKEN_FILE_PATH",
```

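The alias mapping and the "401 until `AZURE_AUTH_METHOD=oidc` is set" symptom from the post above, worked into a small standalone Go program. This is an added example written for this page, not code from lego or from the Terraform ACME provider: `NormalizeAzureEnv`, `OIDCReady` and `PresentKeys` are hypothetical names, and the rule that `ARM_USE_OIDC=true` implies `AZURE_AUTH_METHOD=oidc` is an assumption made here (the thread only reports that Terraform Cloud exports `ARM_USE_OIDC`). The four `ARM_*` to `AZURE_*` pairs are the ones quoted in the post.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// armToAzure maps the ARM_* names Terraform Cloud exports to the AZURE_* names
// the azuredns provider reads. These four pairs are the ones quoted in the PR thread.
var armToAzure = map[string]string{
	"ARM_OIDC_REQUEST_TOKEN":   "AZURE_OIDC_REQUEST_TOKEN",
	"ARM_OIDC_REQUEST_URL":     "AZURE_OIDC_REQUEST_URL",
	"ARM_OIDC_TOKEN":           "AZURE_OIDC_TOKEN",
	"ARM_OIDC_TOKEN_FILE_PATH": "AZURE_OIDC_TOKEN_FILE_PATH",
}

// NormalizeAzureEnv (hypothetical helper) returns a copy of env in which every
// ARM_* alias has been mirrored to its AZURE_* name. An AZURE_* key that is
// already present wins, so an operator's explicit setting is never silently
// overridden. Mapping ARM_USE_OIDC=true to AZURE_AUTH_METHOD=oidc is an
// assumption made for this example.
func NormalizeAzureEnv(env map[string]string) map[string]string {
	out := make(map[string]string, len(env)+len(armToAzure)+1)
	for k, v := range env {
		out[k] = v
	}
	for arm, azure := range armToAzure {
		v, ok := env[arm]
		if !ok {
			continue
		}
		if _, set := out[azure]; !set {
			out[azure] = v
		}
	}
	if _, set := out["AZURE_AUTH_METHOD"]; !set && strings.EqualFold(env["ARM_USE_OIDC"], "true") {
		out["AZURE_AUTH_METHOD"] = "oidc"
	}
	return out
}

// OIDCReady (hypothetical helper) reports whether the normalized env selects
// OIDC and carries one complete source for the federated token: a pre-issued
// token, a token file, or the request URL + request token pair used by GitHub
// Actions. The returned reason names what is missing without echoing any value,
// which is how the "401 until AZURE_AUTH_METHOD is set" case should surface in logs.
func OIDCReady(env map[string]string) (bool, string) {
	if !strings.EqualFold(env["AZURE_AUTH_METHOD"], "oidc") {
		return false, "AZURE_AUTH_METHOD is not \"oidc\""
	}
	switch {
	case env["AZURE_OIDC_TOKEN"] != "":
		return true, "using AZURE_OIDC_TOKEN"
	case env["AZURE_OIDC_TOKEN_FILE_PATH"] != "":
		return true, "using AZURE_OIDC_TOKEN_FILE_PATH"
	case env["AZURE_OIDC_REQUEST_URL"] != "" && env["AZURE_OIDC_REQUEST_TOKEN"] != "":
		return true, "using AZURE_OIDC_REQUEST_URL + AZURE_OIDC_REQUEST_TOKEN"
	}
	return false, "no token source: set AZURE_OIDC_TOKEN, AZURE_OIDC_TOKEN_FILE_PATH, or both AZURE_OIDC_REQUEST_URL and AZURE_OIDC_REQUEST_TOKEN"
}

// PresentKeys lists which AZURE_* keys are set, without their values, so the
// diagnostic can be logged without leaking a request token.
func PresentKeys(env map[string]string) []string {
	var keys []string
	for k, v := range env {
		if strings.HasPrefix(k, "AZURE_") && v != "" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

func main() {
	// Read the real process environment, as a provider wrapper would.
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			env[parts[0]] = parts[1]
		}
	}
	norm := NormalizeAzureEnv(env)
	ready, why := OIDCReady(norm)
	fmt.Printf("oidc ready: %v (%s); keys present: %v\n", ready, why, PresentKeys(norm))
}
```

Run it inside a Terraform Cloud or GitHub Actions job to see whether the aliasing alone would have been enough, or whether `AZURE_AUTH_METHOD` still has to be set explicitly in the `dns_challenge` config as in the post above.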
pchanvallon commented 9 months ago

Hello @stmcx, thank you for your feedback. Yes, we will have to request this change in the ACME TF provider after the lib update to finalize the integration.

sdib commented 9 months ago

@ldez @pchanvallon @stmcx do you know when this will be released, please?