hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Support for env var ARM_CLIENT_CERTIFICATE in azure remote state backend #35057

Open andreigorgan opened 4 months ago

andreigorgan commented 4 months ago

Terraform Version

Terraform version: 1.8.1
Go runtime version: go1.22.1

Use Cases

According to the azurerm provider docs, the azurerm provider supports service principal authentication with the ARM_CLIENT_CERTIFICATE env var (base64-encoded .pfx file contents).

It would be great if the azure remote state backend would support that too.

Attempted Solutions

Here is an example of the backend configuration used:

terraform {
  backend "azurerm" {
    resource_group_name  = "rg-storage-account"
    storage_account_name = "foo"
    container_name       = "foo-tfbackend"
    key                  = "foo-terraform.tfstate"
    use_azuread_auth     = true
  }
}

Example of environment variables used:

# sh
export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_CLIENT_CERTIFICATE="$(base64 /path/to/my/client/certificate.pfx)"
export ARM_CLIENT_CERTIFICATE_PASSWORD=""
export ARM_TENANT_ID="10000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="20000000-0000-0000-0000-000000000000"

Output logs from terraform init:

...
Initializing the backend...
2024-04-22T08:35:08.491Z [INFO]  Testing if Service Principal / Client Certificate is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Service Principal / Client Secret is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if OIDC is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Managed Service Identity is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Obtaining a Multi-tenant token from the Azure CLI is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
2024-04-22T08:35:08.492Z [INFO]  Using Obtaining a token from the Azure CLI for Authentication
.... # More initialization logs
╷
│ Error: Error building ARM Config: obtain subscription(20000000-0000-0000-0000-000000000000) from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│ 
│ 
╵

As you can see, Service Principal / Client Certificate authentication is not used.

Proposal

I am guessing that the starting point would be to add a property in the schema here: https://github.com/hashicorp/terraform/blob/5868f994139db04a5f6989491f1dbb84486873ac/internal/backend/remote-state/azure/backend.go#L112

References

The same was proposed for the azurerm provider: https://github.com/hashicorp/terraform-provider-azurerm/issues/17741
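An added pre-flight check for the ARM_* variables exported above, to run before terraform init; it is example code written for this page, not code from the issue, Terraform or the azurerm backend. It assumes GNU coreutils (base64, od) and checks that ARM_CLIENT_CERTIFICATE is single-line base64 of a DER-encoded PKCS#12 blob and that the ID variables are GUIDs.

```shell
#!/bin/sh
# Pre-flight check for the ARM_* variables shown in the issue (added example, not part
# of Terraform or the azurerm backend). Two things commonly go wrong with
# ARM_CLIENT_CERTIFICATE: GNU "base64 file.pfx" wraps its output at 76 columns, so
# "$(base64 file.pfx)" contains newlines that a strict decoder rejects, and the file
# must be a DER-encoded PKCS#12 (PFX) blob, which always starts with the ASN.1
# SEQUENCE tag 0x30.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline for the pattern match below

# Encode a .pfx file as a single base64 line suitable for ARM_CLIENT_CERTIFICATE.
encode_client_certificate() {
  base64 "$1" | tr -d '\n'
}

# Return 0 if the value is well-formed for ARM_CLIENT_CERTIFICATE, 1 otherwise.
check_client_certificate_value() {
  case "$1" in
    *"$nl"*) echo "ARM_CLIENT_CERTIFICATE contains newlines; use 'base64 -w0' or strip them" >&2
             return 1 ;;
  esac
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || {
    echo "ARM_CLIENT_CERTIFICATE is not valid base64" >&2; return 1; }
  first=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -N1 | tr -d ' \n')
  [ "$first" = "30" ] || {
    echo "decoded ARM_CLIENT_CERTIFICATE does not start with a DER SEQUENCE (not a PFX?)" >&2
    return 1; }
}

# Return 0 if the argument is a GUID of the form used by ARM_CLIENT_ID / ARM_TENANT_ID.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Check the whole set of variables the issue exports. ARM_CLIENT_CERTIFICATE_PASSWORD
# may legitimately be empty, so it is not checked here.
check_arm_env() {
  status=0
  for v in ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "val=\${$v:-}"
    is_guid "$val" || { echo "$v is missing or not a GUID" >&2; status=1; }
  done
  check_client_certificate_value "${ARM_CLIENT_CERTIFICATE:-}" || status=1
  return $status
}

# Usage, with the variables exported as in the issue:
# check_arm_env && terraform init
```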

crw commented 4 months ago

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions.

Note that the Azure backend is maintained by the AzureRM provider team, who primarily work out of the terraform-provider-azurerm repository and have their own prioritization process and schedule.

Thanks again!