internal/backend/remote-state/azure: adding a feature-toggle to use MSAL

This commit is contained in:
tombuildsstuff 2021-11-17 18:40:21 +01:00
parent 27a34d6c2c
commit 9f710558ce
2 changed files with 41 additions and 5 deletions

View File

@ -7,6 +7,8 @@ import (
"os"
"time"
"github.com/manicminer/hamilton/environments"
"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/blobs"
"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/containers"
@ -84,6 +86,7 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
SupportsClientCertAuth: true,
SupportsClientSecretAuth: true,
SupportsManagedServiceIdentity: config.UseMsi,
UseMicrosoftGraph: config.UseMicrosoftGraph,
}
armConfig, err := builder.Build()
if err != nil {
@ -95,18 +98,43 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
return nil, err
}
sender := sender.BuildSender("backend/remote-state/azure")
auth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
hamiltonEnv, err := environments.EnvironmentFromString(config.Environment)
if err != nil {
return nil, err
}
if config.UseAzureADAuthentication {
storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
sender := sender.BuildSender("backend/remote-state/azure")
var auth autorest.Authorizer
if builder.UseMicrosoftGraph {
log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Resource Manager..")
auth, err = armConfig.GetMSALToken(ctx, hamiltonEnv.ResourceManager, sender, oauthConfig, env.TokenAudience)
if err != nil {
return nil, err
}
client.azureAdStorageAuth = &storageAuth
} else {
log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Resource Manager..")
auth, err = armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
if err != nil {
return nil, err
}
}
if config.UseAzureADAuthentication {
if builder.UseMicrosoftGraph {
log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Storage..")
storageAuth, err := armConfig.GetMSALToken(ctx, hamiltonEnv.Storage, sender, oauthConfig, env.ResourceIdentifiers.Storage)
if err != nil {
return nil, err
}
client.azureAdStorageAuth = &storageAuth
} else {
log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Storage..")
storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
if err != nil {
return nil, err
}
client.azureAdStorageAuth = &storageAuth
}
}
accountsClient := armStorage.NewAccountsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID)

View File

@ -142,6 +142,12 @@ func New() backend.Backend {
Description: "Should Terraform use AzureAD Authentication to access the Blob?",
DefaultFunc: schema.EnvDefaultFunc("ARM_USE_AZUREAD", false),
},
"use_microsoft_graph": {
Type: schema.TypeBool,
Optional: true,
Description: "Should Terraform obtain an auth token from Microsoft Graph rather than Azure Active Directory?",
DefaultFunc: schema.EnvDefaultFunc("ARM_USE_MSGRAPH", false),
},
},
}
@ -181,6 +187,7 @@ type BackendConfig struct {
TenantID string
UseMsi bool
UseAzureADAuthentication bool
UseMicrosoftGraph bool
}
func (b *Backend) configure(ctx context.Context) error {
@ -212,6 +219,7 @@ func (b *Backend) configure(ctx context.Context) error {
TenantID: data.Get("tenant_id").(string),
UseMsi: data.Get("use_msi").(bool),
UseAzureADAuthentication: data.Get("use_azuread_auth").(bool),
UseMicrosoftGraph: data.Get("use_microsoft_graph").(bool),
}
armClient, err := buildArmClient(context.TODO(), config)