internal/backend/remote-state/azure: adding a feature-toggle to use MSAL
This commit is contained in:
tombuildsstuff
parent
27a34d6c2c
commit
9f710558ce
|
|
@ -7,6 +7,8 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/manicminer/hamilton/environments"
|
||||||
|
|
||||||
"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/blobs"
|
"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/blobs"
|
||||||
"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/containers"
|
"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/containers"
|
||||||
|
|
||||||
|
|
@ -84,6 +86,7 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
|
||||||
SupportsClientCertAuth: true,
|
SupportsClientCertAuth: true,
|
||||||
SupportsClientSecretAuth: true,
|
SupportsClientSecretAuth: true,
|
||||||
SupportsManagedServiceIdentity: config.UseMsi,
|
SupportsManagedServiceIdentity: config.UseMsi,
|
||||||
|
UseMicrosoftGraph: config.UseMicrosoftGraph,
|
||||||
}
|
}
|
||||||
armConfig, err := builder.Build()
|
armConfig, err := builder.Build()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -95,18 +98,43 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
sender := sender.BuildSender("backend/remote-state/azure")
|
hamiltonEnv, err := environments.EnvironmentFromString(config.Environment)
|
||||||
auth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.UseAzureADAuthentication {
|
sender := sender.BuildSender("backend/remote-state/azure")
|
||||||
storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
|
var auth autorest.Authorizer
|
||||||
|
if builder.UseMicrosoftGraph {
|
||||||
|
log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Resource Manager..")
|
||||||
|
auth, err = armConfig.GetMSALToken(ctx, hamiltonEnv.ResourceManager, sender, oauthConfig, env.TokenAudience)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
client.azureAdStorageAuth = &storageAuth
|
} else {
|
||||||
|
log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Resource Manager..")
|
||||||
|
auth, err = armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.UseAzureADAuthentication {
|
||||||
|
if builder.UseMicrosoftGraph {
|
||||||
|
log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Storage..")
|
||||||
|
storageAuth, err := armConfig.GetMSALToken(ctx, hamiltonEnv.Storage, sender, oauthConfig, env.ResourceIdentifiers.Storage)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
client.azureAdStorageAuth = &storageAuth
|
||||||
|
} else {
|
||||||
|
log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Storage..")
|
||||||
|
storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
client.azureAdStorageAuth = &storageAuth
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
accountsClient := armStorage.NewAccountsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID)
|
accountsClient := armStorage.NewAccountsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID)
|
||||||
|
|
|
||||||
|
|
@ -142,6 +142,12 @@ func New() backend.Backend {
|
||||||
Description: "Should Terraform use AzureAD Authentication to access the Blob?",
|
Description: "Should Terraform use AzureAD Authentication to access the Blob?",
|
||||||
DefaultFunc: schema.EnvDefaultFunc("ARM_USE_AZUREAD", false),
|
DefaultFunc: schema.EnvDefaultFunc("ARM_USE_AZUREAD", false),
|
||||||
},
|
},
|
||||||
|
"use_microsoft_graph": {
|
||||||
|
Type: schema.TypeBool,
|
||||||
|
Optional: true,
|
||||||
|
Description: "Should Terraform obtain an auth token from Microsoft Graph rather than Azure Active Directory?",
|
||||||
|
DefaultFunc: schema.EnvDefaultFunc("ARM_USE_MSGRAPH", false),
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -181,6 +187,7 @@ type BackendConfig struct {
|
||||||
TenantID string
|
TenantID string
|
||||||
UseMsi bool
|
UseMsi bool
|
||||||
UseAzureADAuthentication bool
|
UseAzureADAuthentication bool
|
||||||
|
UseMicrosoftGraph bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *Backend) configure(ctx context.Context) error {
|
func (b *Backend) configure(ctx context.Context) error {
|
||||||
|
|
@ -212,6 +219,7 @@ func (b *Backend) configure(ctx context.Context) error {
|
||||||
TenantID: data.Get("tenant_id").(string),
|
TenantID: data.Get("tenant_id").(string),
|
||||||
UseMsi: data.Get("use_msi").(bool),
|
UseMsi: data.Get("use_msi").(bool),
|
||||||
UseAzureADAuthentication: data.Get("use_azuread_auth").(bool),
|
UseAzureADAuthentication: data.Get("use_azuread_auth").(bool),
|
||||||
|
UseMicrosoftGraph: data.Get("use_microsoft_graph").(bool),
|
||||||
}
|
}
|
||||||
|
|
||||||
armClient, err := buildArmClient(context.TODO(), config)
|
armClient, err := buildArmClient(context.TODO(), config)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue