Add Auth Options: User-Managed Identity, System-Managed Identity, and AzDO Workload Identity Federation #545
Conversation
…om/microsoft/terraform-provider-power-platform into ianjensenisme/243-Managed-Identity
ianjensenisme
requested review from
mawasile,
mattdot,
leighatami,
polatengin and
eduardodfmex
as code owners
I clearly don't understand changie but maybe this will make it happy
| #### System-Managed Identity | ||
|
|
||
| 1. [Enable system-managed identity on an Azure resource](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) | ||
| 1. [Register the managed identity with the Power Platform](https://learn.microsoft.com/en-us/power-platform/admin/powershell-create-service-principal) using the Application ID from the enterprise application for the system-managed identity resource. |
There was a problem hiding this comment.
shouldn't we point to our example how to do it with TF?
There was a problem hiding this comment.
@mawasile which example are you thinking of? The only one I'm aware of is in https://microsoft.github.io/terraform-provider-power-platform/#authentication , but it points at the same link that I've included here.
There was a problem hiding this comment.
|
|
||
| We recomend using Environment Variables to pass the credentials to the provider. | ||
| 1. [Create a User-Managed Identity resource](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) | ||
| 1. [Register the Managed Identity with the Power Platform](https://learn.microsoft.com/en-us/power-platform/admin/powershell-create-service-principal) using the Client ID from the user-managed identity resource. |
There was a problem hiding this comment.
@mawasile which example are you thinking of? The only one I'm aware of is in https://microsoft.github.io/terraform-provider-power-platform/#authentication , but it points at the same link that I've included here.
There was a problem hiding this comment.
| @@ -281,10 +338,16 @@ func (client *Auth) GetTokenForScopes(ctx context.Context, scopes []string) (*st | |||
| token, tokenExpiry, err = client.AuthenticateClientSecret(ctx, scopes) | |||
| case client.config.IsCliProvided(): | |||
| token, tokenExpiry, err = client.AuthenticateUsingCli(ctx, scopes) | |||
| case client.config.IsAzDOWorkloadIdentityFederationProvided(): | |||
There was a problem hiding this comment.
Do I get that right? Now we have a dedicated AzDO setup but for GitHub one has to use generic Oidc auth? Maybe we should mention that somewhere because now it looks that github is not supported at all?
There was a problem hiding this comment.
Yeah I think the core limitation is that azidentity ONLY supports newAzurePipelinesCredential and doesn't have a similar analog for GitHub. I've added a note to the new section in the documentation to explain that we still support hands-off auth for GitHub, you just have to fall back to OIDC.
| client.config.ClientId, | ||
| client.config.AzDOServiceConnectionID, | ||
| client.config.OidcRequestToken, | ||
| &azidentity.AzurePipelinesCredentialOptions{}, // Auxiliary tenants could be defined here |
This pull request introduces new authentication methods for the Power Platform provider in Terraform. The key changes include adding support for Managed Identity and Workload Identity Federation, along with the necessary configuration updates and new methods for handling these authentication mechanisms.
Documentation Updates:
docs/index.md. [1] [2] [3]Codebase Enhancements:
internal/api/auth.goto handle authentication using User-Managed Identity, System-Managed Identity, and Azure DevOps Workload Identity Federation. [1] [2]Configuration Changes:
UseMsiandAzDOServiceConnectionIDto theProviderConfigstruct ininternal/config/config.goand updated related methods to check for these configurations. [1] [2] [3] [4] [5]Environment Variables:
POWER_PLATFORM_USE_MSIandPOWER_PLATFORM_AZDO_SERVICE_CONNECTION_IDininternal/constants/constants.go. (internal/constants/constants.goR112-R117, F52f86bdL162R162)Provider Configuration:
internal/provider/provider.goto include the new authentication options. [1] [2] [3]