wip

henryde · henryde · commit c79ac2b437b9 · 2025-12-09T19:25:22.000+01:00
diff --git a/client/platform_config_azure.go b/client/platform_config_azure.go
@@ -23,26 +23,19 @@ type AzureReplicationConfig struct {
 }
 
 type AzureServicePrincipalConfig struct {
-	ClientId string                              `json:"clientId" tfsdk:"client_id"`
-	Auth     AzureServicePrincipalAuthConfig     `json:"auth" tfsdk:"auth"`
-	ObjectId string                              `json:"objectId" tfsdk:"object_id"`
+	ClientId string          `json:"clientId" tfsdk:"client_id"`
+	ObjectId string          `json:"objectId" tfsdk:"object_id"`
+	Auth     AzureAuthConfig `json:"auth" tfsdk:"auth"`
 }
 
-type AzureServicePrincipalAuthConfig struct {
-	Type             string          `json:"type" tfsdk:"type"`
-	Credential       *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
-	WorkloadIdentity *struct{}       `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
+type AzureAuthConfig struct {
+	Type       string          `json:"type" tfsdk:"type"`
+	Credential *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
 }
 
 type AzureGraphApiCredentials struct {
-	ClientId string                     `json:"clientId" tfsdk:"client_id"`
-	Auth     AzureGraphApiAuthConfig    `json:"auth" tfsdk:"auth"`
-}
-
-type AzureGraphApiAuthConfig struct {
-	Type             string          `json:"type" tfsdk:"type"`
-	Credential       *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
-	WorkloadIdentity *struct{}       `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
+	ClientId string          `json:"clientId" tfsdk:"client_id"`
+	Auth     AzureAuthConfig `json:"auth" tfsdk:"auth"`
 }
 
 type AzureSubscriptionProvisioningConfig struct {
diff --git a/client/platform_config_azurerg.go b/client/platform_config_azurerg.go
@@ -6,25 +6,14 @@ type AzureRgPlatformConfig struct {
 }
 
 type AzureRgReplicationConfig struct {
-	ServicePrincipal                           AzureRgServicePrincipalConfig `json:"servicePrincipal" tfsdk:"service_principal"`
-	Subscription                               string                        `json:"subscription" tfsdk:"subscription"`
-	ResourceGroupNamePattern                   string                        `json:"resourceGroupNamePattern" tfsdk:"resource_group_name_pattern"`
-	UserGroupNamePattern                       string                        `json:"userGroupNamePattern" tfsdk:"user_group_name_pattern"`
-	B2bUserInvitation                          *AzureInviteB2BUserConfig     `json:"b2bUserInvitation,omitempty" tfsdk:"b2b_user_invitation"`
-	UserLookUpStrategy                         string                        `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
-	TenantTags                                 *MeshTenantTags               `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
-	SkipUserGroupPermissionCleanup             bool                          `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
-	AdministrativeUnitId                       *string                       `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
-	AllowHierarchicalManagementGroupAssignment bool                          `json:"allowHierarchicalManagementGroupAssignment" tfsdk:"allow_hierarchical_management_group_assignment"`
-}
-
-type AzureRgServicePrincipalConfig struct {
-	ClientId string                            `json:"clientId" tfsdk:"client_id"`
-	Auth     AzureRgServicePrincipalAuthConfig `json:"auth" tfsdk:"auth"`
-	ObjectId string                            `json:"objectId" tfsdk:"object_id"`
-}
-
-type AzureRgServicePrincipalAuthConfig struct {
-	Type       string          `json:"type" tfsdk:"type"`
-	Credential *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
+	ServicePrincipal                           AzureServicePrincipalConfig `json:"servicePrincipal" tfsdk:"service_principal"`
+	Subscription                               string                      `json:"subscription" tfsdk:"subscription"`
+	ResourceGroupNamePattern                   string                      `json:"resourceGroupNamePattern" tfsdk:"resource_group_name_pattern"`
+	UserGroupNamePattern                       string                      `json:"userGroupNamePattern" tfsdk:"user_group_name_pattern"`
+	B2bUserInvitation                          *AzureInviteB2BUserConfig   `json:"b2bUserInvitation,omitempty" tfsdk:"b2b_user_invitation"`
+	UserLookUpStrategy                         string                      `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+	TenantTags                                 *MeshTenantTags             `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
+	SkipUserGroupPermissionCleanup             bool                        `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
+	AdministrativeUnitId                       *string                     `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
+	AllowHierarchicalManagementGroupAssignment bool                        `json:"allowHierarchicalManagementGroupAssignment" tfsdk:"allow_hierarchical_management_group_assignment"`
 }
diff --git a/internal/provider/platform_data_source.go b/internal/provider/platform_data_source.go
@@ -433,16 +433,7 @@ func azureMeteringConfigDataSourceSchema() schema.Attribute {
 								MarkdownDescription: "Authentication type (credential or workloadIdentity)",
 								Computed:            true,
 							},
-							"credential": schema.StringAttribute{
-								MarkdownDescription: "Client secret (if type is CREDENTIALS)",
-								Computed:            true,
-								Sensitive:           true,
-							},
-							"workload_identity": schema.SingleNestedAttribute{
-								MarkdownDescription: "Workload identity configuration (if type is WORKLOAD_IDENTITY)",
-								Computed:            true,
-								Attributes:          map[string]schema.Attribute{},
-							},
+							"credential": secretEmbeddedDataSourceSchema("Client secret (if type is credential)"),
 						},
 					},
 					"object_id": schema.StringAttribute{
@@ -616,11 +607,11 @@ func awsReplicationConfigDataSourceSchema() schema.Attribute {
 						Computed:            true,
 						Attributes: map[string]schema.Attribute{
 							"type": schema.StringAttribute{
-								MarkdownDescription: "Authentication type (CREDENTIALS or WORKLOAD_IDENTITY)",
+								MarkdownDescription: "Authentication type (credential or workloadIdentity)",
 								Computed:            true,
 							},
 							"credential": schema.SingleNestedAttribute{
-								MarkdownDescription: "Service user credential configuration (if type is CREDENTIALS)",
+								MarkdownDescription: "Service user credential configuration (if type is credential)",
 								Computed:            true,
 								Attributes: map[string]schema.Attribute{
 									"access_key": schema.StringAttribute{
@@ -631,7 +622,7 @@ func awsReplicationConfigDataSourceSchema() schema.Attribute {
 								},
 							},
 							"workload_identity": schema.SingleNestedAttribute{
-								MarkdownDescription: "Workload identity configuration (if type is WORKLOAD_IDENTITY)",
+								MarkdownDescription: "Workload identity configuration (if type is workloadIdentity)",
 								Computed:            true,
 								Attributes: map[string]schema.Attribute{
 									"role_arn": schema.StringAttribute{
@@ -787,19 +778,10 @@ func azureReplicationConfigDataSourceSchema() schema.Attribute {
 						Computed:            true,
 						Attributes: map[string]schema.Attribute{
 							"type": schema.StringAttribute{
-								MarkdownDescription: "Authentication type (CREDENTIALS or WORKLOAD_IDENTITY)",
-								Computed:            true,
-							},
-							"credential": schema.StringAttribute{
-								MarkdownDescription: "Client secret (if type is CREDENTIALS)",
-								Computed:            true,
-								Sensitive:           true,
-							},
-							"workload_identity": schema.SingleNestedAttribute{
-								MarkdownDescription: "Workload identity configuration (if type is WORKLOAD_IDENTITY)",
+								MarkdownDescription: "Authentication type (credential or workloadIdentity)",
 								Computed:            true,
-								Attributes:          map[string]schema.Attribute{},
 							},
+							"credential": secretEmbeddedDataSourceSchema("Client secret (if type is credential)"),
 						},
 					},
 					"object_id": schema.StringAttribute{
@@ -856,19 +838,14 @@ func azureReplicationConfigDataSourceSchema() schema.Attribute {
 										Computed:            true,
 										Attributes: map[string]schema.Attribute{
 											"type": schema.StringAttribute{
-												MarkdownDescription: "Must be one of CREDENTIALS or WORKLOAD_IDENTITY. Workload Identity Federation is the one that we recommend as it enables the most secure approach to provide access to your Azure tenant without using long lived credentials. Credential Authentication is an alternative approach where you have to provide a clientSecret manually to meshStack and meshStack stores it encrypted.",
+												MarkdownDescription: "Must be one of credential or workloadIdentity. Workload Identity Federation is the one that we recommend as it enables the most secure approach to provide access to your Azure tenant without using long lived credentials. Credential Authentication is an alternative approach where you have to provide a clientSecret manually to meshStack and meshStack stores it encrypted.",
 												Computed:            true,
 											},
 											"credential": schema.StringAttribute{
-												MarkdownDescription: "Must be set if and only if type is CREDENTIALS. A valid secret for accessing the application. In Azure Portal, this can be configured on the \"App Registration\" under Certificates & secrets. [How is this information secured?](https://docs.meshcloud.io/operations/security-faq/#how-does-meshstack-securely-handle-my-cloud-platform-credentials)",
+												MarkdownDescription: "Must be set if and only if type is credential. A valid secret for accessing the application. In Azure Portal, this can be configured on the \"App Registration\" under Certificates & secrets. [How is this information secured?](https://docs.meshcloud.io/operations/security-faq/#how-does-meshstack-securely-handle-my-cloud-platform-credentials)",
 												Computed:            true,
 												Sensitive:           true,
 											},
-											"workload_identity": schema.SingleNestedAttribute{
-												MarkdownDescription: "Workload identity configuration (if type is WORKLOAD_IDENTITY)",
-												Computed:            true,
-												Attributes:          map[string]schema.Attribute{},
-											},
 										},
 									},
 								},
