azure: pass MSI auth info through to terraform

r4f4 · r4f4 · commit 248f6c3503e8 · 2023-05-31T15:47:17.000+02:00
Configure the managed identity within the provider block as per the provider docs [1] [1] https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/managed_service_identity#configuring-with-the-provider-block
diff --git a/data/data/azure/bootstrap/main.tf b/data/data/azure/bootstrap/main.tf
@@ -13,6 +13,7 @@ provider "azurerm" {
   client_certificate_path     = var.azure_certificate_path
   tenant_id                   = var.azure_tenant_id
   environment                 = var.azure_environment
+  use_msi                     = var.azure_use_msi
 }
 
 data "azurerm_storage_account" "storage_account" {
diff --git a/data/data/azure/cluster/main.tf b/data/data/azure/cluster/main.tf
@@ -12,6 +12,7 @@ provider "azurerm" {
   client_certificate_password = var.azure_certificate_password
   client_certificate_path     = var.azure_certificate_path
   tenant_id                   = var.azure_tenant_id
+  use_msi                     = var.azure_use_msi
   environment                 = var.azure_environment
 }
 
diff --git a/data/data/azure/variables-azure.tf b/data/data/azure/variables-azure.tf
@@ -99,6 +99,7 @@ variable "azure_subscription_id" {
 variable "azure_client_id" {
   type = string
   description = "The app ID that should be used to interact with Azure API"
+  default = ""
 }
 
 variable "azure_client_secret" {
@@ -124,6 +125,12 @@ variable "azure_tenant_id" {
   description = "The tenant ID that should be used to interact with Azure API"
 }
 
+variable "azure_use_msi" {
+  type = bool
+  default = false
+  description = "Specifies if we are to use a managed identity for authentication"
+}
+
 variable "azure_master_availability_zones" {
   type = list(string)
   description = "The availability zones in which to create the masters. The length of this list must match master_count."
diff --git a/data/data/azure/vnet/main.tf b/data/data/azure/vnet/main.tf
@@ -19,6 +19,7 @@ provider "azurerm" {
   client_certificate_password = var.azure_certificate_password
   client_certificate_path     = var.azure_certificate_path
   tenant_id                   = var.azure_tenant_id
+  use_msi                     = var.azure_use_msi
   environment                 = var.azure_environment
 }
 
diff --git a/pkg/asset/cluster/tfvars.go b/pkg/asset/cluster/tfvars.go
@@ -315,13 +315,15 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 		if err != nil {
 			return err
 		}
+
 		auth := azuretfvars.Auth{
 			SubscriptionID:            session.Credentials.SubscriptionID,
 			ClientID:                  session.Credentials.ClientID,
 			ClientSecret:              session.Credentials.ClientSecret,
 			TenantID:                  session.Credentials.TenantID,
 			ClientCertificatePath:     session.Credentials.ClientCertificatePath,
 			ClientCertificatePassword: session.Credentials.ClientCertificatePassword,
+			UseMSI:                    session.AuthType == aztypes.ManagedIdentityAuth,
 		}
 		masters, err := mastersAsset.Machines()
 		if err != nil {
diff --git a/pkg/tfvars/azure/azure.go b/pkg/tfvars/azure/azure.go
@@ -22,6 +22,7 @@ type Auth struct {
 	TenantID                  string `json:"azure_tenant_id,omitempty"`
 	ClientCertificatePath     string `json:"azure_certificate_path,omitempty"`
 	ClientCertificatePassword string `json:"azure_certificate_password,omitempty"`
+	UseMSI                    bool   `json:"azure_use_msi,omitempty"`
 }
 
 type config struct {

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ provider "azurerm" {`
`13`	`13`	`client_certificate_path = var.azure_certificate_path`
`14`	`14`	`tenant_id = var.azure_tenant_id`
`15`	`15`	`environment = var.azure_environment`
	`16`	`+ use_msi = var.azure_use_msi`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`data "azurerm_storage_account" "storage_account" {`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ provider "azurerm" {`
`12`	`12`	`client_certificate_password = var.azure_certificate_password`
`13`	`13`	`client_certificate_path = var.azure_certificate_path`
`14`	`14`	`tenant_id = var.azure_tenant_id`
	`15`	`+ use_msi = var.azure_use_msi`
`15`	`16`	`environment = var.azure_environment`
`16`	`17`	`}`
`17`	`18`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ provider "azurerm" {`
`19`	`19`	`client_certificate_password = var.azure_certificate_password`
`20`	`20`	`client_certificate_path = var.azure_certificate_path`
`21`	`21`	`tenant_id = var.azure_tenant_id`
	`22`	`+ use_msi = var.azure_use_msi`
`22`	`23`	`environment = var.azure_environment`
`23`	`24`	`}`
`24`	`25`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ type Auth struct {`
`22`	`22`	TenantID string `json:"azure_tenant_id,omitempty"`
`23`	`23`	ClientCertificatePath string `json:"azure_certificate_path,omitempty"`
`24`	`24`	ClientCertificatePassword string `json:"azure_certificate_password,omitempty"`
	`25`	+ UseMSI bool `json:"azure_use_msi,omitempty"`
`25`	`26`	`}`
`26`	`27`
`27`	`28`	`type config struct {`