feat: Add Azure Key Vault Variable Provider (#2472)

* feat: Add Azure Key Vault Variable Provider

Signed-off-by: Thorsten Hans <[email protected]>

* chore: Applied feedback and refactored Azure Key Vault variable provider impl

Signed-off-by: Thorsten Hans <[email protected]>

* chore: update cargo locks

Signed-off-by: Thorsten Hans <[email protected]>

* chore: Remove FromStr and From<String> implementations for AzureAuthorityHost

Signed-off-by: Thorsten Hans <[email protected]>

---------

Signed-off-by: Thorsten Hans <[email protected]>

Author: ThorstenHans

Cargo.lock

@@ -1,7 +1,11 @@
 use std::path::PathBuf;
 
 use serde::Deserialize;
-use spin_variables::provider::{env::EnvProvider, vault::VaultProvider};
+use spin_variables::provider::{
+    azure_key_vault::{AzureAuthorityHost, AzureKeyVaultProvider},
+    env::EnvProvider,
+    vault::VaultProvider,
+};
 
 use super::RuntimeConfig;
 
@@ -13,6 +17,7 @@ pub type VariablesProvider = Box<dyn spin_expressions::Provider>;
 pub enum VariablesProviderOpts {
     Env(EnvVariablesProviderOpts),
     Vault(VaultVariablesProviderOpts),
+    AzureKeyVault(AzureKeyVaultVariablesProviderOpts),
 }
 
 impl VariablesProviderOpts {
@@ -26,6 +31,7 @@ impl VariablesProviderOpts {
         match self {
             Self::Env(opts) => opts.build_provider(),
             Self::Vault(opts) => opts.build_provider(),
+            Self::AzureKeyVault(opts) => opts.build_provider(),
         }
     }
 }
@@ -82,3 +88,26 @@ impl VaultVariablesProviderOpts {
         ))
     }
 }
+
+#[derive(Debug, Default, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct AzureKeyVaultVariablesProviderOpts {
+    pub client_id: String,
+    pub client_secret: String,
+    pub tenant_id: String,
+    pub vault_url: String,
+    #[serde(default)]
+    pub authority_host: AzureAuthorityHost,
+}
+
+impl AzureKeyVaultVariablesProviderOpts {
+    pub fn build_provider(&self) -> VariablesProvider {
+        Box::new(AzureKeyVaultProvider::new(
+            &self.client_id,
+            &self.client_secret,
+            &self.tenant_id,
+            &self.vault_url,
+            self.authority_host,
+        ))
+    }
+}

crates/trigger/src/runtime_config/variables_provider.rs

@@ -18,6 +18,9 @@ tokio = { version = "1", features = ["rt-multi-thread"] }
 vaultrs = "0.6.2"
 serde = "1.0.188"
 tracing = { workspace = true }
+azure_security_keyvault = "0.20.0"
+azure_core = "0.20.0"
+azure_identity = "0.20.0"
 
 [dev-dependencies]
 toml = "0.5"

crates/variables/Cargo.toml

@@ -1,2 +1,3 @@
+pub mod azure_key_vault;
 pub mod env;
 pub mod vault;

crates/variables/src/provider.rs

@@ -0,0 +1,84 @@
+use std::sync::Arc;
+
+use anyhow::{Context, Result};
+use async_trait::async_trait;
+use azure_core::Url;
+use azure_security_keyvault::SecretClient;
+use serde::Deserialize;
+use spin_expressions::{Key, Provider};
+use tracing::{instrument, Level};
+
+#[derive(Debug)]
+pub struct AzureKeyVaultProvider {
+    client_id: String,
+    client_secret: String,
+    tenant_id: String,
+    vault_url: String,
+    authority_host: AzureAuthorityHost,
+}
+
+impl AzureKeyVaultProvider {
+    pub fn new(
+        client_id: impl Into<String>,
+        client_secret: impl Into<String>,
+        tenant_id: impl Into<String>,
+        vault_url: impl Into<String>,
+        authority_host: impl Into<AzureAuthorityHost>,
+    ) -> Self {
+        Self {
+            client_id: client_id.into(),
+            client_secret: client_secret.into(),
+            tenant_id: tenant_id.into(),
+            vault_url: vault_url.into(),
+            authority_host: authority_host.into(),
+        }
+    }
+}
+
+#[async_trait]
+impl Provider for AzureKeyVaultProvider {
+    #[instrument(name = "spin_variables.get_from_azure_key_vault", skip(self), err(level = Level::INFO), fields(otel.kind = "client"))]
+    async fn get(&self, key: &Key) -> Result<Option<String>> {
+        let http_client = azure_core::new_http_client();
+        let credential = azure_identity::ClientSecretCredential::new(
+            http_client,
+            self.authority_host.into(),
+            self.tenant_id.to_string(),
+            self.client_id.to_string(),
+            self.client_secret.to_string(),
+        );
+
+        let secret_client = SecretClient::new(&self.vault_url, Arc::new(credential))?;
+        let secret = secret_client
+            .get(key.as_str())
+            .await
+            .context("Failed to read variable from Azure Key Vault")?;
+        Ok(Some(secret.value))
+    }
+}
+
+#[derive(Debug, Copy, Clone, Deserialize)]
+pub enum AzureAuthorityHost {
+    AzurePublicCloud,
+    AzureChina,
+    AzureGermany,
+    AzureGovernment,
+}
+
+impl Default for AzureAuthorityHost {
+    fn default() -> Self {
+        Self::AzurePublicCloud
+    }
+}
+
+impl From<AzureAuthorityHost> for Url {
+    fn from(value: AzureAuthorityHost) -> Self {
+        let url = match value {
+            AzureAuthorityHost::AzureChina => "https://login.chinacloudapi.cn/",
+            AzureAuthorityHost::AzureGovernment => "https://login.microsoftonline.us/",
+            AzureAuthorityHost::AzureGermany => "https://login.microsoftonline.de/",
+            AzureAuthorityHost::AzurePublicCloud => "https://login.microsoftonline.com/",
+        };
+        Url::parse(url).unwrap()
+    }
+}