Refactor Devops Service Connection for ARM and ACR to support all authentication_scheme

[SazniMohamed]

Purpose

This pull request enhances the Azure DevOps Service Endpoint modules by introducing flexible authentication methods. It enables support for Workload Identity Federation and Certificate-based authentication, moving away from a strict requirement for Service Principal secrets.

Authentication Improvements

• Configurable Authentication Schemes: Added support for service_endpoint_authentication_scheme across ACR and ARM service endpoints, allowing users to toggle between ServicePrincipal and WorkloadIdentityFederation.

• Certificate Support: Expanded the ARM Service Endpoint resource to support service_principal_certificate as an alternative to standard password-based authentication.

• Credential Flexibility: Refactored the credentials block into a dynamic configuration. This makes service_principal_key optional and ensures it is only required when the authentication scheme necessitates it.

Summary by CodeRabbit

• New Features
  • Added configurable authentication scheme support for Azure DevOps service endpoints (ACR and ARM).
  • Enabled certificate-based authentication for ARM Service Endpoints.
  • Made service principal credentials optional to support alternative authentication methods.

Summary by CodeRabbit

• New Features
  • Enhanced Azure DevOps service endpoint configuration with flexible authentication scheme support for ACR and ARM endpoints.
  • Added optional certificate-based authentication for ARM service endpoints.
  • Made service principal credentials optional, enabling conditional configuration when not provided.
  • Added outputs exposing workload identity federation issuer and subject when using WorkloadIdentityFederation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 49ec5ea9-b3ef-42fc-babf-7c265bfae740

📥 Commits

Reviewing files that changed from the base of the PR and between 0fa9722 and 20ceafc.

📒 Files selected for processing (2)

• modules/azuredevops/ACR-Service-Endpoint/outputs.tf
• modules/azuredevops/ARM-Service-Endpoint/outputs.tf

✅ Files skipped from review due to trivial changes (1)

• modules/azuredevops/ARM-Service-Endpoint/outputs.tf

---

Walkthrough

ACR and ARM Azure DevOps service endpoint modules now accept a configurable authentication_scheme, introduce optional service principal inputs, conditionally emit credentials blocks when service_principal_id is set, and expose conditional workload identity federation outputs when using the WorkloadIdentityFederation scheme.

Changes

Cohort / File(s)	Summary
ACR Service Endpoint modules/azuredevops/ACR-Service-Endpoint/acr_service_endpoint.tf, modules/azuredevops/ACR-Service-Endpoint/variables.tf, modules/azuredevops/ACR-Service-Endpoint/outputs.tf	Added authentication_scheme and service_principal_id variables; wired authentication_scheme to the azuredevops_serviceendpoint_azurecr resource; emit a dynamic "credentials" block only when service_principal_id != null; added conditional outputs workload_identity_federation_issuer and workload_identity_federation_subject.
ARM Service Endpoint modules/azuredevops/ARM-Service-Endpoint/arm_service_endpoint.tf, modules/azuredevops/ARM-Service-Endpoint/variables.tf, modules/azuredevops/ARM-Service-Endpoint/outputs.tf	Introduced authentication_scheme variable and set service_endpoint_authentication_scheme = var.authentication_scheme; made service_principal_id/service_principal_key optional (default = null), added service_principal_certificate (sensitive, optional); replaced static credentials with dynamic "credentials" emitted only if service_principal_id != null; added conditional workload identity federation outputs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nibbled at tf and danced on the mesh,

Optional creds tucked in a conditional rest,
Schemes that switch, outputs that sing,
A rabbit's small hop for infra-ing,
🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description provides Purpose and Goals sections outlining the authentication improvements, but is missing most required template sections like Approach, User stories, Release note, Documentation, Training, Certification, Marketing, Testing, Security checks, Samples, Related PRs, Migrations, and Test environment.	Complete the PR description by adding the required sections from the template: Approach, User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, and Test environment.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: refactoring DevOps service connections for ARM and ACR to support all authentication schemes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

modules/azuredevops/ARM-Service-Endpoint/variables.tf (1)

45-48: ⚠️ Potential issue | 🟡 Minor

Typo in description: "if" should be "of".

📝 Proposed fix

 variable "tenant_id" {
-  description = "The Tenant ID if the service principal."
+  description = "The Tenant ID of the service principal."
   type        = string
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/azuredevops/ARM-Service-Endpoint/variables.tf` around lines 45 - 48,
Fix the typo in the tenant_id variable description: change the string in the
variable declaration for tenant_id (variable "tenant_id") from "The Tenant ID if
the service principal." to "The Tenant ID of the service principal." so the
description reads correctly; update only the description value in the variable
block and keep the variable name and type unchanged.

🧹 Nitpick comments (2)

modules/azuredevops/ARM-Service-Endpoint/variables.tf (1)

60-64: Add validation for authentication_scheme to catch invalid values early.

Without validation, invalid values will only error at apply time. Constraining input improves usability.

✅ Proposed fix

 variable "authentication_scheme" {
   description = "The authentication scheme to use for the service endpoint. Possible values are WorkloadIdentityFederation, ManagedServiceIdentity or ServicePrincipal."
   type        = string
   default     = "ServicePrincipal"
+
+  validation {
+    condition     = contains(["WorkloadIdentityFederation", "ManagedServiceIdentity", "ServicePrincipal"], var.authentication_scheme)
+    error_message = "authentication_scheme must be one of: WorkloadIdentityFederation, ManagedServiceIdentity, ServicePrincipal."
+  }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/azuredevops/ARM-Service-Endpoint/variables.tf` around lines 60 - 64,
Add a Terraform validation block to the variable "authentication_scheme" to
reject values other than the allowed set (WorkloadIdentityFederation,
ManagedServiceIdentity, ServicePrincipal); implement this by adding a validation
{ condition = contains([...], var.authentication_scheme) error_message = "..." }
for the authentication_scheme variable so invalid inputs fail during
plan/validation instead of apply.

modules/azuredevops/ACR-Service-Endpoint/variables.tf (1)

52-56: Add validation for authentication_scheme to catch invalid values early.

Same recommendation as the ARM module for consistency and early error detection.

✅ Proposed fix

 variable "authentication_scheme" {
   description = "The authentication scheme to use for the service endpoint. Possible values are WorkloadIdentityFederation, ManagedServiceIdentity or ServicePrincipal."
   type        = string
   default     = "ServicePrincipal"
+
+  validation {
+    condition     = contains(["WorkloadIdentityFederation", "ManagedServiceIdentity", "ServicePrincipal"], var.authentication_scheme)
+    error_message = "authentication_scheme must be one of: WorkloadIdentityFederation, ManagedServiceIdentity, ServicePrincipal."
+  }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/azuredevops/ACR-Service-Endpoint/variables.tf` around lines 52 - 56,
The variable "authentication_scheme" lacks input validation; add a Terraform
validation block for variable "authentication_scheme" that enforces allowed
values ["WorkloadIdentityFederation", "ManagedServiceIdentity",
"ServicePrincipal"] and provide a clear error_message indicating the permitted
options so invalid values are rejected early (keep the variable name and type
as-is and add the validation stanza to the variable block).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/azuredevops/ACR-Service-Endpoint/acr_service_endpoint.tf`:
- Around line 23-28: The dynamic "credentials" block is gated only by
var.service_principal_id and can be emitted even when authentication is not
service principal; update the for_each condition to also check the chosen
var.authentication_scheme (e.g., only render credentials when
var.authentication_scheme indicates a ServicePrincipal flow) and keep the
existing serviceprincipalid content; reference the dynamic "credentials" block,
var.service_principal_id, and var.authentication_scheme when making the change
so the credentials block is produced only for the proper authentication_scheme.

In `@modules/azuredevops/ARM-Service-Endpoint/variables.tf`:
- Around line 33-43: The Terraform variables service_principal_key and
service_principal_certificate are secrets and must be marked sensitive; update
the variable blocks for service_principal_key and service_principal_certificate
(the variable declarations with those exact names) to include sensitive = true
so their values are redacted in logs/CLI output while keeping the existing
description, type, and default handling.

---

Outside diff comments:
In `@modules/azuredevops/ARM-Service-Endpoint/variables.tf`:
- Around line 45-48: Fix the typo in the tenant_id variable description: change
the string in the variable declaration for tenant_id (variable "tenant_id") from
"The Tenant ID if the service principal." to "The Tenant ID of the service
principal." so the description reads correctly; update only the description
value in the variable block and keep the variable name and type unchanged.

---

Nitpick comments:
In `@modules/azuredevops/ACR-Service-Endpoint/variables.tf`:
- Around line 52-56: The variable "authentication_scheme" lacks input
validation; add a Terraform validation block for variable
"authentication_scheme" that enforces allowed values
["WorkloadIdentityFederation", "ManagedServiceIdentity", "ServicePrincipal"] and
provide a clear error_message indicating the permitted options so invalid values
are rejected early (keep the variable name and type as-is and add the validation
stanza to the variable block).

In `@modules/azuredevops/ARM-Service-Endpoint/variables.tf`:
- Around line 60-64: Add a Terraform validation block to the variable
"authentication_scheme" to reject values other than the allowed set
(WorkloadIdentityFederation, ManagedServiceIdentity, ServicePrincipal);
implement this by adding a validation { condition = contains([...],
var.authentication_scheme) error_message = "..." } for the authentication_scheme
variable so invalid inputs fail during plan/validation instead of apply.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 92a994c3-e170-4fa0-b75e-8bb14432dc71

📥 Commits

Reviewing files that changed from the base of the PR and between 81a7895 and 92b51fa.

📒 Files selected for processing (4)

• modules/azuredevops/ACR-Service-Endpoint/acr_service_endpoint.tf
• modules/azuredevops/ACR-Service-Endpoint/variables.tf
• modules/azuredevops/ARM-Service-Endpoint/arm_service_endpoint.tf
• modules/azuredevops/ARM-Service-Endpoint/variables.tf

[coderabbitai]

🧹 Nitpick comments (1)

modules/azuredevops/ARM-Service-Endpoint/variables.tf (1)

62-66: Add enum validation for authentication_scheme to fail fast.

Currently the variable accepts any string, with invalid values failing only at apply time. Adding validation will constrain the input to the three accepted schemes and catch errors earlier.

♻️ Proposed change

 variable "authentication_scheme" {
   description = "The authentication scheme to use for the service endpoint. Possible values are WorkloadIdentityFederation, ManagedServiceIdentity or ServicePrincipal."
   type        = string
   default     = "ServicePrincipal"
+  validation {
+    condition = contains(
+      ["ServicePrincipal", "WorkloadIdentityFederation", "ManagedServiceIdentity"],
+      var.authentication_scheme
+    )
+    error_message = "authentication_scheme must be one of: ServicePrincipal, WorkloadIdentityFederation, ManagedServiceIdentity."
+  }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/azuredevops/ARM-Service-Endpoint/variables.tf` around lines 62 - 66,
The variable "authentication_scheme" currently allows any string; add a
Terraform validation block to the variable to restrict values to the accepted
enum {"WorkloadIdentityFederation", "ManagedServiceIdentity",
"ServicePrincipal"} so invalid values fail at plan time; specifically, inside
the variable "authentication_scheme" block add validation { condition =
contains(["WorkloadIdentityFederation","ManagedServiceIdentity","ServicePrincipal"],
var.authentication_scheme) error_message = "authentication_scheme must be one
of: WorkloadIdentityFederation, ManagedServiceIdentity, ServicePrincipal" } to
enforce the allowed options.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@modules/azuredevops/ARM-Service-Endpoint/variables.tf`:
- Around line 62-66: The variable "authentication_scheme" currently allows any
string; add a Terraform validation block to the variable to restrict values to
the accepted enum {"WorkloadIdentityFederation", "ManagedServiceIdentity",
"ServicePrincipal"} so invalid values fail at plan time; specifically, inside
the variable "authentication_scheme" block add validation { condition =
contains(["WorkloadIdentityFederation","ManagedServiceIdentity","ServicePrincipal"],
var.authentication_scheme) error_message = "authentication_scheme must be one
of: WorkloadIdentityFederation, ManagedServiceIdentity, ServicePrincipal" } to
enforce the allowed options.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b255516-e05d-44fe-9d7b-b92f47226f75

📥 Commits

Reviewing files that changed from the base of the PR and between 92b51fa and 0fa9722.

📒 Files selected for processing (1)

• modules/azuredevops/ARM-Service-Endpoint/variables.tf