From 7e2e3385f920d32e6cf6e67185527305e197ab2f Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Fri, 25 Apr 2025 15:47:45 +0100 Subject: [PATCH 1/5] add env vars and update docs --- internal/backend/remote-state/azure/backend.go | 4 ++-- website/docs/language/backend/azurerm.mdx | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go index d82e172101ba..ab31b5e40f1a 100644 --- a/internal/backend/remote-state/azure/backend.go +++ b/internal/backend/remote-state/azure/backend.go @@ -102,7 +102,7 @@ func New() backend.Backend { Type: schema.TypeString, Optional: true, Description: "The Client ID to use when authenticating using Azure Active Directory.", - DefaultFunc: schema.EnvDefaultFunc("ARM_CLIENT_ID", ""), + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_CLIENT_ID_BACKEND", "ARM_CLIENT_ID"}, ""), }, "client_id_file_path": { @@ -166,7 +166,7 @@ func New() backend.Backend { "ado_pipeline_service_connection_id": { Type: schema.TypeString, Optional: true, - DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID"}, nil), + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND", "ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID", "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"}, nil), Description: "The Azure DevOps Pipeline Service Connection ID.", }, diff --git a/website/docs/language/backend/azurerm.mdx b/website/docs/language/backend/azurerm.mdx index 6237ed3f618e..188765f01964 100644 --- a/website/docs/language/backend/azurerm.mdx +++ b/website/docs/language/backend/azurerm.mdx 
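Review bot: The new default on the `client_id` line reads `ARM_CLIENT_ID_BACKEND` ahead of `ARM_CLIENT_ID`, but the field's Description still says nothing about either variable or their precedence, and the same applies to the `ado_pipeline_service_connection_id` hunk at @@ -166 in this patch. Which name wins decides which identity the state backend authenticates as, independently of the provider, so it belongs in the schema where the field is defined and not only in the website docs. I would change the line to `Description: "The Client ID to use when authenticating using Azure Active Directory. When unset, sourced from ARM_CLIENT_ID_BACKEND, then ARM_CLIENT_ID.",` and give the service connection field the same treatment with its four names in lookup order. `New()` begins and ends outside both hunks.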
@@ -70,7 +70,7 @@ These optional configuration options apply when [looking up the data plane URI]( The recommended data plane role assignments required for this method are either one of: -- `Storage Blob Data Owner` on the storage account container (Recommended) +- `Storage Blob Data Contributor` on the storage account container (Recommended) - `Storage Blob Data Contributor` on the storage account The recommended management plane role assignments required for this method are: @@ -339,7 +339,7 @@ These optional configuration options apply when [looking up the data plane URI]( The recommended data plane role assignments required for this method are either one of: -- `Storage Blob Data Owner` on the storage account container (Recommended) +- `Storage Blob Data Contributor` on the storage account container (Recommended) - `Storage Blob Data Contributor` on the storage account The recommended management plane role assignments required for this method are: 
@@ -548,9 +548,9 @@ The following configuration options are supported: * `use_oidc` - (Optional) Set to `true` to use OpenID Connect / Workload identity federation authentication for authentication to the storage account management and data plane. This can also be sourced from the `ARM_USE_OIDC` environment variable. -* `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` environment variable. +* `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` or `ARM_CLIENT_ID_BACKEND` environment variable. -* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` environment variables. The provider will look for values in this order and use the first it finds configured. +* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured. * `oidc_request_url` - (Optional) The URL for the Open ID Connect provider from which to request an ID token. This is only required for advanced scenarios or third party integrations. 
This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` environment variables. The provider will look for values in this order and use the first it finds configured. From c6990bf89ef712f4992ccdc0dfd46891df7e04c0 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Fri, 25 Apr 2025 16:00:36 +0100 Subject: [PATCH 2/5] add release note --- .changes/v1.13/ENHANCEMENTS-20250425-160021.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changes/v1.13/ENHANCEMENTS-20250425-160021.yaml diff --git a/.changes/v1.13/ENHANCEMENTS-20250425-160021.yaml b/.changes/v1.13/ENHANCEMENTS-20250425-160021.yaml new file mode 100644 index 000000000000..d7e7c3e74204 --- /dev/null +++ b/.changes/v1.13/ENHANCEMENTS-20250425-160021.yaml @@ -0,0 +1,5 @@ +kind: ENHANCEMENTS +body: 'backend/azurerm: Support Azure DevOps environment variables and backend specific variables' +time: 2025-04-25T16:00:21.8153592+01:00 +custom: + Issue: "36922" From 0f9a91b6f3409353dd934ebe6bafc4c95e75e9d0 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Fri, 25 Apr 2025 18:27:11 +0100 Subject: [PATCH 3/5] fix env var name --- internal/backend/remote-state/azure/backend.go | 2 +- website/docs/language/backend/azurerm.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go index ab31b5e40f1a..4c273312ce90 100644 --- a/internal/backend/remote-state/azure/backend.go +++ b/internal/backend/remote-state/azure/backend.go 
@@ -166,7 +166,7 @@ func New() backend.Backend { "ado_pipeline_service_connection_id": { Type: schema.TypeString, Optional: true, - DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND", "ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID", "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"}, nil), + DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND", "ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID", "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"}, nil), Description: "The Azure DevOps Pipeline Service Connection ID.", }, diff --git a/website/docs/language/backend/azurerm.mdx b/website/docs/language/backend/azurerm.mdx index 188765f01964..1ad94be78271 100644 --- a/website/docs/language/backend/azurerm.mdx +++ b/website/docs/language/backend/azurerm.mdx 
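Review bot: The lookup order set on this line — `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND`, `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` — does not match what the series' final docs hunk (@@ -550 in PATCH 5/5) states: that text lists the names in a different order, omits `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, and names `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID`, which this code never reads. Because the first match decides which federated service connection the backend uses to reach state, the documented order has to match the code exactly. Carrying the order in the Description beside the list would make the two harder to drift: `Description: "The Azure DevOps Pipeline Service Connection ID. When unset, sourced from ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND, ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID, ARM_OIDC_AZURE_SERVICE_CONNECTION_ID, then AZURESUBSCRIPTION_SERVICE_CONNECTION_ID.",`. The backend-specific name is built on the `ARM_OIDC_AZURE_` base rather than the `ARM_ADO_PIPELINE_` base that the schema key mirrors; presumably deliberate for parity with the provider, but a one-line comment saying so would stop the next reader "fixing" it. `New()` begins and ends outside the hunk.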
@@ -550,7 +550,7 @@ The following configuration options are supported: * `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` or `ARM_CLIENT_ID_BACKEND` environment variable. -* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured. +* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured. * `oidc_request_url` - (Optional) The URL for the Open ID Connect provider from which to request an ID token. This is only required for advanced scenarios or third party integrations. This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` environment variables. The provider will look for values in this order and use the first it finds configured. From 254fc9e4ff0afa3fb4d45d5b40af8681f7c13514 Mon Sep 17 00:00:00 2001 
From: Jared Holgate Date: Thu, 15 May 2025 13:29:03 +0100 Subject: [PATCH 4/5] Fix name of variable --- website/docs/language/backend/azurerm.mdx | 40 +++++++++++------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/website/docs/language/backend/azurerm.mdx b/website/docs/language/backend/azurerm.mdx index 1ad94be78271..59ad2a7674b1 100644 --- a/website/docs/language/backend/azurerm.mdx +++ b/website/docs/language/backend/azurerm.mdx 
@@ -106,19 +106,19 @@ terraform { #### Example Configuration for Azure DevOps -With Azure DevOps, the ID Token endpoint environment variables are automatically found, but you need to supply the service connection ID in `oidc_azure_service_connection_id`. If you are using the `AzureCLI` or `AzurePowerShell` tasks, the service connection ID is automatically set to the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` environment variable. +With Azure DevOps, the ID Token endpoint environment variables are automatically found, but you need to supply the service connection ID in `ado_pipeline_service_connection_id`. If you are using the `AzureCLI` or `AzurePowerShell` tasks, the service connection ID is automatically set to the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` environment variable. ```hcl terraform { backend "azurerm" { - use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable. - oidc_azure_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` environment variable. - use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable. - tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable. - client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable. - storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name="` in the `init` command. - container_name = "tfstate" # Can be passed via `-backend-config=`"container_name="` in the `init` command. - key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key="` in the `init` command. + use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable. + ado_pipeline_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID` environment variable. 
+ use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable. + tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable. + client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable. + storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name="` in the `init` command. + container_name = "tfstate" # Can be passed via `-backend-config=`"container_name="` in the `init` command. + key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key="` in the `init` command. } } ``` 
@@ -379,20 +379,20 @@ terraform { #### Example Configuration for Azure DevOps -With Azure DevOps, the ID Token endpoint environment variables are automatically found, but you need to supply the service connection ID in `oidc_azure_service_connection_id`. If you are using the `AzureCLI` or `AzurePowerShell` tasks, the service connection ID is automatically set to the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` environment variable. +With Azure DevOps, the ID Token endpoint environment variables are automatically found, but you need to supply the service connection ID in `ado_pipeline_service_connection_id`. If you are using the `AzureCLI` or `AzurePowerShell` tasks, the service connection ID is automatically set to the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` environment variable. ```hcl terraform { backend "azurerm" { - use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable. - oidc_azure_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` environment variable. - tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable. - subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable. - client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable. - resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name="` in the `init` command. - storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name="` in the `init` command. - container_name = "tfstate" # Can be passed via `-backend-config=`"container_name="` in the `init` command. - key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key="` in the `init` command. + use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable. 
+ ado_pipeline_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID` environment variable. + tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable. + subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable. + client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable. + resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name="` in the `init` command. + storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name="` in the `init` command. + container_name = "tfstate" # Can be passed via `-backend-config=`"container_name="` in the `init` command. + key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key="` in the `init` command. } } ``` 
@@ -550,7 +550,7 @@ The following configuration options are supported: * `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` or `ARM_CLIENT_ID_BACKEND` environment variable. -* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured. +* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured. * `oidc_request_url` - (Optional) The URL for the Open ID Connect provider from which to request an ID token. This is only required for advanced scenarios or third party integrations. This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` environment variables. The provider will look for values in this order and use the first it finds configured. From 0d977f167232ed5a1bd205df704871c955207569 Mon Sep 17 00:00:00 2001 
From: Jared Holgate Date: Thu, 15 May 2025 13:31:28 +0100 Subject: [PATCH 5/5] Update azurerm.mdx --- website/docs/language/backend/azurerm.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/docs/language/backend/azurerm.mdx b/website/docs/language/backend/azurerm.mdx index 59ad2a7674b1..c6e22242525f 100644 --- a/website/docs/language/backend/azurerm.mdx +++ b/website/docs/language/backend/azurerm.mdx @@ -112,7 +112,7 @@ With Azure DevOps, the ID Token endpoint environment variables are automatically terraform { backend "azurerm" { use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable. - ado_pipeline_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID` environment variable. + ado_pipeline_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` environment variable. use_azuread_auth = true # Can also be set via `ARM_USE_AZUREAD` environment variable. tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable. client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable. 
@@ -385,7 +385,7 @@ With Azure DevOps, the ID Token endpoint environment variables are automatically terraform { backend "azurerm" { use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable. - ado_pipeline_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID` environment variable. + ado_pipeline_service_connection_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` environment variable. tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable. subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable. client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable. 
@@ -550,7 +550,7 @@ The following configuration options are supported: * `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` or `ARM_CLIENT_ID_BACKEND` environment variable. -* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured. +* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `ARM_OIDC_PIPELIME_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured. * `oidc_request_url` - (Optional) The URL for the Open ID Connect provider from which to request an ID token. This is only required for advanced scenarios or third party integrations. This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` environment variables. The provider will look for values in this order and use the first it finds configured.