Azure · jaredfholgate · Dec 12, 2023 · Dec 11, 2023 · Dec 11, 2023 · Dec 11, 2023
diff --git a/bootstrap/modules/azure_devops/locals_files.tf b/bootstrap/modules/azure_devops/locals_files.tf
@@ -33,7 +33,7 @@ locals {
   }
   module_files = { for key, value in var.repository_files : key =>
     {
-      content = replace((file(value.path)), "# backend \"azurerm\" {}", "backend \"azurerm\" {}")
+      content = replace((file(value.path)), "# backend \"azurerm\" {}", "backend \"azurerm\" {\n    ${local.is_authentication_scheme_workload_identity_federation ? "use_oidc         = true" : "use_msi          = true"}\n    use_azuread_auth = true\n  }")
     } if value.flag == "module" || value.flag == "additional"
   }
   repository_files = merge(local.cicd_file, local.module_files, var.use_template_repository ? {} : local.cicd_template_files)

diff --git a/bootstrap/modules/azure_devops/repository_module.tf b/bootstrap/modules/azure_devops/repository_module.tf
@@ -14,7 +14,7 @@ resource "azuredevops_git_repository_file" "alz" {
   file                = each.key
   content             = each.value.content
   branch              = local.default_branch
-  commit_message      = "Add ${each.key} [skip ci]"
+  commit_message      = "[skip ci]"
   overwrite_on_create = true
 }
 

diff --git a/bootstrap/modules/azure_devops/repository_templates.tf b/bootstrap/modules/azure_devops/repository_templates.tf
@@ -14,7 +14,7 @@ resource "azuredevops_git_repository_file" "alz_templates" {
   file                = each.key
   content             = each.value.content
   branch              = local.default_branch
-  commit_message      = "Add ${each.key} [skip ci]"
+  commit_message      = "[skip ci]"
   overwrite_on_create = true
 }
 

diff --git a/templates/ci_cd/azuredevops/templates/helpers/terraform-apply.yaml b/templates/ci_cd/azuredevops/templates/helpers/terraform-apply.yaml
@@ -11,14 +11,27 @@ steps:
       azureSubscription: $${{ parameters.serviceConnection }}
       scriptType: pscore
       scriptLocation: inlineScript
+      addSpnToEnvironment: true
       inlineScript: |
-        # Workaround for MSI authentication
+        # Get settings from service connection
         az account show 2>$null | ConvertFrom-Json | Set-Variable account
-        if($account.user.name -eq 'systemAssignedIdentity') {
-          $env:ARM_USE_CLI = 'false'
+        $clientId = $account.user.name
+        $oidcToken ??= $env:idToken # requires addSpnToEnvironment: true
+        $subscriptionId = $account.id
+        $tenantId = $account.tenantId
+        $isOidc = $oidcToken -ne $null
+
+        $env:ARM_TENANT_ID = $account.tenantId
+        $env:ARM_SUBSCRIPTION_ID = $account.id
+
+        if($isOidc) {
+          # Note: We are using CLI auth for the provider as it caches the access token for us, which helps with edge cases like terraform test.
+          # The backend is hard coded to use OIDC auth as it does not support CLI auth yet.
+          $env:ARM_USE_CLI = 'true'
+          $env:ARM_OIDC_TOKEN = $oidcToken
+          $env:ARM_CLIENT_ID = $clientId
+        } else {
           $env:ARM_USE_MSI = 'true'
-          $env:ARM_TENANT_ID = $account.tenantId
-          $env:ARM_SUBSCRIPTION_ID = $account.id
         }
 
         # Run Terraform Apply
@@ -29,7 +42,3 @@ steps:
         $arguments += "tfplan"
         Write-Host "Running: $command $arguments"
         & $command $arguments
-
-    env:
-      ARM_USE_AZUREAD: true
-      ARM_USE_CLI: true
diff --git a/templates/ci_cd/azuredevops/templates/helpers/terraform-init.yaml b/templates/ci_cd/azuredevops/templates/helpers/terraform-init.yaml
@@ -22,22 +22,22 @@ steps:
         $oidcToken ??= $env:idToken # requires addSpnToEnvironment: true
         $subscriptionId = $account.id
         $tenantId = $account.tenantId
+        $isOidc = $oidcToken -ne $null
 
         $arguments = @()
         $arguments += "init"
         $arguments += "-backend-config=`"storage_account_name=$($env:BACKEND_AZURE_STORAGE_ACCOUNT_NAME)`""
         $arguments += "-backend-config=`"container_name=$($env:BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME)`""
         $arguments += "-backend-config=`"key=$($env:BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_KEY_NAME)`""
         $arguments += "-backend-config=`"resource_group_name=$($env:BACKEND_AZURE_RESOURCE_GROUP_NAME)`""
-        $arguments += "-backend-config=`"subscription_id=$subscriptionId`""
-        $arguments += "-backend-config=`"tenant_id=$tenantId`""
 
-        if($oidcToken -eq $null) {
-          $arguments += '-backend-config="use_msi=true"'
-        } else {
-          $arguments += "-backend-config=`"client_id=$clientId`""
-          $arguments += "-backend-config=`"oidc_token=$oidcToken`""
-          $arguments += '-backend-config="use_oidc=true"'
+        $env:ARM_SUBSCRIPTION_ID = $subscriptionId
+        $env:ARM_TENANT_ID = $tenantId
+
+        # Note: The backend is hardcoded to use oidc or msi auth as we want to use a different auth type for the provider during plan and apply.
+        if($isOidc) {
+          $env:ARM_OIDC_TOKEN = $oidcToken
+          $env:ARM_CLIENT_ID = $clientId
         }
 
         # Run terraform init
@@ -46,7 +46,6 @@ steps:
         & $command $arguments
 
     env:
-      ARM_USE_AZUREAD: true
       BACKEND_AZURE_RESOURCE_GROUP_NAME: $${{ parameters.backendAzureResourceGroupName }}
       BACKEND_AZURE_STORAGE_ACCOUNT_NAME: $${{ parameters.backendAzureStorageAccountName }}
       BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME: $${{ parameters.backendAzureStorageAccountContainerName }}

diff --git a/templates/ci_cd/azuredevops/templates/helpers/terraform-installer.ps1 b/templates/ci_cd/azuredevops/templates/helpers/terraform-installer.ps1
diff --git a/templates/ci_cd/azuredevops/templates/helpers/terraform-plan.yaml b/templates/ci_cd/azuredevops/templates/helpers/terraform-plan.yaml
@@ -11,14 +11,27 @@ steps:
       azureSubscription: $${{ parameters.serviceConnection }}
       scriptType: pscore
       scriptLocation: inlineScript
+      addSpnToEnvironment: true
       inlineScript: |
-        # Workaround for MSI authentication
+        # Get settings from service connection
         az account show 2>$null | ConvertFrom-Json | Set-Variable account
-        if($account.user.name -eq 'systemAssignedIdentity') {
-          $env:ARM_USE_CLI = 'false'
+        $clientId = $account.user.name
+        $oidcToken ??= $env:idToken # requires addSpnToEnvironment: true
+        $subscriptionId = $account.id
+        $tenantId = $account.tenantId
+        $isOidc = $oidcToken -ne $null
+
+        $env:ARM_TENANT_ID = $account.tenantId
+        $env:ARM_SUBSCRIPTION_ID = $account.id
+
+        if($isOidc) {
+          # Note: We are using CLI auth for the provider as it caches the access token for us, which helps with edge cases like terraform test.
+          # The backend is hard coded to use OIDC auth as it does not support CLI auth yet.
+          $env:ARM_USE_CLI = 'true'
+          $env:ARM_OIDC_TOKEN = $oidcToken
+          $env:ARM_CLIENT_ID = $clientId
+        } else {
           $env:ARM_USE_MSI = 'true'
-          $env:ARM_TENANT_ID = $account.tenantId
-          $env:ARM_SUBSCRIPTION_ID = $account.id
         }
 
         # Run Terraform Plan
@@ -36,6 +49,4 @@ steps:
         & $command $arguments
 
     env:
-      ARM_USE_AZUREAD: true
-      ARM_USE_CLI: true
       TERRAFORM_ACTION: $${{ coalesce(parameters.terraform_action, 'apply') }}