Support for v2 auth tokens (i.e. MSAL) #14403
Conversation
manicminer
force-pushed
the
feature/v2-auth-tokens
branch
from
9fa7dad
to
f1e795f
Compare
manicminer
force-pushed
the
feature/v2-auth-tokens
branch
from
f1e795f
to
d8d2998
Compare
manicminer
force-pushed
the
feature/v2-auth-tokens
branch
from
d8d2998
to
b28f86c
Compare
There was a problem hiding this comment.
hey @manicminer
Thanks for this PR - apologies for the delayed review on this one.
I've taken a look through and left a few comments inline, but if we can fix those up then this should otherwise be good to go 👍
Thanks!
- This is opt-in behaviour via the provider property `use_msal`, and
environment variables `ARM_USE_MSAL` / `ARM_USE_MSGRAPH` (the latter
for compatibility with the related backend property
- When `use_msal` is true, do not make any API calls to a graph API
(legacy or current). There are only 2 uses of this at present:
- `data.azurerm_client_config`, which doesn't actually do anything
with the result so this appears to be a vestige anyway
- `azurerm_hdinsight_kafka_cluster`, the API for which requires
both an AAD group ID and name to be specified (?) so currently
this resource looks up the group name from the supplied ID. In
future we'll require that both are specified (e.g. using
`data.azuread_group` for any necessary lookup)
- In v3.0, we'll remove support for graph clients in order to delegate
any required usage to the AzureAD provider.
- Also removes support for Azure Germany, which is now offline
Co-authored-by: Tom Harvey <tombuildsstuff@users.noreply.github.com>
tombuildsstuff
force-pushed
the
feature/v2-auth-tokens
branch
from
20d8390
to
e04f89d
Compare
|
Rebased on top of #15043 / main |
|
@tombuildsstuff Thanks for the review & rebase. I've updated the default value for |
Co-authored-by: Tom Harvey <tombuildsstuff@users.noreply.github.com>
manicminer
force-pushed
the
feature/v2-auth-tokens
branch
from
c7a293f
to
55e6ae6
Compare
|
This functionality has been released in v2.94.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
This is opt-in behavior via the provider property
use_msal, and environment variablesARM_USE_MSAL/ARM_USE_MSGRAPH(the latter for compatibility with the related backend propertyWhen
use_msalis true, do not make any API calls to a graph API (legacy or current). There are only 2 uses of this at present:data.azurerm_client_config, which doesn't actually do anything with the result so this appears to be a vestige anywayazurerm_hdinsight_kafka_cluster, the API for which requires both an AAD group ID and name to be specified (?) so currently this resource looks up the group name from the supplied ID. In future we'll require that both are specified (e.g. usingdata.azuread_groupfor any necessary lookup)In v3.0, we'll enable v2 tokens provider-wide, and remove support for graph clients in order to delegate any required usage to the AzureAD provider.
Also removes support for Azure Germany, which is now offline
This PR depends on hashicorp/go-azure-helpers#90
and should be rebased accordingly.Note: Tests for
azurerm_hdinsight_kafka_clusterare currently failing due to #12417Related: #12443