
azuredns: allow oidc authentication #2036

Merged: 4 commits into go-acme:master, Oct 30, 2023

Conversation

pchanvallon
Contributor

Hello,

Here is the implementation for the OIDC authentication support (fixes #2027).

I was able to test the integration with GitHub actions workflows, but not with Terraform cloud.
@stmcx, can you check that this also works in your use case?

Thanks.

@stmcx

stmcx commented Oct 20, 2023

Thanks @pchanvallon

Rebuilt Terraform ACME provider with replace github.com/go-acme/lego/v4 v4.14.2 => github.com/pchanvallon/lego/v4 v4.0.0-20231018073353-c97089b94e14

Did not work and got 401 at first

Then included AZURE_AUTH_METHOD="oidc" and it worked!

* (Terraform Cloud exports "ARM_USE_OIDC" = "true" instead but that is okay)

```hcl
resource "acme_certificate" "certificate" {
  account_key_pem              = acme_registration.registration.account_key_pem
  common_name                  = var.certificate_common_name
  subject_alternative_names    = []
  disable_complete_propagation = true
  dns_challenge {
    provider = "azuredns"
    config = {
      AZURE_RESOURCE_GROUP = var.certificate_dns_challenge_azure_resource_group_name
      AZURE_AUTH_METHOD    = "oidc"
    }
  }
}
```

Also, I added these here to the provider since Terraform Cloud exports them as ARM rather than AZURE. I guess the provider maintainers will know more.

```go
"ARM_OIDC_REQUEST_TOKEN":   "AZURE_OIDC_REQUEST_TOKEN",
"ARM_OIDC_REQUEST_URL":     "AZURE_OIDC_REQUEST_URL",
"ARM_OIDC_TOKEN":           "AZURE_OIDC_TOKEN",
"ARM_OIDC_TOKEN_FILE_PATH": "AZURE_OIDC_TOKEN_FILE_PATH",
```
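As an added example (not code from this PR or from lego itself), the Go resolver below shows the variable handling discussed in this thread: AZURE_AUTH_METHOD must be "oidc", each AZURE_OIDC_* value falls back to the ARM_* name Terraform Cloud exports, and a token file is read only when no inline token is given. Which variable combinations lego actually accepts, and AZURE_* taking precedence over ARM_*, are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// OIDCConfig: inputs of the azuredns "oidc" method (names from this thread; semantics assumed).
// RequestToken/RequestURL: GitHub Actions style exchange; Token/TokenFile: federated token inline or in a file.
type OIDCConfig struct{ RequestToken, RequestURL, Token, TokenFile string }

// Inverse of the mapping in stmcx's comment: lego reads AZURE_*, Terraform Cloud exports ARM_*.
var azureToARM = map[string]string{
	"AZURE_OIDC_REQUEST_TOKEN":   "ARM_OIDC_REQUEST_TOKEN",
	"AZURE_OIDC_REQUEST_URL":     "ARM_OIDC_REQUEST_URL",
	"AZURE_OIDC_TOKEN":           "ARM_OIDC_TOKEN",
	"AZURE_OIDC_TOKEN_FILE_PATH": "ARM_OIDC_TOKEN_FILE_PATH",
}
// lookup prefers the AZURE_* value and falls back to the ARM_* alias (precedence is assumed).
func lookup(env map[string]string, key string) string {
	if v := env[key]; v != "" {
		return v
	}
	return env[azureToARM[key]]
}
// ResolveOIDC checks that the oidc method is selected and that one usable token source exists;
// readFile is injected so the resolver runs offline in tests.
func ResolveOIDC(env map[string]string, readFile func(string) ([]byte, error)) (*OIDCConfig, error) {
	if env["AZURE_AUTH_METHOD"] != "oidc" {
		return nil, fmt.Errorf("AZURE_AUTH_METHOD=%q, expected \"oidc\"", env["AZURE_AUTH_METHOD"])
	}
	cfg := &OIDCConfig{
		RequestToken: lookup(env, "AZURE_OIDC_REQUEST_TOKEN"), RequestURL: lookup(env, "AZURE_OIDC_REQUEST_URL"),
		Token:        lookup(env, "AZURE_OIDC_TOKEN"), TokenFile: lookup(env, "AZURE_OIDC_TOKEN_FILE_PATH"),
	}
	if cfg.Token == "" && cfg.TokenFile != "" { // file consulted only when no inline token is set
		b, err := readFile(cfg.TokenFile)
		if err != nil {
			return nil, fmt.Errorf("read OIDC token file: %w", err)
		}
		cfg.Token = strings.TrimSpace(string(b)) // token files commonly end with a newline
	}
	if cfg.Token == "" && (cfg.RequestToken == "" || cfg.RequestURL == "") {
		return nil, fmt.Errorf("oidc selected but no token, token file, or request token+URL configured")
	}
	return cfg, nil
}

func main() { // constructed env: Terraform Cloud style ARM_* export plus the explicit auth method
	fmt.Println(ResolveOIDC(map[string]string{"AZURE_AUTH_METHOD": "oidc", "ARM_OIDC_TOKEN": "constructed"}, os.ReadFile))
}
```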

@pchanvallon
Contributor Author

Hello @stmcx,
Thank you for your feedback.
Yes, we will have to request this change in the acme TF provider after the lib update to finalize the integration.

@ldez ldez added this to the v4.15 milestone Oct 23, 2023
@pchanvallon pchanvallon force-pushed the feat/azuredns-allow-oidc-auth branch from 5aee785 to b975e27, October 26, 2023 08:57
@ldez ldez force-pushed the feat/azuredns-allow-oidc-auth branch from eda3149 to 5b59784, October 30, 2023 13:08
Member

@ldez ldez left a comment


LGTM

@ldez ldez merged commit 4f242c9 into go-acme:master Oct 30, 2023

@adeturner adeturner mentioned this pull request Dec 21, 2023

Successfully merging this pull request may close these issues.

Azure DNS OIDC support