Backend/azure/update to latest sdks #36258
Conversation
…-11-09 to 2023-11-03
|
The failed "Unit Tests" is not related to this PR. |
|
Thanks for this submission, I let the HashiCorp Azure team know about this PR. |
|
I'll stop resolving the go.mod/sum file conflicts until before the final merge. |
go.mod
Outdated
| @@ -240,9 +239,12 @@ require ( | |||
| github.com/tencentyun/cos-go-sdk-v5 v0.7.42 // indirect | |||
| github.com/thanhpk/randstr v1.0.6 // indirect | |||
| github.com/thlib/go-timezone-local v0.0.3 // indirect | |||
| github.com/tombuildsstuff/giovanni v0.15.1 // indirect | |||
| github.com/tombuildsstuff/giovanni v0.27.0 // indirect | |||
There was a problem hiding this comment.
We're looking to move away from Toms sdk and this should be swapped to https://github.com/jackofallops/giovanni
| t.Fatalf("Missing ARM_TENANT_ID") | ||
| } | ||
|
|
||
| location := os.Getenv("ARM_TEST_LOCATION") |
There was a problem hiding this comment.
To keep this consistent with our current tests, we should swap this to ARM_LOCATION
There was a problem hiding this comment.
Following is the grep from v4.16.0:
terraform-provider-azurerm on HEAD (f54480d) via 🐹 v1.23.3
💤 grep -r "ARM_TEST_LOCATION" .
./DEVELOPER.md:- `ARM_TEST_LOCATION`
./DEVELOPER.md:- `ARM_TEST_LOCATION_ALT`
./DEVELOPER.md:- `ARM_TEST_LOCATION_ALT2`
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: // - ARM_TEST_LOCATION
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: // - ARM_TEST_LOCATION_ALT1
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: // - ARM_TEST_LOCATION_ALT2
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: if os.Getenv("ARM_TEST_LOCATION") == "" {
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: cmd.Env = append(os.Environ(), "ARM_TEST_LOCATION=WestEurope")
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: if os.Getenv("ARM_TEST_LOCATION_ALT1") == "" {
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: cmd.Env = append(os.Environ(), "ARM_TEST_LOCATION_ALT1=WestUS")
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: if os.Getenv("ARM_TEST_LOCATION_ALT2") == "" {
./vendor/github.com/magodo/terraform-provider-azurerm-example-gen/examplegen/gen.go: cmd.Env = append(os.Environ(), "ARM_TEST_LOCATION_ALT2=WestUS2")
./contributing/topics/running-the-tests.md:* `ARM_TEST_LOCATION`
./contributing/topics/running-the-tests.md:* `ARM_TEST_LOCATION_ALT`
./contributing/topics/running-the-tests.md:* `ARM_TEST_LOCATION_ALT2`
./internal/acceptance/data.go: Primary: os.Getenv("ARM_TEST_LOCATION"),
./internal/acceptance/data.go: Secondary: os.Getenv("ARM_TEST_LOCATION_ALT"),
./internal/acceptance/data.go: Ternary: os.Getenv("ARM_TEST_LOCATION_ALT2"),
./internal/acceptance/testing.go: "ARM_TEST_LOCATION",
./internal/acceptance/testing.go: "ARM_TEST_LOCATION_ALT",
./internal/acceptance/testing.go: "ARM_TEST_LOCATION_ALT2",
./internal/acceptance/locations.go: os.Getenv("ARM_TEST_LOCATION"),
./internal/acceptance/locations.go: os.Getenv("ARM_TEST_LOCATION_ALT"),
./internal/acceptance/locations.go: os.Getenv("ARM_TEST_LOCATION_ALT2"),
./.teamcity/components/build_azure.kt: hiddenVariable("env.ARM_TEST_LOCATION", locationsForEnv.primary, "The Primary region which should be used for testing")
./.teamcity/components/build_azure.kt: hiddenVariable("env.ARM_TEST_LOCATION_ALT", locationsForEnv.secondary, "The Secondary region which should be used for testing")
./.teamcity/components/build_azure.kt: hiddenVariable("env.ARM_TEST_LOCATION_ALT2", locationsForEnv.tertiary, "The Tertiary region which should be used for testing")
terraform-provider-azurerm on HEAD (f54480d) via 🐹 v1.23.3
💤 grep -r "ARM_LOCATION" .
# NothingCould you please double confirm ARM_LOCATION is now used in preference to ARM_TEST_LOCATION?
There was a problem hiding this comment.
I understand that's the way it is in the provider but it's currently ARM_LOCATION in the backend so let's leave it as ARM_LOCATION for consistency with how we're currently testing the backend. We can revisit it when pluggable backends are a thing and the backend has been moved out of the terraform repo
There was a problem hiding this comment.
Assuming this env var is used somewhere else:
terraform on backend/azure/update-to-latest-sdks via 🐹 v1.23.3
💤 grep -r "ARM_LOCATION" .
# NothingI've made the change anyway.
|
|
||
| // newCtx creates a context with a (meaningless) deadline. | ||
| // This is only to make the go-azure-sdk/sdk/client Client happy. | ||
| func newCtx() context.Context { |
There was a problem hiding this comment.
I don't fully understand this change. If I swap this change back to context.TODO() the backend still seems to work. Can you elaborate a bit more on what issues you are seeing with this
There was a problem hiding this comment.
You'll get an error like below:
2025/01/20 13:22:18 Creating Resource Group "acctestRG-backend-25012013221826-9rd0jbe38q"
2025/01/20 13:22:18 [DEBUG] Deleting Resource Group "acctestRG-backend-25012013221826-9rd0jbe38q"..
client_test.go:28: Error creating Test Resources: "failed to create test resource group: the context used must have a deadline attached for polling purposes, but got no deadline"This is derived from, e.g. go-azure-sdk/sdk/client/resourcemanager/client.go:
func (c *Client) NewRequest(ctx context.Context, input client.RequestOptions) (*client.Request, error) {
// TODO move these validations to base client method
if _, ok := ctx.Deadline(); !ok {
return nil, fmt.Errorf("the context used must have a deadline attached for polling purposes, but got no deadline")
}There was a problem hiding this comment.
Great! Thanks for the added info
| "endpoint": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Deprecated: "`endpoint` is deprecated and no longer used, it will be removed in a future version of Terraform", |
There was a problem hiding this comment.
This is marked as deprecated when I took over the PR from Tom B. I think the main reason is that this field is not used in the azurerm provider (probably is superseded by the msi_endpoint).
There was a problem hiding this comment.
If we're going to use msi_endpoint over endpoint we should call that out in the deprecation message. Just saying something is deprecated without a clear alternative isn't a good user experience
There was a problem hiding this comment.
Updated the comment, while I guess they are not 100% equivalent..
| return nil, nil | ||
| } | ||
| return nil, err | ||
| } | ||
|
|
||
| if blob.Contents == nil { | ||
| return nil, nil |
There was a problem hiding this comment.
Is this the expected behavior here or should we return an error?
There was a problem hiding this comment.
This one is also taken from the branch of Tom. I think the sanity here is that the Client.Get() accept there is no remote state:
terraform/internal/states/remote/state.go
Lines 138 to 149 in ba8d180
The other implementation of the State do the same thing, e.g.:
terraform/internal/backend/remote-state/consul/client.go
Lines 80 to 87 in ba8d180
terraform/internal/backend/remote-state/cos/client.go
Lines 47 to 54 in ba8d180
There was a problem hiding this comment.
Great! Thanks for the added info
| client.configureClient(client.storageAccountsClient.Client, resourceManagerAuth) | ||
|
|
||
| // Populating the storage account detail | ||
| said := commonids.NewStorageAccountID(config.SubscriptionID, config.ResourceGroupName, client.storageAccountName) |
There was a problem hiding this comment.
said is a word. Could we please make this storageAccountId or something similar
| said := commonids.NewStorageAccountID(config.SubscriptionID, config.ResourceGroupName, client.storageAccountName) | ||
| resp, err := client.storageAccountsClient.GetProperties(ctx, said, storageaccounts.DefaultGetPropertiesOperationOptions()) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("getting %s: %+v", said, err) |
There was a problem hiding this comment.
| return nil, fmt.Errorf("getting %s: %+v", said, err) | |
| return nil, fmt.Errorf("retrieving %s: %+v", said, err) |
| return nil, fmt.Errorf("getting %s: %+v", said, err) | ||
| } | ||
| if resp.Model == nil { | ||
| return nil, fmt.Errorf("unexpected null model of %s", said) |
There was a problem hiding this comment.
| return nil, fmt.Errorf("unexpected null model of %s", said) | |
| return nil, fmt.Errorf("retrieving %s: model was nil", said) |
| log.Printf("[DEBUG] Building the Blob Client from an Access Token (using user credentials)") | ||
| key, err := c.accountDetail.AccountKey(ctx, c.storageAccountsClient) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("Error retrieving key for Storage Account %q: %s", c.storageAccountName, err) |
There was a problem hiding this comment.
| return nil, fmt.Errorf("Error retrieving key for Storage Account %q: %s", c.storageAccountName, err) | |
| return nil, fmt.Errorf("retrieving key for Storage Account %q: %s", c.storageAccountName, err) |
| if err != nil { | ||
| return nil, fmt.Errorf("Error retrieving key for Storage Account %q: %s", c.storageAccountName, err) | ||
| } | ||
| accessKey := *key |
There was a problem hiding this comment.
Does this need to be pulled out this way? I only see it used in one place so we could just point to it there
| if err != nil { | ||
| return fmt.Errorf("getting %s: %+v", said, err) |
There was a problem hiding this comment.
| return fmt.Errorf("getting %s: %+v", said, err) | |
| return fmt.Errorf("retrieving %s: %+v", said, err) |
| @@ -281,3 +295,7 @@ func (c *RemoteClient) Unlock(id string) error { | |||
|
|
|||
| return nil | |||
| } | |||
|
|
|||
| func responseWasNotFound(resp *http.Response) bool { | |||
There was a problem hiding this comment.
We have a helper for this in go-azure-helpers that we can use here. So we can just nil check it and then use the helper rather than define a new helper here
| t.Fatalf("Missing ARM_TENANT_ID") | ||
| } | ||
|
|
||
| location := os.Getenv("ARM_TEST_LOCATION") |
There was a problem hiding this comment.
I understand that's the way it is in the provider but it's currently ARM_LOCATION in the backend so let's leave it as ARM_LOCATION for consistency with how we're currently testing the backend. We can revisit it when pluggable backends are a thing and the backend has been moved out of the terraform repo
|
|
||
| // newCtx creates a context with a (meaningless) deadline. | ||
| // This is only to make the go-azure-sdk/sdk/client Client happy. | ||
| func newCtx() context.Context { |
There was a problem hiding this comment.
Great! Thanks for the added info
| return nil, nil | ||
| } | ||
| return nil, err | ||
| } | ||
|
|
||
| if blob.Contents == nil { | ||
| return nil, nil |
There was a problem hiding this comment.
Great! Thanks for the added info
|
@mbfrahry Thanks for the new round of review! I've updated the code according to all the feedbacks you've provided. Test passed: backend/remote-state/azure on εéá backend/azure/update-to-latest-sdks via Go v1.23.3
$ TF_ACC=1 go test -timeout=20h -parallel=20 ./...
ok github.com/hashicorp/terraform/internal/backend/remote-state/azure 264.298s |
|
@mbfrahry CI passed now. |
| @@ -0,0 +1,5 @@ | |||
| kind: ENHANCEMENTS | |||
| body: Update the `azure` backend authentication mechanisms | |||
There was a problem hiding this comment.
We should make this more descriptive with some of the changes coming into this PR like the new fields and any bug fixes that might be fixed through these changes
There was a problem hiding this comment.
I reviewed the docs and suggested some changes to improve the grammar and consistency with our style guidelines. I am uncertain about the accuracy of the suggestions because the existing description are vague. Please make any necessary corrections following the sentence patterns I added.
| * `endpoint` - (Optional) The Custom Endpoint for Azure Resource Manager. This can also be sourced from the `ARM_ENDPOINT` environment variable. | ||
|
|
||
| ~> **NOTE:** An `endpoint` should only be configured when using Azure Stack. | ||
| * `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china` and `usgovernment`. Defaults to `public`. |
There was a problem hiding this comment.
| * `environment` - (Optional) The Azure Environment which should be used. This can also be sourced from the `ARM_ENVIRONMENT` environment variable. Possible values are `public`, `china` and `usgovernment`. Defaults to `public`. | |
| - `environment`: (Optional) Specifies the Azure environment to use. Specify one of the following values: | |
| - `public`, | |
| - `china` | |
| - `usgovernment`. | |
| The default is `public`. | |
| You can set the `ARM_ENVIRONMENT` environment variable to configure this option. |
Addresses grammar issues and writing style violations.
|
|
||
| * `metadata_host` - (Optional) The Hostname of the Azure Metadata Service (for example `management.azure.com`), used to obtain the Cloud Environment when using a Custom Azure Environment. This can also be sourced from the `ARM_METADATA_HOSTNAME` Environment Variable. | ||
|
|
||
| * `snapshot` - (Optional) Should the Blob used to store the Terraform Statefile be snapshotted before use? Defaults to `false`. This value can also be sourced from the `ARM_SNAPSHOT` environment variable. | ||
|
|
||
| * `use_cli` - (Optional) Should Azure CLI be used for authentication? Defaults to `false`. This value can also be sourced from the `ARM_USE_CLI` environment variable. |
There was a problem hiding this comment.
| * `use_cli` - (Optional) Should Azure CLI be used for authentication? Defaults to `false`. This value can also be sourced from the `ARM_USE_CLI` environment variable. | |
| - `use_cli`: (Optional) Enables Terraform to use the Azure CLI for authentication. The default is `false`. You can also set the `ARM_USE_CLI` environment variable to configure this option. |
Not sure why some of these are phrased as questions, but we should directly and concretely state what the option does.
There was a problem hiding this comment.
The question style is what we've been using for the azreurm document all the time, for bools.
| @@ -552,6 +550,8 @@ When authenticating using a Service Principal with OpenID Connect (OIDC / Worklo | |||
|
|
|||
| * `use_oidc` - (Optional) Should OIDC authentication be used? This can also be sourced from the `ARM_USE_OIDC` environment variable. | |||
|
|
|||
| * `use_aks_workload_identity` (Optional) Should Azure AKS Workload Identity be used for Authentication? This can also be sourced from the `ARM_USE_AKS_WORKLOAD_IDENTITY` environment variable. | |||
There was a problem hiding this comment.
| * `use_aks_workload_identity` (Optional) Should Azure AKS Workload Identity be used for Authentication? This can also be sourced from the `ARM_USE_AKS_WORKLOAD_IDENTITY` environment variable. | |
| - `use_aks_workload_identity`: (Optional) Enables Terraform to use the Azure AKS workload identity for authentication. You can set the `ARM_USE_AKS_WORKLOAD_IDENTITY` environment variable to configure this option. |
| @@ -580,10 +580,14 @@ When authenticating using a Service Principal with a Client Certificate - the fo | |||
|
|
|||
| * `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable. | |||
|
|
|||
| * `client_id_file_path` (Optional) The path to a file containing the Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID_FILE_PATH` Environment Variable. | |||
There was a problem hiding this comment.
| * `client_id_file_path` (Optional) The path to a file containing the Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID_FILE_PATH` Environment Variable. | |
| - `client_id_file_path`: (Optional) Specifies the path to a file containing the client ID. Terraform presents the client ID when authenticating with Azure. You can set the `ARM_CLIENT_ID_FILE_PATH` environment variable to configure this option. |
What does Terraform do with the client ID? Please correct this suggestion as necessary.
There was a problem hiding this comment.
Terraform presents the client ID when authenticating with Azure
| * `client_certificate_password` - (Optional) The password associated with the Client Certificate specified in `client_certificate_path`. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` environment variable. | ||
|
|
||
| * `client_certificate_path` - (Optional) The path to the PFX file used as the Client Certificate when authenticating as a Service Principal. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` environment variable. | ||
|
|
||
| * `client_certificate` - (Optional) Base64 encoded PKCS#12 certificate bundle to use when authenticating as a Service Principal using a Client Certificate. This can also be sourced from the `ARM_CLIENT_CERTIFICATE` environment variable. |
There was a problem hiding this comment.
| * `client_certificate` - (Optional) Base64 encoded PKCS#12 certificate bundle to use when authenticating as a Service Principal using a Client Certificate. This can also be sourced from the `ARM_CLIENT_CERTIFICATE` environment variable. | |
| - `client_certificate`: (Optional) Specifies a base64-encoded PKCS#12 certificate bundle to use for authenticating as a service principal using a client certificate. You can set the `ARM_CLIENT_CERTIFICATE` environment variable to configure this option. |
| @@ -596,8 +600,12 @@ When authenticating using a Service Principal with a Client Secret - the followi | |||
|
|
|||
| * `client_id` - (Optional) The Client ID of the Service Principal. This can also be sourced from the `ARM_CLIENT_ID` environment variable. | |||
|
|
|||
| * `client_id_file_path` (Optional) The path to a file containing the Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID_FILE_PATH` Environment Variable. | |||
There was a problem hiding this comment.
| * `client_id_file_path` (Optional) The path to a file containing the Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID_FILE_PATH` Environment Variable. | |
| - `client_id_file_path`: (Optional) Specifies the path to a file containing the client ID. Terraform presents the file client ID when authenticating with Azure. This can also be sourced from the `ARM_CLIENT_ID_FILE_PATH` Environment Variable. |
Again, not sure if I'm describing the process correctly, but we should use active voice to make this information clear.
| * `client_secret` - (Optional) The Client Secret of the Service Principal. This can also be sourced from the `ARM_CLIENT_SECRET` environment variable. | ||
|
|
||
| * `client_secret_file_path` - (Optional) The path to a file containing the Client Secret which should be used. This can also be sourced from the `ARM_CLIENT_SECRET_FILE_PATH` Environment Variable. |
There was a problem hiding this comment.
| * `client_secret_file_path` - (Optional) The path to a file containing the Client Secret which should be used. This can also be sourced from the `ARM_CLIENT_SECRET_FILE_PATH` Environment Variable. | |
| - `client_secret_file_path`: (Optional) Specifies the path to a file containing the client secret. Terraform must present the client secret to authenticate with Azure. You can set the `ARM_CLIENT_SECRET_FILE_PATH` environment variable to configure this option. |
Thank you for pointing this out! Whilst by scanning the suggested changes, it makes this document a little bit inconsistent itself. I suggest we can create a dedicated PR to rephrase the document here to be consistent with the other docs in this repo. WDYT? |
I don't mind if the styles are a little inconsistent on this page until we can open a new PR to address the rest of it. We do not expect people to read this type of reference information from top to bottom, so the inconsistencies might not even be that noticeable. And besides, progress over perfection :) |
This PR updates the
azurebackend authentication to match theterraform-provider-azurermprovider authentication, in several ways:azurermprovider v4.14.0)The backend configuration logic is updated to match the provider logic. As a result, some new properties are added:
use_cliuse_aks_workload_identityclient_id_file_pathclient_certificateclient_id_file_pathclient_secret_file_pathOne implementation detail is that the using the same Azure storage dataplane SDK, the storage client requires a base URI of the storage account, which is derived by sending a GET to the storage account. This is skipped in case the storage shared access key or sas token is specified, which is to behave identically as the current version.
Also, this PR improves the acctests in following ways:
go testis big enough to avoid env vars clean for the single process (launched bygo test) won't interfere the paused tests.Fixes #34322
Target Release
1.11.0
Draft CHANGELOG entry
ENHANCEMENTS
Test