Docs: Azure OIDC Connection from Github Actions

[istairbn]

As per documentation, auth routes include Service Principal and Shared Keys.

https://docs.digger.dev/azure-specific/azure

It would be preferable from a security perspective to leverage OIDC - since shared keys and connection strings are very powerful & service principal credentials can get lost.

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure

[motatoes]

Hey @istairbn thanks for reporting, these docs are indeed outdated, I believe we do support OIDC for azure at the moment but we need to update the documentation for it to mention that

[0xmrwn]

@motatoes any idea where I can find indications on using OIDC with Azure? Is it similar to the GCP implementation? Also, is it supported for accessing the lock storage account?

[motatoes]

@0xmrwn I'm not sure about OIDC with azure, I haven't tested OIDC for azure yet. I haven't tested it with an azure account yet but based on #572 it should be:

    steps:
      - name: digger run ${{github.event.inputs.id}}
        run: echo digger run ${{ inputs.id }}
        shell: bash      
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@v0.4.17
        with:
          setup-azure: true
          azure-client-id: xxxx
          azure-tenant-id: yyyy
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

You can give it a shot and let me know if it works for you!

[0xmrwn]

Hi @motatoes, haven't tried accessing the lock storage account using OIDC yet, but login works just fine using :

name: Digger CI

on:
  pull_request:
    branches: [ "main" ]
    types: [ closed, opened, synchronize, reopened ]
  issue_comment:
    types: [created]
    if: contains(github.event.comment.body, 'digger')
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: digger run ${{github.event.inputs.id}}
        run: echo digger run ${{ inputs.id }}
        shell: bash      
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@v0.4.17
        with:
          setup-azure: true
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Note that azure-subscription-id and id-token: write permission are required.

PS: I'm trying to setup digger to manage IaC repos for a data platform on Azure, I'd be happy to contribute on updating the outdated Azure docs once I have everything running on my end.

[motatoes]

Nice!!! 🔥 Thanks for contributing, that would be so helpful

[0xmrwn]

I think OIDC is not working for managing digger locks on Azure Storage. I have set the service principal used in OIDC with "Storage Blob Data Contributor" role scoped on a storage account dedicated to digger locks, yet I'm getting an error.

It seems digger is defaulting to AWS for lock storage since I didn't provide DIGGER_AZURE_AUTH_METHOD ; is it just a documentation issue and the "OIDC" method is supported on this input parameter? Thanks in advance for your help.

Error logs from Action :

Running Azure CLI Login.
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Federated token details:
 issuer - https://token.actions.githubusercontent.com/
 subject claim - *************
Attempting Azure CLI login by using OIDC...
Subscription is set successfully.
Azure CLI login succeeds by using OIDC.
Run actions/github-script@v7
  
Run mkdir -p $GITHUB_WORKSPACE/cache
Run curl -sL [https://github.com/diggerhq/digger/releases/download/${actionref}/digger-cli-Linux-X64](https://github.com/diggerhq/digger/releases/download/$%7Bactionref%7D/digger-cli-Linux-X64) -o digger
Using AWS lock provider.
Using keyless aws digger_config
Failed to create lock provider. failed to connect to AWS account. operation error STS: GetCallerIdentity, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, failed to get API token, operation error ec2imds: getToken, http response error StatusCode: 400, request to EC2 IMDS failed
Error: Process completed with exit code 2.

Using this run-digger.yml workflow :

name: Digger CI

on:
  pull_request:
    branches: [ "main" ]
    types: [ closed, opened, synchronize, reopened ]
  issue_comment:
    types: [created]
    if: contains(github.event.comment.body, 'digger')
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: digger run ${{github.event.inputs.id}}
        run: echo digger run ${{ inputs.id }}
        shell: bash      
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@v0.4.20
        with:
          upload-plan-destination: github
          setup-azure: true
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

And this config in digger.yml :

auto_merge: true
projects:
- name: dummy_project
  dir: dummytf
  workflow: dummy_workflow
workflows:
  dummy_workflow:
    env_vars:
        - name: TF_VAR_azure_client_id
          value_from: AZURE_CLIENT_ID
        - name: TF_VAR_azure_tenant_id
          value_from: AZURE_TENANT_ID
        - name: TF_VAR_azure_subscription_id
          value_from: AZURE_SUBSCRIPTION_ID
      commands:
        - name: TF_VAR_azure_client_id
          value_from: AZURE_CLIENT_ID
        - name: TF_VAR_azure_tenant_id
          value_from: AZURE_TENANT_ID
        - name: TF_VAR_azure_subscription_id
          value_from: AZURE_SUBSCRIPTION_ID
    workflow_configuration:
      on_pull_request_pushed: ["digger plan"]
      on_pull_request_closed: ["digger unlock"]
      on_commit_to_default: [digger unlock]