From 7e2e3385f920d32e6cf6e67185527305e197ab2f Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Fri, 25 Apr 2025 15:47:45 +0100
Subject: [PATCH 1/3] add env vars and update docs
---
 internal/backend/remote-state/azure/backend.go | 4 ++--
 website/docs/language/backend/azurerm.mdx | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go
index d82e172101ba..ab31b5e40f1a 100644
--- a/internal/backend/remote-state/azure/backend.go
+++ b/internal/backend/remote-state/azure/backend.go
@@ -102,7 +102,7 @@ func New() backend.Backend {
 Type: schema.TypeString,
 Optional: true,
 Description: "The Client ID to use when authenticating using Azure Active Directory.",
- DefaultFunc: schema.EnvDefaultFunc("ARM_CLIENT_ID", ""),
+ DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_CLIENT_ID_BACKEND", "ARM_CLIENT_ID"}, ""),
 },
 "client_id_file_path": {
@@ -166,7 +166,7 @@ func New() backend.Backend {
 "ado_pipeline_service_connection_id": {
 Type: schema.TypeString,
 Optional: true,
- DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID"}, nil),
+ DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND", "ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID", "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"}, nil),
 Description: "The Azure DevOps Pipeline Service Connection ID.",
 },
diff --git a/website/docs/language/backend/azurerm.mdx b/website/docs/language/backend/azurerm.mdx
index 6237ed3f618e..188765f01964 100644
--- a/website/docs/language/backend/azurerm.mdx
+++ b/website/docs/language/backend/azurerm.mdx
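Review bot: The new `client_id` default checks `ARM_CLIENT_ID_BACKEND` before `ARM_CLIENT_ID`, but nothing on this line says the backend-specific name wins, and the doc entry updated in this patch names them the other way round ("`ARM_CLIENT_ID` or `ARM_CLIENT_ID_BACKEND`"). The same mismatch is in the `ado_pipeline_service_connection_id` hunk below and its rename in PATCH 3/3: the list puts the `_BACKEND` name first, while azurerm.mdx says values are looked up "in this order" and lists it last. Since these settings pick the identity that accesses state, I would record the precedence next to the list, e.g. `// Backend-specific variable first, so state access can use a different principal than the provider.`, and reorder the doc sentences to match. This assumes `MultiEnvDefaultFunc` returns the first variable that is set, which the docs' "use the first it finds configured" suggests. `New()` starts and ends outside the hunk.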
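Review bot: `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID`, added at the end of the `ado_pipeline_service_connection_id` list, is the only name here without the `ARM_` prefix, so it is presumably exported by the pipeline environment (the release note calls these "Azure DevOps environment variables") rather than set for Terraform on purpose. Placing it last keeps explicit `ARM_*` values ahead of it, which looks right, but the reason is not written down and the `Description` still reads only "The Azure DevOps Pipeline Service Connection ID.". A short comment such as `// Ambient Azure DevOps variable; kept last so explicit ARM_* settings take priority.` would stop a later reorder from silently changing which service connection the backend uses.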
@@ -70,7 +70,7 @@ These optional configuration options apply when [looking up the data plane URI](
 The recommended data plane role assignments required for this method are either one of:
-- `Storage Blob Data Owner` on the storage account container (Recommended)
+- `Storage Blob Data Contributor` on the storage account container (Recommended)
 - `Storage Blob Data Contributor` on the storage account
 The recommended management plane role assignments required for this method are:
@@ -339,7 +339,7 @@ These optional configuration options apply when [looking up the data plane URI](
 The recommended data plane role assignments required for this method are either one of:
-- `Storage Blob Data Owner` on the storage account container (Recommended)
+- `Storage Blob Data Contributor` on the storage account container (Recommended)
 - `Storage Blob Data Contributor` on the storage account
 The recommended management plane role assignments required for this method are:
@@ -548,9 +548,9 @@ The following configuration options are supported:
 * `use_oidc` - (Optional) Set to `true` to use OpenID Connect / Workload identity federation authentication for authentication to the storage account management and data plane. This can also be sourced from the `ARM_USE_OIDC` environment variable.
-* `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` environment variable.
+* `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` or `ARM_CLIENT_ID_BACKEND` environment variable.
-* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` environment variables. The provider will look for values in this order and use the first it finds configured.
+* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured.
 * `oidc_request_url` - (Optional) The URL for the Open ID Connect provider from which to request an ID token. This is only required for advanced scenarios or third party integrations.
This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` environment variables. The provider will look for values in this order and use the first it finds configured.
From c6990bf89ef712f4992ccdc0dfd46891df7e04c0 Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Fri, 25 Apr 2025 16:00:36 +0100
Subject: [PATCH 2/3] add release note
---
 .changes/v1.13/ENHANCEMENTS-20250425-160021.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changes/v1.13/ENHANCEMENTS-20250425-160021.yaml
diff --git a/.changes/v1.13/ENHANCEMENTS-20250425-160021.yaml b/.changes/v1.13/ENHANCEMENTS-20250425-160021.yaml
new file mode 100644
index 000000000000..d7e7c3e74204
--- /dev/null
+++ b/.changes/v1.13/ENHANCEMENTS-20250425-160021.yaml
@@ -0,0 +1,5 @@
+kind: ENHANCEMENTS
+body: 'backend/azurerm: Support Azure DevOps environment variables and backend specific variables'
+time: 2025-04-25T16:00:21.8153592+01:00
+custom:
+ Issue: "36922"
From 0f9a91b6f3409353dd934ebe6bafc4c95e75e9d0 Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Fri, 25 Apr 2025 18:27:11 +0100
Subject: [PATCH 3/3] fix env var name
---
 internal/backend/remote-state/azure/backend.go | 2 +-
 website/docs/language/backend/azurerm.mdx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go
index ab31b5e40f1a..4c273312ce90 100644
--- a/internal/backend/remote-state/azure/backend.go
+++ b/internal/backend/remote-state/azure/backend.go
@@ -166,7 +166,7 @@ func New() backend.Backend {
 "ado_pipeline_service_connection_id": {
 Type: schema.TypeString,
 Optional: true,
- DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND", "ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID", "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"}, nil),
+ DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND", "ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID", "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID"}, nil),
 Description: "The Azure DevOps Pipeline Service Connection ID.",
 },
diff --git a/website/docs/language/backend/azurerm.mdx b/website/docs/language/backend/azurerm.mdx
index 188765f01964..1ad94be78271 100644
--- a/website/docs/language/backend/azurerm.mdx
+++ b/website/docs/language/backend/azurerm.mdx
@@ -550,7 +550,7 @@ The following configuration options are supported:
 * `client_id` - (Optional) The Client ID of the Azure Active Directory Principal required for some authentication sub-types. This can also be sourced from the `ARM_CLIENT_ID` or `ARM_CLIENT_ID_BACKEND` environment variable.
-* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured.
+* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID required for Open ID Connect / Workload identity federation authentication with Azure DevOps. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID`, `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID_BACKEND` environment variables. The provider will look for values in this order and use the first it finds configured.
 * `oidc_request_url` - (Optional) The URL for the Open ID Connect provider from which to request an ID token. This is only required for advanced scenarios or third party integrations. This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` environment variables. The provider will look for values in this order and use the first it finds configured.