diff --git a/internal/backend/remote-state/azure/arm_client.go b/internal/backend/remote-state/azure/arm_client.go
index c517c44bf7..85bbc4c5fa 100644
--- a/internal/backend/remote-state/azure/arm_client.go
+++ b/internal/backend/remote-state/azure/arm_client.go
@@ -7,6 +7,8 @@ import (
 	"os"
 	"time"
 
+	"github.com/manicminer/hamilton/environments"
+
 	"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/blobs"
 	"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/containers"
 
@@ -84,6 +86,7 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
 		SupportsClientCertAuth: true,
 		SupportsClientSecretAuth: true,
 		SupportsManagedServiceIdentity: config.UseMsi,
+		UseMicrosoftGraph: config.UseMicrosoftGraph,
 	}
 	armConfig, err := builder.Build()
 	if err != nil {
@@ -95,18 +98,43 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
 		return nil, err
 	}
 
-	sender := sender.BuildSender("backend/remote-state/azure")
-	auth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
+	hamiltonEnv, err := environments.EnvironmentFromString(config.Environment)
 	if err != nil {
 		return nil, err
 	}
 
-	if config.UseAzureADAuthentication {
-		storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
+	sender := sender.BuildSender("backend/remote-state/azure")
+	var auth autorest.Authorizer
+	if builder.UseMicrosoftGraph {
+		log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Resource Manager..")
+		auth, err = armConfig.GetMSALToken(ctx, hamiltonEnv.ResourceManager, sender, oauthConfig, env.TokenAudience)
 		if err != nil {
 			return nil, err
 		}
-		client.azureAdStorageAuth = &storageAuth
+	} else {
+		log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Resource Manager..")
+		auth, err = armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if config.UseAzureADAuthentication {
+		if builder.UseMicrosoftGraph {
+			log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Storage..")
+			storageAuth, err := armConfig.GetMSALToken(ctx, hamiltonEnv.Storage, sender, oauthConfig, env.ResourceIdentifiers.Storage)
+			if err != nil {
+				return nil, err
+			}
+			client.azureAdStorageAuth = &storageAuth
+		} else {
+			log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Storage..")
+			storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
+			if err != nil {
+				return nil, err
+			}
+			client.azureAdStorageAuth = &storageAuth
+		}
 	}
 
 	accountsClient := armStorage.NewAccountsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID)
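Review bot: `hamiltonEnv, err := environments.EnvironmentFromString(config.Environment)` now runs unconditionally, so an environment name that hamilton does not recognise turns a previously working ADAL configuration into a hard failure even though `hamiltonEnv` is only read inside the two `builder.UseMicrosoftGraph` branches; whether hamilton's name table agrees with the Azure SDK table the existing `env` was resolved from for every accepted `environment` value is not something I can confirm from this hunk, which is exactly why the lookup should not be on the ADAL path. Gate the lookup on `builder.UseMicrosoftGraph`, and, if `fmt` is already imported in this file, wrap the failure with the offending environment name instead of returning it bare so the operator can tell which of the two lookups rejected the value. The two Storage branches differ only in the token call and could share the trailing `client.azureAdStorageAuth = &storageAuth` assignment. buildArmClient starts and ends outside this hunk.
```go
	// … unchanged: earlier error return …
	var hamiltonEnv environments.Environment
	if builder.UseMicrosoftGraph {
		// Only the MSAL flow needs the hamilton environment; resolving it here
		// keeps an unknown name from breaking the ADAL path.
		hamiltonEnv, err = environments.EnvironmentFromString(config.Environment)
		if err != nil {
			return nil, err
		}
	}

	sender := sender.BuildSender("backend/remote-state/azure")
	// … unchanged: Resource Manager and Storage token acquisition …
```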
diff --git a/internal/backend/remote-state/azure/backend.go b/internal/backend/remote-state/azure/backend.go
index 889b1f7f82..682e35427e 100644
--- a/internal/backend/remote-state/azure/backend.go
+++ b/internal/backend/remote-state/azure/backend.go
@@ -142,6 +142,12 @@ func New() backend.Backend {
 				Description: "Should Terraform use AzureAD Authentication to access the Blob?",
 				DefaultFunc: schema.EnvDefaultFunc("ARM_USE_AZUREAD", false),
 			},
+			"use_microsoft_graph": {
+				Type: schema.TypeBool,
+				Optional: true,
+				Description: "Should Terraform obtain an auth token from Microsoft Graph rather than Azure Active Directory?",
+				DefaultFunc: schema.EnvDefaultFunc("ARM_USE_MSGRAPH", false),
+			},
 		},
 	}
 
@@ -181,6 +187,7 @@ type BackendConfig struct {
 	TenantID string
 	UseMsi bool
 	UseAzureADAuthentication bool
+	UseMicrosoftGraph bool
 }
 
 func (b *Backend) configure(ctx context.Context) error {
@@ -212,6 +219,7 @@ func (b *Backend) configure(ctx context.Context) error {
 		TenantID: data.Get("tenant_id").(string),
 		UseMsi: data.Get("use_msi").(bool),
 		UseAzureADAuthentication: data.Get("use_azuread_auth").(bool),
+		UseMicrosoftGraph: data.Get("use_microsoft_graph").(bool),
 	}
 
 	armClient, err := buildArmClient(context.TODO(), config)
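Review bot: The `Description` of the new `use_microsoft_graph` option says the token is obtained "from Microsoft Graph rather than Azure Active Directory", but in arm_client.go the flag only selects the MSAL flow over the ADAL flow while both branches request a token for the same audience (`env.TokenAudience` for Resource Manager, `env.ResourceIdentifiers.Storage` for Storage), so an operator reading the schema help or deciding whether to set `ARM_USE_MSGRAPH` gets a misleading picture of what changes. Suggest `Description: "Should Terraform use the MSAL / Microsoft Graph authentication flow instead of the ADAL / Azure Active Directory Graph flow when obtaining tokens?",`, which matches the wording of the debug log lines the same commit adds. The second and third hunks (the `BackendConfig` field and its population from `use_microsoft_graph`) are plain field plumbing and need nothing further.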