diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d640b59..a07e73ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ BREAKING CHANGES: - The `ignore_body_changes` field is removed. Please use the `lifecyle.ignore_changes` to ignore some properties when comparing the resource with its current state. - The `body` field now only accepts an HCL object. Please remove the `jsondecode` function when using the `body` field. - The `output` field now only exports an HCL object. Please remove the `jsondecode` function when using the `output` field. +- The `use_msi` field now defaults to `false`, please set it to `true` explicitly if you want to authenticate using Managed Service Identity. FEATURES: - **New Provider Function**: build_resource_id diff --git a/docs/index.md b/docs/index.md index 34a001a2..3a2f3630 100644 --- a/docs/index.md +++ b/docs/index.md @@ -54,40 +54,40 @@ provider "azapi" { ### Optional -- `auxiliary_tenant_ids` (List of String) The Auxiliary Tenant IDs which should be used. -- `client_certificate` (String) A base64-encoded PKCS#12 bundle to be used as the client certificate for authentication. -- `client_certificate_password` (String) The password associated with the Client Certificate. For use when authenticating as a Service Principal using a Client Certificate -- `client_certificate_path` (String) The path to the Client Certificate associated with the Service Principal for use when authenticating as a Service Principal using a Client Certificate. -- `client_id` (String) The Client ID which should be used. -- `client_id_file_path` (String) The path to a file containing the Client ID which should be used. -- `client_secret` (String) The Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret. -- `client_secret_file_path` (String) The path to a file containing the Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret. -- `custom_correlation_request_id` (String) The value of the x-ms-correlation-request-id header (otherwise an auto-generated UUID will be used). -- `default_location` (String) The default location which should be used for resources. -- `default_name` (String) The default name which should be used for resources. -- `default_tags` (Map of String) The default tags which should be used for resources. +- `auxiliary_tenant_ids` (List of String) List of auxiliary Tenant IDs required for multi-tenancy and cross-tenant scenarios. This can also be sourced from the `ARM_AUXILIARY_TENANT_IDS` Environment Variable. +- `client_certificate` (String) A base64-encoded PKCS#12 bundle to be used as the client certificate for authentication. This can also be sourced from the `ARM_CLIENT_CERTIFICATE` environment variable. +- `client_certificate_password` (String) The password associated with the Client Certificate. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` Environment Variable. +- `client_certificate_path` (String) The path to the Client Certificate associated with the Service Principal which should be used. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` Environment Variable. +- `client_id` (String) The Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID` Environment Variable. +- `client_id_file_path` (String) The path to a file containing the Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID_FILE_PATH` Environment Variable. +- `client_secret` (String) The Client Secret which should be used. This can also be sourced from the `ARM_CLIENT_SECRET` Environment Variable. +- `client_secret_file_path` (String) The path to a file containing the Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret. This can also be sourced from the `ARM_CLIENT_SECRET_FILE_PATH` Environment Variable. +- `custom_correlation_request_id` (String) The value of the `x-ms-correlation-request-id` header, otherwise an auto-generated UUID will be used. This can also be sourced from the `ARM_CORRELATION_REQUEST_ID` environment variable. +- `default_location` (String) The default Azure Region where the azure resource should exist. The `location` in each resource block can override the `default_location`. Changing this forces new resources to be created. +- `default_name` (String) The default name to create the azure resource. The `name` in each resource block can override the `default_name`. Changing this forces new resources to be created. +- `default_tags` (Map of String) A mapping of tags which should be assigned to the azure resource as default tags. The`tags` in each resource block can override the `default_tags`. - `disable_correlation_request_id` (Boolean) This will disable the x-ms-correlation-request-id header. -- `disable_terraform_partner_id` (Boolean) This will disable the Terraform Partner ID which is used if a custom `partner_id` isn't specified. -- `endpoint` (Attributes List) (see [below for nested schema](#nestedatt--endpoint)) -- `environment` (String) The Cloud Environment which should be used. Possible values are public, usgovernment and china. Defaults to public. -- `oidc_request_token` (String) The bearer token for the request to the OIDC provider. For use When authenticating as a Service Principal using OpenID Connect. -- `oidc_request_url` (String) The URL for the OIDC provider from which to request an ID token. For use When authenticating as a Service Principal using OpenID Connect. -- `oidc_token` (String) The OIDC ID token for use when authenticating as a Service Principal using OpenID Connect. -- `oidc_token_file_path` (String) The path to a file containing an OIDC ID token for use when authenticating as a Service Principal using OpenID Connect. -- `partner_id` (String) A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution. -- `skip_provider_registration` (Boolean) Should the Provider skip registering all of the Resource Providers that it supports, if they're not already registered? -- `subscription_id` (String) The Subscription ID which should be used. -- `tenant_id` (String) The Tenant ID which should be used. +- `disable_terraform_partner_id` (Boolean) Disable sending the Terraform Partner ID if a custom `partner_id` isn't specified, which allows Microsoft to better understand the usage of Terraform. The Partner ID does not give HashiCorp any direct access to usage information. This can also be sourced from the `ARM_DISABLE_TERRAFORM_PARTNER_ID` environment variable. Defaults to `false`. +- `endpoint` (Attributes List) The Azure API Endpoint Configuration. (see [below for nested schema](#nestedatt--endpoint)) +- `environment` (String) The Cloud Environment which should be used. Possible values are `public`, `usgovernment` and `china`. Defaults to `public`. This can also be sourced from the `ARM_ENVIRONMENT` Environment Variable. +- `oidc_request_token` (String) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` Environment Variables. +- `oidc_request_url` (String) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL` or `ACTIONS_ID_TOKEN_REQUEST_URL` Environment Variables. +- `oidc_token` (String) The ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN` environment Variable. +- `oidc_token_file_path` (String) The path to a file containing an ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN_FILE_PATH` environment Variable. +- `partner_id` (String) A GUID/UUID that is [registered](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution#register-guids-and-offers) with Microsoft to facilitate partner resource usage attribution. This can also be sourced from the `ARM_PARTNER_ID` Environment Variable. +- `skip_provider_registration` (Boolean) Should the Provider skip registering the Resource Providers it supports? This can also be sourced from the `ARM_SKIP_PROVIDER_REGISTRATION` Environment Variable. Defaults to `false`. +- `subscription_id` (String) The Subscription ID which should be used. This can also be sourced from the `ARM_SUBSCRIPTION_ID` Environment Variable. +- `tenant_id` (String) The Tenant ID should be used. This can also be sourced from the `ARM_TENANT_ID` Environment Variable. - `use_aks_workload_identity` (Boolean) Should AKS Workload Identity be used for Authentication? This can also be sourced from the `ARM_USE_AKS_WORKLOAD_IDENTITY` Environment Variable. Defaults to `false`. When set, `client_id`, `tenant_id` and `oidc_token_file_path` will be detected from the environment and do not need to be specified. -- `use_cli` (Boolean) Allow Azure CLI to be used for Authentication. -- `use_msi` (Boolean) Allow Managed Service Identity to be used for Authentication. -- `use_oidc` (Boolean) Allow OpenID Connect to be used for authentication +- `use_cli` (Boolean) Should Azure CLI be used for authentication? This can also be sourced from the `ARM_USE_CLI` environment variable. Defaults to `true`. +- `use_msi` (Boolean) Should Managed Identity be used for Authentication? This can also be sourced from the `ARM_USE_MSI` Environment Variable. Defaults to `false`. +- `use_oidc` (Boolean) Should OIDC be used for Authentication? This can also be sourced from the `ARM_USE_OIDC` Environment Variable. Defaults to `false`. ### Nested Schema for `endpoint` Optional: -- `active_directory_authority_host` (String) The Active Directory login endpoint which should be used. -- `resource_manager_audience` (String) The resource ID to obtain AD tokens for. -- `resource_manager_endpoint` (String) The Resource Manager Endpoint which should be used. +- `active_directory_authority_host` (String) The Azure Resource Manager endpoint to use. This can also be sourced from the `ARM_RESOURCE_MANAGER_ENDPOINT` Environment Variable. Defaults to `https://management.azure.com/` for public cloud. +- `resource_manager_audience` (String) The Azure Active Directory login endpoint to use. This can also be sourced from the `ARM_ACTIVE_DIRECTORY_AUTHORITY_HOST` Environment Variable. Defaults to `https://login.microsoftonline.com/` for public cloud. +- `resource_manager_endpoint` (String) The resource ID to obtain AD tokens for. This can also be sourced from the `ARM_RESOURCE_MANAGER_AUDIENCE` Environment Variable. Defaults to `https://management.core.windows.net/` for public cloud. diff --git a/internal/provider/provider.go b/internal/provider/provider.go index 6e453229..eb0ec564 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -147,50 +147,51 @@ func (p Provider) Schema(ctx context.Context, request provider.SchemaRequest, re Description: "The Azure API Provider", Attributes: map[string]schema.Attribute{ "subscription_id": schema.StringAttribute{ - Optional: true, - Description: "The Subscription ID which should be used.", + Optional: true, + MarkdownDescription: "The Subscription ID which should be used. This can also be sourced from the `ARM_SUBSCRIPTION_ID` Environment Variable.", }, "client_id": schema.StringAttribute{ - Optional: true, - Description: "The Client ID which should be used.", + Optional: true, + MarkdownDescription: "The Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID` Environment Variable.", }, "client_id_file_path": schema.StringAttribute{ - Optional: true, - Description: "The path to a file containing the Client ID which should be used.", + Optional: true, + MarkdownDescription: "The path to a file containing the Client ID which should be used. This can also be sourced from the `ARM_CLIENT_ID_FILE_PATH` Environment Variable.", }, "tenant_id": schema.StringAttribute{ - Optional: true, - Description: "The Tenant ID which should be used.", + Optional: true, + MarkdownDescription: "The Tenant ID should be used. This can also be sourced from the `ARM_TENANT_ID` Environment Variable.", }, "auxiliary_tenant_ids": schema.ListAttribute{ - ElementType: types.StringType, - Optional: true, - Validators: []validator.List{listvalidator.SizeAtMost(3)}, - Description: "The Auxiliary Tenant IDs which should be used.", + ElementType: types.StringType, + Optional: true, + Validators: []validator.List{listvalidator.SizeAtMost(3)}, + MarkdownDescription: "List of auxiliary Tenant IDs required for multi-tenancy and cross-tenant scenarios. This can also be sourced from the `ARM_AUXILIARY_TENANT_IDS` Environment Variable.", }, "endpoint": schema.ListNestedAttribute{ - Optional: true, - Validators: []validator.List{listvalidator.SizeAtMost(1)}, + Optional: true, + Validators: []validator.List{listvalidator.SizeAtMost(1)}, + MarkdownDescription: "The Azure API Endpoint Configuration.", NestedObject: schema.NestedAttributeObject{ Attributes: map[string]schema.Attribute{ "active_directory_authority_host": schema.StringAttribute{ - Optional: true, - Description: "The Active Directory login endpoint which should be used.", + Optional: true, + MarkdownDescription: "The Azure Resource Manager endpoint to use. This can also be sourced from the `ARM_RESOURCE_MANAGER_ENDPOINT` Environment Variable. Defaults to `https://management.azure.com/` for public cloud.", }, "resource_manager_endpoint": schema.StringAttribute{ - Optional: true, - Description: "The Resource Manager Endpoint which should be used.", + Optional: true, + MarkdownDescription: "The resource ID to obtain AD tokens for. This can also be sourced from the `ARM_RESOURCE_MANAGER_AUDIENCE` Environment Variable. Defaults to `https://management.core.windows.net/` for public cloud.", }, "resource_manager_audience": schema.StringAttribute{ - Optional: true, - Description: "The resource ID to obtain AD tokens for.", + Optional: true, + MarkdownDescription: "The Azure Active Directory login endpoint to use. This can also be sourced from the `ARM_ACTIVE_DIRECTORY_AUTHORITY_HOST` Environment Variable. Defaults to `https://login.microsoftonline.com/` for public cloud.", }, }, }, @@ -201,7 +202,7 @@ func (p Provider) Schema(ctx context.Context, request provider.SchemaRequest, re Validators: []validator.String{ stringvalidator.OneOfCaseInsensitive("public", "usgovernment", "china"), }, - Description: "The Cloud Environment which should be used. Possible values are public, usgovernment and china. Defaults to public.", + MarkdownDescription: "The Cloud Environment which should be used. Possible values are `public`, `usgovernment` and `china`. Defaults to `public`. This can also be sourced from the `ARM_ENVIRONMENT` Environment Variable.", }, // TODO@mgd: the metadata_host is used to retrieve metadata from Azure to identify current environment, this is used to eliminate Azure Stack usage, in which case the provider doesn't support. @@ -214,77 +215,77 @@ func (p Provider) Schema(ctx context.Context, request provider.SchemaRequest, re // Client Certificate specific fields "client_certificate_path": schema.StringAttribute{ - Optional: true, - Description: "The path to the Client Certificate associated with the Service Principal for use when authenticating as a Service Principal using a Client Certificate.", + Optional: true, + MarkdownDescription: "The path to the Client Certificate associated with the Service Principal which should be used. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PATH` Environment Variable.", }, "client_certificate": schema.StringAttribute{ - Optional: true, - Description: "A base64-encoded PKCS#12 bundle to be used as the client certificate for authentication.", + Optional: true, + MarkdownDescription: "A base64-encoded PKCS#12 bundle to be used as the client certificate for authentication. This can also be sourced from the `ARM_CLIENT_CERTIFICATE` environment variable.", }, "client_certificate_password": schema.StringAttribute{ - Optional: true, - Description: "The password associated with the Client Certificate. For use when authenticating as a Service Principal using a Client Certificate", + Optional: true, + MarkdownDescription: "The password associated with the Client Certificate. This can also be sourced from the `ARM_CLIENT_CERTIFICATE_PASSWORD` Environment Variable.", }, // Client Secret specific fields "client_secret": schema.StringAttribute{ - Optional: true, - Description: "The Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret.", + Optional: true, + MarkdownDescription: "The Client Secret which should be used. This can also be sourced from the `ARM_CLIENT_SECRET` Environment Variable.", }, "client_secret_file_path": schema.StringAttribute{ - Optional: true, - Description: "The path to a file containing the Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret.", + Optional: true, + MarkdownDescription: "The path to a file containing the Client Secret which should be used. For use When authenticating as a Service Principal using a Client Secret. This can also be sourced from the `ARM_CLIENT_SECRET_FILE_PATH` Environment Variable.", }, "skip_provider_registration": schema.BoolAttribute{ - Optional: true, - Description: "Should the Provider skip registering all of the Resource Providers that it supports, if they're not already registered?", + Optional: true, + MarkdownDescription: "Should the Provider skip registering the Resource Providers it supports? This can also be sourced from the `ARM_SKIP_PROVIDER_REGISTRATION` Environment Variable. Defaults to `false`.", }, // OIDC specific fields "oidc_request_token": schema.StringAttribute{ - Optional: true, - Description: "The bearer token for the request to the OIDC provider. For use When authenticating as a Service Principal using OpenID Connect.", + Optional: true, + MarkdownDescription: "The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` Environment Variables.", }, "oidc_request_url": schema.StringAttribute{ - Optional: true, - Description: "The URL for the OIDC provider from which to request an ID token. For use When authenticating as a Service Principal using OpenID Connect.", + Optional: true, + MarkdownDescription: "The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL` or `ACTIONS_ID_TOKEN_REQUEST_URL` Environment Variables.", }, "oidc_token": schema.StringAttribute{ - Optional: true, - Description: "The OIDC ID token for use when authenticating as a Service Principal using OpenID Connect.", + Optional: true, + MarkdownDescription: "The ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN` environment Variable.", }, "oidc_token_file_path": schema.StringAttribute{ - Optional: true, - Description: "The path to a file containing an OIDC ID token for use when authenticating as a Service Principal using OpenID Connect.", + Optional: true, + MarkdownDescription: "The path to a file containing an ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN_FILE_PATH` environment Variable.", }, "use_oidc": schema.BoolAttribute{ - Optional: true, - Description: "Allow OpenID Connect to be used for authentication", + Optional: true, + MarkdownDescription: "Should OIDC be used for Authentication? This can also be sourced from the `ARM_USE_OIDC` Environment Variable. Defaults to `false`.", }, // Azure CLI specific fields "use_cli": schema.BoolAttribute{ - Optional: true, - Description: "Allow Azure CLI to be used for Authentication.", + Optional: true, + MarkdownDescription: "Should Azure CLI be used for authentication? This can also be sourced from the `ARM_USE_CLI` environment variable. Defaults to `true`.", }, // Managed Service Identity specific fields "use_msi": schema.BoolAttribute{ - Optional: true, - Description: "Allow Managed Service Identity to be used for Authentication.", + Optional: true, + MarkdownDescription: "Should Managed Identity be used for Authentication? This can also be sourced from the `ARM_USE_MSI` Environment Variable. Defaults to `false`.", }, "use_aks_workload_identity": schema.BoolAttribute{ - Optional: true, - Description: "Should AKS Workload Identity be used for Authentication? This can also be sourced from the `ARM_USE_AKS_WORKLOAD_IDENTITY` Environment Variable. Defaults to `false`. When set, `client_id`, `tenant_id` and `oidc_token_file_path` will be detected from the environment and do not need to be specified.", + Optional: true, + MarkdownDescription: "Should AKS Workload Identity be used for Authentication? This can also be sourced from the `ARM_USE_AKS_WORKLOAD_IDENTITY` Environment Variable. Defaults to `false`. When set, `client_id`, `tenant_id` and `oidc_token_file_path` will be detected from the environment and do not need to be specified.", }, // TODO@mgd: azidentity doesn't support msi_endpoint @@ -301,32 +302,32 @@ func (p Provider) Schema(ctx context.Context, request provider.SchemaRequest, re Validators: []validator.String{ stringvalidator.Any(myvalidator.StringIsUUID(), myvalidator.StringIsEmpty()), }, - Description: "A GUID/UUID that is registered with Microsoft to facilitate partner resource usage attribution.", + MarkdownDescription: "A GUID/UUID that is [registered](https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution#register-guids-and-offers) with Microsoft to facilitate partner resource usage attribution. This can also be sourced from the `ARM_PARTNER_ID` Environment Variable.", }, "custom_correlation_request_id": schema.StringAttribute{ - Optional: true, - Description: "The value of the x-ms-correlation-request-id header (otherwise an auto-generated UUID will be used).", + Optional: true, + MarkdownDescription: "The value of the `x-ms-correlation-request-id` header, otherwise an auto-generated UUID will be used. This can also be sourced from the `ARM_CORRELATION_REQUEST_ID` environment variable.", }, "disable_correlation_request_id": schema.BoolAttribute{ - Optional: true, - Description: "This will disable the x-ms-correlation-request-id header.", + Optional: true, + MarkdownDescription: "This will disable the x-ms-correlation-request-id header.", }, "disable_terraform_partner_id": schema.BoolAttribute{ - Optional: true, - Description: "This will disable the Terraform Partner ID which is used if a custom `partner_id` isn't specified.", + Optional: true, + MarkdownDescription: "Disable sending the Terraform Partner ID if a custom `partner_id` isn't specified, which allows Microsoft to better understand the usage of Terraform. The Partner ID does not give HashiCorp any direct access to usage information. This can also be sourced from the `ARM_DISABLE_TERRAFORM_PARTNER_ID` environment variable. Defaults to `false`.", }, "default_name": schema.StringAttribute{ - Optional: true, - Description: "The default name which should be used for resources.", + Optional: true, + MarkdownDescription: "The default name to create the azure resource. The `name` in each resource block can override the `default_name`. Changing this forces new resources to be created.", }, "default_location": schema.StringAttribute{ - Optional: true, - Description: "The default location which should be used for resources.", + Optional: true, + MarkdownDescription: " The default Azure Region where the azure resource should exist. The `location` in each resource block can override the `default_location`. Changing this forces new resources to be created.", }, "default_tags": schema.MapAttribute{ @@ -335,7 +336,7 @@ func (p Provider) Schema(ctx context.Context, request provider.SchemaRequest, re Validators: []validator.Map{ tags.Validator(), }, - Description: "The default tags which should be used for resources.", + MarkdownDescription: "A mapping of tags which should be assigned to the azure resource as default tags. The`tags` in each resource block can override the `default_tags`.", }, }, } @@ -501,7 +502,7 @@ func (p Provider) Configure(ctx context.Context, request provider.ConfigureReque if v := os.Getenv("ARM_USE_MSI"); v != "" { model.UseMSI = types.BoolValue(v == "true") } else { - model.UseMSI = types.BoolValue(true) + model.UseMSI = types.BoolValue(false) } }