Setting Up OIDC Auth For Azure Login and Terraform

Description

So almost every example you will see online for connecting to Azure or Terraform is to use a Service Principal. I have shown this a couple times, but here is one I point people to often. Anways, there appears to be multiple ways you can authenticate with Azure/Terraform and I want to go through what I did to setup OIDC Auth.

To Resolve:

1. First, let’s tackle azure login because that is straight forward:

   • Basically, they list the ways to connect via OIDC auth but to summarize:
   • Create a Service Principal
   • Navigate to it in Azure AD
   • Go to “Federated Credentials” blade
   • Click Add
   • For organization, choose your org: AutomationAdmin-Com in my case
   • For repo, choose your repo: sic.template in my case
   • For Entity type, you have a few options like Environment, branch, PR, Tag, I always choose Environment
   • For Github Name you have to specify from the previous selection the selector. For example, environement has to match the Github Environment you will deploy from in your workflow, branch has to match a branch, etc. I chose production which I will show you shortly.
   • For name, you just give a unique name for the credential: I chose sic-template-env-prod.

2. Next, inside my sic.template repo, I added these 3 required secrets for the action: ${/{ secrets.CLIENT_ID }}, ${/{ secrets.TENANT_ID }}, and ${/{ secrets.SUB_ID }} where SUB_ID is just one of my Azure Subscriptions id property, it doesn’t matter which one.

   • NOTE: Jekyll Liquid Filters clash with Github Variables so replace all instances of ${/{ by removing the forward slash :)
3. Next, in my Github Actions workflow, I had to enable 2 things:
   • First, I had to set id-token: write permission
   • Next, I had to set environment to production even though my deployments won’t always target production as seen in my main template post ( or part 2 ).

4. OK, so we can now get past Azure Login as seen in the logs from a most recent run:

   Run azure/login@v1
   Using OIDC authentication...
   Federated token details: 
   issuer - https://token.actions.githubusercontent.com 
   subject claim - repo:AutomationAdmin-Com/sic.template:environment:production
   /usr/bin/az cloud set -n azurecloud
   Done setting cloud: "azurecloud"
   Login successful.
   

5. Next, we need to set Terraform to know about OIDC Auth. Thankfully, this is documented well in the provider docs. To summarize:

   • Remove any passing of client_secret as a secret to terraform and remove the variable altogether from variables.tf or any other place.
   • Next, in your providers, just replace that reference with use_oidc = true everywhere you would have used client_secret. That’s it!
   • You can verify by going to any of my backend.tf files
6. What I haven’t tested yet is verifying the providers that get built get passed correctly but I know terraform doesn’t error so I assume the providers build correctly. Will need to remember to update this later once I test!