Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add support for GitHub Actions OIDC via oidc_request_url and oidc_request_token fields #421

Merged
merged 9 commits into from
Jun 5, 2024

Conversation

JenGoldstrich
Copy link
Contributor

@JenGoldstrich JenGoldstrich commented Jun 4, 2024

Add oidc_request_url and oidc_request_token fields, I used the same field names https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc here in the TF Provider, but its worth noting that these fields are primarily for GitHub OIDC authentication, if other OIDC providers mirror GH's OIDC setup this should work but it is mainly supported from an sdk perspective on GitHub

Closes #385 -> This issue had to do with OIDC token expiration, from chatting with the go-azure-sdk maintainers this is cause we were providing a one time JWT, rather than providing the authorizer with the URL/request token that allows them to request their own access tokens, so the SDK couldn't refresh the token, example run in CI here https://github.com/hashicorp/packer-plugin-azure/actions/runs/9370160599/job/25796435754

Because the client config was shared with the chroot builder and DTL builder it made sense to just add support for this to the those builders too, but I did not heavily test it due to the relatively much lower usage of DTL/chroot

@JenGoldstrich JenGoldstrich changed the title wip feat: ARM Builder Add support for GitHub Actions OIDC, add oidc_request_url and oidc_request_token fields Jun 4, 2024
…st pass through these values to be consistent, its feasible that someone would run the chroot builder in GHA to be fair, but I am not spending too much time testing it
@JenGoldstrich JenGoldstrich changed the title feat: ARM Builder Add support for GitHub Actions OIDC, add oidc_request_url and oidc_request_token fields feat: Add support for GitHub Actions OIDC, add oidc_request_url and oidc_request_token fields Jun 4, 2024
@JenGoldstrich JenGoldstrich marked this pull request as ready for review June 4, 2024 19:48
@JenGoldstrich JenGoldstrich requested a review from a team as a code owner June 4, 2024 19:48
@JenGoldstrich JenGoldstrich changed the title feat: Add support for GitHub Actions OIDC, add oidc_request_url and oidc_request_token fields feat: Add support for GitHub Actions OIDC via oidc_request_url and oidc_request_token fields Jun 4, 2024
Copy link
Contributor

@lbajolet-hashicorp lbajolet-hashicorp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On a surface level, LGTM! I left a couple comments on the organisation of the code, but this looks good to me

.web-docs/README.md Outdated Show resolved Hide resolved
@@ -98,6 +98,8 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
ClientCertPassword: b.config.ClientConfig.ClientCertPassword,
TenantID: b.config.ClientConfig.TenantID,
SubscriptionID: b.config.ClientConfig.SubscriptionID,
OidcRequestUrl: b.config.ClientConfig.OidcRequestURL,
OidcRequestToken: b.config.ClientConfig.OidcRequestToken,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder, why aren't we using the azure_client_set.go's New function for this? It seems those options are reified in this place

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

azure_client_set is only used by chroot, each builder needs to pass the options into the AuthOptions block

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is slightly confusing given the fact that it was created in the common package, I imagine the idea was to eventually migrate to that but I kind of like having the clients separate personally

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess given both builders are using the same SDK, if the code is the same, might as well use the common implementation. Or if there's a good reason to keep them separate, drop the common one as it's not used

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense to me, like we talked about off GitHub I'll follow up with this change on another PR, thanks for this suggestion, we'll unify everything to use the common azure client

builder/azure/common/client/config.go Show resolved Hide resolved
builder/azure/common/client/config_test.go Outdated Show resolved Hide resolved
Copy link
Contributor

@lbajolet-hashicorp lbajolet-hashicorp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@JenGoldstrich JenGoldstrich merged commit 738e7ae into main Jun 5, 2024
12 checks passed
@JenGoldstrich JenGoldstrich deleted the github_oidc branch June 5, 2024 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

OIDC token expiration problem - Add support for OIDC Request Token/url
2 participants