SDK - Support MSI authentication in Azure Container App and App Service like environments

[vermacodes]

Fixes #1054

Pull Request: Enhanced Support for Azure App Service Like Environments

This pull request updates managed_identity_authorizer.go to improve support for Azure App Service like environments. Key changes include:

• Environment Check: Now checks for MSI_ENDPOINT and MSI_SECRET environment variables to detect App Service like environments.
• MSI Endpoint Update: Uses MSI_ENDPOINT as the default instead of the well-known endpoint.
• API Version Change: Switches to the 2019-08-01 API version, which requires the IDENTITY_HEADER in the HTTP request.
• Endpoint Override: Users can still override the default endpoint if needed.

These changes ensure better compatibility with Azure's managed identity in App Service like environments.

[hashicorp-cla-app]

All committers have signed the CLA.

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[hen-den]

This is awesome for the last months we had to use a proxy to rewrite the endpoint versions. Great work.

[vermacodes]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

Have you signed the CLA already but the status is still pending? Recheck it.

This has been signed, not sure why its not updating.

[kabal2010]

@vermacodes
Nice one. Will really love this pushed to production as this has been a blocker running Terraform on Azure Container Apps when authenticating with Managed Identity

[kabal2010]

Any update on when this PR is scheduled to go live?

[josh-martin-1]

@vermacodes, any updates on getting this merged to the main branch?

[vermacodes]

I am not sure; it was never picked for review. May be @stephybun or @jackofallops knows.

[bprathap104]

Any update on when this PR is scheduled to go live?

[jackofallops]

Update: We're following up with the Azure IMDS service team on this to ensure that any change we make will actually be supported in all regions / clouds. Please bear with us.

[aibi12]

Thanks for the update. Could you share an approximate timeline for going live with the feature? Our application depends on it. Also, could you explain why the API version isn't configurable via an environment variable?

[matray]

Out of curiosity, did Azure IMDS end up responding with this as fully available? This appears to be exactly what is defined in their official Azure Container App documentation for MSIs https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=cli%2Chttp#connect-to-azure-services-in-app-code

[josh-martin-1]

@jackofallops, do you have any updates on this?

[jackofallops]

Hi all - Thanks for the patience on this while we worked with the IMDS team (and other service teams) to get to a path forward.

I'm closing this PR for an alternative implementation that avoids adding another hard-coded value, and allows for flexibility for API versions to change and for other special cases that don't use either of the current default api version, or the customised API version in use by Container Apps.

The new PR will be open shortly and will expose a new provider configuration property (specifically msi_api_version) (and env var ARM_MSI_API_VERSION) to define the API version to use.