Description
Terraform Version
Terraform v1.12.2
on linux_amd64
Use Cases
Allow a configurable api-version and identity header parameter for the azurerm backend when using a Managed Identity for authentication. This will allow Terraform to run inside Azure Container Apps when using a Managed Identity to authenticate with the backend Azure Storage Account. Container Apps can be used to run CI/CD jobs on self-hosted auto-scaling infrastructure.
Attempted Solutions
When running in Azure Container Apps and using an Azure Managed Identity to authenticate with the storage account for the azurerm backend, the default metadata endpoint (http://169.254.169.254) does not work. This can be overridden using the msi_endpoint parameter, but the token endpoint for Container Apps does not support the default api-version (2018-02-01), and requires an additional HTTP header. I have set the following configuration for my backend:
terraform {
  backend "azurerm" {
    use_azuread_auth     = true
    use_msi              = true
    msi_endpoint         = "http://localhost:42356/msi/token"
    tenant_id            = "<removed>"
    client_id            = "<removed>"
    storage_account_name = "<removed>"
    container_name       = "tfstate"
    key                  = "main.tfstate"
  }
}
The following error is returned:
Error: Failed to get existing workspaces: listing blobs: executing request: authorizing request: ManagedIdentityAuthorizer: failed to request token from metadata endpoint: received HTTP status 400 with body: {"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'http://localhost:42356/msi/token' does not support the API version '2018-02-01'.","innerError":null}}
Proposal
Add msi_endpoint_api_version and msi_endpoint_header as optional parameters for the azurerm backend block, and support the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables for these values. It may also be useful to include support for ARM_MSI_API_VERSION as an additional environment variable for msi_endpoint_api_version, since this is the environment variable name used by the azurerm provider, and add ARM_MSI_HEADER for msi_endpoint_header, but the IDENTITY_x environment variables would be my preference, I think.
References
- Azure documentation regarding using Managed Identities in Azure Container Apps and getting tokens from the metadata service: Managed identities in Azure Container Apps
- See recent addition to azurerm provider that adds the capability to set api-version: add configurable IMDS API version
- azurerm provider documentation for this parameter: Azure Provider: Authenticating using managed identities
- Documentation for running self-hosted CI/CD pipelines on Azure Container Apps: Deploy self-hosted CI/CD runners and agents with Azure Container Apps
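The following is an added Go example, not code from the issue author or from the Terraform azurerm backend, sketching the token request the proposal describes: it resolves the endpoint, api-version and identity header from IDENTITY_ENDPOINT / IDENTITY_HEADER (with ARM_MSI_API_VERSION and ARM_MSI_HEADER as overrides and the IMDS defaults when neither is set), then fetches a token. A constructed in-process server stands in for the Container Apps endpoint, returning the same UnsupportedApiVersion 400 body shown above when asked for api-version 2018-02-01. Assumptions not stated in the issue: the api-version 2019-08-01 and the X-IDENTITY-HEADER header name are the ones Azure documents for the App Service / Container Apps identity endpoint, the 401 response for a missing header is the fake server's own behaviour, and all function names here are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const (
	imdsEndpoint   = "http://169.254.169.254/metadata/identity/oauth2/token" // backend default today
	imdsAPIVersion = "2018-02-01"
	// Documented for the App Service / Container Apps identity endpoint; assumption, not stated in the issue.
	identityAPIVersion = "2019-08-01"
	identityHeader     = "X-IDENTITY-HEADER"
)

// MSIConfig holds the values the proposal would make configurable on the backend.
type MSIConfig struct {
	Endpoint, APIVersion, ClientID string
	Header                          string // secret sent as X-IDENTITY-HEADER; empty for plain IMDS
}

// MSIConfigFromEnv applies the precedence the issue proposes: IDENTITY_ENDPOINT/IDENTITY_HEADER
// switch to the identity endpoint and its api-version, ARM_MSI_API_VERSION / ARM_MSI_HEADER
// override single values, otherwise IMDS defaults apply. getenv is injected for offline use.
func MSIConfigFromEnv(getenv func(string) string) MSIConfig {
	cfg := MSIConfig{Endpoint: imdsEndpoint, APIVersion: imdsAPIVersion, ClientID: getenv("ARM_CLIENT_ID")}
	if ep := getenv("IDENTITY_ENDPOINT"); ep != "" {
		cfg.Endpoint, cfg.APIVersion, cfg.Header = ep, identityAPIVersion, getenv("IDENTITY_HEADER")
	}
	if v := getenv("ARM_MSI_API_VERSION"); v != "" {
		cfg.APIVersion = v
	}
	if v := getenv("ARM_MSI_HEADER"); v != "" {
		cfg.Header = v
	}
	return cfg
}

// FetchToken requests an access token for resource; the error wording mirrors the backend's message.
func FetchToken(client *http.Client, cfg MSIConfig, resource string) (string, error) {
	q := url.Values{"api-version": {cfg.APIVersion}, "resource": {resource}}
	if cfg.ClientID != "" {
		q.Set("client_id", cfg.ClientID)
	}
	req, err := http.NewRequest(http.MethodGet, cfg.Endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata", "true") // required by IMDS, harmless on the identity endpoint
	if cfg.Header != "" {
		req.Header.Set(identityHeader, cfg.Header)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", fmt.Errorf("failed to request token from metadata endpoint: %w", err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("failed to request token from metadata endpoint: received HTTP status %d with body: %s", resp.StatusCode, body)
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.Unmarshal(body, &tok); err != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("metadata endpoint returned no access_token: %s", body)
	}
	return tok.AccessToken, nil
}

// NewFakeIdentityServer is a constructed stand-in for the Container Apps endpoint: it rejects
// api-version 2018-02-01 exactly as the issue shows and (assumed) answers 401 without the header secret.
func NewFakeIdentityServer(secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := r.URL.Query().Get("api-version"); v != identityAPIVersion {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprintf(w, `{"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI '%s' does not support the API version '%s'.","innerError":null}}`, r.URL.Path, v)
			return
		}
		if r.Header.Get(identityHeader) != secret {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":{"code":"Unauthorized","message":"missing or invalid X-IDENTITY-HEADER"}}`)
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-token","expires_on":"1700000000","token_type":"Bearer"}`)
	}))
}

func main() {
	srv := NewFakeIdentityServer("constructed-secret")
	defer srv.Close()
	env := map[string]string{"IDENTITY_ENDPOINT": srv.URL + "/msi/token", "IDENTITY_HEADER": "constructed-secret"}
	cfg := MSIConfigFromEnv(func(k string) string { return env[k] })
	_, err := FetchToken(srv.Client(), MSIConfig{Endpoint: cfg.Endpoint, APIVersion: imdsAPIVersion}, "https://storage.azure.com/")
	fmt.Println("with api-version 2018-02-01:", err)
	tok, err := FetchToken(srv.Client(), cfg, "https://storage.azure.com/")
	fmt.Println("with IDENTITY_* support:", tok, err)
}
```

Inside a real Container App, replace the constructed map with os.Getenv and the request goes to the platform's localhost identity endpoint. Note that the IDENTITY_HEADER value is a per-replica secret that authenticates the caller to the endpoint, so a backend parameter carrying it should be treated as sensitive and kept out of logs and plan output.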