
environment variable access in the exec plugin authentication flow

Open pszypowicz opened this issue 3 years ago • 0 comments

Description

I'm trying to authenticate to AKS with kubelogin. I want to use the same SPN credentials I'm using for the tf execution. I do not want to store client_secret in the tf state.

The env variables used by the azurerm provider are already exported as:

ARM_CLIENT_ID=
ARM_TENANT_ID=
ARM_SUBSCRIPTION_ID=
ARM_CLIENT_SECRET=

Then when I initialize the kubernetes provider I would like to do:

provider "kubernetes" {
  host                   = data.azurerm_kubernetes_cluster.aks.kube_config.0.host
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)

  # Using kubelogin to get an AAD token for the cluster.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "kubelogin"
    args = [
      "get-token",
      "--environment",
      "AzurePublicCloud",
      "--server-id",
      data.azuread_service_principal.aks_aad_server.application_id, # Application Id of the Azure Kubernetes Service AAD Server.
      "--client-id",
      "$ARM_CLIENT_ID",
      "--client-secret",
      "$ARM_CLIENT_SECRET",
      "-t",
      data.azurerm_subscription.current.tenant_id, // The AAD Tenant Id.
      "-l",
      "spn" // Login using a Service Principal.
    ]
  }
}

But that does not work.


Instead, before running tf I can do:

export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=$ARM_CLIENT_SECRET
export AAD_SERVICE_PRINCIPAL_CLIENT_ID=$ARM_CLIENT_ID

and in the provider:

provider "kubernetes" {
  host                   = data.azurerm_kubernetes_cluster.aks.kube_config.0.host
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)

  # Using kubelogin to get an AAD token for the cluster.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "kubelogin"
    args = [
      "get-token",
      "--environment",
      "AzurePublicCloud",
      "--server-id",
      data.azuread_service_principal.aks_aad_server.application_id, # Application Id of the Azure Kubernetes Service AAD Server.
      "-t",
      data.azurerm_subscription.current.tenant_id, // The AAD Tenant Id.
      "-l",
      "spn" // Login using a Service Principal.
    ]
  }
}

Env variables already work in the local-exec providers.

resource "null_resource" "echo" {
  provisioner "local-exec" {
    command = "echo $ARM_CLIENT_ID"
  }
}

Would it be possible to support it in the exec plugin as well?

Potential Terraform Configuration

terraform 1.2.2, azurerm provider: 3.11, kubernetes provider: 2.11

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

pszypowicz, Jun 28 '22 08:06
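An added example, not code from the issue or from the provider: a POSIX shell wrapper that the provider's exec block can run as its `command` in place of kubelogin. The exec plugin is started directly rather than through a shell, so strings such as `"$ARM_CLIENT_ID"` in the first configuration above are passed literally, not expanded, and anything that does reach `args` is readable by other users in the process list. The wrapper instead copies ARM_CLIENT_ID and ARM_CLIENT_SECRET into the AAD_SERVICE_PRINCIPAL_* variables that kubelogin reads, refuses to run if the secret value shows up among its arguments, and then execs kubelogin with the remaining arguments unchanged. The script location and the constructed values used for checking are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the provider): wrapper invoked by the
# kubernetes provider's exec block as `command`, e.g. "/usr/local/bin/aks-login"
# (assumed path). It maps the ARM_* variables the azurerm provider already
# reads onto the AAD_SERVICE_PRINCIPAL_* variables kubelogin reads, so the
# client secret never appears in `args` or in Terraform configuration.

# Fail with a message if the named variable is unset or empty. Returns 1 on failure.
require_var() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "required environment variable $name is not set" >&2
    return 1
  fi
  return 0
}

# Export kubelogin's SPN variables from the azurerm ones.
# Returns 1 if either ARM variable is missing.
map_arm_to_kubelogin() {
  require_var ARM_CLIENT_ID || return 1
  require_var ARM_CLIENT_SECRET || return 1
  export AAD_SERVICE_PRINCIPAL_CLIENT_ID="$ARM_CLIENT_ID"
  export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET="$ARM_CLIENT_SECRET"
  return 0
}

# Guard against a provider block that still passes the secret on the command
# line, where `ps` would expose it. Returns 1 if any argument equals the secret.
args_free_of_secret() {
  for arg in "$@"; do
    if [ -n "${ARM_CLIENT_SECRET:-}" ] && [ "$arg" = "$ARM_CLIENT_SECRET" ]; then
      echo "refusing to pass the client secret as a command-line argument" >&2
      return 1
    fi
  done
  return 0
}

# Entry point: arguments are the kubelogin args from the provider block
# (get-token --environment ... --server-id ... -t ... -l spn).
run_kubelogin() {
  map_arm_to_kubelogin || return 1
  args_free_of_secret "$@" || return 1
  exec kubelogin "$@"
}

# Only run the entry point when invoked with kubelogin arguments, so the
# functions can also be sourced and checked without calling kubelogin.
if [ "$#" -gt 0 ]; then
  run_kubelogin "$@"
fi
```

Point `command` at the script and keep the `args` from the second configuration (`get-token`, `--environment`, `--server-id`, `-t`, `-l spn`); no secret appears in the provider block, in state, or in `ps` output. The exec block also accepts an `env` map, but the wrapper keeps the secret out of the Terraform configuration entirely and works for any process that already carries the ARM_* variables.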