docs: azurerm backend updates for 1.11 release
This PR is to update the azurerm backend docs for correctness following the 1.11 release.
Related: https://github.com/hashicorp/terraform/pull/36623
Target Release
1.11.1
CHANGELOG entry
- [ ] This change is user-facing and I added a changelog entry.
- [ ] This change is not user-facing.
@magodo Thanks for your feedback. I decided to completely refactor the docs in an attempt to make them more understandable. I'm hoping this is an improvement and fits better with your advice?
Hi @jaredfholgate, thanks for the effort to refactor the document! I've left some minor comments about the wording, then I noticed the overall structure of the sections is like below:
- Direct AAD (i.e. AAD Auth Storage API)
  - 5 subtypes
- Indirect AAD with URI lookup
  - 5 subtypes
- Indirect Access Key Lookup
  - 5 subtypes
- Direct Access Key
- Direct SAS Token
Besides the unnecessary repetition of the 5 AAD auth subtypes, the first level of categories seems incorrect. The 2nd point is actually something that can apply to every other category, meaning it does not fit alongside the others.
Ideally, can we re-organize as below (I know that's a lot of effort, appreciate your patience :)):
Required Config
- `storage_account_name`
- `container_name`
- `key_name`

The other configs depend on the auth method you've chosen. See below.
Auth
- AAD Auth (recommended)
  - reference to AAD auth (5 subtypes)
  - config: `use_azuread_auth=true` and attributes in AAD Auth section
  - permission: Storage Blob Data Reader/Contributor
- Access Key
  - config: `access_key`
- SAS Token
  - config: `sas_token`
- Access Key (lookup)
  - reference to AAD auth (5 subtypes)
  - config: `subscription_id`, `resource_group_name` and attributes in AAD Auth section
  - permission: storageAccounts/listKeys, storageAccounts/read
AAD Auth
Listing the detailed configs for the 5 subtypes of AAD auth methods:
- OIDC (recommended)
- MI (recommended)
- Client secret
- Client certificate
- Azure CLI: Mention that `tenant_id` and `subscription_id` are optional and can be inferred

Optional Arguments
Listing the remaining arguments:
- ...
- `lookup_blob_endpoint`: This requires AAD Auth setting (See AAD Auth), and requires permission storageAccounts/read
- ...
Thanks, I have made these changes now.
@jaredfholgate Fantastic! Thanks for updating this, it LGTM!
@crw This PR is ready for review and release in 1.11.1. It is a sister PR for: #36623
Thanks
@jaredfholgate thanks a lot for your contribution! We don't need a changelog for docs-related changes, so I've added the no-changelog-needed label. Can you please delete the changelog file?
@dbanck Done and rebased onto main
Thanks @jaredfholgate! Just some feedback to bring it in line with HashiCorp's style guide and consistency across backend documentation. There's a few places where I wanted to verify that my suggestion didn't change the intention of the original wording. I left a comment on the first instance of it, but it's the places we document the trio of the `storage_account_name`, `container_name`, and `key` configuration options.
Otherwise the rest should just be style tweaks, and this LGTM! Thanks again!
Hi @BrianMMcClain. Thanks for the comprehensive review. I have merged all those changes now.
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.