hamilton
Support Additional Azure Environments
EnvironmentFromString hardcodes a list of supported environments. The Hashicorp Terraform Provider for AzureRM makes use of EnvironmentFromString here
Because the list is hardcoded, the terraform provider is useless for Azure environments whose URLs cannot be publicly published. Azure provides a method to discover the URLs for all the endpoints referenced in the Environment structure by using the metadata URL. A sample implementation of using this URL is located here
Please add EnvironmentFromMetadataUrl(url string) (Environment, error) to support additional Azure environments and make hamilton more globally useful.
Thanks!
Hi @blheatwole, thanks for requesting. We have actually previously implemented a function to look up the MS Graph URL from an ARM metadata service - however to my knowledge MS Graph endpoints are still not published this way, making it impossible for us to support private/custom clouds.
I'm happy to leave this issue open to track this, although it is blocked at present until someone can demonstrate that an MS Graph endpoint is being published in a custom cloud. Ideally, it should be published for all clouds.
Related issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/15743
Running curl https://management.azure.com/metadata/endpoints?api-version=latest returns the following JSON:
[
  {
    "portal": "https://portal.azure.com",
    "authentication": {
      "loginEndpoint": "https://login.microsoftonline.com/",
      "audiences": [
        "https://management.core.windows.net/",
        "https://management.azure.com/"
      ],
      "tenant": "common",
      "identityProvider": "AAD"
    },
    "media": "https://rest.media.azure.net",
    "graphAudience": "https://graph.windows.net/",
    "graph": "https://graph.windows.net/",
    "name": "AzureCloud",
    "suffixes": {
      "azureDataLakeStoreFileSystem": "azuredatalakestore.net",
      "acrLoginServer": "azurecr.io",
      "sqlServerHostname": "database.windows.net",
      "azureDataLakeAnalyticsCatalogAndJob": "azuredatalakeanalytics.net",
      "keyVaultDns": "vault.azure.net",
      "storage": "core.windows.net",
      "azureFrontDoorEndpointSuffix": "azurefd.net"
    },
    "batch": "https://batch.core.windows.net/",
    "resourceManager": "https://management.azure.com/",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json",
    "activeDirectoryDataLake": "https://datalake.azure.net/",
    "sqlManagement": "https://management.core.windows.net:8443/",
    "gallery": "https://gallery.azure.com/"
  },
  {
    "portal": "https://portal.azure.cn",
    "authentication": {
      "loginEndpoint": "https://login.chinacloudapi.cn",
      "audiences": [
        "https://management.core.chinacloudapi.cn",
        "https://management.chinacloudapi.cn"
      ],
      "tenant": "common",
      "identityProvider": "AAD"
    },
    "media": "https://rest.media.chinacloudapi.cn",
    "graphAudience": "https://graph.chinacloudapi.cn",
    "graph": "https://graph.chinacloudapi.cn",
    "name": "AzureChinaCloud",
    "suffixes": {
      "acrLoginServer": "azurecr.cn",
      "sqlServerHostname": "database.chinacloudapi.cn",
      "keyVaultDns": "vault.azure.cn",
      "storage": "core.chinacloudapi.cn",
      "azureFrontDoorEndpointSuffix": ""
    },
    "batch": "https://batch.chinacloudapi.cn",
    "resourceManager": "https://management.chinacloudapi.cn",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json",
    "sqlManagement": "https://management.core.chinacloudapi.cn:8443",
    "gallery": "https://gallery.chinacloudapi.cn"
  },
  {
    "portal": "https://portal.azure.us",
    "authentication": {
      "loginEndpoint": "https://login.microsoftonline.us",
      "audiences": [
        "https://management.core.usgovcloudapi.net",
        "https://management.usgovcloudapi.net"
      ],
      "tenant": "common",
      "identityProvider": "AAD"
    },
    "media": "https://rest.media.usgovcloudapi.net",
    "graphAudience": "https://graph.windows.net",
    "graph": "https://graph.windows.net",
    "name": "AzureUSGovernment",
    "suffixes": {
      "acrLoginServer": "azurecr.us",
      "sqlServerHostname": "database.usgovcloudapi.net",
      "keyVaultDns": "vault.usgovcloudapi.net",
      "storage": "core.usgovcloudapi.net",
      "azureFrontDoorEndpointSuffix": ""
    },
    "batch": "https://batch.core.usgovcloudapi.net",
    "resourceManager": "https://management.usgovcloudapi.net",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json",
    "sqlManagement": "https://management.core.usgovcloudapi.net:8443",
    "gallery": "https://gallery.usgovcloudapi.net"
  },
  {
    "portal": "https://portal.microsoftazure.de",
    "authentication": {
      "loginEndpoint": "https://login.microsoftonline.de",
      "audiences": [
        "https://management.core.cloudapi.de",
        "https://management.microsoftazure.de"
      ],
      "tenant": "common",
      "identityProvider": "AAD"
    },
    "media": "https://rest.media.cloudapi.de",
    "graphAudience": "https://graph.cloudapi.de",
    "graph": "https://graph.cloudapi.de",
    "name": "AzureGermanCloud",
    "suffixes": {
      "sqlServerHostname": "database.cloudapi.de",
      "keyVaultDns": "vault.microsoftazure.de",
      "storage": "core.cloudapi.de",
      "azureFrontDoorEndpointSuffix": ""
    },
    "batch": "https://batch.cloudapi.de",
    "resourceManager": "https://management.microsoftazure.de",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json",
    "sqlManagement": "https://management.core.cloudapi.de:8443",
    "gallery": "https://gallery.cloudapi.de"
  }
]
Does the "graph" entry not have the correct endpoint? I note in some other environments that there is also a "microsoftGraphResourceId" field that contains the same URL as the "graph" field.
Unfortunately all those "graph" endpoints are for the legacy AAD Graph API and not Microsoft Graph. These are very different API services.
Microsoft is working on updating the output of the metadata/endpoints api to include the Microsoft Graph endpoints. As soon as I get a sample of the new output, I will share that so that you can confirm whether it is useful to solve the issue.
I've gotten two different sample outputs. The first had a new key for Microsoft Graph:
{
  ...
  "graph": "https://graph.windows.net/",
  "microsoftGraphResourceId": "https://graph.microsoft.com/",
  ...
}
In the second, the 'graph' key was updated from AAD to Microsoft Graph:
{
  ...
  "graph": "https://graph.microsoft.com/",
  ...
}
I'm not sure which of these they will eventually settle on. This update is currently planned to hit all clouds in less than two months, but that date could change.
At the point where they do release this, you should be able to discover the Microsoft Graph URL from the metadata endpoint. Does that give you what you need to provide a code-path for clouds whose URLs can't be publicly published?
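As an added example (not code from hamilton, the Terraform provider, or any participant in this thread), the sketch below shows what the requested EnvironmentFromMetadataUrl could look like once the metadata document carries a Microsoft Graph endpoint. It handles both shapes posted above (a dedicated microsoftGraphResourceId key, or the graph key repointed to Microsoft Graph), rejects the legacy AAD Graph hosts seen in the earlier curl output as unusable, and refuses any endpoint, or metadata URL, that is not absolute https, because the document it fetches decides where tokens are requested and sent. The Environment struct, the function names, the AAD Graph host list and the three sample documents are assumptions made for this example; hamilton's real types differ.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

type Environment struct{ Name, LoginEndpoint, MsGraph string } // hypothetical stand-in for hamilton's type

// metadataEntry is the subset of one metadata/endpoints entry this example reads.
type metadataEntry struct {
	Name           string `json:"name"`
	Authentication struct {
		LoginEndpoint string `json:"loginEndpoint"`
	} `json:"authentication"`
	Graph                    string `json:"graph"`
	MicrosoftGraphResourceID string `json:"microsoftGraphResourceId"`
}

var ErrNoMsGraph = errors.New("metadata does not publish a Microsoft Graph endpoint")

// Legacy AAD Graph hosts from the sample output above; assumption: a "graph" value on one of them is AAD Graph, which hamilton cannot use.
var aadGraphHosts = map[string]bool{"graph.windows.net": true, "graph.chinacloudapi.cn": true, "graph.cloudapi.de": true}

// mustHTTPS rejects anything but an absolute https URL: the metadata document decides where credentials and tokens go.
func mustHTTPS(field, raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("%s: %q is not an absolute https URL", field, raw)
	}
	return strings.TrimSuffix(u.String(), "/") + "/", nil // normalise the trailing slash
}

// msGraphEndpoint accepts both shapes from the thread: a microsoftGraphResourceId key, or "graph" repointed to Microsoft Graph.
func msGraphEndpoint(e metadataEntry) (string, error) {
	if e.MicrosoftGraphResourceID != "" {
		return mustHTTPS("microsoftGraphResourceId", e.MicrosoftGraphResourceID)
	}
	u, err := url.Parse(e.Graph)
	if e.Graph == "" || err != nil || aadGraphHosts[strings.ToLower(u.Hostname())] {
		return "", ErrNoMsGraph
	}
	return mustHTTPS("graph", e.Graph)
}

// environmentFromMetadata resolves the named cloud from an already-fetched metadata document.
func environmentFromMetadata(data []byte, name string) (Environment, error) {
	var entries []metadataEntry // the public endpoint returns one entry per cloud
	if err := json.Unmarshal(data, &entries); err != nil {
		return Environment{}, fmt.Errorf("metadata is not a JSON array of clouds: %w", err)
	}
	for _, e := range entries {
		if e.Name == name {
			login, err := mustHTTPS("loginEndpoint", e.Authentication.LoginEndpoint)
			if err != nil {
				return Environment{}, err
			}
			graph, err := msGraphEndpoint(e)
			if err != nil {
				return Environment{}, fmt.Errorf("%s: %w", e.Name, err)
			}
			return Environment{Name: e.Name, LoginEndpoint: login, MsGraph: graph}, nil
		}
	}
	return Environment{}, fmt.Errorf("no entry named %q in metadata", name)
}

// EnvironmentFromMetadataUrl is the hypothetical function the issue asks for. The metadata URL is the trust anchor for every endpoint it yields, so it must itself be https.
func EnvironmentFromMetadataUrl(metadataURL, name string) (Environment, error) {
	if _, err := mustHTTPS("metadata url", metadataURL); err != nil {
		return Environment{}, err
	}
	resp, err := http.Get(metadataURL)
	if err != nil {
		return Environment{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the document size
	if err != nil || resp.StatusCode != http.StatusOK {
		return Environment{}, fmt.Errorf("metadata fetch failed: %s %v", resp.Status, err)
	}
	return environmentFromMetadata(body, name)
}

// Constructed sample documents (not captured output) covering the three shapes seen in the thread.
const (
	legacyDoc    = `[{"name":"AzureCloud","authentication":{"loginEndpoint":"https://login.microsoftonline.com/"},"graph":"https://graph.windows.net/"}]`
	newKeyDoc    = `[{"name":"AzureCloud","authentication":{"loginEndpoint":"https://login.microsoftonline.com/"},"graph":"https://graph.windows.net/","microsoftGraphResourceId":"https://graph.microsoft.com/"}]`
	repointedDoc = `[{"name":"AzureCloud","authentication":{"loginEndpoint":"https://login.microsoftonline.com/"},"graph":"https://graph.microsoft.com/"}]`
)

func main() {
	fmt.Println(environmentFromMetadata([]byte(newKeyDoc), "AzureCloud"))
}
```

With the legacy document the function returns ErrNoMsGraph rather than silently handing back an AAD Graph URL, which is the failure mode the thread is about; with either of the newer shapes it returns https://graph.microsoft.com/. If a private cloud's metadata endpoint turns out to return a single object rather than an array, the unmarshal step is the one place that would need to change.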
Thanks @blheatwole, it's good to know this is planned! Once this hits the major public clouds and/or we get confirmation this is stable in private clouds, we'll be able to support this fairly quickly and easily.
This change is currently being rolled out. Not all regions have it yet, but some do. You can test against this one already: https://eastus2euap.management.azure.com/metadata/endpoints?api-version=2022-09-01
Thanks!
@blheatwole Great stuff, thanks for the headsup!
Due to an unrelated bug in the build, Microsoft is rolling back the build that contains this change. I will let you know when they release a build that contains the new endpoint code again.
@blheatwole Just checking in, perhaps you've heard some news on this?
MSFT says that the change is applied to all regions.
I've been checking and this appears to be the case, thanks!