@vhvb1989 vhvb1989 commented Aug 4, 2023

Adding azd as auth Authorizer.

This allows folks using azd-terraform templates to use azd as authentication source.

fix: Azure/azure-dev#1530

@vhvb1989
Author

ping

@manicminer
Contributor

manicminer commented Sep 27, 2023

Hi @vhvb1989, thanks for this suggestion. Sorry for the delay in reviewing; we've spent some time discussing and experimenting with the Azure Developer CLI to get a better feel for it and to evaluate whether this is something we could support.

Unfortunately, at this time we won't be able to add support for authenticating a user using azd. The configuration interface and behavior of authentication in the provider is mature and the bar for changing it is particularly high. It is not only relied on by users locally, but also carefully configured in many automated pipelines, invoked via wrapper scripts, and generally well understood by practitioners. We cannot therefore add an additional 'external' authentication method, or one that works in a fallback-type manner (e.g. is enabled and attempted by default) - which would limit the usefulness of supporting any such additional auth method.

I liked using azd and I can see potential value for users in offering some form of authentication bridge here. If we were to look at adding explicit support in the provider, we'd only be able to do this in a major release of the provider for the aforementioned reasons of continuity for all users. Have you considered whether azd could bridge this gap? Perhaps our OIDC/assertion support could be useful here? Alternatively, you could set up an application & service principal with short-lived credentials and configure the provider to use that?

@github-actions
Contributor

This PR is being labeled as "stale" because it has not been updated for 30 or more days.

If this PR is still valid, please remove the "stale" label. If this PR is blocked, please add it to the "Blocked" milestone.

If you need some help completing this PR, please leave a comment letting us know. Thank you!

@github-actions github-actions bot added the stale label Oct 30, 2023
@tombuildsstuff
Contributor

hey @vhvb1989

As @manicminer has mentioned above, whilst we can see the value in this functionality, unfortunately we're not planning to support using additional CLI tooling to authenticate at this point in time due to complexities with testing the current scenarios.

However it should be possible for azd to implement support for this using an MSI Endpoint - which (since azd is calling Terraform here) would allow azd to handle the authentication internally and expose a regular MSI endpoint, which the Provider (and Terraform Core) can then consume.

As such whilst I'd like to thank you for this contribution, since we're not planning on supporting authenticating using additional CLI tooling at this point in time - I'm going to close this PR for the moment - but as mentioned above I believe it should be possible to solve this in a slightly different manner on the azd side instead.

Thanks!

@github-actions
Contributor

github-actions bot commented May 7, 2024

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 7, 2024

Development

Successfully merging this pull request may close these issues.

[Investigate] Making TF Azure Provider use Azd authn context instead of Az CLI authn context
