Allow authentication via managed service identity

azurerm/config.go

@@ -228,6 +228,15 @@ func getAuthorizationToken(c *authentication.Config, oauthConfig *adal.OAuthConf
 		return auth, nil
 	}
 
+	if c.UseMsi {
+		spt, err := adal.NewServicePrincipalTokenFromMSI(c.MsiEndpoint, endpoint)
+		if err != nil {
+			return nil, err
+		}
+		auth := autorest.NewBearerAuthorizer(spt)
+		return auth, nil
+	}
+
 	if c.IsCloudShell {
 		// load the refreshed tokens from the Azure CLI
 		err := c.LoadTokensFromAzureCLI()

azurerm/helpers/authentication/config.go

@@ -28,6 +28,8 @@ type Config struct {
 	// Bearer Auth
 	AccessToken  *adal.Token
 	IsCloudShell bool
+	UseMsi       bool
+	MsiEndpoint  string
 }
 
 func (c *Config) LoadTokensFromAzureCLI() error {

azurerm/helpers/authentication/validation.go

@@ -49,3 +49,22 @@ func (c *Config) ValidateServicePrincipal() error {
 
 	return err.ErrorOrNil()
 }
+
+func (c *Config) ValidateMsi() error {
+	var err *multierror.Error
+
+	if c.SubscriptionID == "" {
+		err = multierror.Append(err, fmt.Errorf("Subscription ID must be configured for the AzureRM provider"))
+	}
+	if c.TenantID == "" {
+		err = multierror.Append(err, fmt.Errorf("Tenant ID must be configured for the AzureRM provider"))
+	}
+	if c.Environment == "" {
+		err = multierror.Append(err, fmt.Errorf("Environment must be configured for the AzureRM provider"))
+	}
+	if c.MsiEndpoint == "" {
+		err = multierror.Append(err, fmt.Errorf("MSI endpoint must be configured for the AzureRM provider"))
+	}
+
+	return err.ErrorOrNil()
+}

azurerm/helpers/authentication/validation_test.go

@@ -164,3 +164,75 @@ func TestAzureValidateServicePrincipal(t *testing.T) {
 		}
 	}
 }
+
+func TestAzureValidateMsi(t *testing.T) {
+	cases := []struct {
+		Description string
+		Config      Config
+		ExpectError bool
+	}{
+		{
+			Description: "Empty Configuration",
+			Config:      Config{},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing Subscription ID",
+			Config: Config{
+				MsiEndpoint: "http://localhost:50342/oauth2/token",
+				TenantID:    "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+				Environment: "public",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing Tenant ID",
+			Config: Config{
+				MsiEndpoint:    "http://localhost:50342/oauth2/token",
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				Environment:    "public",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing Environment",
+			Config: Config{
+				MsiEndpoint:    "http://localhost:50342/oauth2/token",
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				TenantID:       "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Missing MSI Endpoint",
+			Config: Config{
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				TenantID:       "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+				Environment:    "public",
+			},
+			ExpectError: true,
+		},
+		{
+			Description: "Valid Configuration",
+			Config: Config{
+				MsiEndpoint:    "http://localhost:50342/oauth2/token",
+				SubscriptionID: "8e8b5e02-5c13-4822-b7dc-4232afb7e8c2",
+				TenantID:       "9834f8d0-24b3-41b7-8b8d-c611c461a129",
+				Environment:    "public",
+			},
+			ExpectError: false,
+		},
+	}
+
+	for _, v := range cases {
+		err := v.Config.ValidateMsi()
+
+		if v.ExpectError && err == nil {
+			t.Fatalf("Expected an error for %q: didn't get one", v.Description)
+		}
+
+		if !v.ExpectError && err != nil {
+			t.Fatalf("Expected there to be no error for %q - but got: %v", v.Description, err)
+		}
+	}
+}

azurerm/provider.go

@@ -10,6 +10,7 @@ import (
 	"sync"
 
 	"github.com/Azure/azure-sdk-for-go/arm/resources/resources"
+	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/hashicorp/terraform/helper/mutexkv"
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
@@ -62,6 +63,16 @@ func Provider() terraform.ResourceProvider {
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("ARM_SKIP_PROVIDER_REGISTRATION", false),
 			},
+			"use_msi": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("ARM_USE_MSI", false),
+			},
+			"msi_endpoint": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("ARM_MSI_ENDPOINT", ""),
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
@@ -188,11 +199,27 @@ func providerConfigure(p *schema.Provider) schema.ConfigureFunc {
 			ClientSecret:              d.Get("client_secret").(string),
 			TenantID:                  d.Get("tenant_id").(string),
 			Environment:               d.Get("environment").(string),
+			UseMsi:                    d.Get("use_msi").(bool),
+			MsiEndpoint:               d.Get("msi_endpoint").(string),
 			SkipCredentialsValidation: d.Get("skip_credentials_validation").(bool),
 			SkipProviderRegistration:  d.Get("skip_provider_registration").(bool),
 		}
 
-		if config.ClientSecret != "" {
+		if config.UseMsi {
+			log.Printf("[DEBUG] use_msi specified - using MSI Authentication")
+			if config.MsiEndpoint == "" {
+				msiEndpoint, err := adal.GetMSIVMEndpoint()
+				if err != nil {
+					return nil, fmt.Errorf("Could not retrieve MSI endpoint from VM settings."+
+						"Ensure the VM has MSI enabled, or try setting msi_endpoint. Error: %s", err)
+				}
+				config.MsiEndpoint = msiEndpoint
+			}
+			log.Printf("[DEBUG] Using MSI endpoint %s", config.MsiEndpoint)
+			if err := config.ValidateMsi(); err != nil {
+				return nil, err
+			}
+		} else if config.ClientSecret != "" {
 			log.Printf("[DEBUG] Client Secret specified - using Service Principal for Authentication")
 			if err := config.ValidateServicePrincipal(); err != nil {
 				return nil, err

website/azurerm.erb

@@ -17,6 +17,10 @@
                 <li<%= sidebar_current("docs-azurerm-index-authentication-service-principal") %>>
                     <a href="/docs/providers/azurerm/authenticating_via_service_principal.html">Authenticating via a Service Principal (Shared Account)</a>
                 </li>
+
+                <li<%= sidebar_current("docs-azurerm-index-authentication-msi") %>>
+                    <a href="/docs/providers/azurerm/authenticating_via_msi.html">Authenticating via Managed Service Identity</a>
+                </li>
               </ul>
             </li>
 

website/docs/authenticating_via_msi.html.markdown

@@ -0,0 +1,97 @@
+---
+layout: "azurerm"
+page_title: "AzureRM: Authenticating via Managed Service Identity"
+sidebar_current: "docs-azurerm-index-authentication-msi"
+description: |-
+  The Azure Resource Manager provider supports authenticating via multiple means. This guide will cover configuring a Managed Service Identity which can be used to access Azure Resource Manager.
+
+---
+
+# Authenticating to Azure Resource Manager using Managed Service Identity
+
+Terraform supports authenticating to Azure through Managed Service Identity, Service Principal or the Azure CLI.
+
+We recommend using Managed Service Identity when running in a Shared Environment (such as within a CI server/automation) that you do not wish to configure credentials for - and [authenticating via the Azure CLI](authenticating_via_azure_cli.html) when you're running Terraform locally. Note that managed service identity is only available for virtual machines within Azure.
+
+## Configuring Managed Service Identity
+
+Managed Service Identity allows an Azure virtual machine to retrieve a token to access the Azure API without needing to pass in credentials. This works by creating a service principal in Azure Active Directory that is associated to a virtual machine. This service principal can then be granted permissions to Azure resources.
+There are various ways to configure managed service identity - see the [Microsoft documentation](https://docs.microsoft.com/en-us/azure/active-directory/msi-overview) for details.
+You can then run Terraform from the MSI enabled virtual machine by setting the use_msi provider option to true.
+
+### Configuring Managed Service Identity using Terraform
+
+Managed service identity can also be configured using Terraform. The following template shows how. Note that for a Linux VM you must use the ManagedIdentityExtensionForLinux.
+
+```hcl
+resource "azurerm_virtual_machine" "virtual_machine" {
+  name                  = "test"
+  location              = "${var.location}"
+  resource_group_name   = "test"
+  network_interface_ids = ["${azurerm_network_interface.test.id}"]
+  vm_size               = "Standard_DS1_v2"
+
+  identity = {
+    type = "SystemAssigned"
+  }
+
+  storage_image_reference {
+    publisher = "MicrosoftWindowsServer"
+    offer     = "WindowsServer"
+    sku       = "2016-Datacenter-smalldisk"
+    version   = "latest"
+  }
+
+  storage_os_disk {
+    name              = "test"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "test"
+    admin_username = "username"
+    admin_password = "password"
+  }
+
+  os_profile_windows_config {
+    provision_vm_agent        = true
+    enable_automatic_upgrades = false
+  }
+}
+
+resource "azurerm_virtual_machine_extension" "virtual_machine_extension" {
+  name                 = "test"
+  location             = "${var.location}"
+  resource_group_name  = "test"
+  virtual_machine_name = "${azurerm_virtual_machine.virtual_machine.name}"
+  publisher            = "Microsoft.ManagedIdentity"
+  type                 = "ManagedIdentityExtensionForWindows"
+  type_handler_version = "1.0"
+
+  settings = <<SETTINGS
+    {
+        "port": 50342
+    }
+SETTINGS
+}
+
+data "azurerm_subscription" "subscription" {}
+
+data "azurerm_builtin_role_definition" "builtin_role_definition" {
+  name = "Contributor"
+}
+
+# Grant the VM identity contributor rights to the current subscription
+resource "azurerm_role_assignment" "role_assignment" {
+  name               = "${uuid()}"
+  scope              = "${data.azurerm_subscription.subscription.id}"
+  role_definition_id = "${data.azurerm_subscription.subscription.id}${data.azurerm_builtin_role_definition.builtin_role_definition.id}"
+  principal_id       = "${lookup(azurerm_virtual_machine.virtual_machine.identity[0], "principal_id")}"
+
+  lifecycle {
+    ignore_changes = ["name"]
+  }
+}
+```

website/docs/index.html.markdown

@@ -77,6 +77,13 @@ The following arguments are supported:
 * `tenant_id` - (Optional) The tenant ID to use. It can also be sourced from the
   `ARM_TENANT_ID` environment variable.
 
+* `use_msi` - (Optional) Set to true to authenticate using managed service identity.
+  It can also be sourced from the `ARM_USE_MSI` environment variable.
+
+* `msi_endpoint` - (Optional) The REST endpoint to retrieve an MSI token from. Terraform
+  will attempt to discover this automatically but it can be specified manually here.
+  It can also be sourced from the `ARM_MSI_ENDPOINT` environment variable.
+
 * `environment` - (Optional) The cloud environment to use. It can also be sourced
   from the `ARM_ENVIRONMENT` environment variable. Supported values are:
   * `public` (default)