Replace Azure Service Principal auth with Azure Workload Identity auth in functional tests

.github/workflows/functional-test-cloud.yaml

@@ -63,7 +63,7 @@ env:
   # Azure Keyvault CSI driver chart version
   AZURE_KEYVAULT_CSI_DRIVER_VER: "1.4.2"
   # Azure workload identity webhook chart version
-  AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER: "1.1.0"
+  AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER: "1.3.0"
   # Container registry for storing container images
   CONTAINER_REGISTRY: ghcr.io/radius-project/dev
   # Container registry for storing Bicep recipe artifacts
@@ -95,7 +95,7 @@ jobs:
   build:
     name: Build Radius for test
     runs-on: ubuntu-latest
-    if: github.event_name == 'repository_dispatch' || (github.event_name == 'schedule' && github.repository == 'radius-project/radius') || github.event_name == 'workflow_run'
+    if: github.event_name == 'repository_dispatch' || (github.event_name == 'schedule' && github.repository == 'radius-project/radius') || github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
     env:
       DE_IMAGE: "ghcr.io/radius-project/deployment-engine"
       DE_TAG: "latest"
@@ -117,7 +117,13 @@ jobs:
           private_key: ${{ secrets.FUNCTIONAL_TEST_APP_PRIVATE_KEY }}
 
       - name: Set up checkout target (scheduled)
-        if: github.event_name == 'schedule' || github.event_name == 'repository_dispatch'
+        if: github.event_name == 'schedule'
+        run: |
+          echo "CHECKOUT_REPO=${{ github.repository }}" >> $GITHUB_ENV
+          echo "CHECKOUT_REF=refs/heads/main" >> $GITHUB_ENV
+
+      - name: Set up checkout target (repository_dispatch)
+        if: github.event_name == 'repository_dispatch'
         run: |
           echo "CHECKOUT_REPO=${{ github.repository }}" >> $GITHUB_ENV
           echo "CHECKOUT_REF=refs/heads/main" >> $GITHUB_ENV
@@ -352,7 +358,7 @@ jobs:
   tests:
     name: Run ${{ matrix.name }} functional tests
     needs: build
-    if: github.event_name == 'repository_dispatch' || (github.event_name == 'schedule' && github.repository == 'radius-project/radius') || github.event_name == 'workflow_run'
+    if: github.event_name == 'repository_dispatch' || (github.event_name == 'schedule' && github.repository == 'radius-project/radius') || github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
     strategy:
       fail-fast: true
       matrix:
@@ -431,9 +437,9 @@ jobs:
       - name: Login to Azure
         uses: azure/login@v2
         with:
-          client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
-          tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
+          client-id: ${{ secrets.AZURE_TEST_APPID }}
+          tenant-id: ${{ secrets.AZURE_TEST_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_TEST_SUBSCRIPTIONID }}
 
       - uses: marocchino/sticky-pull-request-comment@v2
         continue-on-error: true
@@ -451,7 +457,7 @@ jobs:
           az group create \
             --location ${{ env.AZURE_LOCATION }} \
             --name $RESOURCE_GROUP \
-            --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
+            --subscription ${{ secrets.AZURE_TEST_SUBSCRIPTIONID }} \
             --tags creationTime=$current_time
           while [ $(az group exists --name $RESOURCE_GROUP) = false ]; do sleep 2; done
         env:
@@ -516,7 +522,7 @@ jobs:
       - name: Install azure workload identity webhook chart
         run: |
           helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts
-          helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace radius-default --create-namespace --version ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }} --set azureTenantID=${{ secrets.AZURE_SP_TESTS_TENANTID }}
+          helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace radius-default --create-namespace --version ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }} --set azureTenantID=${{ secrets.AZURE_TEST_TENANTID }}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -556,7 +562,7 @@ jobs:
           echo "*** Installing Radius to Kubernetes ***"
           rad install kubernetes \
             --chart ${{ env.RADIUS_CHART_LOCATION }} \
-            --set rp.image=${{ env.CONTAINER_REGISTRY }}/applications-rp,rp.tag=${{ env.REL_VERSION }},controller.image=${{ env.CONTAINER_REGISTRY }}/controller,controller.tag=${{ env.REL_VERSION }},ucp.image=${{ env.CONTAINER_REGISTRY }}/ucpd,ucp.tag=${{ env.REL_VERSION }},de.image=${{ env.DE_IMAGE }},de.tag=${{ env.DE_TAG }}
+            --set rp.image=${{ env.CONTAINER_REGISTRY }}/applications-rp,rp.tag=${{ env.REL_VERSION }},controller.image=${{ env.CONTAINER_REGISTRY }}/controller,controller.tag=${{ env.REL_VERSION }},ucp.image=${{ env.CONTAINER_REGISTRY }}/ucpd,ucp.tag=${{ env.REL_VERSION }},de.image=${{ env.DE_IMAGE }},de.tag=${{ env.DE_TAG }},global.azureWorkloadIdentity.enabled=true
 
           echo "*** Create workspace, group and environment for test ***"
           rad workspace create kubernetes
@@ -568,11 +574,11 @@ jobs:
           rad env switch kind-radius
 
           echo "*** Configuring Azure provider ***"
-          rad env update kind-radius --azure-subscription-id ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
+          rad env update kind-radius --azure-subscription-id ${{ secrets.AZURE_TEST_SUBSCRIPTIONID }} \
             --azure-resource-group ${{ env.AZURE_TEST_RESOURCE_GROUP }}
-          rad credential register azure sp --client-id ${{ secrets.AZURE_SP_TESTS_APPID }} \
-            --client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }} \
-            --tenant-id ${{ secrets.AZURE_SP_TESTS_TENANTID }}
+          rad credential register azure wi \
+            --client-id ${{ secrets.AZURE_TEST_APPID }} \
+            --tenant-id ${{ secrets.AZURE_TEST_TENANTID }}
 
           echo "*** Configuring AWS provider ***"
           rad env update kind-radius --aws-region ${{ env.AWS_REGION }} --aws-account-id ${{ secrets.FUNCTEST_AWS_ACCOUNT_ID }}
@@ -719,7 +725,7 @@ jobs:
         run: |
           # if deletion fails, purge workflow will purge the resource group and its resources later.
           az group delete \
-            --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
+            --subscription ${{ secrets.AZURE_TEST_SUBSCRIPTIONID }} \
             --name ${{ env.AZURE_TEST_RESOURCE_GROUP }} \
             --yes --verbose
 

pkg/azure/credential/ucpcredentials.go

@@ -171,14 +171,21 @@ func refreshAzureWorkloadIdentityCredentials(ctx context.Context, c *UCPCredenti
 
 	logger.Info("Retrieved Azure Credential - ClientID: " + azureWorkloadIdentityCredential.ClientID)
 
-	var opt *azidentity.DefaultAzureCredentialOptions
+	var opt *azidentity.WorkloadIdentityCredentialOptions
 	if c.options.ClientOptions != nil {
-		opt = &azidentity.DefaultAzureCredentialOptions{
+		opt = &azidentity.WorkloadIdentityCredentialOptions{
+			ClientID:      azureWorkloadIdentityCredential.ClientID,
+			TenantID:      azureWorkloadIdentityCredential.TenantID,
 			ClientOptions: *c.options.ClientOptions,
 		}
+	} else {
+		opt = &azidentity.WorkloadIdentityCredentialOptions{
+			ClientID: azureWorkloadIdentityCredential.ClientID,
+			TenantID: azureWorkloadIdentityCredential.TenantID,
+		}
 	}
 
-	azCred, err := azidentity.NewDefaultAzureCredential(opt)
+	azCred, err := azidentity.NewWorkloadIdentityCredential(opt)
 	if err != nil {
 		return err
 	}

pkg/corerp/handlers/azure_userassigned_managedidentity.go

@@ -97,7 +97,7 @@ func (handler *azureUserAssignedManagedIdentityHandler) Put(ctx context.Context,
 
 	identity, err := msiClient.CreateOrUpdate(ctx, rgName, identityName, armmsi.Identity{Location: &resourceLocation}, nil)
 	if err != nil {
-		return properties, fmt.Errorf("failed to create user assigned managed identity: %w", err)
+		return properties, fmt.Errorf("failed to create user-assigned managed identity: %w", err)
 	}
 
 	properties[UserAssignedIdentityIDKey] = to.String(identity.ID)
@@ -111,7 +111,7 @@ func (handler *azureUserAssignedManagedIdentityHandler) Put(ctx context.Context,
 	}
 
 	options.Resource.ID = id
-	logger.Info("Created managed identity for KeyVault access", logging.LogFieldLocalID, rpv1.LocalIDUserAssignedManagedIdentity)
+	logger.Info("Created user-assigned managed identity", logging.LogFieldLocalID, rpv1.LocalIDUserAssignedManagedIdentity)
 
 	return properties, nil
 }

pkg/recipes/terraform/config/providers/azure.go

@@ -39,13 +39,20 @@ import (
 const (
 	AzureProviderName = "azurerm"
 
-	azureFeaturesParam               = "features"
-	azureSubIDParam                  = "subscription_id"
-	azureClientIDParam               = "client_id"
-	azureClientSecretParam           = "client_secret"
-	azureTenantIDParam               = "tenant_id"
-	azureUseAKSWorkloadIdentityParam = "use_aks_workload_identity"
-	azureUseCLIParam                 = "use_cli"
+	azureFeaturesParam          = "features"
+	azureSubIDParam             = "subscription_id"
+	azureClientIDParam          = "client_id"
+	azureClientSecretParam      = "client_secret"
+	azureTenantIDParam          = "tenant_id"
+	azureUseOIDCParam           = "use_oidc"
+	azureUseCLIParam            = "use_cli"
+	azureOIDCTokenFilePathParam = "oidc_token_file_path"
+
+	// The Azure AD Workload Identity Mutating Admission Webhook projects a signed service account token to
+	// this well known path.
+	// https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
+	// https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#argument-reference
+	azureOIDCTokenFilePath = "/var/run/secrets/azure/tokens/azure-identity-token"
 )
 
 var _ Provider = (*azureProvider)(nil)
@@ -175,13 +182,14 @@ func (p *azureProvider) generateProviderConfigMap(configMap map[string]any, cred
 		if credentials.WorkloadIdentity != nil &&
 			credentials.WorkloadIdentity.ClientID != "" &&
 			credentials.WorkloadIdentity.TenantID != "" {
+
+			// Use OIDC for Workload Identity
+			// https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc
 			configMap[azureClientIDParam] = credentials.WorkloadIdentity.ClientID
 			configMap[azureTenantIDParam] = credentials.WorkloadIdentity.TenantID
-
-			// Use AKS Workload Identity for Azure provider
-			// https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/aks_workload_identity#configuring-with-environment-variables
-			configMap[azureUseAKSWorkloadIdentityParam] = true
 			configMap[azureUseCLIParam] = false
+			configMap[azureUseOIDCParam] = true
+			configMap[azureOIDCTokenFilePathParam] = azureOIDCTokenFilePath
 		}
 	}
 

pkg/recipes/terraform/config/providers/azure_test.go

@@ -314,12 +314,13 @@ func TestAzureProvider_generateProviderConfigMap(t *testing.T) {
 			subscription: testSubscription,
 			credentials:  testAzureWorkloadIdentityCredential,
 			expectedConfig: map[string]any{
-				azureFeaturesParam:               map[string]any{},
-				azureSubIDParam:                  testSubscription,
-				azureTenantIDParam:               testAzureWorkloadIdentityCredential.WorkloadIdentity.TenantID,
-				azureClientIDParam:               testAzureWorkloadIdentityCredential.WorkloadIdentity.ClientID,
-				azureUseAKSWorkloadIdentityParam: true,
-				azureUseCLIParam:                 false,
+				azureFeaturesParam:          map[string]any{},
+				azureSubIDParam:             testSubscription,
+				azureTenantIDParam:          testAzureWorkloadIdentityCredential.WorkloadIdentity.TenantID,
+				azureClientIDParam:          testAzureWorkloadIdentityCredential.WorkloadIdentity.ClientID,
+				azureUseCLIParam:            false,
+				azureUseOIDCParam:           true,
+				azureOIDCTokenFilePathParam: "/var/run/secrets/azure/tokens/azure-identity-token",
 			},
 		},
 		{
@@ -369,6 +370,9 @@ func TestAzureProvider_generateProviderConfigMap(t *testing.T) {
 			require.Equal(t, tt.expectedConfig[azureClientIDParam], config[azureClientIDParam])
 			require.Equal(t, tt.expectedConfig[azureClientSecretParam], config[azureClientSecretParam])
 			require.Equal(t, tt.expectedConfig[azureTenantIDParam], config[azureTenantIDParam])
+			require.Equal(t, tt.expectedConfig[azureUseOIDCParam], config[azureUseOIDCParam])
+			require.Equal(t, tt.expectedConfig[azureUseCLIParam], config[azureUseCLIParam])
+			require.Equal(t, tt.expectedConfig[azureOIDCTokenFilePathParam], config[azureOIDCTokenFilePathParam])
 		})
 	}
 }

test/functional-portable/corerp/cloud/resources/storage_test.go

@@ -25,7 +25,7 @@ import (
 	"github.com/radius-project/radius/test/validation"
 )
 
-// Test_Storage tests if a container can be created and then deleted by the magpiego with the workload identity.
+// Test_Storage tests if a container on an Azure Storage Account can be created and then deleted by the magpiego with the workload identity.
 func Test_Storage(t *testing.T) {
 	template := "testdata/corerp-resources-container-workload.bicep"
 	name := "corerp-resources-container-workload"

test/magpiego/go.mod

@@ -1,6 +1,6 @@
 module github.com/radius-project/radius/test/magpiego
 
-go 1.22
+go 1.22.0
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0

test/testrecipes/test-terraform-recipes/azure-storage/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source = "hashicorp/azurerm"
-      version = "~> 3.0.0"
+      version = "~> 3.114.0"
     }
   }
 }