syepes
December 22, 2023, 1:24pm
1
I have started to investigate the possibility of using terraspace with our Azure deployments and have started seeing the below errors in the logs when using the helper azure_secret.
"AKV10022: Invalid audience. Expected https://vault.azure.net, found: https://management.core.windows.net/
Do you have any plans of moving away from the already deprecated SDKs? This will help future-proof terraspace within the Azure environments. This kind of situation does not really encourage newcomers to invest in the ecosystem.
https://azure.microsoft.com/en-us/updates/retirement-notice-the-azure-storage-ruby-client-libraries-will-be-retired-on-13-september-2024/
https://github.com/Azure/azure-sdk-for-ruby (retired in February 2021)
https://github.com/Azure/azure-storage-ruby (retired on 13 September 2024)
tung
December 22, 2023, 11:00pm
2
Yes. Would like to move off the deprecated SDK. It may have to be a part of https://github.com/boltops-tools/armrest
Will consider PRs. Of course, no sweat either way. Thanks!
FWIW, would really like to dig into this one. Unsure when though. Thanks!
tung
January 5, 2024, 7:06pm
3
I see the error above was a red herring. And was actually fixed by cli auth scope for vault secrets by tongueroo · Pull Request #8 · boltops-tools/armrest · GitHub
Remembering this now. Noting for posterity. Actually, the terraspace_plugin_azurerm moved off of the deprecated SDK to the lightweight GitHub - boltops-tools/armrest a while ago
PR
boltops-tools:master
← boltops-tools:armrest
opened 04:49AM - 20 Jan 22 UTC
* auth provider chain
* clean up secrets
* remove deprecated azure mgmt sdk
…
Closes #6
**Notes**
This was a doozy 🤣
Dug into it and the ruby azure sdk was able to auth via MSI and CLI. Sadly, the azure ruby sdk has been deprecated:
https://github.com/Azure/azure-sdk-for-ruby/blob/master/docs/README.md
Have been able to get by still using the deprecated sdk for the terraspace_plugin_azurerm. Running into a few annoying issues with it though. IE: Its gemspec pins faraday and other dependencies down, and microsoft is not updating the ruby gems. 🤦🏻♂️
Resorted to writing a ruby gem that uses the Azure REST API https://github.com/boltops-tools/armrest It was a bit of an effort 💪
The armrest gem will automatically check a few credentials in the credentials provider chain lookup logic:
Environment -> MSI -> CLI
Note: Had some mixed feelings about the order of the auth provider chain. With AWS, the credentials provider chain puts the InstanceProfile, similar to MSI, at the end. See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence Feel this makes more sense since guessing it makes a network call to see if the metadata endpoint is available.
Studied the .net DefaultAzureCredential chain and based the armrest auth chain on that. See: https://docs.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#defaultazurecredential
Also, added docs: https://terraspace.cloud/docs/plugins/azure/auth/
And diff
committed 04:48AM - 20 Jan 22 UTC
* auth provider chain
* clean up secrets
* remove deprecated azure mgmt sdk
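An added diagnostic example, not part of the thread and not code from armrest: it reads the `aud` claim of a bearer token and compares it with the resource being called, which is the mismatch the AKV10022 message in the first post reports. The function names, the constructed sample tokens and the case/trailing-slash normalisation are assumptions of this example.

```ruby
require "json"

# Audience values as quoted in the AKV10022 message in this thread.
VAULT_AUDIENCE = "https://vault.azure.net"
ARM_AUDIENCE   = "https://management.core.windows.net/"

# Decode the payload segment of a JWT access token WITHOUT verifying the
# signature. Diagnostic use only; never an authorization decision.
def jwt_claims(token)
  parts = token.to_s.split(".")
  raise ArgumentError, "not a three-part JWT" unless parts.size == 3
  seg = parts[1].tr("-_", "+/")
  seg += "=" * ((4 - seg.size % 4) % 4)     # restore stripped base64url padding
  JSON.parse(seg.unpack1("m0").force_encoding("UTF-8"))
rescue JSON::ParserError, ArgumentError => e
  raise ArgumentError, "cannot decode token payload: #{e.message}"
end

# Compare the token's aud claim with the resource the request targets.
# Case and a trailing slash are ignored here (an assumption of this example).
def audience_check(token, expected)
  norm  = ->(s) { s.to_s.chomp("/").downcase }
  found = Array(jwt_claims(token)["aud"])
  { ok: found.any? { |a| norm.(a) == norm.(expected) }, found: found, expected: expected }
end

# Constructed, unsigned sample token carrying only an aud claim.
def sample_token(aud)
  enc = ->(h) { [JSON.generate(h)].pack("m0").tr("+/", "-_").delete("=") }
  [enc.({ "alg" => "none" }), enc.({ "aud" => aud }), "constructed"].join(".")
end

if __FILE__ == $PROGRAM_NAME
  # A management-plane token presented to Key Vault, then a vault-scoped one.
  [ARM_AUDIENCE, VAULT_AUDIENCE].each do |aud|
    r = audience_check(sample_token(aud), VAULT_AUDIENCE)
    puts "#{r[:ok] ? 'OK      ' : 'MISMATCH'} expected=#{r[:expected]} found=#{r[:found].inspect}"
  end
end
```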