Add Azure AD authentication support

Author: younux

.gitignore

@@ -33,3 +33,6 @@ data/
 postgresql/pwfile
 tests/docker-compose.*.yml
 terraform-provider-postgresql
+
+
+examples

go.mod

@@ -3,6 +3,8 @@ module github.com/terraform-providers/terraform-provider-postgresql
 go 1.14
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v0.13.4
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.7.1
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/hashicorp/terraform-plugin-sdk v1.0.0
 	github.com/lib/pq v1.9.0

go.sum

@@ -10,6 +10,8 @@ import (
 	"sync"
 	"unicode"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/blang/semver"
 	_ "github.com/lib/pq" //PostgreSQL db
 	"gocloud.dev/postgres"
@@ -125,6 +127,10 @@ type Config struct {
 	Password          string
 	DatabaseUsername  string
 	Superuser         bool
+	AadAuthEnabled    bool
+	AadSpClientId     string
+	AadSpClientSecret string
+	AadSpTenantId     string
 	SSLMode           string
 	ApplicationName   string
 	Timeout           int
@@ -135,6 +141,34 @@ type Config struct {
 	SSLRootCertPath   string
 }
 
+// Interface to Azure identity provider
+type AzureIdentiferInterface interface {
+	GetAccessToken() (string, error)
+}
+
+type AzureIdentifier struct {
+	tenantID     string
+	clientID     string
+	clientSecret string
+}
+
+func (a *AzureIdentifier) GetAccessToken() (string, error) {
+	clientSecretCredentialOptions := azidentity.DefaultClientSecretCredentialOptions()
+	clientCredential, err := azidentity.NewClientSecretCredential(a.tenantID, a.clientID, a.clientSecret, &clientSecretCredentialOptions)
+	if err != nil {
+		return "", fmt.Errorf("Error getting access token from Azure AD with client id (%s) in tenant (%s) (NewClientSecretCredential) : %w", a.clientID, a.tenantID, err)
+	}
+	ctx := context.Background()
+	tokenOptions := azcore.TokenRequestOptions{
+		Scopes: []string{"https://ossrdbms-aad.database.windows.net/.default"},
+	}
+	token, err := clientCredential.GetToken(ctx, tokenOptions)
+	if err != nil {
+		return "", fmt.Errorf("Error getting access token from Azure AD with client id (%s) in tenant (%s) (GetToken) : %w", a.clientID, a.tenantID, err)
+	}
+	return token.Token, nil
+}
+
 // Client struct holding connection string
 type Client struct {
 	// Configuration for the client
@@ -148,13 +182,16 @@ type Client struct {
 	// catalogs look like tables, but are not in-fact able to be
 	// concurrently updated.
 	catalogLock sync.RWMutex
+
+	azIdentifer AzureIdentiferInterface
 }
 
 // NewClient returns client config for the specified database.
 func (c *Config) NewClient(database string) *Client {
 	return &Client{
 		config:       *c,
 		databaseName: database,
+		azIdentifer:  &AzureIdentifier{c.AadSpTenantId, c.AadSpClientId, c.AadSpClientSecret},
 	}
 }
 
@@ -236,6 +273,15 @@ func (c *Config) getDatabaseUsername() string {
 // Callers must return their database resources. Use of QueryRow() or Exec() is encouraged.
 // Query() must have their rows.Close()'ed.
 func (c *Client) Connect() (*DBConnection, error) {
+	// Fetch AAD access token and use it as a password if AAD authentication is enabled
+	if c.config.AadAuthEnabled {
+		pass, err := c.azIdentifer.GetAccessToken()
+		if err != nil {
+			return nil, err
+		}
+		c.config.Password = pass
+	}
+
 	dbRegistryLock.Lock()
 	defer dbRegistryLock.Unlock()
 

postgresql/config.go

@@ -75,6 +75,32 @@ func Provider() terraform.ResourceProvider {
 					"If not, some feature might be disabled (e.g.: Refreshing state password from Postgres)",
 			},
 
+			"aad_auth_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("PG_AAD_AUTH_ENABLED", false),
+				Description: "Specify if AAD authentication is used or not",
+			},
+			"aad_sp_client_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("PG_AAD_SP_CLIENT_ID", nil),
+				Description: "Client id of the service principal used when connecting with Azure AD",
+			},
+			"aad_sp_client_secret": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("PG_AAD_SP_CLIENT_SECRET", nil),
+				Description: "Client secret of the service principal used when connecting with Azure AD",
+				Sensitive:   true,
+			},
+			"aad_sp_tenant_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("PG_AAD_SP_TENANT_ID", nil),
+				Description: "Tenant of the service principal used when connecting with Azure AD",
+			},
+
 			"sslmode": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -177,6 +203,10 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		Password:          d.Get("password").(string),
 		DatabaseUsername:  d.Get("database_username").(string),
 		Superuser:         d.Get("superuser").(bool),
+		AadAuthEnabled:    d.Get("aad_auth_enabled").(bool),
+		AadSpClientId:     d.Get("aad_sp_client_id").(string),
+		AadSpClientSecret: d.Get("aad_sp_client_secret").(string),
+		AadSpTenantId:     d.Get("aad_sp_tenant_id").(string),
 		SSLMode:           sslMode,
 		ApplicationName:   "Terraform provider",
 		ConnectTimeoutSec: d.Get("connect_timeout").(int),