feat: add Azure DevOps Pipelines support

Author: ldez

providers/dns/azuredns/azuredns.go

@@ -34,6 +34,14 @@ const (
 	EnvOIDCRequestToken       = envNamespace + "OIDC_REQUEST_TOKEN"
 	EnvGitHubOIDCRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
 
+	EnvServiceConnectionID                  = envNamespace + "SERVICE_CONNECTION_ID"
+	altEnvServiceConnectionID               = "SERVICE_CONNECTION_ID"
+	altEnvArmAdoPipelineServiceConnectionID = "ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID"
+	altEnvArmOIDCAzureServiceConnectionID   = "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID"
+	EnvSystemAccessToken                    = envNamespace + "SYSTEM_ACCESS_TOKEN"
+	altEnvSystemAccessToken                 = "SYSTEM_ACCESSTOKEN"
+	altEnvArmOIDCRequestToken               = "ARM_OIDC_REQUEST_TOKEN"
+
 	EnvAuthMethod     = envNamespace + "AUTH_METHOD"
 	EnvAuthMSITimeout = envNamespace + "AUTH_MSI_TIMEOUT"
 
@@ -66,6 +74,9 @@ type Config struct {
 	OIDCRequestURL    string
 	OIDCRequestToken  string
 
+	ServiceConnectionID string
+	SystemAccessToken   string
+
 	AuthMethod     string
 	AuthMSITimeout time.Duration
 
@@ -134,6 +145,15 @@ func NewDNSProvider() (*DNSProvider, error) {
 	config.OIDCRequestURL = oidcValues[EnvOIDCRequestURL]
 	config.OIDCRequestToken = oidcValues[EnvOIDCRequestToken]
 
+	// https://registry.terraform.io/providers/hashicorp/Azurerm/latest/docs/guides/service_principal_oidc
+	pipelineValues, _ := env.GetWithFallback(
+		[]string{EnvServiceConnectionID, altEnvServiceConnectionID, altEnvArmAdoPipelineServiceConnectionID, altEnvArmOIDCAzureServiceConnectionID},
+		[]string{EnvSystemAccessToken, altEnvSystemAccessToken, altEnvArmOIDCRequestToken},
+	)
+
+	config.ServiceConnectionID = pipelineValues[EnvServiceConnectionID]
+	config.SystemAccessToken = pipelineValues[EnvSystemAccessToken]
+
 	config.AuthMethod = env.GetOrFile(EnvAuthMethod)
 	config.AuthMSITimeout = env.GetOrDefaultSecond(EnvAuthMSITimeout, 2*time.Second)
 

providers/dns/azuredns/azuredns.toml

@@ -174,6 +174,10 @@ This authentication method can be specifically used by setting the `AZURE_AUTH_M
 Open ID Connect is a mechanism that establish a trust relationship between a running environment and the Azure AD identity provider.
 It can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `oidc`.
 
+### Azure DevOps Pipelines
+
+It can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `pipeline`.
+
 '''
 
 [Configuration]

providers/dns/azuredns/credentials.go

@@ -13,44 +13,68 @@ import (
 	"github.com/go-acme/lego/v4/challenge/dns01"
 )
 
+const (
+	authMethodEnv      = "env"
+	authMethodWLI      = "wli"
+	authMethodMSI      = "msi"
+	authMethodCLI      = "cli"
+	authMethodOIDC     = "oidc"
+	authMethodPipeline = "pipeline"
+)
+
+//nolint:gocyclo // The complexity is related to the number of possible configurations.
 func getCredentials(config *Config) (azcore.TokenCredential, error) {
 	clientOptions := azcore.ClientOptions{Cloud: config.Environment}
 
 	switch strings.ToLower(config.AuthMethod) {
-	case "env":
+	case authMethodEnv:
 		if config.ClientID != "" && config.ClientSecret != "" && config.TenantID != "" {
 			return azidentity.NewClientSecretCredential(config.TenantID, config.ClientID, config.ClientSecret,
 				&azidentity.ClientSecretCredentialOptions{ClientOptions: clientOptions})
 		}
 
 		return azidentity.NewEnvironmentCredential(&azidentity.EnvironmentCredentialOptions{ClientOptions: clientOptions})
 
-	case "wli":
+	case authMethodWLI:
 		return azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{ClientOptions: clientOptions})
 
-	case "msi":
+	case authMethodMSI:
 		cred, err := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{ClientOptions: clientOptions})
 		if err != nil {
 			return nil, err
 		}
 
 		return &timeoutTokenCredential{cred: cred, timeout: config.AuthMSITimeout}, nil
 
-	case "cli":
+	case authMethodCLI:
 		var credOptions *azidentity.AzureCLICredentialOptions
 		if config.TenantID != "" {
 			credOptions = &azidentity.AzureCLICredentialOptions{TenantID: config.TenantID}
 		}
 		return azidentity.NewAzureCLICredential(credOptions)
 
-	case "oidc":
+	case authMethodOIDC:
 		err := checkOIDCConfig(config)
 		if err != nil {
 			return nil, err
 		}
 
 		return azidentity.NewClientAssertionCredential(config.TenantID, config.ClientID, getOIDCAssertion(config), &azidentity.ClientAssertionCredentialOptions{ClientOptions: clientOptions})
 
+	case authMethodPipeline:
+		err := checkPipelineConfig(config)
+		if err != nil {
+			return nil, err
+		}
+
+		// Uses the env var `SYSTEM_OIDCREQUESTURI`,
+		// but the constant is not exported,
+		// and there is no way to set it programmatically.
+		// https://github.com/Azure/azure-sdk-for-go/blob/aae2fb75ffccafc669db72bebc3c1a66332f48d7/sdk/azidentity/azure_pipelines_credential.go#L22
+		// https://github.com/Azure/azure-sdk-for-go/blob/aae2fb75ffccafc669db72bebc3c1a66332f48d7/sdk/azidentity/azure_pipelines_credential.go#L79
+
+		return azidentity.NewAzurePipelinesCredential(config.TenantID, config.ClientID, config.ServiceConnectionID, config.SystemAccessToken, &azidentity.AzurePipelinesCredentialOptions{ClientOptions: clientOptions})
+
 	default:
 		return azidentity.NewDefaultAzureCredential(&azidentity.DefaultAzureCredentialOptions{ClientOptions: clientOptions})
 	}
@@ -97,3 +121,15 @@ func getZoneName(config *Config, fqdn string) (string, error) {
 
 	return authZone, nil
 }
+
+func checkPipelineConfig(config *Config) error {
+	if config.ServiceConnectionID == "" {
+		return errors.New("azuredns: ServiceConnectionID is missing")
+	}
+
+	if config.SystemAccessToken == "" {
+		return errors.New("azuredns: SystemAccessToken is missing")
+	}
+
+	return nil
+}