From 341479087c8de35c71a700ef8001e71c0a229784 Mon Sep 17 00:00:00 2001
From: Matthew Frahry
Date: Mon, 22 Mar 2021 10:15:41 -0700
Subject: [PATCH] backend/azurerm: adding support for azuread authentication

---
 backend/remote-state/azure/arm_client.go | 29 +++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/backend/remote-state/azure/arm_client.go b/backend/remote-state/azure/arm_client.go
index 81c6d2a91..a407b785b 100644
--- a/backend/remote-state/azure/arm_client.go
+++ b/backend/remote-state/azure/arm_client.go
@@ -26,6 +26,9 @@ type ArmClient struct {
 containersClient *containers.Client
 blobsClient *blobs.Client
+ // azureAdStorageAuth is only here if we're using AzureAD Authentication but is an Authorizer for Storage
+ azureAdStorageAuth *autorest.Authorizer
+
 accessKey string
 environment azure.Environment
 resourceGroupName string
@@ -92,11 +95,20 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
 return nil, err
 }
- auth, err := armConfig.GetAuthorizationToken(sender.BuildSender("backend/remote-state/azure"), oauthConfig, env.TokenAudience)
+ sender := sender.BuildSender("backend/remote-state/azure")
+ auth, err := armConfig.GetAuthorizationToken(sender, oauthConfig, env.TokenAudience)
 if err != nil {
 return nil, err
 }
+ if config.UseAzureADAuthentication {
+ storageAuth, err := armConfig.GetAuthorizationToken(sender, oauthConfig, env.ResourceIdentifiers.Storage)
+ if err != nil {
+ return nil, err
+ }
+ client.azureAdStorageAuth = &storageAuth
+ }
+
 accountsClient := armStorage.NewAccountsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID)
 client.configureClient(&accountsClient.Client, auth)
 client.storageAccountsClient = &accountsClient
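Review bot: azureAdStorageAuth is declared as a pointer to autorest.Authorizer, which in go-autorest is an interface type, so the pointer adds only a second nil state and a dereference at every use; a plain `azureAdStorageAuth autorest.Authorizer` field is nil until buildArmClient assigns it and expresses the same "only set for AzureAD" condition. The field comment should also say what the value authorizes and how it is ordered against the other credentials, e.g. `// azureAdStorageAuth is an Authorizer for the Storage resource; it is set only when UseAzureADAuthentication is true and, when set, is used ahead of accessKey.` The rest of the ArmClient struct lies outside the hunk.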
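Review bot: `sender := sender.BuildSender("backend/remote-state/azure")` shadows the imported `sender` package for the rest of buildArmClient, whose body continues beyond the hunk, so any later reference to that package inside the function now resolves to the local variable, and shadow linters will flag it. Renaming the local avoids both: `httpSender := sender.BuildSender("backend/remote-state/azure")` and `auth, err := armConfig.GetAuthorizationToken(httpSender, oauthConfig, env.TokenAudience)`, with the same `httpSender` passed to the Storage-audience call. The inner `storageAuth, err :=` redeclares err inside the if block, which is harmless since it is checked immediately, but a comment on the block stating why a second token is requested would help: `// AzureAD auth: the ARM-audience token is not accepted by the Storage data plane, so request a second token scoped to the Storage audience.` If the code after the hunk still lists storage account keys when UseAzureADAuthentication is set, that is worth checking as well, since this mode presumably exists so the identity no longer needs key-listing rights; it cannot be confirmed from the hunk.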
@@ -109,6 +121,8 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
 }
 
 func buildArmEnvironment(config BackendConfig) (*azure.Environment, error) {
+ // TODO: can we remove this?
+ // https://github.com/hashicorp/terraform/issues/27156
 if config.CustomResourceManagerEndpoint != "" {
 log.Printf("[DEBUG] Loading Environment from Endpoint %q", config.CustomResourceManagerEndpoint)
 return authentication.LoadEnvironmentFromUrl(config.CustomResourceManagerEndpoint)
@@ -131,6 +145,12 @@ func (c ArmClient) getBlobClient(ctx context.Context) (*blobs.Client, error) {
 return &blobsClient, nil
 }
 
+ if c.azureAdStorageAuth != nil {
+ blobsClient := blobs.NewWithEnvironment(c.environment)
+ c.configureClient(&blobsClient.Client, *c.azureAdStorageAuth)
+ return &blobsClient, nil
+ }
+
 accessKey := c.accessKey
 if accessKey == "" {
 log.Printf("[DEBUG] Building the Blob Client from an Access Token (using user credentials)")
@@ -169,6 +189,13 @@ func (c ArmClient) getContainersClient(ctx context.Context) (*containers.Client,
 c.configureClient(&containersClient.Client, storageAuth)
 return &containersClient, nil
 }
+
+ if c.azureAdStorageAuth != nil {
+ containersClient := containers.NewWithEnvironment(c.environment)
+ c.configureClient(&containersClient.Client, *c.azureAdStorageAuth)
+ return &containersClient, nil
+ }
+
 accessKey := c.accessKey
 if accessKey == "" {
 log.Printf("[DEBUG] Building the Container Client from an Access Token (using user credentials)")
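Review bot: The AzureAD branch added to getBlobClient is repeated almost verbatim (constructor aside) in getContainersClient in the next hunk, and neither branch logs which credential was selected, whereas the accessKey path directly below emits `[DEBUG] Building the Blob Client from an Access Token (using user credentials)` when no key is set; adding `log.Printf("[DEBUG] Building the Blob Client from AzureAD authentication")` (and the Container equivalent) lets an operator tell from the log which auth mode the backend actually used. The new check on c.azureAdStorageAuth sits after the credential branch whose start is outside this hunk and before the accessKey path, so a configuration carrying both an AzureAD authorizer and an access key silently uses AzureAD; a one-line comment above the `if`, `// AzureAD authorization for the Storage data plane is preferred over the account access key.`, records that precedence as intentional. getBlobClient's header is outside the hunk, and the same notes apply to getContainersClient.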