internal/backend/remote-state/azure: adding a feature-toggle to use MSAL

internal/backend/remote-state/azure/arm_client.go

@@ -7,6 +7,8 @@ import (
 	"os"
 	"time"
 
+	"github.com/manicminer/hamilton/environments"
+
 	"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/blobs"
 	"github.com/tombuildsstuff/giovanni/storage/2018-11-09/blob/containers"
 
@@ -84,6 +86,7 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
 		SupportsClientCertAuth:         true,
 		SupportsClientSecretAuth:       true,
 		SupportsManagedServiceIdentity: config.UseMsi,
+		UseMicrosoftGraph:              config.UseMicrosoftGraph,
 	}
 	armConfig, err := builder.Build()
 	if err != nil {
@@ -95,18 +98,43 @@ func buildArmClient(ctx context.Context, config BackendConfig) (*ArmClient, erro
 		return nil, err
 	}
 
-	sender := sender.BuildSender("backend/remote-state/azure")
-	auth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
+	hamiltonEnv, err := environments.EnvironmentFromString(config.Environment)
 	if err != nil {
 		return nil, err
 	}
 
-	if config.UseAzureADAuthentication {
-		storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
+	sender := sender.BuildSender("backend/remote-state/azure")
+	var auth autorest.Authorizer
+	if builder.UseMicrosoftGraph {
+		log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Resource Manager..")
+		auth, err = armConfig.GetMSALToken(ctx, hamiltonEnv.ResourceManager, sender, oauthConfig, env.TokenAudience)
 		if err != nil {
 			return nil, err
 		}
-		client.azureAdStorageAuth = &storageAuth
+	} else {
+		log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Resource Manager..")
+		auth, err = armConfig.GetADALToken(ctx, sender, oauthConfig, env.TokenAudience)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if config.UseAzureADAuthentication {
+		if builder.UseMicrosoftGraph {
+			log.Printf("[DEBUG] Obtaining a MSAL / Microsoft Graph token for Storage..")
+			storageAuth, err := armConfig.GetMSALToken(ctx, hamiltonEnv.Storage, sender, oauthConfig, env.ResourceIdentifiers.Storage)
+			if err != nil {
+				return nil, err
+			}
+			client.azureAdStorageAuth = &storageAuth
+		} else {
+			log.Printf("[DEBUG] Obtaining a ADAL / Azure Active Directory Graph token for Storage..")
+			storageAuth, err := armConfig.GetADALToken(ctx, sender, oauthConfig, env.ResourceIdentifiers.Storage)
+			if err != nil {
+				return nil, err
+			}
+			client.azureAdStorageAuth = &storageAuth
+		}
 	}
 
 	accountsClient := armStorage.NewAccountsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID)

internal/backend/remote-state/azure/backend.go

@@ -142,6 +142,12 @@ func New() backend.Backend {
 				Description: "Should Terraform use AzureAD Authentication to access the Blob?",
 				DefaultFunc: schema.EnvDefaultFunc("ARM_USE_AZUREAD", false),
 			},
+			"use_microsoft_graph": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Should Terraform obtain an auth token from Microsoft Graph rather than Azure Active Directory?",
+				DefaultFunc: schema.EnvDefaultFunc("ARM_USE_MSGRAPH", false),
+			},
 		},
 	}
 
@@ -181,6 +187,7 @@ type BackendConfig struct {
 	TenantID                      string
 	UseMsi                        bool
 	UseAzureADAuthentication      bool
+	UseMicrosoftGraph             bool
 }
 
 func (b *Backend) configure(ctx context.Context) error {
@@ -212,6 +219,7 @@ func (b *Backend) configure(ctx context.Context) error {
 		TenantID:                      data.Get("tenant_id").(string),
 		UseMsi:                        data.Get("use_msi").(bool),
 		UseAzureADAuthentication:      data.Get("use_azuread_auth").(bool),
+		UseMicrosoftGraph:             data.Get("use_microsoft_graph").(bool),
 	}
 
 	armClient, err := buildArmClient(context.TODO(), config)