#azure cli auth in a daggerized terraform module


inner granite
#

Has anybody created a dagger function that uses azure CLI authorization without a managed service identity? I haven't found anything about what specifically I can mount.

Terraform has a provider authorization waterfall and that call to the Azure CLI for running plans locally based on current dev credentials won't work with my current approach. Haven't found any env var equivalent like AWS allows for this.

Ideally, I have authorization for the Dev using their az login credentials, and then in CI I use the managed service identity credentials.

Not specific to dagger but more working on a dagger module that this becomes a blocker on since I didn't want to embed credentials.

inner granite
#

going to look at this... possible I can just grab this myself and then just run it. I see they said it's just shelled out, but I haven't looked to see if this is cached in a file or in keychain https://github.com/hashicorp/terraform-provider-azurerm/issues/3686#issuecomment-523983734


#

ARGGGH. This is the kind of thing that freaking sucks as containerized run with tooling like dagger is not supported.

When running Terraform in automation (such as within Docker) we only support using a Service Principal for authentication - rather than the Azure CLI, which means unfortunately this use-case is unsupported (which is why this unintentionally stopped working in v1.20).

Now here's where I'd ask...

  • traditionally I have mage in a project and would wrap up az login or other command and invoke CLI locally.
  • dagger is a "black box" in comparison.
  • I'm assuming there's no equivalent of local command exec in a dagger function, as everything is meant to be sandboxed right? Is it possible for me to have a function in the local machine scope when a developer or does this defeat the whole point (I'm assuming but figured the pros here would confirm).

There's a lot I don't miss about AWS, but this kinda stuff is not one of them.

inner granite
#

Anyone currently doing Azure automation in a local way and not just CI? The only thing I can think of around this is to build a custom dagger image for terraform and other automation that could cache the folder the creds are saved to and use the interactive terminal feature for prompting for sign-in.

shadow sorrel
#

I am not sure that would work because the interactive feature is designed for debugging, not prompting for user input. My concern is there is no way to "continue" past the input.

Note that a secret command can be the result of a command call like this:

dagger call github-api --endpoint=https://api.github.com/repos/dagger/dagger/issues --token=cmd:"gh auth token"

https://docs.dagger.io/manuals/developer/secrets/

Dagger allows you to utilize confidential information, such as passwords, API keys, SSH keys and so on, in your Dagger Modules and Dagger Functions, without exposing those secrets in plaintext logs, writing them into the filesystem of containers you're building, or inserting them into the cache.

#

I am curious, is there an equivalent using the Azure CLI?

fleet breach
#

So yes @inner granite, using Terminal will allow you to implement this even though it's not specifically what it has been designed for.

inner granite
#

Anyone know what to mount for az to just work? No need to dig, I can do that again, just checking in case it's solved already. Freaking annoying that there's no equivalent to how AWS makes this much easier.
Appreciate all the dialogue.
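The question of "what to mount" comes down to the Azure CLI's config directory. The following is an added example, not code from the thread or from Dagger or Terraform: a small pre-flight check that a wrapper script (or a Dagger module's host-side caller) can run before handing that directory to a container. It assumes the CLI honours `AZURE_CONFIG_DIR` and defaults to `~/.azure`, that `azureProfile.json` lists subscriptions with `isDefault`, `tenantId` and `user.name`, and that `msal_token_cache.json` is the MSAL token cache holding the refresh tokens (all assumptions, not verified against the page). The `dagger call plan --azure-config=...` invocation it builds is for a hypothetical module function; the flag names are placeholders.

```python
"""Pre-flight check before mounting an Azure CLI config directory into a container.

Added example, not from the thread. Assumptions (also stated in the lead-in):
- The Azure CLI keeps its state in $AZURE_CONFIG_DIR (default ~/.azure).
- azureProfile.json lists subscriptions with isDefault / tenantId / user.name.
- msal_token_cache.json is the MSAL cache; it carries refresh tokens, so mounting
  the directory hands the container the developer's full identity, not one plan.
"""
import json
import os
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class AzProfile:
    config_dir: Path
    user: str
    subscription_id: str
    subscription_name: str
    tenant_id: str
    has_token_cache: bool  # True when msal_token_cache.json exists next to the profile


def azure_config_dir() -> Path:
    # Assumption: AZURE_CONFIG_DIR overrides the default ~/.azure location.
    return Path(os.environ.get("AZURE_CONFIG_DIR", str(Path.home() / ".azure")))


def load_default_profile(config_dir: Path) -> Optional[AzProfile]:
    """Return the default (az login) subscription from azureProfile.json, or None."""
    profile_path = config_dir / "azureProfile.json"
    if not profile_path.is_file():
        return None
    # The CLI may write this file with a UTF-8 BOM; utf-8-sig strips it if present.
    data = json.loads(profile_path.read_text(encoding="utf-8-sig"))
    for sub in data.get("subscriptions", []):
        if sub.get("isDefault") and sub.get("state", "Enabled") == "Enabled":
            return AzProfile(
                config_dir=config_dir,
                user=sub.get("user", {}).get("name", "?"),
                subscription_id=sub["id"],
                subscription_name=sub.get("name", ""),
                tenant_id=sub["tenantId"],
                has_token_cache=(config_dir / "msal_token_cache.json").is_file(),
            )
    return None


def dagger_call_args(profile: AzProfile, function: str = "plan") -> List[str]:
    """Build the `dagger call` line for a hypothetical module function.

    Only the config directory is mounted (never the whole home directory), and
    the subscription/tenant are passed explicitly so the container cannot pick
    a different default than the developer sees locally.
    """
    return [
        "dagger", "call", function,
        "--src=.",
        f"--azure-config={profile.config_dir}",
        f"--subscription-id={profile.subscription_id}",
        f"--tenant-id={profile.tenant_id}",
    ]


if __name__ == "__main__":
    prof = load_default_profile(azure_config_dir())
    if prof is None:
        raise SystemExit("no default az login profile found; run `az login` first")
    if not prof.has_token_cache:
        raise SystemExit("profile found but no MSAL token cache; az login may be stale")
    print(f"mounting {prof.config_dir} for {prof.user} ({prof.subscription_name})")
    print(" ".join(dagger_call_args(prof)))
```

In CI, where the thread wants the managed identity instead, this check is simply skipped and the module function is called without `--azure-config`, so the only path that ever mounts a developer's token cache is an interactive one on their own machine.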