Diffstat (limited to 'ansible_collections/azure/azcollection/plugins/module_utils')
-rw-r--r-- | ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py | 266 | ||||
-rw-r--r-- | ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common_rest.py | 2 |
2 files changed, 99 insertions, 169 deletions
diff --git a/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py b/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py index 9c0e6e839..79b5167b1 100644 --- a/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py +++ b/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py @@ -15,10 +15,6 @@ import inspect import traceback import json -try: - from azure.graphrbac import GraphRbacManagementClient -except Exception: - pass from os.path import expanduser from ansible.module_utils.basic import \ @@ -53,6 +49,7 @@ AZURE_COMMON_ARGS = dict( log_path=dict(type='str', no_log=True), x509_certificate_path=dict(type='path', no_log=True), thumbprint=dict(type='str', no_log=True), + disable_instance_discovery=dict(type='bool', default=False), ) AZURE_CREDENTIAL_ENV_MAPPING = dict( @@ -67,7 +64,8 @@ AZURE_CREDENTIAL_ENV_MAPPING = dict( cert_validation_mode='AZURE_CERT_VALIDATION_MODE', adfs_authority_url='AZURE_ADFS_AUTHORITY_URL', x509_certificate_path='AZURE_X509_CERTIFICATE_PATH', - thumbprint='AZURE_THUMBPRINT' + thumbprint='AZURE_THUMBPRINT', + disable_instance_discovery='AZURE_DISABLE_INSTANCE_DISCOVERY' ) 
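Review bot: The new `disable_instance_discovery` entry in AZURE_COMMON_ARGS carries no explanation of what it switches off; in azure-identity this flag disables instance discovery and authority validation together, so a credential built with it accepts whatever authority host it is handed. A comment on the entry (or the shared doc fragment, which is not in this diff) should say so, e.g. `# Turns off authority validation in the azure-identity credentials; intended only for private clouds/ADFS where the authority cannot be validated`. The third hunk on this line maps the option to `AZURE_DISABLE_INSTANCE_DISCOVERY`, which delivers a string rather than a bool, so the consumer of that value has to normalise it before treating it as a switch.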
@@ -114,7 +112,28 @@ AZURE_API_PROFILES = { 'ManagementLockClient': '2016-09-01', 'DataLakeStoreAccountManagementClient': '2016-11-01', 'NotificationHubsManagementClient': '2016-03-01', - 'EventHubManagementClient': '2018-05-04' + 'EventHubManagementClient': '2021-11-01', + 'GenericRestClient': 'latest', + 'DnsManagementClient': '2018-05-01', + 'PrivateDnsManagementClient': 'latest', + 'ContainerServiceClient': '2022-02-01', + 'SqlManagementClient': 'latest', + 'ContainerRegistryManagementClient': '2021-09-01', + 'MarketplaceOrderingAgreements': 'latest', + 'TrafficManagerManagementClient': 'latest', + 'MonitorManagementClient': '2016-03-01', + 'LogAnalyticsManagementClient': 'latest', + 'ServiceBusManagementClient': 'latest', + 'AutomationClient': 'latest', + 'IotHubClient': 'latest', + 'RecoveryServicesBackupClient': 'latest', + 'DataFactoryManagementClient': 'latest', + 'KeyVaultManagementClient': '2021-10-01', + 'HDInsightManagementClient': 'latest', + 'DevTestLabsClient': 'latest', + 'CosmosDBManagementClient': 'latest', + 'CdnManagementClient': '2017-04-02', + 'BatchManagementClient': 'latest', }, '2019-03-01-hybrid': { 'StorageManagementClient': '2017-10-01', @@ -220,11 +239,8 @@ except ImportError: try: from enum import Enum - from msrestazure.azure_active_directory import AADTokenCredentials - from msrestazure.azure_active_directory import MSIAuthentication from azure.mgmt.core.tools import parse_resource_id, resource_id, is_valid_resource_id from azure.cli.core import cloud as azure_cloud - from azure.common.credentials import ServicePrincipalCredentials, UserPassCredentials from azure.mgmt.network import NetworkManagementClient from azure.mgmt.resource.resources import ResourceManagementClient from azure.mgmt.managementgroups import ManagementGroupsAPI as ManagementGroupsClient 
@@ -240,11 +256,11 @@ try: from azure.mgmt.marketplaceordering import MarketplaceOrderingAgreements from azure.mgmt.trafficmanager import TrafficManagerManagementClient from azure.storage.blob import BlobServiceClient - from msal.application import ClientApplication, ConfidentialClientApplication from azure.mgmt.authorization import AuthorizationManagementClient from azure.mgmt.sql import SqlManagementClient from azure.mgmt.servicebus import ServiceBusManagementClient from azure.mgmt.rdbms.postgresql import PostgreSQLManagementClient + from azure.mgmt.rdbms.postgresql_flexibleservers import PostgreSQLManagementClient as PostgreSQLFlexibleManagementClient from azure.mgmt.rdbms.mysql import MySQLManagementClient from azure.mgmt.rdbms.mariadb import MariaDBManagementClient from azure.mgmt.containerregistry import ContainerRegistryManagementClient @@ -257,7 +273,11 @@ try: from azure.mgmt.iothub import models as IoTHubModels from azure.mgmt.resource.locks import ManagementLockClient from azure.mgmt.recoveryservicesbackup import RecoveryServicesBackupClient - import azure.mgmt.recoveryservicesbackup.models as RecoveryServicesBackupModels + try: + # Older versions of the library exposed the modules at the root of the package + import azure.mgmt.recoveryservicesbackup.models as RecoveryServicesBackupModels + except ImportError: + import azure.mgmt.recoveryservicesbackup.activestamp.models as RecoveryServicesBackupModels from azure.mgmt.search import SearchManagementClient from azure.mgmt.datalake.store import DataLakeStoreAccountManagementClient import azure.mgmt.datalake.store.models as DataLakeStoreAccountModel 
@@ -266,6 +286,8 @@ try: from azure.mgmt.datafactory import DataFactoryManagementClient import azure.mgmt.datafactory.models as DataFactoryModel from azure.identity._credentials import client_secret, user_password, certificate, managed_identity + from azure.identity import AzureCliCredential + from msgraph import GraphServiceClient except ImportError as exc: Authentication = object @@ -415,6 +437,7 @@ class AzureRMModuleBase(object): self._mysql_client = None self._mariadb_client = None self._postgresql_client = None + self._postgresql_flexible_client = None self._containerregistry_client = None self._containerinstance_client = None self._containerservice_client = None @@ -484,8 +507,8 @@ class AzureRMModuleBase(object): ''' self.module.fail_json(msg=msg, **kwargs) - def deprecate(self, msg, version=None): - self.module.deprecate(msg, version) + def deprecate(self, msg, version=None, collection_name='azure.azcollection'): + self.module.deprecate(msg, version, collection_name=collection_name) def log(self, msg, pretty_print=False): if pretty_print: 
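Review bot: `from msgraph import GraphServiceClient` is placed inside the same `try` as the management SDK imports, so on a host without the msgraph package the `except ImportError as exc` branch runs and, if that branch is what marks the Azure SDK as unavailable for the whole collection (only its first line is visible here), every module stops working even when it never touches Graph. Give the Graph import its own guard, `try: from msgraph import GraphServiceClient` / `except ImportError: GraphServiceClient = None`, and let `get_msgraph_client` fail with a clear message when it is `None`, mirroring the nested import guard this commit adds for the recovery-services models. `AzureCliCredential` comes from azure-identity, which the block already depends on, so it is fine where it is.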
@@ -675,11 +698,15 @@ class AzureRMModuleBase(object): self.fail("Error {0} has a provisioning state of {1}. Expecting state to be {2}.".format( azure_object.name, azure_object.provisioning_state, AZURE_SUCCESS_STATE)) - def get_blob_service_client(self, resource_group_name, storage_account_name): + def get_blob_service_client(self, resource_group_name, storage_account_name, auth_mode='key'): try: self.log("Getting storage account detail") account = self.storage_client.storage_accounts.get_properties(resource_group_name=resource_group_name, account_name=storage_account_name) - account_keys = self.storage_client.storage_accounts.list_keys(resource_group_name=resource_group_name, account_name=storage_account_name) + if auth_mode == 'login' and self.azure_auth.credentials.get('credential'): + credential = self.azure_auth.credentials['credential'] + else: + account_keys = self.storage_client.storage_accounts.list_keys(resource_group_name=resource_group_name, account_name=storage_account_name) + credential = account_keys.keys[0].value except Exception as exc: self.fail("Error getting storage account detail for {0}: {1}".format(storage_account_name, str(exc))) @@ -687,7 +714,7 @@ class AzureRMModuleBase(object): self.log("Create blob service client") return BlobServiceClient( account_url=account.primary_endpoints.blob, - credential=account_keys.keys[0].value, + credential=credential, ) except Exception as exc: self.fail("Error creating blob service client for storage account {0} - {1}".format(storage_account_name, str(exc))) 
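Review bot: `get_blob_service_client` silently falls back to `list_keys` when `auth_mode == 'login'` but `self.azure_auth.credentials.get('credential')` is falsy, and the hunk later in this commit that rebuilds the MSI dict (`'credentials': credential`) no longer sets a `credential` key at all, so the login path may never be taken for MSI or CLI sessions. A caller that asked for identity-based access should not be downgraded to shared-key access without noticing. Use the credential object the class already exposes and drop the fallback: `if auth_mode == 'login':` / `credential = self.azure_auth.azure_credential_track2`. The function's tail is in the second hunk on this line; the `try` body otherwise continues outside both.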
@@ -854,14 +881,17 @@ class AzureRMModuleBase(object): # wrap basic strings in a dict that just defines the default return dict(default_api_version=profile_raw) - def get_graphrbac_client(self, tenant_id): - cred = self.azure_auth.azure_credentials - base_url = self.azure_auth._cloud_environment.endpoints.active_directory_graph_resource_id - client = GraphRbacManagementClient(cred, tenant_id, base_url) + # The graphrbac has deprecated, migrate to msgraph + # def get_graphrbac_client(self, tenant_id): + # cred = self.azure_auth.azure_credentials + # base_url = self.azure_auth._cloud_environment.endpoints.active_directory_graph_resource_id + # client = GraphRbacManagementClient(cred, tenant_id, base_url) + # return client - return client + def get_msgraph_client(self): + return GraphServiceClient(self.azure_auth.azure_credential_track2) - def get_mgmt_svc_client(self, client_type, base_url=None, api_version=None, suppress_subscription_id=False, is_track2=False): + def get_mgmt_svc_client(self, client_type, base_url=None, api_version=None, suppress_subscription_id=False): self.log('Getting management service client {0}'.format(client_type.__name__)) self.check_client_version(client_type) 
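Review bot: `get_mgmt_svc_client` drops `is_track2` from its signature, so an out-of-tree module that still passes `is_track2=True` now raises TypeError instead of getting the same client; keeping it as an ignored keyword, `is_track2=None`, and emitting `self.deprecate('is_track2 is ignored; all clients are track2', version='[PLACEHOLDER]')` through the `collection_name`-aware `deprecate` this commit adds would preserve callers. The commented-out `get_graphrbac_client` body should be deleted rather than kept as a comment, since the history already holds it. `get_msgraph_client` also lacks a docstring; `"""Return a GraphServiceClient built from azure_credential_track2."""` is enough. The body of `get_mgmt_svc_client` continues outside the hunk.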
@@ -883,16 +913,10 @@ class AzureRMModuleBase(object): # Some management clients do not take a subscription ID as parameters. if suppress_subscription_id: - if is_track2: - client_kwargs = dict(credential=self.azure_auth.azure_credential_track2, base_url=base_url, credential_scopes=[base_url + ".default"]) - else: - client_kwargs = dict(credentials=self.azure_auth.azure_credentials, base_url=base_url) + client_kwargs = dict(credential=self.azure_auth.azure_credential_track2, base_url=base_url, credential_scopes=[base_url + ".default"]) else: - if is_track2: - client_kwargs = dict(credential=self.azure_auth.azure_credential_track2, - subscription_id=mgmt_subscription_id, base_url=base_url, credential_scopes=[base_url + ".default"]) - else: - client_kwargs = dict(credentials=self.azure_auth.azure_credentials, subscription_id=mgmt_subscription_id, base_url=base_url) + client_kwargs = dict(credential=self.azure_auth.azure_credential_track2, + subscription_id=mgmt_subscription_id, base_url=base_url, credential_scopes=[base_url + ".default"]) api_profile_dict = {} @@ -926,13 +950,8 @@ class AzureRMModuleBase(object): setattr(client, '_ansible_models', importlib.import_module(client_type.__module__).models) client.models = types.MethodType(_ansible_get_models, client) - if not is_track2: - client.config = self.add_user_agent(client.config) - if self.azure_auth._cert_validation_mode == 'ignore': - client.config.session_configuration_callback = self._validation_ignore_callback - else: - if self.azure_auth._cert_validation_mode == 'ignore': - client._config.session_configuration_callback = self._validation_ignore_callback + if self.azure_auth._cert_validation_mode == 'ignore': + client._config.session_configuration_callback = self._validation_ignore_callback return client 
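Review bot: `credential_scopes=[base_url + ".default"]` in both branches assumes `base_url` already ends with `/`; the token helpers this commit deletes normalised that (`if not base_url.endswith("/"): base_url += "/"`), and now the only place that builds a scope does not. Hoist one normalised value above the `if`, `scope = base_url + ".default" if base_url.endswith("/") else base_url + "/.default"`, and pass `credential_scopes=[scope]` in both branches. In the second hunk on this line, `client._config.session_configuration_callback` is now the only hook behind `cert_validation_mode == 'ignore'`; whether azure-core clients read that attribute is not visible here and is worth confirming, because if they do not the setting is silently a no-op. The body of `get_mgmt_svc_client` continues between and after these hunks.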
@@ -992,7 +1011,6 @@ class AzureRMModuleBase(object): if not self._storage_client: self._storage_client = self.get_mgmt_svc_client(StorageManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2021-06-01') return self._storage_client @@ -1006,7 +1024,6 @@ class AzureRMModuleBase(object): if not self._authorization_client: self._authorization_client = self.get_mgmt_svc_client(AuthorizationManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2020-04-01-preview') return self._authorization_client @@ -1021,7 +1038,6 @@ class AzureRMModuleBase(object): self._subscription_client = self.get_mgmt_svc_client(SubscriptionClient, base_url=self._cloud_environment.endpoints.resource_manager, suppress_subscription_id=True, - is_track2=True, api_version='2019-11-01') return self._subscription_client @@ -1036,7 +1052,6 @@ class AzureRMModuleBase(object): self._management_group_client = self.get_mgmt_svc_client(ManagementGroupsClient, base_url=self._cloud_environment.endpoints.resource_manager, suppress_subscription_id=True, - is_track2=True, api_version='2020-05-01') return self._management_group_client @@ -1046,7 +1061,6 @@ class AzureRMModuleBase(object): if not self._network_client: self._network_client = self.get_mgmt_svc_client(NetworkManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2021-03-01') return self._network_client @@ -1061,7 +1075,6 @@ class AzureRMModuleBase(object): if not self._resource_client: self._resource_client = self.get_mgmt_svc_client(ResourceManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2019-10-01') return self._resource_client 
@@ -1076,7 +1089,6 @@ class AzureRMModuleBase(object): if not self._image_client: self._image_client = self.get_mgmt_svc_client(ComputeManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2021-04-01') return self._image_client @@ -1091,7 +1103,6 @@ class AzureRMModuleBase(object): if not self._compute_client: self._compute_client = self.get_mgmt_svc_client(ComputeManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2021-04-01') return self._compute_client @@ -1106,7 +1117,6 @@ class AzureRMModuleBase(object): if not self._dns_client: self._dns_client = self.get_mgmt_svc_client(DnsManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2018-05-01') return self._dns_client @@ -1121,7 +1131,6 @@ class AzureRMModuleBase(object): if not self._private_dns_client: self._private_dns_client = self.get_mgmt_svc_client( PrivateDnsManagementClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._private_dns_client @@ -1136,7 +1145,6 @@ class AzureRMModuleBase(object): if not self._web_client: self._web_client = self.get_mgmt_svc_client(WebSiteManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2021-03-01') return self._web_client @@ -1146,7 +1154,6 @@ class AzureRMModuleBase(object): if not self._containerservice_client: self._containerservice_client = self.get_mgmt_svc_client(ContainerServiceClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2017-07-01') return self._containerservice_client 
@@ -1161,7 +1168,6 @@ class AzureRMModuleBase(object): if not self._managedcluster_client: self._managedcluster_client = self.get_mgmt_svc_client(ContainerServiceClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2022-02-01') return self._managedcluster_client @@ -1170,16 +1176,22 @@ class AzureRMModuleBase(object): self.log('Getting SQL client') if not self._sql_client: self._sql_client = self.get_mgmt_svc_client(SqlManagementClient, - base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True) + base_url=self._cloud_environment.endpoints.resource_manager) return self._sql_client @property + def postgresql_flexible_client(self): + self.log('Getting PostgreSQL client') + if not self._postgresql_flexible_client: + self._postgresql_flexible_client = self.get_mgmt_svc_client(PostgreSQLFlexibleManagementClient, + base_url=self._cloud_environment.endpoints.resource_manager) + return self._postgresql_flexible_client + + @property def postgresql_client(self): self.log('Getting PostgreSQL client') if not self._postgresql_client: self._postgresql_client = self.get_mgmt_svc_client(PostgreSQLManagementClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._postgresql_client @@ -1188,7 +1200,6 @@ class AzureRMModuleBase(object): self.log('Getting MySQL client') if not self._mysql_client: self._mysql_client = self.get_mgmt_svc_client(MySQLManagementClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._mysql_client @@ -1197,7 +1208,6 @@ class AzureRMModuleBase(object): self.log('Getting MariaDB client') if not self._mariadb_client: self._mariadb_client = self.get_mgmt_svc_client(MariaDBManagementClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._mariadb_client 
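Review bot: The new `postgresql_flexible_client` property logs `'Getting PostgreSQL client'`, the same text as `postgresql_client` directly below it, so the log cannot tell the two apart; change it to `self.log('Getting PostgreSQL flexible server client')`. A one-line docstring naming the wrapped SDK class, `"""Lazily build and cache a PostgreSQLFlexibleManagementClient."""`, would also help readers distinguish it from the single-server property.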
@@ -1207,7 +1217,6 @@ class AzureRMModuleBase(object): if not self._containerregistry_client: self._containerregistry_client = self.get_mgmt_svc_client(ContainerRegistryManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2021-09-01') return self._containerregistry_client @@ -1218,7 +1227,6 @@ class AzureRMModuleBase(object): if not self._containerinstance_client: self._containerinstance_client = self.get_mgmt_svc_client(ContainerInstanceManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2018-06-01') return self._containerinstance_client @@ -1228,7 +1236,6 @@ class AzureRMModuleBase(object): self.log('Getting marketplace agreement client') if not self._marketplace_client: self._marketplace_client = self.get_mgmt_svc_client(MarketplaceOrderingAgreements, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._marketplace_client @@ -1237,7 +1244,6 @@ class AzureRMModuleBase(object): self.log('Getting traffic manager client') if not self._traffic_manager_management_client: self._traffic_manager_management_client = self.get_mgmt_svc_client(TrafficManagerManagementClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._traffic_manager_management_client @@ -1247,8 +1253,7 @@ class AzureRMModuleBase(object): if not self._monitor_autoscale_settings_client: self._monitor_autoscale_settings_client = self.get_mgmt_svc_client(MonitorManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - api_version="2015-04-01", - is_track2=True) + api_version="2015-04-01") return self._monitor_autoscale_settings_client @property 
@@ -1257,8 +1262,7 @@ class AzureRMModuleBase(object): if not self._monitor_log_profiles_client: self._monitor_log_profiles_client = self.get_mgmt_svc_client(MonitorManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - api_version="2016-03-01", - is_track2=True) + api_version="2016-03-01") return self._monitor_log_profiles_client @property @@ -1267,8 +1271,7 @@ class AzureRMModuleBase(object): if not self._monitor_diagnostic_settings_client: self._monitor_diagnostic_settings_client = self.get_mgmt_svc_client(MonitorManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - api_version="2021-05-01-preview", - is_track2=True) + api_version="2021-05-01-preview") return self._monitor_diagnostic_settings_client @property @@ -1276,7 +1279,6 @@ class AzureRMModuleBase(object): self.log('Getting log analytics client') if not self._log_analytics_client: self._log_analytics_client = self.get_mgmt_svc_client(LogAnalyticsManagementClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._log_analytics_client @@ -1290,7 +1292,6 @@ class AzureRMModuleBase(object): self.log('Getting servicebus client') if not self._servicebus_client: self._servicebus_client = self.get_mgmt_svc_client(ServiceBusManagementClient, - is_track2=True, api_version="2021-06-01-preview", base_url=self._cloud_environment.endpoints.resource_manager) return self._servicebus_client @@ -1304,8 +1305,7 @@ class AzureRMModuleBase(object): self.log('Getting automation client') if not self._automation_client: self._automation_client = self.get_mgmt_svc_client(AutomationClient, - base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True) + base_url=self._cloud_environment.endpoints.resource_manager) return self._automation_client @property 
@@ -1317,7 +1317,6 @@ class AzureRMModuleBase(object): self.log('Getting iothub client') if not self._IoThub_client: self._IoThub_client = self.get_mgmt_svc_client(IotHubClient, - is_track2=True, api_version='2018-04-01', base_url=self._cloud_environment.endpoints.resource_manager) return self._IoThub_client @@ -1332,7 +1331,6 @@ class AzureRMModuleBase(object): if not self._lock_client: self._lock_client = self.get_mgmt_svc_client(ManagementLockClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2016-09-01') return self._lock_client @@ -1346,7 +1344,6 @@ class AzureRMModuleBase(object): self.log('Getting recovery services backup client') if not self._recovery_services_backup_client: self._recovery_services_backup_client = self.get_mgmt_svc_client(RecoveryServicesBackupClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._recovery_services_backup_client @@ -1360,7 +1357,6 @@ class AzureRMModuleBase(object): if not self._search_client: self._search_client = self.get_mgmt_svc_client(SearchManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2020-08-01') return self._search_client @@ -1370,7 +1366,6 @@ class AzureRMModuleBase(object): if not self._datalake_store_client: self._datalake_store_client = self.get_mgmt_svc_client(DataLakeStoreAccountManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2016-11-01') return self._datalake_store_client @@ -1385,7 +1380,6 @@ class AzureRMModuleBase(object): self._notification_hub_client = self.get_mgmt_svc_client( NotificationHubsManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2016-03-01') return self._notification_hub_client 
@@ -1396,7 +1390,6 @@ class AzureRMModuleBase(object): self._event_hub_client = self.get_mgmt_svc_client( EventHubManagementClient, base_url=self._cloud_environment.endpoints.resource_manager, - is_track2=True, api_version='2021-11-01') return self._event_hub_client @@ -1405,7 +1398,6 @@ class AzureRMModuleBase(object): self.log('Getting datafactory client...') if not self._datafactory_client: self._datafactory_client = self.get_mgmt_svc_client(DataFactoryManagementClient, - is_track2=True, base_url=self._cloud_environment.endpoints.resource_manager) return self._datafactory_client @@ -1425,7 +1417,8 @@ class AzureRMAuth(object): def __init__(self, auth_source=None, profile=None, subscription_id=None, client_id=None, secret=None, tenant=None, ad_user=None, password=None, cloud_environment='AzureCloud', cert_validation_mode='validate', api_profile='latest', adfs_authority_url=None, fail_impl=None, is_ad_resource=False, - x509_certificate_path=None, thumbprint=None, track1_cred=False, **kwargs): + x509_certificate_path=None, thumbprint=None, track1_cred=False, + disable_instance_discovery=False, **kwargs): if fail_impl: self._fail_impl = fail_impl @@ -1448,7 +1441,8 @@ class AzureRMAuth(object): api_profile=api_profile, adfs_authority_url=adfs_authority_url, x509_certificate_path=x509_certificate_path, - thumbprint=thumbprint) + thumbprint=thumbprint, + disable_instance_discovery=disable_instance_discovery) if not self.credentials: if HAS_AZURE_CLI_CORE: 
@@ -1467,6 +1461,12 @@ class AzureRMAuth(object): if self._cert_validation_mode not in ['validate', 'ignore']: self.fail('invalid cert_validation_mode: {0}'.format(self._cert_validation_mode)) + # Disable instance discovery: module-arg, credential profile, env, "False" + self._disable_instance_discovery = disable_instance_discovery or \ + self.credentials.get('disable_instance_discovery') or \ + self._get_env('disable_instance_discovery') or \ + False + # if cloud_environment specified, look up/build Cloud object raw_cloud_env = self.credentials.get('cloud_environment') if self.credentials.get('credentials') is not None and raw_cloud_env is not None: 
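Review bot: `self._disable_instance_discovery` is computed with `or` across a module bool, a credential-profile value and `self._get_env(...)`, and the last two are strings from an ini file or the environment, so `AZURE_DISABLE_INSTANCE_DISCOVERY=false` or `disable_instance_discovery=no` in a profile is truthy and disables authority validation on every credential built from it. Normalise the string sources before combining: `raw = self.credentials.get('disable_instance_discovery') or self._get_env('disable_instance_discovery')` and `self._disable_instance_discovery = bool(disable_instance_discovery) or str(raw).lower() in ('true', '1', 'yes')`, which also makes the trailing `or False` unnecessary. The enclosing `__init__` continues outside the hunk.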
@@ -1504,84 +1504,50 @@ class AzureRMAuth(object): if self.credentials.get('auth_source') == 'msi': # MSI Credentials - if is_ad_resource or track1_cred: - self.azure_credentials = self.credentials['credentials'] - self.azure_credential_track2 = self.credentials['credential'] + self.azure_credential_track2 = self.credentials['credentials'] elif self.credentials.get('credentials') is not None: # AzureCLI credentials - if is_ad_resource or track1_cred: - self.azure_credentials = self.credentials['credentials'] self.azure_credential_track2 = self.credentials['credentials'] elif self.credentials.get('client_id') is not None and \ self.credentials.get('secret') is not None and \ self.credentials.get('tenant') is not None: - - graph_resource = self._cloud_environment.endpoints.active_directory_graph_resource_id - rm_resource = self._cloud_environment.endpoints.resource_manager - if is_ad_resource or track1_cred: - self.azure_credentials = ServicePrincipalCredentials(client_id=self.credentials['client_id'], - secret=self.credentials['secret'], - tenant=self.credentials['tenant'], - cloud_environment=self._cloud_environment, - resource=graph_resource if self.is_ad_resource else rm_resource, - verify=self._cert_validation_mode == 'validate') self.azure_credential_track2 = client_secret.ClientSecretCredential(client_id=self.credentials['client_id'], client_secret=self.credentials['secret'], tenant_id=self.credentials['tenant'], - authority=self._adfs_authority_url) + authority=self._adfs_authority_url, + disable_instance_discovery=self._disable_instance_discovery) elif self.credentials.get('client_id') is not None and \ self.credentials.get('tenant') is not None and \ self.credentials.get('thumbprint') is not None and \ self.credentials.get('x509_certificate_path') is not None: - if is_ad_resource or track1_cred: - self.azure_credentials = self.acquire_token_with_client_certificate( - self._adfs_authority_url, - self.credentials['x509_certificate_path'], - 
self.credentials['thumbprint'], - self.credentials['client_id'], - self.credentials['tenant']) - self.azure_credential_track2 = certificate.CertificateCredential(tenant_id=self.credentials['tenant'], client_id=self.credentials['client_id'], certificate_path=self.credentials['x509_certificate_path'], - authority=self._adfs_authority_url) + authority=self._adfs_authority_url, + disable_instance_discovery=self._disable_instance_discovery) elif self.credentials.get('ad_user') is not None and \ self.credentials.get('password') is not None and \ self.credentials.get('client_id') is not None and \ self.credentials.get('tenant') is not None: - if is_ad_resource or track1_cred: - self.azure_credentials = self.acquire_token_with_username_password( - self._adfs_authority_url, - self.credentials['ad_user'], - self.credentials['password'], - self.credentials['client_id'], - self.credentials['tenant']) self.azure_credential_track2 = user_password.UsernamePasswordCredential(username=self.credentials['ad_user'], password=self.credentials['password'], tenant_id=self.credentials.get('tenant'), client_id=self.credentials.get('client_id'), - authority=self._adfs_authority_url) + authority=self._adfs_authority_url, + disable_instance_discovery=self._disable_instance_discovery) elif self.credentials.get('ad_user') is not None and self.credentials.get('password') is not None: - tenant = self.credentials.get('tenant') - if not tenant: - tenant = 'common' # SDK default - - if is_ad_resource or track1_cred: - self.azure_credentials = UserPassCredentials(self.credentials['ad_user'], - self.credentials['password'], - tenant=tenant, - cloud_environment=self._cloud_environment, - verify=self._cert_validation_mode == 'validate') - - client_id = self.credentials.get('client_id', '04b07795-8ddb-461a-bbee-02f9e1bf7b46') + client_id = self.credentials.get('client_id') + if client_id is None: + client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46' self.azure_credential_track2 = 
user_password.UsernamePasswordCredential(username=self.credentials['ad_user'], password=self.credentials['password'], tenant_id=self.credentials.get('tenant', 'organizations'), client_id=client_id, - authority=self._adfs_authority_url) + authority=self._adfs_authority_url, + disable_instance_discovery=self._disable_instance_discovery) else: self.fail("Failed to authenticate with provided credentials. Some attributes were missing. " @@ -1640,7 +1606,7 @@ class AzureRMAuth(object): except Exception as exc: self.fail("cloud_environment {0} could not be resolved: {1}".format(_cloud_environment, str(exc)), exception=traceback.format_exc()) - credentials = MSIAuthentication(client_id=client_id, cloud_environment=cloud_environment) + client_id = client_id or self._get_env('client_id') credential = managed_identity.ManagedIdentityCredential(client_id=client_id, cloud_environment=cloud_environment) subscription_id = subscription_id or self._get_env('subscription_id') if not subscription_id: @@ -1653,8 +1619,7 @@ class AzureRMAuth(object): self.fail("Failed to get MSI token: {0}. " "Please check whether your machine enabled MSI or grant access to any subscription.".format(str(exc))) return { - 'credentials': credentials, - 'credential': credential, + 'credentials': credential, 'subscription_id': subscription_id, 'cloud_environment': cloud_environment, 'auth_source': 'msi' 
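Review bot: With the track1 branches removed, `self._cert_validation_mode` no longer reaches any credential object: the deleted `verify=self._cert_validation_mode == 'validate'` was its only consumer on the credential side, and each `azure.identity` credential on the new side is constructed without an equivalent. If the option is meant to cover token requests too, pass the azure-core transport keyword `connection_verify=self._cert_validation_mode == 'validate'` next to `disable_instance_discovery`; if not, the option's documentation should say it only affects the management clients. The `msi` and `credentials is not None` branches now both assign `self.credentials['credentials']` and could be one `elif`. `track1_cred` stays in `__init__` but has no reader left in this hunk; whether anything else reads it is not visible here.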
@@ -1669,12 +1634,13 @@ class AzureRMAuth(object): except Exception as exc: self.fail("Failed to load CLI profile {0}.".format(str(exc))) - credentials, subscription_id, tenant = profile.get_login_credentials( - subscription_id=subscription_id, resource=resource) + cred, subscription_id, tenant = profile.get_login_credentials( + subscription_id=subscription_id) cloud_environment = get_cli_active_cloud() + az_cli = AzureCliCredential() cli_credentials = { - 'credentials': credentials, + 'credentials': az_cli if self.is_ad_resource else cred, 'subscription_id': subscription_id, 'cloud_environment': cloud_environment } 
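Review bot: `resource=resource` is dropped from the `profile.get_login_credentials(...)` call, so the `resource` argument of this function (its signature is outside the hunk) presumably has no remaining reader and should either go or keep being passed; the unpacked `tenant` is likewise never used in the visible lines. `AzureCliCredential()` is built on every call regardless of `self.is_ad_resource`; constructing it only in the branch that uses it, `'credentials': AzureCliCredential() if self.is_ad_resource else cred`, avoids creating two credential objects side by side. A comment explaining why the Graph case needs the azure-identity credential while the ARM case keeps the CLI profile's `cred` would help the next reader, since the two are not interchangeable.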
@@ -1762,42 +1728,6 @@ class AzureRMAuth(object): return None - def acquire_token_with_username_password(self, authority, username, password, client_id, tenant): - authority_uri = authority - - if tenant is not None: - authority_uri = authority + '/' + tenant - - context = ClientApplication(client_id=client_id, authority=authority_uri) - base_url = self._cloud_environment.endpoints.resource_manager - if not base_url.endswith("/"): - base_url += "/" - scopes = [base_url + ".default"] - token_response = context.acquire_token_by_username_password(username, password, scopes) - - return AADTokenCredentials(token_response) - - def acquire_token_with_client_certificate(self, authority, x509_private_key_path, thumbprint, client_id, tenant): - authority_uri = authority - - if tenant is not None: - authority_uri = authority + '/' + tenant - - x509_private_key = None - with open(x509_private_key_path, 'r') as pem_file: - x509_private_key = pem_file.read() - - base_url = self._cloud_environment.endpoints.resource_manager - if not base_url.endswith("/"): - base_url += "/" - scopes = [base_url + ".default"] - client_credential = {"thumbprint": thumbprint, "private_key": x509_private_key} - context = ConfidentialClientApplication(client_id=client_id, authority=authority_uri, client_credential=client_credential) - - token_response = context.acquire_token_for_client(scopes=scopes) - - return AADTokenCredentials(token_response) - def log(self, msg, pretty_print=False): pass # Use only during module development diff --git a/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common_rest.py b/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common_rest.py index 6acb1e7b9..bc740824f 100644 --- a/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common_rest.py +++ b/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common_rest.py 
@@ -82,7 +82,7 @@ class GenericRestClient(object): response = self._client.send_request(request, **operation_config) if response.status_code not in expected_status_codes: - exp = SendRequestException(response, response.status_code) + exp = SendRequestException(response.text(), response.status_code) raise exp elif response.status_code == 202 and polling_timeout > 0: def get_long_running_output(response): |