Consistency issue between pulumi-azuread & pulumi-azure?

[juchom]

I'm currently working with both packages in my solution and according to the pulumi documentation the configuration for each package use the following variables:

pulumi-azure

• azure:clientId or ARM_CLIENT_ID
• azure:subscriptionId or ARM_SUBSCRIPTION_ID
• azure:tenantId or ARM_TENANT_ID
• azure:clientSecret or ARM_CLIENT_SECRET

pulumi-azuread

• azuread:clientId or ARM_CLIENT_ID
• azuread:subscriptionId or ARM_SUBSCRIPTION_ID
• azuread:tenantId or ARM_TENANT_ID
• azuread:clientSecret or ARM_CLIENT_SECRET
• azuread:certificatePassword or ARM_CLIENT_CERTIFICATE_PASSWORD
• azuread:clientCertificatePath or ARM_CLIENT_CERTIFICATE_PATH
• azuread:environment or ARM_ENVIRONMENT

Would it make sense to rename azuread:* to azure:* because they use the same environment variables?

[stack72]

Hi @juchom

you are correct - each of the packages don't reflect the same configuration variables and they both should. I have opened a PR in our tfgen generation repo that creates the configuration to ensure we pick this validation up in the future

With regards to using the same azure:*, technically these are different providers therefore they do need to be configured differently. When the PR (linked) is merged, at least the providers will use the same consistent environment variables

Thoughts?

Paul

[stack72]

pulumi/pulumi-terraform-bridge#72

[juchom]

Hi @stack72 ,

I'm not sure to understand how things will change after your PR?

Could you please give an example of the config before -> after.

Julien

[stack72]

Hi @juchom

The issue is, we are missing some fields that are not mapped in the azure provider. Therefore when this PR gets merged we will be alerted to those and then we can roll those changes out

This PR helps us understand the underlying schema better so we are fully covered

Paul

[juchom]

Ok, when I opened this issue, I had this in mind:

Imagine you use the azure & azuread provider in your stack, we can do that with config variables:

• azure:clientId 1234
• azuread:clientId 5678

But if we use the environment variable we only have ARM_CLIENT_ID for both.

I see your point to keep azure:* and azuread:*, but in that case should we have ARM_CLIENT_ID and ARM_AD_CLIENT_ID for azuread provider?

[nimro]

With regards to using the same azure:*, technically these are different providers therefore they do need to be configured differently.

I see your point to keep azure:* and azuread:*, but in that case should we have ARM_CLIENT_ID and ARM_AD_CLIENT_ID for azuread provider?

I'd love this. Having them share the same env vars is a massive pain when trying to configure them to access different tenants. Instead of CI simply setting appropriate env vars for both, one has to jump through hoops.

Even an optional dedicated set of AD env vars that are checked before the default "ARM" ones would be fantastic, and still provide backwards compatibility.