feat: Support Azure DevOps OIDC provider (#1240)

* feat: Support Azure DevOps OIDC provider

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* feat: Support Azure DevOps OIDC provider

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* add pipeline

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* chore: Add Azure DevOps adapter

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* chore: Add Azure DevOps adapter

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* chore: Add Azure DevOps adapter

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* chore: Add Azure DevOps adapter

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* remove testing file

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* support azure devops

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* support azure devops

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* support azure devops

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* remove replace

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* feedback

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

* fix grammar

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>

---------

Signed-off-by: Jorge Turrado <jorge.turrado@mail.schwarz>
Co-authored-by: cgoetz-inovex <carlo.goetz@inovex.de>

Author: JorTurFer

docs/guides/workload_identity_federation.md

@@ -1,12 +1,12 @@
 ---
-page_title: "Workload Identity Federation with GitHub Actions"
+page_title: "Workload Identity Federation"
 ---
 
 # Workload Identity Federation with GitHub Actions
 
 Workload Identity Federation (WIF) allows you to authenticate the STACKIT Terraform provider without using long-lived Service Account keys. 
 This is particularly useful in CI/CD environments like **GitHub Actions**, **GitLab CI**, or **Azure DevOps**, where you can use short-lived 
-OIDC tokens. This guide focuses on using WIF with GitHub Actions, but the principles may apply to other CI/CD platforms that support OIDC.
+OIDC tokens. This guide focuses on using WIF with GitHub Actions and Azure DevOps, but the principles may apply to other CI/CD platforms that support OIDC.
 
 ## Prerequisites
 
@@ -16,8 +16,13 @@ Before using Workload Identity Federation flow, you need to:
 ## Setup Workload Identity Federation
 
 WIF can be configured to trust any public OIDC provider following the [docs page](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-federations/#create-a-federated-identity-provider)
-but for the purpose of this guide we will focus on GitHub Actions as OIDC provider. GitHub Actions supports OIDC authentication using 
-the public issuer "https://token.actions.githubusercontent.com" (for GH Enterprise you should check your issuer URL) and setting repository and action information
+but for the purpose of this guide we will focus on GitHub Actions and AzureDevOps as OIDC providers. 
+
+> Important: You should use the most restrictive assertions possible by validating all available data from the OIDC token. This prevents security risks associated with trusting tokens issued outside the specific context of your CI/CD pipeline.
+
+### GitHub Actions assertions
+
+GitHub Actions supports OIDC authentication using the public issuer "https://token.actions.githubusercontent.com" (for GH Enterprise you should check your issuer URL) and setting repository and action information
 as part of the OIDC token claims. [More info here](https://docs.github.com/es/actions/concepts/security/openid-connect).
 
 Using this provider [repository](https://github.com/stackitcloud/terraform-provider-stackit) (stackitcloud/terraform-provider-stackit) as example and assuming that we want to 
@@ -28,7 +33,27 @@ execute terraform on the main branch, we will configure the service account "Fed
   - **sub**->equals->repo:stackitcloud/terraform-provider-stackit:ref:refs/heads/main # This is the repository and branch where the action will run
   - **aud**->equals->sts.accounts.stackit.cloud # Mandatory value
 
-> Note: You can use more fine-grained assertions just adding them. More info about OIDC token claims in [GitHub](https://docs.github.com/en/actions/reference/security/oidc)
+> Note: You can use more fine-grained assertions by adding them. More info about OIDC token claims in [GitHub](https://docs.github.com/en/actions/reference/security/oidc)
+
+### Azure DevOps assertions
+
+Azure DevOps supports OIDC authentication using the public issuer "https://vstoken.azure.com" (for Azure DevOps Server you should check your issuer URL) and setting information like organization, project, and pipeline 
+as part of the OIDC token claims. 
+
+Using a hypothetical pipeline named `terraform-ado-oidc` inside the project 'https://myorg.azure.com/project-abc` as example and assuming that we want to 
+execute terraform on the main branch, we will configure the service account "Federated identity Provider" with the following configuration:
+- **Provider Name**: AzureDevOps # This is just an example, you can choose any name you want
+- **Issuer URL**: https://vstoken.dev.azure.com/{ORGANIZATION_ID} # This is the public issuer for Azure DevOps OIDC tokens
+  - For most organizations, the URL uses `vstoken.dev.azure.com`, but some legacy organizations might use 'vstoken.azure.com'. To be 100% sure, you can inspect the `iss` claim in a decoded OIDC token from your pipeline.
+  - How to find your ORGANIZATION_ID?
+    - Via Browser: Go to https://dev.azure.com/{YOUR_ORG_NAME}/_apis/connectionData and copy the value of instanceId. 
+    - Via Pipeline: Add a script step echo $(System.CollectionId) to print it during a run.
+- **Assertions**:
+  - **aud**->equals->api://AzureADTokenExchange # Mandatory value
+  - **sub**->equals->p://myorg/project-abc/terraform-ado-oidc # This is the pipeline where the process is running
+  - **rpo_ref**->equals->refs/heads/main # This is the branch where the pipeline will run
+
+> Note: This is just an example, you can use more or less fine-grained assertions.
 
 ## Provider Configuration
 
@@ -50,7 +75,9 @@ provider "stackit" {
 In most CI/CD scenarios, the cleanest way is to set the `STACKIT_SERVICE_ACCOUNT_EMAIL` environment variable as well as `STACKIT_USE_OIDC="1"` to enable the WIF flow. This way you don't need to 
 change your provider configuration and the provider will automatically fetch the OIDC token and exchange it for a short-lived access token.
 
-## Example GitHub Actions Workflow
+## Examples
+
+### GitHub Actions Workflow
 
 > Note: To request OIDC tokens, you need to [grant this permission to the GitHub Actions workflow](https://docs.github.com/en/actions/reference/security/oidc#required-permission).
 
@@ -120,3 +147,75 @@ jobs:
           STACKIT_USE_OIDC: "1"
           STACKIT_SERVICE_ACCOUNT_EMAIL: "terraform-example@sa.stackit.cloud"
 ```
+
+### Azure Pipeline
+
+```yaml
+trigger:
+  branches:
+    include:
+      - main
+
+pool:
+  vmImage: "ubuntu-latest"
+
+variables:
+  STACKIT_USE_OIDC: "1"
+  STACKIT_SERVICE_ACCOUNT_EMAIL: "terraform-example@sa.stackit.cloud"
+
+jobs:
+  - job: demo-job
+    displayName: "Workload Identity Federation with STACKIT"
+    steps:
+      - checkout: self
+
+      - task: TerraformInstaller@1
+        inputs:
+          terraformVersion: "latest"
+        displayName: "Setup Terraform"
+
+      - script: |
+          cat <<EOF > main.tf
+          terraform {
+            required_providers {
+              stackit = {
+                source = "stackitcloud/stackit"
+              }
+            }
+          }
+
+          provider "stackit" {
+            default_region  = "eu01"
+          }
+
+          resource "stackit_service_account" "sa"   {
+            project_id = "e1925fbf-5272-497a-8298-1586760670de"
+            name       = "terraform-example-ci"
+          }
+          EOF
+        displayName: "Create Test Configuration"
+
+      - script: |
+          terraform init
+        displayName: "Terraform Init"
+        env:
+          STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
+          STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
+          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+
+      - script: |
+          terraform plan -out=tfplan
+        displayName: "Terraform Plan"
+        env:
+          STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
+          STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
+          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+
+      - script: |
+          terraform apply -auto-approve tfplan
+        displayName: "Terraform Apply"
+        env:
+          STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
+          STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
+          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+```

docs/index.md

@@ -74,7 +74,7 @@ When using Workload Identity Federation (WIF), you don't need a static service a
 
 WIF can be configured to trust any public OIDC provider following the [official documentation](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-federations/#create-a-federated-identity-provider).
 
-To use WIF, set the `use_oidc` flag to `true` and provide an OIDC token for the exchange. While you can provide the token directly via `service_account_federated_token`, this is **not recommended for GitHub Actions**, as the provider will automatically fetch the token from the environment. For a complete setup, see our [Workload Identity Federation guide](./guides/workload_identity_federation.md).
+To use WIF, set the `use_oidc` flag to `true` and provide an OIDC token for the exchange. While you can provide the token directly via `service_account_federated_token`, this is **not recommended for GitHub Actions or Azure DevOps**, as the provider will automatically fetch the token from the environment. For a complete setup, see our [Workload Identity Federation guide](./docs/guides/workload_identity_federation.md).
 
 In addition to this, you must set the `service_account_email` to specify which service account to impersonate.
 

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-go v0.29.0
 	github.com/hashicorp/terraform-plugin-log v0.10.0
 	github.com/hashicorp/terraform-plugin-testing v1.14.0
-	github.com/stackitcloud/stackit-sdk-go/core v0.21.1
+	github.com/stackitcloud/stackit-sdk-go/core v0.22.0
 	github.com/stackitcloud/stackit-sdk-go/services/cdn v1.10.0
 	github.com/stackitcloud/stackit-sdk-go/services/dns v0.17.6
 	github.com/stackitcloud/stackit-sdk-go/services/edge v0.4.3

go.sum

@@ -109,6 +109,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jhump/protoreflect v1.17.0 h1:qOEr613fac2lOuTgWN4tPAtLL7fUSbuJL5X5XumQh94=
 github.com/jhump/protoreflect v1.17.0/go.mod h1:h9+vUUL38jiBzck8ck+6G/aeMX8Z4QUY/NiJPwPNi+8=
+github.com/jorturfer/stackit-sdk-go/core v0.0.0-20260218233050-3f219dc9de13 h1:SUA7JGasPoMs6ubO0xH0Lp+a6wQ+hoJF+KLVf5dDCis=
+github.com/jorturfer/stackit-sdk-go/core v0.0.0-20260218233050-3f219dc9de13/go.mod h1:osMglDby4csGZ5sIfhNyYq1bS1TxIdPY88+skE/kkmI=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -149,8 +151,8 @@ github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
-github.com/stackitcloud/stackit-sdk-go/core v0.21.1 h1:Y/PcAgM7DPYMNqum0MLv4n1mF9ieuevzcCIZYQfm3Ts=
-github.com/stackitcloud/stackit-sdk-go/core v0.21.1/go.mod h1:osMglDby4csGZ5sIfhNyYq1bS1TxIdPY88+skE/kkmI=
+github.com/stackitcloud/stackit-sdk-go/core v0.22.0 h1:6rViz7GnNwXSh51Lur5xuDzO8EWSZfN9J0HvEkBKq6c=
+github.com/stackitcloud/stackit-sdk-go/core v0.22.0/go.mod h1:osMglDby4csGZ5sIfhNyYq1bS1TxIdPY88+skE/kkmI=
 github.com/stackitcloud/stackit-sdk-go/services/authorization v0.12.0 h1:HxPgBu04j5tj6nfZ2r0l6v4VXC0/tYOGe4sA5Addra8=
 github.com/stackitcloud/stackit-sdk-go/services/authorization v0.12.0/go.mod h1:uYI9pHAA2g84jJN25ejFUxa0/JtfpPZqMDkctQ1BzJk=
 github.com/stackitcloud/stackit-sdk-go/services/cdn v1.10.0 h1:YALzjYAApyQMKyt4C2LKhPRZHa6brmbFeKuuwl+KOTs=

stackit/provider.go

@@ -549,7 +549,7 @@ func (p *Provider) Configure(ctx context.Context, req provider.ConfigureRequest,
 		sdkConfig.ServiceAccountFederatedTokenFunc = oidcadapters.ReadJWTFromFileSystem(oidc_token_path)
 	}
 
-	// Workload Identity Federation via provided OIDC Token from GitHub Actions
+	// Workload Identity Federation via provided OIDC Token from GitHub Actions or Azure DevOps
 	if sdkConfig.ServiceAccountFederatedTokenFunc == nil && utils.GetEnvBoolIfValueAbsent(providerConfig.UseOIDC, "STACKIT_USE_OIDC") {
 		sdkConfig.WorkloadIdentityFederation = true
 		// https://docs.github.com/en/actions/reference/security/oidc#methods-for-requesting-the-oidc-token
@@ -558,6 +558,17 @@ func (p *Provider) Configure(ctx context.Context, req provider.ConfigureRequest,
 		if oidcReqURL != "" && oidcReqToken != "" {
 			sdkConfig.ServiceAccountFederatedTokenFunc = oidcadapters.RequestGHOIDCToken(oidcReqURL, oidcReqToken)
 		}
+
+		// https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create?view=azure-devops-rest-7.1#taskhuboidctoken
+		// https://learn.microsoft.com/es-es/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml
+		oidcReqURL = utils.GetEnvStringOrDefault(providerConfig.OIDCTokenRequestURL, "SYSTEM_OIDCREQUESTURI", "")
+		oidcReqToken = utils.GetEnvStringOrDefault(providerConfig.OIDCTokenRequestToken, "SYSTEM_ACCESSTOKEN", "")
+		// This can be set to the ID of the service connection to restrict the token exchange to that connection, not supported by default to avoid additional configuration
+		// for users that don't need it, can be added as an additional provider config parameter in the future if there is demand
+		serviceConnectionID := ""
+		if oidcReqURL != "" && oidcReqToken != "" {
+			sdkConfig.ServiceAccountFederatedTokenFunc = oidcadapters.RequestAzureDevOpsOIDCToken(oidcReqURL, oidcReqToken, serviceConnectionID)
+		}
 	}
 
 	roundTripper, err := sdkauth.SetupAuth(sdkConfig)