Add support for disable_instance_discovery

Added support in ansible common to support setting disable_instance_discovery when using azure clouds and you don't have access to login.microsoftonline.com. This can be specified as a module argument, environment variable or in credential profile. To enable set to True, default if False which doesn't change the current behaviour. Updated doc fragment to explain how to use it. fix ansible-collections#1236
p3ck · Feb 21, 2024 · 729b239 · 729b239
1 parent b8d8d09
commit 729b239
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 7 deletions.
diff --git a/plugins/doc_fragments/azure.py b/plugins/doc_fragments/azure.py
@@ -65,6 +65,17 @@ class ModuleDocFragment(object):
         type: str
         choices: [ ignore, validate ]
         version_added: '0.0.1'
+    disable_instance_discovery:
+        description:
+            - Determines whether or not instance discovery is performed when attempting to authenticate.
+              Setting this to true will completely disable both instance discovery and authority validation.
+              This functionality is intended for use in scenarios where the metadata endpoint cannot be reached                      such as in private clouds or Azure Stack. The process of instance discovery entails retrieving
+              authority metadata from https://login.microsoft.com/ to validate the authority. By setting this
+              to **True**, the validation of the authority is disabled. As a result, it is crucial to ensure
+              that the configured authority host is valid and trustworthy.
+            - Set via credential file profile or the C(AZURE_DISABLE_INSTANCE_DISCOVERY) environment variable.
+        type: bool
+        version_added: '2.2.1'
     auth_source:
         description:
             - Controls the source of the credentials to use for authentication.

diff --git a/plugins/module_utils/azure_rm_common.py b/plugins/module_utils/azure_rm_common.py
@@ -49,6 +49,7 @@
     log_path=dict(type='str', no_log=True),
     x509_certificate_path=dict(type='path', no_log=True),
     thumbprint=dict(type='str', no_log=True),
+    disable_instance_discovery=dict(type='bool', default=False),
 )
 
 AZURE_CREDENTIAL_ENV_MAPPING = dict(
@@ -63,7 +64,8 @@
     cert_validation_mode='AZURE_CERT_VALIDATION_MODE',
     adfs_authority_url='AZURE_ADFS_AUTHORITY_URL',
     x509_certificate_path='AZURE_X509_CERTIFICATE_PATH',
-    thumbprint='AZURE_THUMBPRINT'
+    thumbprint='AZURE_THUMBPRINT',
+    disable_instance_discovery='AZURE_DISABLE_INSTANCE_DISCOVERY'
 )
 
 
@@ -1411,7 +1413,8 @@ class AzureRMAuth(object):
     def __init__(self, auth_source=None, profile=None, subscription_id=None, client_id=None, secret=None,
                  tenant=None, ad_user=None, password=None, cloud_environment='AzureCloud', cert_validation_mode='validate',
                  api_profile='latest', adfs_authority_url=None, fail_impl=None, is_ad_resource=False,
-                 x509_certificate_path=None, thumbprint=None, track1_cred=False, **kwargs):
+                 x509_certificate_path=None, thumbprint=None, track1_cred=False,
+                 disable_instance_discovery=False, **kwargs):
 
         if fail_impl:
             self._fail_impl = fail_impl
@@ -1434,7 +1437,8 @@ def __init__(self, auth_source=None, profile=None, subscription_id=None, client_
             api_profile=api_profile,
             adfs_authority_url=adfs_authority_url,
             x509_certificate_path=x509_certificate_path,
-            thumbprint=thumbprint)
+            thumbprint=thumbprint,
+            disable_instance_discovery=disable_instance_discovery)
 
         if not self.credentials:
             if HAS_AZURE_CLI_CORE:
@@ -1453,6 +1457,12 @@ def __init__(self, auth_source=None, profile=None, subscription_id=None, client_
         if self._cert_validation_mode not in ['validate', 'ignore']:
             self.fail('invalid cert_validation_mode: {0}'.format(self._cert_validation_mode))
 
+        # Disable instance discovery: module-arg, credential profile, env, "False"
+        self._disable_instance_discovery = disable_instance_discovery or \
+            self.credentials.get('disable_instance_discovery') or \
+            self._get_env('disable_instance_discovery') or \
+            False
+
         # if cloud_environment specified, look up/build Cloud object
         raw_cloud_env = self.credentials.get('cloud_environment')
         if self.credentials.get('credentials') is not None and raw_cloud_env is not None:
@@ -1500,7 +1510,8 @@ def __init__(self, auth_source=None, profile=None, subscription_id=None, client_
             self.azure_credential_track2 = client_secret.ClientSecretCredential(client_id=self.credentials['client_id'],
                                                                                 client_secret=self.credentials['secret'],
                                                                                 tenant_id=self.credentials['tenant'],
-                                                                                authority=self._adfs_authority_url)
+                                                                                authority=self._adfs_authority_url,
+                                                                                disable_instance_discovery=self._disable_instance_discovery)
 
         elif self.credentials.get('client_id') is not None and \
                 self.credentials.get('tenant') is not None and \
@@ -1509,7 +1520,8 @@ def __init__(self, auth_source=None, profile=None, subscription_id=None, client_
             self.azure_credential_track2 = certificate.CertificateCredential(tenant_id=self.credentials['tenant'],
                                                                              client_id=self.credentials['client_id'],
                                                                              certificate_path=self.credentials['x509_certificate_path'],
-                                                                             authority=self._adfs_authority_url)
+                                                                             authority=self._adfs_authority_url,
+                                                                             disable_instance_discovery=self._disable_instance_discovery)
 
         elif self.credentials.get('ad_user') is not None and \
                 self.credentials.get('password') is not None and \
@@ -1519,7 +1531,8 @@ def __init__(self, auth_source=None, profile=None, subscription_id=None, client_
                                                                                     password=self.credentials['password'],
                                                                                     tenant_id=self.credentials.get('tenant'),
                                                                                     client_id=self.credentials.get('client_id'),
-                                                                                    authority=self._adfs_authority_url)
+                                                                                    authority=self._adfs_authority_url,
+                                                                                    disable_instance_discovery=self._disable_instance_discovery)
 
         elif self.credentials.get('ad_user') is not None and self.credentials.get('password') is not None:
             client_id = self.credentials.get('client_id')
@@ -1529,7 +1542,8 @@ def __init__(self, auth_source=None, profile=None, subscription_id=None, client_
                                                                                     password=self.credentials['password'],
                                                                                     tenant_id=self.credentials.get('tenant', 'organizations'),
                                                                                     client_id=client_id,
-                                                                                    authority=self._adfs_authority_url)
+                                                                                    authority=self._adfs_authority_url,
+                                                                                    disable_instance_discovery=self._disable_instance_discovery)
 
         else:
             self.fail("Failed to authenticate with provided credentials. Some attributes were missing. "