From ffe9a41468e9299fa1218a271fdc5c1129a5a3ed Mon Sep 17 00:00:00 2001
From: tombuildsstuff
Date: Wed, 17 Nov 2021 18:45:21 +0100
Subject: [PATCH] internal/backend/remote-state/azure: adding tests covering MSAL
---
.../remote-state/azure/backend_test.go | 163 ++++++++++++++++++
.../remote-state/azure/helpers_test.go | 2 +
2 files changed, 165 insertions(+)
diff --git a/internal/backend/remote-state/azure/backend_test.go b/internal/backend/remote-state/azure/backend_test.go
index 51dbc6106a..2411ddedb9 100644
--- a/internal/backend/remote-state/azure/backend_test.go
+++ b/internal/backend/remote-state/azure/backend_test.go
@@ -253,6 +253,169 @@ func TestBackendADALServicePrincipalClientSecretCustomEndpoint(t *testing.T) {
 backend.TestBackendStates(t, b)
 }
 
+func TestBackendMSALAzureADAuthBasic(t *testing.T) {
+ testAccAzureBackend(t)
+ rs := acctest.RandString(4)
+ res := testResourceNames(rs, "testState")
+ res.useAzureADAuth = true
+ res.useMicrosoftGraph = true
+ armClient := buildTestClient(t, res)
+
+ ctx := context.TODO()
+ err := armClient.buildTestResources(ctx, &res)
+ defer armClient.destroyTestResources(ctx, res)
+ if err != nil {
+ armClient.destroyTestResources(ctx, res)
+ t.Fatalf("Error creating Test Resources: %q", err)
+ }
+
+ b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
+ "storage_account_name": res.storageAccountName,
+ "container_name": res.storageContainerName,
+ "key": res.storageKeyName,
+ "access_key": res.storageAccountAccessKey,
+ "environment": os.Getenv("ARM_ENVIRONMENT"),
+ "endpoint": os.Getenv("ARM_ENDPOINT"),
+ "use_azuread_auth": true,
+ })).(*Backend)
+
+ backend.TestBackendStates(t, b)
+}
+
+func TestBackendMSALManagedServiceIdentityBasic(t *testing.T) {
+ testAccAzureBackendRunningInAzure(t)
+ rs := acctest.RandString(4)
+ res := testResourceNames(rs, "testState")
+ res.useMicrosoftGraph = true
+ armClient := buildTestClient(t, res)
+
+ ctx := context.TODO()
+ err := armClient.buildTestResources(ctx, &res)
+ defer armClient.destroyTestResources(ctx, res)
+ if err != nil {
+ t.Fatalf("Error creating Test Resources: %q", err)
+ }
+
+ b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
+ "storage_account_name": res.storageAccountName,
+ "container_name": res.storageContainerName,
+ "key": res.storageKeyName,
+ "resource_group_name": res.resourceGroup,
+ "use_msi": true,
+ "subscription_id": os.Getenv("ARM_SUBSCRIPTION_ID"),
+ "tenant_id": os.Getenv("ARM_TENANT_ID"),
+ "environment": os.Getenv("ARM_ENVIRONMENT"),
+ "endpoint": os.Getenv("ARM_ENDPOINT"),
+ })).(*Backend)
+
+ backend.TestBackendStates(t, b)
+}
+
+func TestBackendMSALServicePrincipalClientCertificateBasic(t *testing.T) {
+ testAccAzureBackend(t)
+
+ clientCertPassword := os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD")
+ clientCertPath := os.Getenv("ARM_CLIENT_CERTIFICATE_PATH")
+ if clientCertPath == "" {
+ t.Skip("Skipping since `ARM_CLIENT_CERTIFICATE_PATH` is not specified!")
+ }
+
+ rs := acctest.RandString(4)
+ res := testResourceNames(rs, "testState")
+ res.useMicrosoftGraph = true
+ armClient := buildTestClient(t, res)
+
+ ctx := context.TODO()
+ err := armClient.buildTestResources(ctx, &res)
+ defer armClient.destroyTestResources(ctx, res)
+ if err != nil {
+ t.Fatalf("Error creating Test Resources: %q", err)
+ }
+
+ b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
+ "storage_account_name": res.storageAccountName,
+ "container_name": res.storageContainerName,
+ "key": res.storageKeyName,
+ "resource_group_name": res.resourceGroup,
+ "subscription_id": os.Getenv("ARM_SUBSCRIPTION_ID"),
+ "tenant_id": os.Getenv("ARM_TENANT_ID"),
+ "client_id": os.Getenv("ARM_CLIENT_ID"),
+ "client_certificate_password": clientCertPassword,
+ "client_certificate_path": clientCertPath,
+ "environment": os.Getenv("ARM_ENVIRONMENT"),
+ "endpoint": os.Getenv("ARM_ENDPOINT"),
+ })).(*Backend)
+
+ backend.TestBackendStates(t, b)
+}
+
+func TestBackendMSALServicePrincipalClientSecretBasic(t *testing.T) {
+ testAccAzureBackend(t)
+ rs := acctest.RandString(4)
+ res := testResourceNames(rs, "testState")
+ res.useMicrosoftGraph = true
+ armClient := buildTestClient(t, res)
+
+ ctx := context.TODO()
+ err := armClient.buildTestResources(ctx, &res)
+ defer armClient.destroyTestResources(ctx, res)
+ if err != nil {
+ t.Fatalf("Error creating Test Resources: %q", err)
+ }
+
+ b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
+ "storage_account_name": res.storageAccountName,
+ "container_name": res.storageContainerName,
+ "key": res.storageKeyName,
+ "resource_group_name": res.resourceGroup,
+ "subscription_id": os.Getenv("ARM_SUBSCRIPTION_ID"),
+ "tenant_id": os.Getenv("ARM_TENANT_ID"),
+ "client_id": os.Getenv("ARM_CLIENT_ID"),
+ "client_secret": os.Getenv("ARM_CLIENT_SECRET"),
+ "environment": os.Getenv("ARM_ENVIRONMENT"),
+ "endpoint": os.Getenv("ARM_ENDPOINT"),
+ })).(*Backend)
+
+ backend.TestBackendStates(t, b)
+}
+
+func TestBackendMSALServicePrincipalClientSecretCustomEndpoint(t *testing.T) {
+ testAccAzureBackend(t)
+
+ // this is only applicable for Azure Stack.
+ endpoint := os.Getenv("ARM_ENDPOINT")
+ if endpoint == "" {
+ t.Skip("Skipping as ARM_ENDPOINT isn't configured")
+ }
+
+ rs := acctest.RandString(4)
+ res := testResourceNames(rs, "testState")
+ res.useMicrosoftGraph = true
+ armClient := buildTestClient(t, res)
+
+ ctx := context.TODO()
+ err := armClient.buildTestResources(ctx, &res)
+ defer armClient.destroyTestResources(ctx, res)
+ if err != nil {
+ t.Fatalf("Error creating Test Resources: %q", err)
+ }
+
+ b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
+ "storage_account_name": res.storageAccountName,
+ "container_name": res.storageContainerName,
+ "key": res.storageKeyName,
+ "resource_group_name": res.resourceGroup,
+ "subscription_id": os.Getenv("ARM_SUBSCRIPTION_ID"),
+ "tenant_id": os.Getenv("ARM_TENANT_ID"),
+ "client_id": os.Getenv("ARM_CLIENT_ID"),
+ "client_secret": os.Getenv("ARM_CLIENT_SECRET"),
+ "environment": os.Getenv("ARM_ENVIRONMENT"),
+ "endpoint": endpoint,
+ })).(*Backend)
+
+ backend.TestBackendStates(t, b)
+}
+
 func TestBackendAccessKeyLocked(t *testing.T) {
 testAccAzureBackend(t)
 rs := acctest.RandString(4)
diff --git a/internal/backend/remote-state/azure/helpers_test.go b/internal/backend/remote-state/azure/helpers_test.go
index c1d2ffd41f..dadb9aa260 100644
--- a/internal/backend/remote-state/azure/helpers_test.go
+++ b/internal/backend/remote-state/azure/helpers_test.go
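Review bot: In `TestBackendMSALAzureADAuthBasic` the config sets `"access_key": res.storageAccountAccessKey` together with `"use_azuread_auth": true`, so the test meant to cover Azure AD authentication also supplies a storage shared key. Which credential the backend uses when both are present is not visible in this hunk; if the key wins, the test passes without exercising the MSAL token path and a regression in it would go unnoticed. I would drop the `access_key` entry, or add a comment above it saying why it must stay. The same test calls `armClient.destroyTestResources(ctx, res)` inside `if err != nil` although the deferred call already runs when `t.Fatalf` ends the test, so cleanup runs twice on that path; the other four tests rely on the defer alone.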
@@ -84,6 +84,7 @@ func buildTestClient(t *testing.T, res resourceNames) *ArmClient {
 StorageAccountName: res.storageAccountName,
 UseMsi: msiEnabled,
 UseAzureADAuthentication: res.useAzureADAuth,
+ UseMicrosoftGraph: res.useMicrosoftGraph,
 })
 if err != nil {
 t.Fatalf("Failed to build ArmClient: %+v", err)
@@ -127,6 +128,7 @@ type resourceNames struct {
 storageKeyName string
 storageAccountAccessKey string
 useAzureADAuth bool
+ useMicrosoftGraph bool
 }
 
 func testResourceNames(rString string, keyName string) resourceNames {