lego/providers/dns/azuredns/azuredns.toml

Name = "AzureDNS"
Description = ''''''
URL = "https://azure.microsoft.com/services/dns/"
Code = "azuredns"
Since = "v0.1.0"

Example = '''
### Using client secret
AZURE_CLIENT_ID=<your service principal client ID> \
AZURE_TENANT_ID=<your service principal tenant ID> \
AZURE_CLIENT_SECRET=<your service principal client secret> \
lego --domains example.com --email your_example@email.com --dns azuredns run

### Using client certificate
AZURE_CLIENT_ID=<your service principal client ID> \
AZURE_TENANT_ID=<your service principal tenant ID> \
AZURE_CLIENT_CERTIFICATE_PATH=<your service principal certificate path> \
lego --domains example.com --email your_example@email.com --dns azuredns run

### Using Azure CLI
az login \
lego --domains example.com --email your_example@email.com --dns azuredns run
'''

Additional = '''
## Description

Azure Credentials are automatically detected in the following locations and prioritized in the following order:

1. Environment variables for client secret: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`
2. Environment variables for client certificate: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_CERTIFICATE_PATH`
3. Workload identity for resources hosted in Azure environment (see below)
4. Shared credentials file (defaults to `~/.azure`), used by Azure CLI

Link:
- [Azure Authentication](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication)

### Workload identity

#### Azure Managed Identity

Azure managed identity service allows linking Azure AD identities to Azure resources. \
Workloads running inside compute typed resource can inherit from this configuration to get rights on Azure resources.

#### Workload identity for AKS

Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials. \
This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand. \

Here is a summary of the steps to follow to use it :
* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`. \
* on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`.
* create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL  and add the namespace and name of your kubernetes service account.

Link :
- [Azure AD Workload identity](https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html)

'''

[Configuration]
  [Configuration.Credentials]
    AZURE_CLIENT_ID = "Client ID"
    AZURE_CLIENT_SECRET = "Client secret"
    AZURE_TENANT_ID = "Tenant ID"
    AZURE_SUBSCRIPTION_ID = "DNS zone subscription ID"
    AZURE_RESOURCE_GROUP = "DNS zone resource group"
  [Configuration.Additional]
    AZURE_ENVIRONMENT = "Azure environment, one of: public, usgovernment, and china"
    AZURE_PRIVATE_ZONE = "Set to true to use Azure Private DNS Zones and not public"
    AZURE_ZONE_NAME = "Zone name to use inside Azure DNS service to add the TXT record in"
    AZURE_TTL = "The TTL of the TXT record used for the DNS challenge"
    AZURE_POLLING_INTERVAL = "Time between DNS propagation check"
    AZURE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"

[Links]
  API = "https://docs.microsoft.com/en-us/go/azure/"
  GoClient = "https://github.com/Azure/azure-sdk-for-go"
azure: new implementation based on the new API client (#1830) Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com> 2023-07-12 18:02:06 +00:00			`Name = "AzureDNS"`
			`Description = ''''''`
			`URL = "https://azure.microsoft.com/services/dns/"`
			`Code = "azuredns"`
			`Since = "v0.1.0"`

			`Example = '''`
			`### Using client secret`
			`AZURE_CLIENT_ID=<your service principal client ID> \`
			`AZURE_TENANT_ID=<your service principal tenant ID> \`
			`AZURE_CLIENT_SECRET=<your service principal client secret> \`
			`lego --domains example.com --email your_example@email.com --dns azuredns run`

			`### Using client certificate`
			`AZURE_CLIENT_ID=<your service principal client ID> \`
			`AZURE_TENANT_ID=<your service principal tenant ID> \`
			`AZURE_CLIENT_CERTIFICATE_PATH=<your service principal certificate path> \`
			`lego --domains example.com --email your_example@email.com --dns azuredns run`

			`### Using Azure CLI`
			`az login \`
			`lego --domains example.com --email your_example@email.com --dns azuredns run`
			`'''`

			`Additional = '''`
			`## Description`

			`Azure Credentials are automatically detected in the following locations and prioritized in the following order:`

			1. Environment variables for client secret: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`
			2. Environment variables for client certificate: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_CERTIFICATE_PATH`
			`3. Workload identity for resources hosted in Azure environment (see below)`
			4. Shared credentials file (defaults to `~/.azure`), used by Azure CLI

			`Link:`
			`- [Azure Authentication](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication)`

			`### Workload identity`

			`#### Azure Managed Identity`

			`Azure managed identity service allows linking Azure AD identities to Azure resources. \`
			`Workloads running inside compute typed resource can inherit from this configuration to get rights on Azure resources.`

			`#### Workload identity for AKS`

			`Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials. \`
			`This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand. \`

			`Here is a summary of the steps to follow to use it :`
			* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`. \
			* on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`.
			* create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL and add the namespace and name of your kubernetes service account.

			`Link :`
			`- [Azure AD Workload identity](https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html)`

			`'''`

			`[Configuration]`
			`[Configuration.Credentials]`
			`AZURE_CLIENT_ID = "Client ID"`
			`AZURE_CLIENT_SECRET = "Client secret"`
			`AZURE_TENANT_ID = "Tenant ID"`
			`AZURE_SUBSCRIPTION_ID = "DNS zone subscription ID"`
			`AZURE_RESOURCE_GROUP = "DNS zone resource group"`
			`[Configuration.Additional]`
			`AZURE_ENVIRONMENT = "Azure environment, one of: public, usgovernment, and china"`
			`AZURE_PRIVATE_ZONE = "Set to true to use Azure Private DNS Zones and not public"`
			`AZURE_ZONE_NAME = "Zone name to use inside Azure DNS service to add the TXT record in"`
			`AZURE_TTL = "The TTL of the TXT record used for the DNS challenge"`
			`AZURE_POLLING_INTERVAL = "Time between DNS propagation check"`
			`AZURE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"`

			`[Links]`
			`API = "https://docs.microsoft.com/en-us/go/azure/"`
			`GoClient = "https://github.com/Azure/azure-sdk-for-go"`