Updated July 3, 2026

Epic Terraform OIDC Conversion


Introduction

Because of the high failure rate of Vault-backed dynamic service principals across all workspaces, the Epic Azure platform will migrate to OIDC authentication and authorization over a short period. This document records the high-level steps needed and the reasoning behind each step.

Step 1 - Rename the workspaces

Start by renaming the workspace-creation workspace, then go through every other workspace, rename it to the new naming convention (names start with aide-xxxx), and validate it.

Step 2 - Create Service principals and assign to workspaces

Using https://secure.optum.com, create the service principals following the required naming convention. Keep a CSV file that maps each workspace to a new service principal, with at most 10 workspaces per service principal.

Step 3 - Grant Permissions on Service principals

Run a script from the repository that grants each workspace's service principal the required Contributor access on its resource groups. A shell script that assigns these permissions to the service principals has been written; it serves as an example at a point in time.

Step 4 - Grant Golden Image Access to Service principals

This requires a ServiceNow ticket to the group Public Cloud Developer Toolkit - ENG requesting that the service principals be granted access to the Golden Images.

Step 5 - Create Federated Credentials using Service principals

Create/maintain a CSV file of the form:

ClientID,WorkspaceName
87f1cb81-c572-4bbd-8410-dd43dbba6e9a,aide-0085665-tfews-epic-cloudtesteast-shared-wus3-01
87f1cb81-c572-4bbd-8410-dd43dbba6e9a,aide-0085665-tfews-epic-odb-eastepic-test-wus3-01

A script must be run against the CSV file by someone who owns every service principal listed in it. Hopefully this can be improved upon.

The script can be found here:
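The script referenced above is not reproduced on this page. As an added example (not the page's own script), the following shell checks the ClientID,WorkspaceName CSV against the 10-workspaces-per-service-principal rule and the aide- naming convention, then prints the az CLI call that creates one federated credential per workspace and run phase (plan and apply). ORG_NAME and PROJECT_NAME are assumed placeholders for the HCP Terraform organization and project, and the sample CSV is constructed.

```shell
#!/bin/sh
# Added example, not the page's own Step 5 script. Validates the
# ClientID,WorkspaceName CSV and prints the az CLI calls that would create the
# HCP Terraform federated credentials. ORG_NAME and PROJECT_NAME are assumed
# placeholders for the organization and project the workspaces live in.
ORG_NAME="${ORG_NAME:-EXAMPLE-ORG}"
PROJECT_NAME="${PROJECT_NAME:-Default Project}"
MAX_PER_SP=10   # plan + apply = 2 credentials per workspace; Azure caps an app at 20

# Constructed sample mapping, same shape as the CSV in Step 5 (GUID is made up).
write_sample_csv() {
  cat > "$1" <<'EOF'
ClientID,WorkspaceName
11111111-1111-1111-1111-111111111111,aide-0000001-tfews-epic-sample-shared-wus3-01
11111111-1111-1111-1111-111111111111,aide-0000001-tfews-epic-sample-test-wus3-01
EOF
}

# Exit non-zero if a workspace name breaks the aide- convention from Step 1 or a
# service principal is mapped to more than MAX_PER_SP workspaces.
check_csv() {
  tr -d '\r' < "$1" | awk -F, -v max="$MAX_PER_SP" '
    NR == 1 { next }
    $2 !~ /^aide-/ { print "bad workspace name: " $2; bad = 1 }
    { n[$1]++ }
    END {
      for (id in n) if (n[id] > max) { print "too many workspaces for " id; bad = 1 }
      exit bad + 0
    }'
}

# One federated credential per workspace and run phase. The subject must match
# the claim HCP Terraform puts in its token exactly, or Azure rejects the exchange.
gen_federated_creds() {
  tr -d '\r' < "$1" | tail -n +2 | while IFS=, read -r client_id ws; do
    for phase in plan apply; do
      subject="organization:$ORG_NAME:project:$PROJECT_NAME:workspace:$ws:run_phase:$phase"
      json=$(printf '{"name":"%s-%s","issuer":"https://app.terraform.io","subject":"%s","audiences":["api://AzureADTokenExchange"]}' \
        "$ws" "$phase" "$subject")
      # --id accepts the application (client) ID taken from the CSV
      printf "az ad app federated-credential create --id %s --parameters '%s'\n" "$client_id" "$json"
    done
  done
}
```

Run `check_csv mapping.csv && gen_federated_creds mapping.csv` to review the commands before executing them; the caller must own every application in the CSV, as the text above notes.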

Step 6 - Update Workspace Variables

The variable: TFC_VAULT_BACKED_AZURE_AUTH needs to be set to false.

These variables need to be added:

  • TFC_AZURE_PROVIDER_AUTH - true
  • TFC_AZURE_RUN_CLIENT_ID - the client ID GUID of the service principal this workspace is mapped to in the CSV

Step 7 - Update Terraform for workspaces

The provider.tf files currently look like this:

variable "tfc_vault_backed_azure_dynamic_credentials" {
  description = "Object containing Vault-backed Azure dynamic credentials configuration"
  type = object({
    default = object({
      client_id_file_path     = string
      client_secret_file_path = string
    })
    aliases = map(object({
      client_id_file_path     = string
      client_secret_file_path = string
    }))
  })
}

provider "azurerm" {
  features {}
  use_cli                 = false
  client_id_file_path     = var.tfc_vault_backed_azure_dynamic_credentials.default.client_id_file_path
  client_secret_file_path = var.tfc_vault_backed_azure_dynamic_credentials.default.client_secret_file_path
  tenant_id               = var.tenant_id
  subscription_id         = var.subscription_id
}

This needs to be modified to:

variable "tfc_azure_dynamic_credentials" {
  description = "Object containing Azure dynamic credentials configuration"
  type = object({
    default = object({
      client_id_file_path = string
      oidc_token_file_path = string
    })
    aliases = map(object({
      client_id_file_path = string
      oidc_token_file_path = string
    }))
  })
}

provider "azurerm" {
  features {}
  use_cli              = false
  use_oidc             = true
  client_id_file_path  = var.tfc_azure_dynamic_credentials.default.client_id_file_path
  oidc_token_file_path = var.tfc_azure_dynamic_credentials.default.oidc_token_file_path
  subscription_id      = var.subscription_id
  tenant_id            = var.tenant_id
}

Additionally, many of our workspaces have multiple azurerm provider blocks, often in files named acn-main.tf. Each of these blocks needs to be updated from

client_id_file_path     = var.tfc_vault_backed_azure_dynamic_credentials.default.client_id_file_path
client_secret_file_path = var.tfc_vault_backed_azure_dynamic_credentials.default.client_secret_file_path

to:

use_oidc             = true
client_id_file_path  = var.tfc_azure_dynamic_credentials.default.client_id_file_path
oidc_token_file_path = var.tfc_azure_dynamic_credentials.default.oidc_token_file_path

Note: you may find provider blocks in other files. Please make sure to update every provider block.

Here is a set of commands, working with both the macOS (BSD) and GNU sed, that rewrites the variable block and every azurerm provider block in providers.tf. It renames the variable and the client_secret_file_path attribute everywhere (so the type definition and any aliased provider references are covered, not just the default provider) and inserts use_oidc = true into each provider "azurerm" block:

cp providers.tf providers.tf.bak
sed -e 's/tfc_vault_backed_azure_dynamic_credentials/tfc_azure_dynamic_credentials/g' \
    -e 's/client_secret_file_path/oidc_token_file_path/g' \
    -e 's/Vault-backed Azure dynamic credentials/Azure dynamic credentials/' \
    -e 's/^\(provider[[:space:]]*"azurerm"[[:space:]]*{\)[[:space:]]*$/\1\
  use_oidc = true/' \
    providers.tf > providers_new.tf && mv providers_new.tf providers.tf
terraform fmt providers.tf   # realign the "=" signs after the edit

Step 8 - Test each workspace

Run Terraform in each workspace to confirm that the new OIDC authentication works.