feat: support either WIF or SP app password

Author: malhussan

modules/azure/storage-account/backplane/README.md

@@ -12,6 +12,13 @@ The module supports two modes of operation:
 1. **Existing Service Principals**: Use `existing_principal_ids` to grant permissions to already existing service principals
 2. **Create New Service Principal**: Use `create_service_principal_name` to create a single new service principal and automatically grant it permissions
 
+## Authentication Methods
+
+When creating a new service principal, you can choose between two authentication methods:
+
+- **Application Password** (default): A traditional client secret will be created
+- **Workload Identity Federation**: Configure federated identity credentials for passwordless authentication (e.g., from GitHub Actions, Azure DevOps, or other OIDC providers)
+
 ## Usage Examples
 
 ### Using Existing Service Principals
@@ -43,6 +50,23 @@ module "storage_account_backplane" {
 }
 ```
 
+### Creating a New Service Principal with Workload Identity Federation
+
+```hcl
+module "storage_account_backplane" {
+  source = "./modules/azure/storage-account/backplane"
+
+  name  = "my-storage-account"
+  scope = "/providers/Microsoft.Management/managementGroups/my-mg"
+
+  create_service_principal_name = "deployment-sp"
+  workload_identity_federation = {
+    issuer  = "https://token.actions.githubusercontent.com"
+    subject = "repo:my-org/my-repo:ref:refs/heads/main"
+  }
+}
+```
+
 ### Mixed Usage (Both Existing and New)
 
 ```hcl
@@ -78,6 +102,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [azuread_application.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_application_federated_identity_credential.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
+| [azuread_application_password.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
 | [azuread_service_principal.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
 | [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
 | [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
@@ -90,11 +116,13 @@ No modules.
 | <a name="input_existing_principal_ids"></a> [existing\_principal\_ids](#input\_existing\_principal\_ids) | set of existing principal ids that will be granted permissions to deploy the building block | `set(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes |
 | <a name="input_scope"></a> [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. If not provided, an application password will be created instead. | <pre>object({<br>    issuer  = string<br>    subject = string<br>  })</pre> | `null` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_application_password"></a> [application\_password](#output\_application\_password) | Information about the created application password (excludes the actual password value for security). |
 | <a name="output_created_application"></a> [created\_application](#output\_created\_application) | Information about the created Azure AD application. |
 | <a name="output_created_service_principal"></a> [created\_service\_principal](#output\_created\_service\_principal) | Information about the created service principal. |
 | <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Storage Account Building Block building block backplane |
@@ -103,4 +131,5 @@ No modules.
 | <a name="output_role_definition_id"></a> [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to subscriptions. |
 | <a name="output_role_definition_name"></a> [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the building block to subscriptions. |
 | <a name="output_scope"></a> [scope](#output\_scope) | The scope where the role definition and role assignments are applied. |
+| <a name="output_workload_identity_federation"></a> [workload\_identity\_federation](#output\_workload\_identity\_federation) | Information about the created workload identity federation credential. |
 <!-- END_TF_DOCS -->

modules/azure/storage-account/backplane/main.tf

@@ -12,6 +12,26 @@ resource "azuread_service_principal" "buildingblock_deploy" {
   app_role_assignment_required = false
 }
 
+
+# Create federated identity credentials
+resource "azuread_application_federated_identity_credential" "buildingblock_deploy" {
+  count = var.create_service_principal_name != null && var.workload_identity_federation != null ? 1 : 0
+
+  application_id = azuread_application.buildingblock_deploy[0].id
+  display_name   = var.create_service_principal_name
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = var.workload_identity_federation.issuer
+  subject        = var.workload_identity_federation.subject
+}
+
+# Create application password (when not using workload identity federation)
+resource "azuread_application_password" "buildingblock_deploy" {
+  count = var.create_service_principal_name != null && var.workload_identity_federation == null ? 1 : 0
+
+  application_id = azuread_application.buildingblock_deploy[0].id
+  display_name   = "${var.create_service_principal_name}-password"
+}
+
 # Role Definition
 resource "azurerm_role_definition" "buildingblock_deploy" {
   name        = "${var.name}-deploy"

modules/azure/storage-account/backplane/outputs.tf

@@ -37,6 +37,26 @@ output "created_application" {
   description = "Information about the created Azure AD application."
 }
 
+output "workload_identity_federation" {
+  value = var.create_service_principal_name != null && var.workload_identity_federation != null ? {
+    credential_id = azuread_application_federated_identity_credential.buildingblock_deploy[0].credential_id
+    display_name  = azuread_application_federated_identity_credential.buildingblock_deploy[0].display_name
+    issuer        = azuread_application_federated_identity_credential.buildingblock_deploy[0].issuer
+    subject       = azuread_application_federated_identity_credential.buildingblock_deploy[0].subject
+    audiences     = azuread_application_federated_identity_credential.buildingblock_deploy[0].audiences
+  } : null
+  description = "Information about the created workload identity federation credential."
+}
+
+output "application_password" {
+  value = var.create_service_principal_name != null && var.workload_identity_federation == null ? {
+    key_id       = azuread_application_password.buildingblock_deploy[0].key_id
+    display_name = azuread_application_password.buildingblock_deploy[0].display_name
+  } : null
+  description = "Information about the created application password (excludes the actual password value for security)."
+  sensitive   = true
+}
+
 output "scope" {
   value       = var.scope
   description = "The scope where the role definition and role assignments are applied."

modules/azure/storage-account/backplane/variables.tf

@@ -30,3 +30,12 @@ variable "create_service_principal_name" {
     error_message = "Service principal name can only contain alphanumeric characters, hyphens, and underscores"
   }
 }
+
+variable "workload_identity_federation" {
+  type = object({
+    issuer  = string
+    subject = string
+  })
+  default     = null
+  description = "Configuration for workload identity federation. If not provided, an application password will be created instead."
+}