Backend/azure: Update go-azure-sdk version to v0.20250131.1134653 (#36458)

* dependencies: update go-azure-sdk to v0.20250131.1134653 * Update backend test for Github and ADO to not rely on the env vars * Setting ado_pipeline_service_connection_id during provider config * Update doc * changelog
2026-02-05 06:46:14 +01:00 · 2025-02-14 02:02:28 +11:00
parent e0661f44ae
commit 8913b2ffa8
10 changed files with 142 additions and 44 deletions
--- a/.changes/unreleased/ENHANCEMENTS-20250207-164803.yaml
+++ b/.changes/unreleased/ENHANCEMENTS-20250207-164803.yaml
@@ -0,0 +1,5 @@
+kind: ENHANCEMENTS
+body: Azure Backend supports ADO Pipelines OIDC token refresh by using the `oidc_request_url`, `oidc_request_token` and (the new) `ado_pipeline_service_connection_id`.
+time: 2025-02-07T16:48:03.902464157+11:00
+custom:
+    Issue: "36458"
--- a/go.mod
+++ b/go.mod
@@ -177,8 +177,8 @@ require (
 	github.com/hashicorp/copywrite v0.20.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-azure-helpers v0.71.0 // indirect
-	github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051 // indirect
-	github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051 // indirect
+	github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653 // indirect
+	github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653 // indirect
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect
 	github.com/hashicorp/go-immutable-radix v1.0.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1072,10 +1072,10 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-azure-helpers v0.71.0 h1:ra3aIRzg01g6MLKQ+yABcb6WJtrqRUDDgyuPLmyZ9lY=
 github.com/hashicorp/go-azure-helpers v0.71.0/go.mod h1:BmbF4JDYXK5sEmFeU5hcn8Br21uElcqLfdQxjatwQKw=
-github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051 h1:jFgd3bzeRViGTzicIn9gDw2O/Gk6WjVJCTTefPNOGPY=
-github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051/go.mod h1:XapOZ9HiCtXz3qb5yNFiCuWbOBj2I3WU1K2jwqgK2zA=
-github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051 h1:4fCKJPSeLVvwl7ZCqU7MOUKyx/M7kl/J6wlw2O3xn40=
-github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc=
+github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653 h1:KuDCZKWoOByX5MUyFRNWLl4Gy6wpZCwJ7Ez1mbUwouo=
+github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653/go.mod h1:AawbnS/Kkp/IURMJVzmvD+Co2zK91lKFqYYDbenCpGU=
+github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653 h1:Bd+glHUD1mdal1zn0NgoS4wDFhUB8Qfw61j0nZEnC5A=
+github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc=
 github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU=
 github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
--- a/internal/backend/remote-state/azure/backend.go
+++ b/internal/backend/remote-state/azure/backend.go
@@ -156,17 +156,24 @@ func New() backend.Backend {
 				Description: "Allow OpenID Connect to be used for authentication",
 			},

+			"ado_pipeline_service_connection_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID", "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID"}, nil),
+				Description: "The Azure DevOps Pipeline Service Connection ID.",
+			},
+
 			"oidc_request_token": {
 				Type:        schema.TypeString,
 				Optional:    true,
-				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN"}, ""),
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "SYSTEM_ACCESSTOKEN"}, nil),
 				Description: "The bearer token for the request to the OIDC provider. For use when authenticating as a Service Principal using OpenID Connect.",
 			},

 			"oidc_request_url": {
 				Type:        schema.TypeString,
 				Optional:    true,
-				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL"}, ""),
+				DefaultFunc: schema.MultiEnvDefaultFunc([]string{"ARM_OIDC_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_URL", "SYSTEM_OIDCREQUESTURI"}, nil),
 				Description: "The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Principal using OpenID Connect.",
 			},

@@ -329,9 +336,10 @@ func (b *Backend) configure(ctx context.Context) error {
 		ClientCertificatePassword: data.Get("client_certificate_password").(string),
 		ClientSecret:              *clientSecret,

-		OIDCAssertionToken:          *oidcToken,
-		GitHubOIDCTokenRequestURL:   data.Get("oidc_request_url").(string),
-		GitHubOIDCTokenRequestToken: data.Get("oidc_request_token").(string),
+		OIDCAssertionToken:             *oidcToken,
+		OIDCTokenRequestURL:            data.Get("oidc_request_url").(string),
+		OIDCTokenRequestToken:          data.Get("oidc_request_token").(string),
+		ADOPipelineServiceConnectionID: data.Get("ado_pipeline_service_connection_id").(string),

 		CustomManagedIdentityEndpoint: data.Get("msi_endpoint").(string),

@@ -341,6 +349,7 @@ func (b *Backend) configure(ctx context.Context) error {
 		EnableAuthenticatingUsingManagedIdentity:   enableManagedIdentity,
 		EnableAuthenticationUsingOIDC:              enableOidc,
 		EnableAuthenticationUsingGitHubOIDC:        enableOidc,
+		EnableAuthenticationUsingADOPipelineOIDC:   enableOidc,
 	}

 	backendConfig := BackendConfig{
--- a/internal/backend/remote-state/azure/backend_test.go
+++ b/internal/backend/remote-state/azure/backend_test.go
@@ -57,7 +57,7 @@ func TestAccBackendAccessKeyBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"storage_account_name": m.names.storageAccountName,
 		"container_name":       m.names.storageContainerName,
@@ -89,7 +89,7 @@ func TestAccBackendSASTokenBasic(t *testing.T) {
 		t.Fatalf("Error building SAS Token: %+v", err)
 	}

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"storage_account_name": m.names.storageAccountName,
 		"container_name":       m.names.storageContainerName,
@@ -106,6 +106,16 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) {

 	testAccAzureBackendRunningInGitHubActions(t)

+	oidcRequestToken := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
+	if oidcRequestToken == "" {
+		t.Fatalf("Missing ACTIONS_ID_TOKEN_REQUEST_TOKEN")
+	}
+
+	oidcRequestURL := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
+	if oidcRequestURL == "" {
+		t.Fatalf("Missing ACTIONS_ID_TOKEN_REQUEST_URL")
+	}
+
 	ctx := newCtx()
 	m := BuildTestMeta(t, ctx)

@@ -116,7 +126,7 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
 		"resource_group_name":  m.names.resourceGroup,
@@ -124,6 +134,8 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) {
 		"container_name":       m.names.storageContainerName,
 		"key":                  m.names.storageKeyName,
 		"use_oidc":             true,
+		"oidc_request_token":   oidcRequestToken,
+		"oidc_request_url":     oidcRequestURL,
 		"tenant_id":            m.tenantId,
 		"client_id":            m.clientId,
 		"environment":          m.env.Name,
@@ -132,6 +144,55 @@ func TestAccBackendGithubOIDCBasic(t *testing.T) {
 	backend.TestBackendStates(t, b)
 }

+func TestAccBackendADOPipelinesOIDCBasic(t *testing.T) {
+	t.Parallel()
+
+	testAccAzureBackendRunningInADOPipelines(t)
+
+	oidcRequestToken := os.Getenv("SYSTEM_ACCESSTOKEN")
+	if oidcRequestToken == "" {
+		t.Fatalf("Missing SYSTEM_ACCESSTOKEN")
+	}
+
+	oidcRequestURL := os.Getenv("SYSTEM_OIDCREQUESTURI")
+	if oidcRequestURL == "" {
+		t.Fatalf("Missing SYSTEM_OIDCREQUESTURI")
+	}
+
+	adoPipelineServiceConnectionId := os.Getenv("ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID")
+	if adoPipelineServiceConnectionId == "" {
+		t.Fatalf("Missing ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID")
+	}
+
+	ctx := newCtx()
+	m := BuildTestMeta(t, ctx)
+
+	err := m.buildTestResources(ctx)
+	if err != nil {
+		m.destroyTestResources(ctx)
+		t.Fatalf("Error creating Test Resources: %q", err)
+	}
+	defer m.destroyTestResources(ctx)
+
+	clearARMEnv()
+	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
+		"subscription_id":                    m.subscriptionId,
+		"resource_group_name":                m.names.resourceGroup,
+		"storage_account_name":               m.names.storageAccountName,
+		"container_name":                     m.names.storageContainerName,
+		"key":                                m.names.storageKeyName,
+		"use_oidc":                           true,
+		"oidc_request_token":                 oidcRequestToken,
+		"oidc_request_url":                   oidcRequestURL,
+		"ado_pipeline_service_connection_id": adoPipelineServiceConnectionId,
+		"tenant_id":                          m.tenantId,
+		"client_id":                          m.clientId,
+		"environment":                        m.env.Name,
+	})).(*Backend)
+
+	backend.TestBackendStates(t, b)
+}
+
 func TestAccBackendAzureADAuthBasic(t *testing.T) {
 	t.Parallel()

@@ -147,7 +208,7 @@ func TestAccBackendAzureADAuthBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
 		"resource_group_name":  m.names.resourceGroup,
@@ -179,7 +240,7 @@ func TestAccBackendManagedServiceIdentityBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
 		"resource_group_name":  m.names.resourceGroup,
@@ -215,7 +276,7 @@ func TestAccBackendServicePrincipalClientCertificateBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":             m.subscriptionId,
 		"resource_group_name":         m.names.resourceGroup,
@@ -247,7 +308,7 @@ func TestAccBackendServicePrincipalClientSecretBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
 		"resource_group_name":  m.names.resourceGroup,
@@ -278,7 +339,7 @@ func TestAccBackendAccessKeyLocked(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()

 	b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"storage_account_name": m.names.storageAccountName,
@@ -318,7 +379,7 @@ func TestAccBackendServicePrincipalLocked(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()

 	b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
--- a/internal/backend/remote-state/azure/client_test.go
+++ b/internal/backend/remote-state/azure/client_test.go
@@ -29,7 +29,7 @@ func TestRemoteClientAccessKeyBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"storage_account_name": m.names.storageAccountName,
 		"container_name":       m.names.storageContainerName,
@@ -61,7 +61,7 @@ func TestRemoteClientManagedServiceIdentityBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
 		"resource_group_name":  m.names.resourceGroup,
@@ -101,7 +101,7 @@ func TestRemoteClientSasTokenBasic(t *testing.T) {
 		t.Fatalf("Error building SAS Token: %+v", err)
 	}

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"storage_account_name": m.names.storageAccountName,
 		"container_name":       m.names.storageContainerName,
@@ -133,7 +133,7 @@ func TestRemoteClientServicePrincipalBasic(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()
 	b := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
 		"resource_group_name":  m.names.resourceGroup,
@@ -169,7 +169,7 @@ func TestRemoteClientAccessKeyLocks(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()

 	b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"storage_account_name": m.names.storageAccountName,
@@ -215,7 +215,7 @@ func TestRemoteClientServicePrincipalLocks(t *testing.T) {
 	}
 	defer m.destroyTestResources(ctx)

-	clearEnv()
+	clearARMEnv()

 	b1 := backend.TestBackendConfig(t, New(), backend.TestWrapConfig(map[string]interface{}{
 		"subscription_id":      m.subscriptionId,
--- a/internal/backend/remote-state/azure/go.mod
+++ b/internal/backend/remote-state/azure/go.mod
@@ -4,8 +4,8 @@ go 1.24.0

 require (
 	github.com/hashicorp/go-azure-helpers v0.71.0
-	github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051
-	github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051
+	github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653
+	github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/terraform v0.0.0-00010101000000-000000000000
 	github.com/hashicorp/terraform/internal/legacy v0.0.0-00010101000000-000000000000
--- a/internal/backend/remote-state/azure/go.sum
+++ b/internal/backend/remote-state/azure/go.sum
@@ -180,10 +180,10 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-azure-helpers v0.71.0 h1:ra3aIRzg01g6MLKQ+yABcb6WJtrqRUDDgyuPLmyZ9lY=
 github.com/hashicorp/go-azure-helpers v0.71.0/go.mod h1:BmbF4JDYXK5sEmFeU5hcn8Br21uElcqLfdQxjatwQKw=
-github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051 h1:jFgd3bzeRViGTzicIn9gDw2O/Gk6WjVJCTTefPNOGPY=
-github.com/hashicorp/go-azure-sdk/resource-manager v0.20241212.1154051/go.mod h1:XapOZ9HiCtXz3qb5yNFiCuWbOBj2I3WU1K2jwqgK2zA=
-github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051 h1:4fCKJPSeLVvwl7ZCqU7MOUKyx/M7kl/J6wlw2O3xn40=
-github.com/hashicorp/go-azure-sdk/sdk v0.20241212.1154051/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc=
+github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653 h1:KuDCZKWoOByX5MUyFRNWLl4Gy6wpZCwJ7Ez1mbUwouo=
+github.com/hashicorp/go-azure-sdk/resource-manager v0.20250131.1134653/go.mod h1:AawbnS/Kkp/IURMJVzmvD+Co2zK91lKFqYYDbenCpGU=
+github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653 h1:Bd+glHUD1mdal1zn0NgoS4wDFhUB8Qfw61j0nZEnC5A=
+github.com/hashicorp/go-azure-sdk/sdk v0.20250131.1134653/go.mod h1:oI5R0fTbBx3K/sJBK5R/OlEy8ozdQjvctxVU9v3EDkc=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI=
--- a/internal/backend/remote-state/azure/helpers_test.go
+++ b/internal/backend/remote-state/azure/helpers_test.go
@@ -56,7 +56,16 @@ func testAccAzureBackendRunningInGitHubActions(t *testing.T) {
 	}
 }

-// clearEnv cleans up the azure related environment variables.
+// these kind of tests can only run when within ADO Pipelines (e.g. OIDC)
+func testAccAzureBackendRunningInADOPipelines(t *testing.T) {
+	testAccAzureBackend(t)
+
+	if os.Getenv("TF_RUNNING_IN_ADO_PIPELINES") == "" {
+		t.Skip("Skipping test since not running in ADO Pipelines")
+	}
+}
+
+// clearARMEnv cleans up the azure related environment variables.
 // This is to ensure the configuration only comes from HCL, which avoids
 // env vars for test setup interfere the behavior.
 //
@@ -65,7 +74,7 @@ func testAccAzureBackendRunningInGitHubActions(t *testing.T) {
 // impact can be eliminated given all the tests are implemented in a similar
 // pattern that those env vars will be consumed at the very begining. The test
 // runner has to ensure to set a **big enough parallelism**.
-func clearEnv() {
+func clearARMEnv() {
 	for _, evexp := range os.Environ() {
 		k, _, ok := strings.Cut(evexp, "=")
 		if !ok {
@@ -178,19 +187,21 @@ func BuildTestMeta(t *testing.T, ctx context.Context) *TestMeta {
 	// - MSI: For MSI related tests
 	// - OIDC: For OIDC related tests
 	authConfig := &auth.Credentials{
-		Environment:                 *env,
-		TenantID:                    tenantID,
-		ClientID:                    clientID,
-		ClientSecret:                clientSecret,
-		ClientCertificatePath:       os.Getenv("ARM_CLIENT_CERTIFICATE_PATH"),
-		ClientCertificatePassword:   os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD"),
-		GitHubOIDCTokenRequestURL:   os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"),
-		GitHubOIDCTokenRequestToken: os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN"),
+		Environment:                    *env,
+		TenantID:                       tenantID,
+		ClientID:                       clientID,
+		ClientSecret:                   clientSecret,
+		ClientCertificatePath:          os.Getenv("ARM_CLIENT_CERTIFICATE_PATH"),
+		ClientCertificatePassword:      os.Getenv("ARM_CLIENT_CERTIFICATE_PASSWORD"),
+		OIDCTokenRequestURL:            getEnvvars("ACTIONS_ID_TOKEN_REQUEST_URL", "SYSTEM_OIDCREQUESTURI"),
+		OIDCTokenRequestToken:          getEnvvars("ACTIONS_ID_TOKEN_REQUEST_TOKEN", "SYSTEM_ACCESSTOKEN"),
+		ADOPipelineServiceConnectionID: os.Getenv("ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID"),

 		EnableAuthenticatingUsingClientSecret:      true,
 		EnableAuthenticatingUsingClientCertificate: true,
 		EnableAuthenticatingUsingManagedIdentity:   true,
 		EnableAuthenticationUsingGitHubOIDC:        true,
+		EnableAuthenticationUsingADOPipelineOIDC:   true,
 	}

 	resourceManagerAuth, err := auth.NewAuthorizerFromCredentials(ctx, *authConfig, env.ResourceManager)
@@ -325,3 +336,13 @@ func randString(strlen int) string {
 	}
 	return string(result)
 }
+
+// getEnvvars return the first non-empty env var specified. If none is found, it returns empty string.
+func getEnvvars(envvars ...string) string {
+	for _, envvar := range envvars {
+		if v := os.Getenv(envvar); v != "" {
+			return v
+		}
+	}
+	return ""
+}
--- a/website/docs/language/backend/azurerm.mdx
+++ b/website/docs/language/backend/azurerm.mdx
@@ -540,9 +540,11 @@ When authenticating using a Managed Identity (MSI) - the following fields are al

 When authenticating using a Service Principal with OpenID Connect (OIDC / Workload Identity Federation) - the following fields are also supported:

-* `oidc_request_url` - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL` or `ACTIONS_ID_TOKEN_REQUEST_URL` environment variables.
+* `ado_pipeline_service_connection_id` - (Optional) The Azure DevOps Pipeline Service Connection ID. This can also be sourced from the `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID` or `ARM_OIDC_AZURE_SERVICE_CONNECTION_ID` Environment Variables. The provider will look for values in this order and use the first it finds configured.

-* `oidc_request_token` - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN` or `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variables.
+* `oidc_request_url` - (Optional) The URL for the OIDC provider from which to request an ID token. This can also be sourced from the `ARM_OIDC_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_URL` or `SYSTEM_OIDCREQUESTURI` Environment Variables. The provider will look for values in this order and use the first it finds configured.
+
+* `oidc_request_token` - (Optional) The bearer token for the request to the OIDC provider. This can also be sourced from the `ARM_OIDC_REQUEST_TOKEN`, `ACTIONS_ID_TOKEN_REQUEST_TOKEN` or `SYSTEM_ACCESSTOKEN` Environment Variables. The provider will look for values in this order and use the first it finds configured.

 * `oidc_token` - (Optional) The ID token when authenticating using OpenID Connect (OIDC). This can also be sourced from the `ARM_OIDC_TOKEN` environment variable.