windsorcli · rmvangun · Dec 10, 2025 · Dec 10, 2025
diff --git a/pkg/composer/composer.go b/pkg/composer/composer.go
@@ -176,6 +176,7 @@ func (r *Composer) generateGitignore() error {
 		".windsor/",
 		".volumes/",
 		"terraform/**/backend_override.tf",
+		"terraform/**/providers_override.tf",
 		"contexts/**/.kube/",
 		"contexts/**/.talos/",
 		"contexts/**/.omni/",

diff --git a/pkg/composer/composer_test.go b/pkg/composer/composer_test.go
@@ -1114,7 +1114,7 @@ func TestComposer_generateGitignore(t *testing.T) {
 		}
 
 		contentStr := string(content)
-		requiredEntries := []string{".windsor/", ".volumes/", "terraform/**/backend_override.tf"}
+		requiredEntries := []string{".windsor/", ".volumes/", "terraform/**/backend_override.tf", "terraform/**/providers_override.tf"}
 		for _, entry := range requiredEntries {
 			if !strings.Contains(contentStr, entry) {
 				t.Errorf("Expected .gitignore to contain %s", entry)

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -112,6 +112,16 @@ const MinimumVersion1Password = "2.15.0"
 
 const MinimumVersionAWSCLI = "2.15.0"
 
+const MinimumVersionKubelogin = "0.1.7"
+
+// DefaultAKSOIDCServerID is the standard Azure AKS OIDC server ID (application ID of the
+// Microsoft-managed enterprise application "Azure Kubernetes Service AAD Server").
+// This is the same for all AKS clusters with AKS-managed Azure AD enabled.
+const DefaultAKSOIDCServerID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
+// DefaultAKSOIDCClientID is the standard Azure AKS OIDC client ID used for all AKS clusters.
+const DefaultAKSOIDCClientID = "80faf920-1908-4b52-b5ef-a8e7bedfc67a"
+
 const DefaultNodeHealthCheckTimeout = 5 * time.Minute
 
 const DefaultNodeHealthCheckPollInterval = 10 * time.Second

diff --git a/pkg/provisioner/terraform/stack.go b/pkg/provisioner/terraform/stack.go
@@ -247,6 +247,10 @@ func (s *TerraformStack) Down(blueprint *blueprintv1alpha1.Blueprint) error {
 		if err := s.shims.Remove(filepath.Join(component.FullPath, "backend_override.tf")); err != nil && !os.IsNotExist(err) {
 			return fmt.Errorf("error removing backend_override.tf from %s: %w", component.Path, err)
 		}
+
+		if err := s.shims.Remove(filepath.Join(component.FullPath, "providers_override.tf")); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("error removing providers_override.tf from %s: %w", component.Path, err)
+		}
 	}
 
 	return nil

diff --git a/pkg/provisioner/terraform/stack_test.go b/pkg/provisioner/terraform/stack_test.go
@@ -697,6 +697,32 @@ func TestStack_Down(t *testing.T) {
 			t.Errorf("Expected remove error, got: %v", err)
 		}
 	})
+
+	t.Run("ErrorRemovingProvidersOverride", func(t *testing.T) {
+		stack, mocks := setup(t)
+		projectRoot := os.Getenv("WINDSOR_PROJECT_ROOT")
+		providersOverridePath := filepath.Join(projectRoot, ".windsor", "contexts", "local", "remote", "path", "providers_override.tf")
+		if err := os.MkdirAll(filepath.Dir(providersOverridePath), 0755); err != nil {
+			t.Fatalf("Failed to create directory: %v", err)
+		}
+		if err := os.WriteFile(providersOverridePath, []byte("test"), 0644); err != nil {
+			t.Fatalf("Failed to create providers override file: %v", err)
+		}
+		mocks.Shims.Remove = func(path string) error {
+			if strings.Contains(path, "providers_override.tf") {
+				return fmt.Errorf("remove error")
+			}
+			return nil
+		}
+		blueprint := createTestBlueprint()
+		err := stack.Down(blueprint)
+		if err == nil {
+			t.Error("Expected error, got nil")
+		}
+		if !strings.Contains(err.Error(), "error removing providers_override.tf") {
+			t.Errorf("Expected remove error, got: %v", err)
+		}
+	})
 }
 
 func TestNewShims(t *testing.T) {

diff --git a/pkg/runtime/env/terraform_env.go b/pkg/runtime/env/terraform_env.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/goccy/go-yaml"
 	blueprintv1alpha1 "github.com/windsorcli/cli/api/v1alpha1"
+	"github.com/windsorcli/cli/pkg/constants"
 	"github.com/windsorcli/cli/pkg/runtime/config"
 	"github.com/windsorcli/cli/pkg/runtime/shell"
 )
@@ -106,7 +107,10 @@ func (e *TerraformEnvPrinter) GetEnvVars() (map[string]string, error) {
 
 // PostEnvHook executes operations after setting the environment variables.
 func (e *TerraformEnvPrinter) PostEnvHook(directory ...string) error {
-	return e.generateBackendOverrideTf(directory...)
+	if err := e.generateBackendOverrideTf(directory...); err != nil {
+		return err
+	}
+	return e.generateProvidersOverrideTf(directory...)
 }
 
 // GenerateTerraformArgs constructs Terraform CLI arguments and environment variables for given project and module paths.
@@ -492,6 +496,91 @@ func (e *TerraformEnvPrinter) generateBackendOverrideTf(directory ...string) err
 	return nil
 }
 
+// generateProvidersOverrideTf creates a providers_override.tf file when using Azure + AKS
+// to configure Kubernetes provider authentication via Entra ID using kubelogin with SPN authentication.
+// Detects SPN mode when AZURE_CLIENT_SECRET is set and validates required environment variables.
+// This enables generic Kubernetes modules to work with AKS clusters using Entra AD authentication
+// without requiring provider blocks in the modules themselves.
+func (e *TerraformEnvPrinter) generateProvidersOverrideTf(directory ...string) error {
+	var currentPath string
+	if len(directory) > 0 {
+		currentPath = filepath.Clean(directory[0])
+	} else {
+		var err error
+		currentPath, err = e.shims.Getwd()
+		if err != nil {
+			return fmt.Errorf("error getting current directory: %w", err)
+		}
+	}
+
+	projectPath, err := e.findRelativeTerraformProjectPath(directory...)
+	if err != nil {
+		return fmt.Errorf("error finding project path: %w", err)
+	}
+
+	if projectPath == "" {
+		return nil
+	}
+
+	azureEnabled := e.configHandler.GetBool("azure.enabled", false)
+	clusterDriver := e.configHandler.GetString("cluster.driver", "")
+
+	if !azureEnabled || clusterDriver != "aks" {
+		providersOverridePath := filepath.Join(currentPath, "providers_override.tf")
+		if _, err := e.shims.Stat(providersOverridePath); err == nil {
+			if err := e.shims.Remove(providersOverridePath); err != nil {
+				return fmt.Errorf("error removing providers_override.tf: %w", err)
+			}
+		}
+		return nil
+	}
+
+	config := e.configHandler.GetConfig()
+	if config == nil || config.Azure == nil {
+		return nil
+	}
+
+	azureEnv := "AzurePublicCloud"
+	if config.Azure.Environment != nil {
+		azureEnv = *config.Azure.Environment
+	}
+
+	azureClientSecret := e.shims.Getenv("AZURE_CLIENT_SECRET")
+
+	if azureClientSecret == "" {
+		providersOverridePath := filepath.Join(currentPath, "providers_override.tf")
+		if _, err := e.shims.Stat(providersOverridePath); err == nil {
+			if err := e.shims.Remove(providersOverridePath); err != nil {
+				return fmt.Errorf("error removing providers_override.tf: %w", err)
+			}
+		}
+		return nil
+	}
+
+	providerConfig := fmt.Sprintf(`provider "kubernetes" {
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "kubelogin"
+    args = [
+      "get-token",
+      "--login", "spn",
+      "--environment", "%s",
+      "--server-id", "%s",
+    ]
+  }
+}
+`, azureEnv, constants.DefaultAKSOIDCServerID)
+
+	providersOverridePath := filepath.Join(currentPath, "providers_override.tf")
+
+	err = e.shims.WriteFile(providersOverridePath, []byte(providerConfig), os.ModePerm)
+	if err != nil {
+		return fmt.Errorf("error writing providers_override.tf: %w", err)
+	}
+
+	return nil
+}
+
 // generateBackendConfigArgs constructs backend config args for terraform commands.
 // It reads the backend type from the config and adds relevant key-value pairs.
 // The function supports local, s3, kubernetes, and azurerm backends.