chore(deps): update localstack/localstack docker tag to v4.12.0

.github/workflows/ci.yaml

@@ -128,7 +128,7 @@ jobs:
         run: go install ./...
 
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
+        uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f # v2.22.11
         with:
           args: ./...
         env:

aqua.yaml

@@ -9,25 +9,25 @@
 #     - all
 registries:
   - type: standard
-    ref: v4.444.2 # renovate: depName=aquaproj/aqua-registry
+    ref: v4.445.0 # renovate: depName=aquaproj/aqua-registry
 packages:
-- name: hashicorp/terraform@v1.14.1
+- name: hashicorp/terraform@v1.14.2
 - name: siderolabs/talos@v1.11.5
 - name: siderolabs/omni/omnictl@v1.3.4
 - name: siderolabs/omni/omni@v1.3.4
-- name: kubernetes/kubectl@v1.34.2
+- name: kubernetes/kubectl@v1.34.3
 - name: go-task/task@v3.45.5
 - name: golang/go@go1.25.5
 - name: getsops/sops@v3.9.0
 - name: abiosoft/colima@v0.9.1
 - name: lima-vm/lima@v2.0.2
 - name: docker/cli@v27.4.1
-- name: securego/gosec@v2.22.10
+- name: securego/gosec@v2.22.11
 - name: docker/compose@v5.0.0
 - name: google/go-jsonnet@v0.21.0
 - name: mikefarah/yq@v4.49.2
 - name: goreleaser/goreleaser@v2.13.1
-- name: helm/helm@v4.0.1
+- name: helm/helm@v4.0.2
 - name: 1password/cli@v2.30.3
 - name: fluxcd/flux2@v2.7.5
-- name: aws/aws-cli@2.32.12
+- name: aws/aws-cli@2.32.15

go.mod

@@ -25,9 +25,9 @@ require (
 	github.com/spf13/pflag v1.0.10
 	github.com/zclconf/go-cty v1.17.0
 	golang.org/x/crypto v0.46.0
-	k8s.io/api v0.34.2
-	k8s.io/apimachinery v0.34.2
-	k8s.io/client-go v0.34.2
+	k8s.io/api v0.34.3
+	k8s.io/apimachinery v0.34.3
+	k8s.io/client-go v0.34.3
 	sigs.k8s.io/controller-runtime v0.22.4
 	sigs.k8s.io/yaml v1.6.0
 )

go.sum

@@ -625,14 +625,14 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY=
-k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw=
+k8s.io/api v0.34.3 h1:D12sTP257/jSH2vHV2EDYrb16bS7ULlHpdNdNhEw2S4=
+k8s.io/api v0.34.3/go.mod h1:PyVQBF886Q5RSQZOim7DybQjAbVs8g7gwJNhGtY5MBk=
 k8s.io/apiextensions-apiserver v0.34.2 h1:WStKftnGeoKP4AZRz/BaAAEJvYp4mlZGN0UCv+uvsqo=
 k8s.io/apiextensions-apiserver v0.34.2/go.mod h1:398CJrsgXF1wytdaanynDpJ67zG4Xq7yj91GrmYN2SE=
-k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4=
-k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
-k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M=
-k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE=
+k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE=
+k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
+k8s.io/client-go v0.34.3 h1:wtYtpzy/OPNYf7WyNBTj3iUA0XaBHVqhv4Iv3tbrF5A=
+k8s.io/client-go v0.34.3/go.mod h1:OxxeYagaP9Kdf78UrKLa3YZixMCfP6bgPwPwNBQBzpM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=

pkg/composer/composer.go

@@ -176,6 +176,7 @@ func (r *Composer) generateGitignore() error {
 		".windsor/",
 		".volumes/",
 		"terraform/**/backend_override.tf",
+		"terraform/**/providers_override.tf",
 		"contexts/**/.kube/",
 		"contexts/**/.talos/",
 		"contexts/**/.omni/",

pkg/composer/composer_test.go

@@ -1114,7 +1114,7 @@ func TestComposer_generateGitignore(t *testing.T) {
 		}
 
 		contentStr := string(content)
-		requiredEntries := []string{".windsor/", ".volumes/", "terraform/**/backend_override.tf"}
+		requiredEntries := []string{".windsor/", ".volumes/", "terraform/**/backend_override.tf", "terraform/**/providers_override.tf"}
 		for _, entry := range requiredEntries {
 			if !strings.Contains(contentStr, entry) {
 				t.Errorf("Expected .gitignore to contain %s", entry)

pkg/constants/constants.go

@@ -77,13 +77,13 @@ const DefaultKustomizationWaitPollInterval = 5 * time.Second
 const DefaultKustomizationWaitMaxFailures = 5
 
 // renovate: datasource=docker depName=localstack/localstack
-const DefaultAWSLocalstackImage = "localstack/localstack:4.11.1"
+const DefaultAWSLocalstackImage = "localstack/localstack:4.12.0"
 
 // renovate: datasource=docker depName=localstack/localstack-pro
 const DefaultAWSLocalstackProImage = "localstack/localstack-pro:4.11.1"
 
 // renovate: datasource=docker depName=coredns/coredns
-const DefaultDNSImage = "coredns/coredns:1.13.1"
+const DefaultDNSImage = "coredns/coredns:1.13.2"
 
 // renovate: datasource=docker depName=registry
 const RegistryDefaultImage = "registry:3.0.0"
@@ -112,6 +112,16 @@ const MinimumVersion1Password = "2.15.0"
 
 const MinimumVersionAWSCLI = "2.15.0"
 
+const MinimumVersionKubelogin = "0.1.7"
+
+// DefaultAKSOIDCServerID is the standard Azure AKS OIDC server ID (application ID of the
+// Microsoft-managed enterprise application "Azure Kubernetes Service AAD Server").
+// This is the same for all AKS clusters with AKS-managed Azure AD enabled.
+const DefaultAKSOIDCServerID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
+// DefaultAKSOIDCClientID is the standard Azure AKS OIDC client ID used for all AKS clusters.
+const DefaultAKSOIDCClientID = "80faf920-1908-4b52-b5ef-a8e7bedfc67a"
+
 const DefaultNodeHealthCheckTimeout = 5 * time.Minute
 
 const DefaultNodeHealthCheckPollInterval = 10 * time.Second

pkg/provisioner/terraform/stack.go

@@ -159,6 +159,13 @@ func (s *TerraformStack) Up(blueprint *blueprintv1alpha1.Blueprint) error {
 				return fmt.Errorf("error removing backend override file for %s: %w", component.Path, err)
 			}
 		}
+
+		providersOverridePath := filepath.Join(component.FullPath, "providers_override.tf")
+		if _, err := s.shims.Stat(providersOverridePath); err == nil {
+			if err := s.shims.Remove(providersOverridePath); err != nil {
+				return fmt.Errorf("error removing providers override file for %s: %w", component.Path, err)
+			}
+		}
 	}
 
 	return nil
@@ -247,6 +254,10 @@ func (s *TerraformStack) Down(blueprint *blueprintv1alpha1.Blueprint) error {
 		if err := s.shims.Remove(filepath.Join(component.FullPath, "backend_override.tf")); err != nil && !os.IsNotExist(err) {
 			return fmt.Errorf("error removing backend_override.tf from %s: %w", component.Path, err)
 		}
+
+		if err := s.shims.Remove(filepath.Join(component.FullPath, "providers_override.tf")); err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("error removing providers_override.tf from %s: %w", component.Path, err)
+		}
 	}
 
 	return nil

pkg/provisioner/terraform/stack_test.go

@@ -444,6 +444,32 @@ func TestStack_Up(t *testing.T) {
 			t.Errorf("Expected remove error, got: %v", err)
 		}
 	})
+
+	t.Run("ErrorRemovingProvidersOverride", func(t *testing.T) {
+		stack, mocks := setup(t)
+		projectRoot := os.Getenv("WINDSOR_PROJECT_ROOT")
+		providersOverridePath := filepath.Join(projectRoot, ".windsor", "contexts", "local", "remote", "path", "providers_override.tf")
+		if err := os.MkdirAll(filepath.Dir(providersOverridePath), 0755); err != nil {
+			t.Fatalf("Failed to create directory: %v", err)
+		}
+		if err := os.WriteFile(providersOverridePath, []byte("test"), 0644); err != nil {
+			t.Fatalf("Failed to create providers override file: %v", err)
+		}
+		mocks.Shims.Remove = func(path string) error {
+			if strings.Contains(path, "providers_override.tf") {
+				return fmt.Errorf("remove error")
+			}
+			return nil
+		}
+		blueprint := createTestBlueprint()
+		err := stack.Up(blueprint)
+		if err == nil {
+			t.Error("Expected error, got nil")
+		}
+		if !strings.Contains(err.Error(), "error removing providers override file") {
+			t.Errorf("Expected remove error, got: %v", err)
+		}
+	})
 }
 
 func TestStack_Down(t *testing.T) {
@@ -697,6 +723,32 @@ func TestStack_Down(t *testing.T) {
 			t.Errorf("Expected remove error, got: %v", err)
 		}
 	})
+
+	t.Run("ErrorRemovingProvidersOverride", func(t *testing.T) {
+		stack, mocks := setup(t)
+		projectRoot := os.Getenv("WINDSOR_PROJECT_ROOT")
+		providersOverridePath := filepath.Join(projectRoot, ".windsor", "contexts", "local", "remote", "path", "providers_override.tf")
+		if err := os.MkdirAll(filepath.Dir(providersOverridePath), 0755); err != nil {
+			t.Fatalf("Failed to create directory: %v", err)
+		}
+		if err := os.WriteFile(providersOverridePath, []byte("test"), 0644); err != nil {
+			t.Fatalf("Failed to create providers override file: %v", err)
+		}
+		mocks.Shims.Remove = func(path string) error {
+			if strings.Contains(path, "providers_override.tf") {
+				return fmt.Errorf("remove error")
+			}
+			return nil
+		}
+		blueprint := createTestBlueprint()
+		err := stack.Down(blueprint)
+		if err == nil {
+			t.Error("Expected error, got nil")
+		}
+		if !strings.Contains(err.Error(), "error removing providers_override.tf") {
+			t.Errorf("Expected remove error, got: %v", err)
+		}
+	})
 }
 
 func TestNewShims(t *testing.T) {

pkg/runtime/env/terraform_env.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/goccy/go-yaml"
 	blueprintv1alpha1 "github.com/windsorcli/cli/api/v1alpha1"
+	"github.com/windsorcli/cli/pkg/constants"
 	"github.com/windsorcli/cli/pkg/runtime/config"
 	"github.com/windsorcli/cli/pkg/runtime/shell"
 )
@@ -106,7 +107,10 @@ func (e *TerraformEnvPrinter) GetEnvVars() (map[string]string, error) {
 
 // PostEnvHook executes operations after setting the environment variables.
 func (e *TerraformEnvPrinter) PostEnvHook(directory ...string) error {
-	return e.generateBackendOverrideTf(directory...)
+	if err := e.generateBackendOverrideTf(directory...); err != nil {
+		return err
+	}
+	return e.generateProvidersOverrideTf(directory...)
 }
 
 // GenerateTerraformArgs constructs Terraform CLI arguments and environment variables for given project and module paths.
@@ -492,6 +496,101 @@ func (e *TerraformEnvPrinter) generateBackendOverrideTf(directory ...string) err
 	return nil
 }
 
+// generateProvidersOverrideTf creates a providers_override.tf file when using Azure + AKS
+// to configure Kubernetes provider authentication via Entra ID using kubelogin with SPN authentication.
+// Detects SPN mode when AZURE_CLIENT_SECRET is set and validates required environment variables.
+// This enables generic Kubernetes modules to work with AKS clusters using Entra AD authentication
+// without requiring provider blocks in the modules themselves.
+func (e *TerraformEnvPrinter) generateProvidersOverrideTf(directory ...string) error {
+	var currentPath string
+	if len(directory) > 0 {
+		currentPath = filepath.Clean(directory[0])
+	} else {
+		var err error
+		currentPath, err = e.shims.Getwd()
+		if err != nil {
+			return fmt.Errorf("error getting current directory: %w", err)
+		}
+	}
+
+	projectPath, err := e.findRelativeTerraformProjectPath(directory...)
+	if err != nil {
+		return fmt.Errorf("error finding project path: %w", err)
+	}
+
+	if projectPath == "" {
+		return nil
+	}
+
+	azureEnabled := e.configHandler.GetBool("azure.enabled", false)
+	clusterDriver := e.configHandler.GetString("cluster.driver", "")
+
+	if !azureEnabled || clusterDriver != "aks" {
+		providersOverridePath := filepath.Join(currentPath, "providers_override.tf")
+		if _, err := e.shims.Stat(providersOverridePath); err == nil {
+			if err := e.shims.Remove(providersOverridePath); err != nil {
+				return fmt.Errorf("error removing providers_override.tf: %w", err)
+			}
+		}
+		return nil
+	}
+
+	config := e.configHandler.GetConfig()
+	if config == nil || config.Azure == nil {
+		return nil
+	}
+
+	azureEnv := "AzurePublicCloud"
+	if config.Azure.Environment != nil {
+		azureEnv = *config.Azure.Environment
+	}
+
+	loginMode := e.detectKubeloginMode()
+
+	providerConfig := fmt.Sprintf(`provider "kubernetes" {
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "kubelogin"
+    args = [
+      "get-token",
+      "--login", "%s",
+      "--environment", "%s",
+      "--server-id", "%s",
+    ]
+  }
+}
+`, loginMode, azureEnv, constants.DefaultAKSOIDCServerID)
+
+	providersOverridePath := filepath.Join(currentPath, "providers_override.tf")
+
+	err = e.shims.WriteFile(providersOverridePath, []byte(providerConfig), os.ModePerm)
+	if err != nil {
+		return fmt.Errorf("error writing providers_override.tf: %w", err)
+	}
+
+	return nil
+}
+
+// detectKubeloginMode determines which kubelogin authentication mode to use based on
+// environment variables. Priority order: GitHub Actions OIDC, Kubernetes pod workload
+// identity, and fallback to Azure CLI for local development.
+func (e *TerraformEnvPrinter) detectKubeloginMode() string {
+	actionsToken := e.shims.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
+	actionsURL := e.shims.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
+	if actionsToken != "" && actionsURL != "" {
+		return "workloadidentity"
+	}
+
+	federatedTokenFile := e.shims.Getenv("AZURE_FEDERATED_TOKEN_FILE")
+	if federatedTokenFile != "" {
+		if _, err := e.shims.Stat(federatedTokenFile); err == nil {
+			return "workloadidentity"
+		}
+	}
+
+	return "azurecli"
+}
+
 // generateBackendConfigArgs constructs backend config args for terraform commands.
 // It reads the backend type from the config and adds relevant key-value pairs.
 // The function supports local, s3, kubernetes, and azurerm backends.