From 6a23ebe572d26b39a717d469d40c42b4c20e6234 Mon Sep 17 00:00:00 2001
From: Kevin van Blokland <kevinvanblokland@bloklab.io>
Date: Tue, 22 Jul 2025 09:03:56 +0200
Subject: [PATCH] security/acme-client: add support for AzureDNS System
 Assigned Managed Identities.

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml          | 6 ++++++
 .../library/OPNsense/AcmeClient/LeValidation/DnsAzure.php   | 4 ++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 4 ++++
 3 files changed, 14 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index d71044036..e669896d0 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -226,6 +226,12 @@
         <label>Client Secret</label>
         <type>text</type>
     </field>
+    <field>
+        <id>validation.dns_azuredns_managedidentity</id>
+        <label>Use System Assigned Managed Identity</label>
+        <type>checkbox</type>
+        <help><![CDATA[When System Assigned Managed Identity is enabled the Tenant ID, APP ID and Client Secret settings are ignored by the acme client. Access tokens are obtained using the Azure Instance Metadata Service for the System Assigned Managed Identity. See <a target="_blank" href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token">documentation</a>.]]></help>
+    </field>
     <field>
         <label>Bunny</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
index 1b2acc9dc..5f478d143 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
@@ -43,5 +43,9 @@ class DnsAzure extends Base implements LeValidationInterface
         $this->acme_env['AZUREDNS_TENANTID'] = (string)$this->config->dns_azuredns_tenantid;
         $this->acme_env['AZUREDNS_APPID'] = (string)$this->config->dns_azuredns_appid;
         $this->acme_env['AZUREDNS_CLIENTSECRET'] = (string)$this->config->dns_azuredns_clientsecret;
+        
+        if ($this->config->dns_azuredns_managedidentity == '1') {
+            $this->acme_env['AZUREDNS_MANAGEDIDENTITY'] = 'true';
+        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0d2167349..d1281cc9e 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -579,6 +579,10 @@
                 <dns_azuredns_clientsecret type="TextField">
                     <Required>N</Required>
                 </dns_azuredns_clientsecret>
+                <dns_azuredns_managedidentity type="BooleanField">
+                    <Default>0</Default>
+                    <Required>N</Required>
+                </dns_azuredns_managedidentity>
                 <dns_bunny_api_key type="TextField">
                     <Required>N</Required>
                 </dns_bunny_api_key>