feat(inputs.sqlserver): Introduce user specified ID parameter for ADD…

… logins (#15424)

Co-authored-by: Joshua Powers <powersj@fastmail.com>

plugins/inputs/sqlserver/README.md

@@ -152,6 +152,10 @@ to use them.
   ## valid methods: "connection_string", "AAD"
   # auth_method = "connection_string"
 
+  ## ClientID is the is the client ID of the user assigned identity of the VM
+  ## that should be used to authenticate to the Azure SQL server.
+  # client_id = ""
+
   ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2
   ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type.
   ## Possible values for database_type are - "SQLServer" or "AzureSQLDB" or "AzureSQLManagedInstance" or "AzureSQLPool"
@@ -291,6 +295,10 @@ in a connection string.
 To enable support for AAD authentication, we leverage the existing AAD
 authentication support.
 
+If more then one managed identity is assigned to the VM. You need specify the
+client_id of the identity you wish to use to authenticate with the SQL Server.
+If only one is assigned you don't need so specify this value.
+
 - Please see [SQL Server driver for Go](https://github.com/microsoft/go-mssqldb#azure-active-directory-authentication)
 
 ### How to use AAD Auth with MSI
@@ -300,6 +308,9 @@ authentication support.
 - Configure "system-assigned managed identity" for Azure resources on the Monitoring VM (the VM that'd connect to the SQL server/database) [using the Azure portal](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm).
 - On the database being monitored, create/update a USER with the name of the Monitoring VM as the principal using the below script. This might require allow-listing the client machine's IP address (from where the below SQL script is being run) on the SQL Server resource.
 
+In case of multiple assigned identities on one VM you can use the parameter
+user_assigned_id to specify the client_id.
+
 ```sql
 EXECUTE ('IF EXISTS(SELECT * FROM sys.database_principals WHERE name = ''<Monitoring_VM_Name>'')
     BEGIN

plugins/inputs/sqlserver/sample.conf

@@ -20,6 +20,10 @@
   ## valid methods: "connection_string", "AAD"
   # auth_method = "connection_string"
 
+  ## ClientID is the is the client ID of the user assigned identity of the VM
+  ## that should be used to authenticate to the Azure SQL server.
+  # client_id = ""
+
   ## "database_type" enables a specific set of queries depending on the database type. If specified, it replaces azuredb = true/false and query_version = 2
   ## In the config file, the sql server plugin section should be repeated each with a set of servers for a specific database_type.
   ## Possible values for database_type are - "SQLServer" or "AzureSQLDB" or "AzureSQLManagedInstance" or "AzureSQLPool"

plugins/inputs/sqlserver/sqlserver.go

@@ -28,6 +28,7 @@ type SQLServer struct {
 	Servers      []*config.Secret `toml:"servers"`
 	QueryTimeout config.Duration  `toml:"query_timeout"`
 	AuthMethod   string           `toml:"auth_method"`
+	ClientID     string           `toml:"client_id"`
 	QueryVersion int              `toml:"query_version" deprecated:"1.16.0;1.35.0;use 'database_type' instead"`
 	AzureDB      bool             `toml:"azuredb" deprecated:"1.16.0;1.35.0;use 'database_type' instead"`
 	DatabaseType string           `toml:"database_type"`
@@ -537,9 +538,17 @@ func (s *SQLServer) refreshToken() (*adal.Token, error) {
 	}
 
 	// get new token for the resource id
-	spt, err := adal.NewServicePrincipalTokenFromMSI(msiEndpoint, sqlAzureResourceID)
-	if err != nil {
-		return nil, err
+	var spt *adal.ServicePrincipalToken
+	if s.ClientID == "" {
+		spt, err = adal.NewServicePrincipalTokenFromMSI(msiEndpoint, sqlAzureResourceID)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		spt, err = adal.NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, sqlAzureResourceID, s.ClientID)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	// ensure token is fresh