
fix: prioritise azure pipelines creds #709

Conversation

jaredfholgate (Member) commented Jan 8, 2025

This PR is to re-order the creds, so that settings for Azure Pipelines OIDC auth are prioritised over static token creds.

For example, with these pipeline settings it will prioritise Azure Pipelines auth over ARM_OIDC_TOKEN:

```yaml
steps:
  - task: AzureCLI@2
    displayName: Terraform Plan
    inputs:
      azureSubscription: "My-Service-Connection"
      scriptType: pscore
      scriptLocation: inlineScript
      addSpnToEnvironment: true
      inlineScript: |
        # Get settings from service connection
        az account show 2>$null | ConvertFrom-Json | Set-Variable account
        $clientId = $account.user.name
        $oidcToken = $env:idToken
        $subscriptionId = $account.id
        $tenantId = $account.tenantId

        $env:ARM_TENANT_ID = $account.tenantId
        $env:ARM_SUBSCRIPTION_ID = $account.id

        $env:ARM_USE_OIDC = "true"
        $env:ARM_CLIENT_ID = $clientId
        $env:ARM_USE_AZUREAD = "true"

        # Prioritise for `azapi` provider
        $env:ARM_OIDC_AZURE_SERVICE_CONNECTION_ID = "My-Service-Connection"
        $env:ARM_OIDC_REQUEST_TOKEN = "$(System.AccessToken)"

        # Fallback for `azurerm` and `azuread` providers
        $env:ARM_OIDC_TOKEN = $oidcToken

        # Run Terraform Plan
        $command = "terraform"
        $arguments = @()
        $arguments += "plan"
        $arguments += "-out=tfplan"
        $arguments += "-input=false"

        Write-Host "Running: $command $arguments"
        & $command $arguments
```
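The precedence the PR asks for, written out as an added example in Go (the provider's language). This is not the provider's code or the PR's diff; it assumes only the variable names from the description above (ARM_USE_OIDC, ARM_OIDC_AZURE_SERVICE_CONNECTION_ID, ARM_OIDC_REQUEST_TOKEN, ARM_OIDC_TOKEN), and the choice to treat a half-configured service-connection pair as an error rather than a silent fallback is this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// OIDCSource names which federated-credential path was chosen.
type OIDCSource string

const (
	SourceAzurePipelines OIDCSource = "azure-pipelines-service-connection"
	SourceStaticToken    OIDCSource = "static-oidc-token"
	SourceNone           OIDCSource = "none"
)

// Environment variable names as used in the PR description above.
const (
	envUseOIDC       = "ARM_USE_OIDC"
	envServiceConnID = "ARM_OIDC_AZURE_SERVICE_CONNECTION_ID"
	envRequestToken  = "ARM_OIDC_REQUEST_TOKEN"
	envStaticToken   = "ARM_OIDC_TOKEN"
)

// selectOIDCSource applies the ordering the PR proposes: the Azure Pipelines pair
// (service connection id + request token) wins over a static ARM_OIDC_TOKEN.
// The env map stands in for the process environment so the decision is testable.
func selectOIDCSource(env map[string]string) (OIDCSource, error) {
	if !strings.EqualFold(env[envUseOIDC], "true") {
		// OIDC not requested; a real provider would try its other auth methods here.
		return SourceNone, nil
	}
	connID, reqTok := env[envServiceConnID], env[envRequestToken]
	switch {
	case connID != "" && reqTok != "":
		return SourceAzurePipelines, nil
	case connID != "" || reqTok != "":
		// Assumption of this example, not provider behaviour: a half-configured
		// pipelines pair is reported instead of silently falling back to a static
		// token, so the misconfiguration shows up in the plan log.
		return SourceNone, fmt.Errorf("%s and %s must be set together", envServiceConnID, envRequestToken)
	}
	if env[envStaticToken] != "" {
		return SourceStaticToken, nil
	}
	return SourceNone, errors.New("ARM_USE_OIDC is true but no OIDC credential source is configured")
}

// envFromProcess reads only the variables the selector looks at.
func envFromProcess() map[string]string {
	env := make(map[string]string)
	for _, k := range []string{envUseOIDC, envServiceConnID, envRequestToken, envStaticToken} {
		env[k] = os.Getenv(k)
	}
	return env
}

func main() {
	src, err := selectOIDCSource(envFromProcess())
	if err != nil {
		fmt.Println("OIDC configuration error:", err)
		os.Exit(1)
	}
	// Log which source was chosen, never the token values themselves.
	fmt.Println("OIDC credential source:", src)
}
```

Run it inside the pipeline step above and the printed source should be the service-connection path; unset the two pipelines variables and it falls through to ARM_OIDC_TOKEN, which is the fallback the description intends for the other providers.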

jaredfholgate force-pushed the fix-prioritise-azure-pipelines-creds branch from 2a1c274 to 9d3f0b7 on January 8, 2025 10:30
magodo (Contributor) commented Jan 30, 2025

@jaredfholgate This PR is unnecessary once the ADO OIDC supports in azurerm/azuread providers are available?

jaredfholgate (Member, Author) commented:

> @jaredfholgate This PR is unnecessary once the ADO OIDC supports in azurerm/azuread providers are available?

Yes, so long as we match the env vars as discussed elsewhere then it will not be needed.

ms-henglu (Member) commented:

I'll close this PR in favor of #784, which adds support for the same environment variables as the azurerm provider.

ms-henglu closed this Feb 20, 2025