Migrate federated-credentials to use module in dev (equinor#1559)
Co-authored-by: Automatic Update <[email protected]>
sveinpj and Automatic Update authored Dec 19, 2024
1 parent 7734786 commit 7993875
Showing 11 changed files with 113 additions and 96 deletions.
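--- a/terraform/subscriptions/modules/federated-credentials/main.tf
+++ b/terraform/subscriptions/modules/federated-credentials/main.tf
@@ -0,0 +1,8 @@
+resource "azurerm_federated_identity_credential" "this" {
+audience = ["api://AzureADTokenExchange"]
+name = var.name
+issuer = var.issuer
+subject = var.subject
+parent_id = var.parent_id
+resource_group_name = var.resource_group_name
+}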
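Review bot: The new module has no header comment and no `outputs.tf`, so a caller cannot tell from the module what trust it establishes or reference the created credential. A short comment above the resource would make the contract explicit: `# One federated credential on the user-assigned identity var.parent_id: tokens from var.issuer whose subject equals var.subject are accepted for the fixed audience api://AzureADTokenExchange.` The audience is intentionally fixed rather than a variable, which is the right choice for this use, but that is worth saying in the comment so nobody "generalizes" it later. Consider also exporting `azurerm_federated_identity_credential.this.id` as an output so callers can depend on the credential instead of on `module.aks`.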
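--- a/terraform/subscriptions/modules/federated-credentials/variables.tf
+++ b/terraform/subscriptions/modules/federated-credentials/variables.tf
@@ -0,0 +1,19 @@
+variable "name" {
+type = string
+}
+
+variable "issuer" {
+type = string
+}
+
+variable "subject" {
+type = string
+}
+
+variable "parent_id" {
+type = string
+}
+
+variable "resource_group_name" {
+type = string
+}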
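Review bot: `issuer` and `subject` are the two claims that decide which external tokens this identity trusts, yet both are declared as bare `string` with no description or validation, so a typo such as a wrong namespace or a plain-http issuer is only discovered at runtime. Every caller in this commit passes a subject of the form `system:serviceaccount:<namespace>:<serviceaccount>` and an issuer from `module.clusters.oidc_issuer_url`, so those shapes can be enforced at plan time with `validation` blocks. Adding `description` to all five variables would also give `terraform-docs` something to render.

```hcl
variable "issuer" {
  type        = string
  description = "OIDC issuer URL of the cluster whose service-account tokens this credential trusts."
  validation {
    condition     = can(regex("^https://", var.issuer))
    error_message = "issuer must be an https:// URL."
  }
}

variable "subject" {
  type        = string
  description = "Subject claim required in the incoming token: system:serviceaccount:<namespace>:<serviceaccount>."
  validation {
    condition     = can(regex("^system:serviceaccount:[^:]+:[^:]+$", var.subject))
    error_message = "subject must be of the form system:serviceaccount:<namespace>:<serviceaccount>."
  }
}

# … unchanged: name, parent_id, resource_group_name (add description to each) …
```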
Expand Up @@ -3,10 +3,9 @@ data "azurerm_user_assigned_identity" "azure-service-operator" {
name = "radix-id-azure-service-operator-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "azure-service-operator-fedcred" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "azure-service-operator-fedcred" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-azure-service-operator-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:azure-service-operator-system:azureserviceoperator-default"
7 changes: 3 additions & 4 deletions terraform/subscriptions/s941/dev/pre-clusters/cert-manager.tf
Expand Up @@ -3,10 +3,9 @@ data "azurerm_user_assigned_identity" "cert-manager-mi" {
name = "radix-id-certmanager-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "cert-manager-mi-fedcred" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "cert-manager-mi-fedcred" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-cert-manager-dns01-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:cert-manager:cert-manager"
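Review bot: Replacing `resource "azurerm_federated_identity_credential" "cert-manager-mi-fedcred"` with `module "cert-manager-mi-fedcred"` changes the resource address, and no `moved` block is visible in this commit, so unless one exists in a file not shown here Terraform will plan to destroy every existing credential and create a new one under `module.<name>[<cluster>].azurerm_federated_identity_credential.this`. Between the destroy and the create the cluster's service-account tokens are no longer trusted by the identity, so every workload using it (cert-manager here, and the same applies to azure-service-operator.tf, cost-allocation.tf, external-secrets, grafana.tf, log-api.tf, velero.tf and vulnerability-scanner) loses access until the apply completes, and a failed apply leaves it that way. Because the instance key moves from the resource to the module, a `moved { from = azurerm_federated_identity_credential.cert-manager-mi-fedcred[<cluster>]  to = module.cert-manager-mi-fedcred[<cluster>].azurerm_federated_identity_credential.this }` per cluster key (or an equivalent `terraform state mv` before apply) is likely needed; at minimum the plan should be checked to contain no destroys before it is applied. The enclosing blocks continue below the hunk.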
21 changes: 9 additions & 12 deletions terraform/subscriptions/s941/dev/pre-clusters/cost-allocation.tf
Expand Up @@ -5,10 +5,9 @@ data "azurerm_user_assigned_identity" "cost-allocation-writer" {
name = "radix-id-cost-allocation-writer-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "cost-allocation-writer" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "cost-allocation-writer" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-cost-allocation-writer-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-cost-allocation:radix-cost-allocation"
Expand All @@ -23,26 +22,24 @@ data "azurerm_user_assigned_identity" "cost-allocation-api-reader" {
name = "radix-id-cost-allocation-reader-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "cost-allocation-api-reader-prod" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "cost-allocation-api-reader-prod" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-cost-allocation-reader-prod-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-cost-allocation-api-prod:server-sa"
parent_id = data.azurerm_user_assigned_identity.cost-allocation-api-reader.id
resource_group_name = data.azurerm_user_assigned_identity.cost-allocation-api-reader.resource_group_name
depends_on = [module.aks]
}
resource "azurerm_federated_identity_credential" "cost-allocation-api-reader-qa" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "cost-allocation-api-reader-qa" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-cost-allocation-reader-qa-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-cost-allocation-api-qa:server-sa"
parent_id = data.azurerm_user_assigned_identity.cost-allocation-api-reader.id
resource_group_name = data.azurerm_user_assigned_identity.cost-allocation-api-reader.resource_group_name
depends_on = [module.aks]
}

Expand Up @@ -3,14 +3,13 @@ data "azurerm_user_assigned_identity" "this" {
name = "radix-id-external-secrets-operator-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "eso" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
issuer = each.value
module "eso" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "operator-wi-${each.key}"
parent_id = data.azurerm_user_assigned_identity.this.id
resource_group_name = module.config.common_resource_group
issuer = each.value
subject = "system:serviceaccount:external-secrets:workload-identity-sa"
parent_id = data.azurerm_user_assigned_identity.this.id
resource_group_name = data.azurerm_user_assigned_identity.this.resource_group_name
depends_on = [module.aks]
}
}
9 changes: 4 additions & 5 deletions terraform/subscriptions/s941/dev/pre-clusters/grafana.tf
Expand Up @@ -3,14 +3,13 @@ data "azurerm_user_assigned_identity" "grafana" {
name = "radix-id-grafana-admin-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "grafana-mi-fedcred" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "grafana-mi-fedcred" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-grafana-${each.key}"
issuer = each.value
subject = "system:serviceaccount:monitor:grafana"
parent_id = data.azurerm_user_assigned_identity.grafana.id
resource_group_name = data.azurerm_user_assigned_identity.grafana.resource_group_name
depends_on = [module.aks]
}
}
13 changes: 6 additions & 7 deletions terraform/subscriptions/s941/dev/pre-clusters/log-api.tf
Expand Up @@ -3,21 +3,20 @@ data "azurerm_user_assigned_identity" "log-api-mi" {
name = module.config.radix_log_api_mi_name
}

resource "azurerm_federated_identity_credential" "log-api-mi-prod" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "log-api-mi-prod" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-log-api-prod-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-log-api-prod:server-sa"
parent_id = data.azurerm_user_assigned_identity.log-api-mi.id
resource_group_name = data.azurerm_user_assigned_identity.log-api-mi.resource_group_name
depends_on = [module.aks]
}
resource "azurerm_federated_identity_credential" "log-api-mi-qa" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "log-api-mi-qa" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-log-api-qa-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-log-api-qa:server-sa"
9 changes: 4 additions & 5 deletions terraform/subscriptions/s941/dev/pre-clusters/velero.tf
Expand Up @@ -3,14 +3,13 @@ data "azurerm_user_assigned_identity" "velero" {
name = "radix-id-velero-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "velero-mi-fedcred" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "velero-mi-fedcred" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-velero-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:velero:velero"
parent_id = data.azurerm_user_assigned_identity.velero.id
resource_group_name = module.config.common_resource_group
resource_group_name = data.azurerm_user_assigned_identity.velero.resource_group_name
depends_on = [module.aks]
}
Expand Up @@ -5,10 +5,9 @@ data "azurerm_user_assigned_identity" "vulnerability-scanner-writer" {
name = "radix-id-vulnerability-scan-writer-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "vulnerability-scanner-writer" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "vulnerability-scanner-writer" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-vulnerability-scan-writer-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-vulnerability-scanner:radix-vulnerability-scanner"
Expand All @@ -23,21 +22,20 @@ data "azurerm_user_assigned_identity" "vulnerability-scanner-api-reader" {
name = "radix-id-vulnerability-scan-reader-${module.config.environment}"
}

resource "azurerm_federated_identity_credential" "vulnerability-scanner-api-reader-prod" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "vulnerability-scanner-api-reader-prod" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-vulnerability-scan-reader-prod-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-vulnerability-scanner-api-prod:server-sa"
parent_id = data.azurerm_user_assigned_identity.vulnerability-scanner-api-reader.id
resource_group_name = data.azurerm_user_assigned_identity.vulnerability-scanner-api-reader.resource_group_name
depends_on = [module.aks]
}
resource "azurerm_federated_identity_credential" "vulnerability-scanner-api-reader-qa" {
for_each = module.clusters.oidc_issuer_url

audience = ["api://AzureADTokenExchange"]
module "vulnerability-scanner-api-reader-qa" {
source = "../../../modules/federated-credentials"
for_each = module.clusters.oidc_issuer_url
name = "k8s-radix-vulnerability-scan-reader-qa-${each.key}-${module.config.environment}"
issuer = each.value
subject = "system:serviceaccount:radix-vulnerability-scanner-api-qa:server-sa"

