From 9792491b7330e11064416a2f38f6ead280a3073d Mon Sep 17 00:00:00 2001
From: Richard Hagen
Date: Thu, 19 Dec 2024 11:44:11 +0100
Subject: [PATCH] Remove outdated AppRegistrations (#1561)

---
 .../subscriptions/s940/prod/common/github.tf | 54 -----------------
 .../subscriptions/s941/dev/common/github.tf | 52 ----------------
 terraform/tenant/entra/github.tf | 59 -------------------
 3 files changed, 165 deletions(-)
 delete mode 100644 terraform/subscriptions/s940/prod/common/github.tf
 delete mode 100644 terraform/subscriptions/s941/dev/common/github.tf
 delete mode 100644 terraform/tenant/entra/github.tf

diff --git a/terraform/subscriptions/s940/prod/common/github.tf b/terraform/subscriptions/s940/prod/common/github.tf
deleted file mode 100644
index f9b39224a..000000000
--- a/terraform/subscriptions/s940/prod/common/github.tf
+++ /dev/null
@@ -1,54 +0,0 @@
-
-data "azuread_application" "github_operator" {
- display_name = "OP-Terraform-Github Action"
-}
-data "azuread_service_principal" "github_operator" {
- display_name = data.azuread_application.github_operator.display_name
-}
-data "azurerm_storage_account" "infra" {
- name = module.config.backend.storage_account_name
- resource_group_name = module.config.backend.resource_group_name
-}
-data "azurerm_subscription" "subscription" {
- subscription_id = module.config.subscription
-}
-
-resource "azurerm_role_assignment" "github-operator-contributor" {
- scope = data.azurerm_subscription.subscription.id
- role_definition_name = "Contributor"
- principal_id = data.azuread_service_principal.github_operator.object_id
-}
-
-resource "azurerm_role_assignment" "github-operator-data-owner" {
- scope = data.azurerm_storage_account.infra.id
- role_definition_name = "Storage Blob Data Owner"
- principal_id = data.azuread_service_principal.github_operator.object_id
-}
-
-resource "azurerm_role_assignment" "github-operator-user-admin" {
- scope = data.azurerm_storage_account.infra.id
- role_definition_name = "User Access Administrator"
- principal_id = data.azuread_service_principal.github_operator.object_id
-}
-
-resource "azuread_application_federated_identity_credential" "github-operator-federated-credentials" {
- application_id = data.azuread_application.github_operator.id
- display_name = "radix-platform-operations"
- description = "Allow Github to authenticate"
- audiences = ["api://AzureADTokenExchange"]
- issuer = "https://token.actions.githubusercontent.com"
- subject = "repo:equinor/radix-platform:environment:s940"
-
- timeouts {}
-}
-
-resource "azuread_application_federated_identity_credential" "github-operator-federated-credentials-operations" {
- application_id = data.azuread_application.github_operator.id
- display_name = "radix-platform-operations-operations"
- description = "Allow Github to authenticate"
- audiences = ["api://AzureADTokenExchange"]
- issuer = "https://token.actions.githubusercontent.com"
- subject = "repo:equinor/radix-platform:environment:operations"
-
- timeouts {}
-}
diff --git a/terraform/subscriptions/s941/dev/common/github.tf b/terraform/subscriptions/s941/dev/common/github.tf
deleted file mode 100644
index c91ffc1b8..000000000
--- a/terraform/subscriptions/s941/dev/common/github.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-
-data "azuread_application" "github_operator" {
- display_name = "ar-radix-platform-github-dev-cluster-maintenance"
-}
-data "azuread_service_principal" "github_operator" {
- display_name = data.azuread_application.github_operator.display_name
-}
-data "azurerm_storage_account" "infra" {
- name = module.config.backend.storage_account_name
- resource_group_name = module.config.backend.resource_group_name
-}
-data "azurerm_subscription" "subscription" {
- subscription_id = module.config.subscription
-}
-
-resource "azurerm_role_assignment" "github-operator-contributor" {
- scope = data.azurerm_subscription.subscription.id
- role_definition_name = "Contributor"
- principal_id = data.azuread_service_principal.github_operator.object_id
-}
-
-resource "azurerm_role_assignment" "github-operator-data-owner" {
- scope = data.azurerm_storage_account.infra.id
- role_definition_name = "Storage Blob Data Owner"
- principal_id = data.azuread_service_principal.github_operator.object_id
-}
-
-resource "azurerm_role_assignment" "github-operator-user-admin" {
- scope = data.azurerm_storage_account.infra.id
- role_definition_name = "User Access Administrator"
- principal_id = data.azuread_service_principal.github_operator.object_id
-}
-
-resource "azuread_application_federated_identity_credential" "github-operator-federated-credentials" {
- application_id = data.azuread_application.github_operator.id
- display_name = "radix-platform-operations"
- description = "Allow Github to authenticate"
- audiences = ["api://AzureADTokenExchange"]
- issuer = "https://token.actions.githubusercontent.com"
- subject = "repo:equinor/radix-platform:environment:s941"
- timeouts {}
-}
-
-resource "azuread_application_federated_identity_credential" "github-operator-federated-credentials-operations" {
- application_id = data.azuread_application.github_operator.id
- display_name = "radix-platform-operations-operations"
- description = "Allow Github to authenticate"
- audiences = ["api://AzureADTokenExchange"]
- issuer = "https://token.actions.githubusercontent.com"
- subject = "repo:equinor/radix-platform:environment:operations"
- timeouts {}
-}
diff --git a/terraform/tenant/entra/github.tf b/terraform/tenant/entra/github.tf
deleted file mode 100644
index 7cb9775e7..000000000
--- a/terraform/tenant/entra/github.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-resource "azuread_application" "APP_GITHUB_ACTION_CLUSTER_S941" {
- display_name = "ar-radix-platform-github-dev-cluster-maintenance"
- owners = data.azuread_group.radix.members
- sign_in_audience = "AzureADandPersonalMicrosoftAccount"
- service_management_reference = "110327"
- tags = ["iac=terraform"]
-
- api {
- known_client_applications = []
- mapped_claims_enabled = false
- requested_access_token_version = 2
- }
-}
-resource "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER_S941" {
- client_id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.client_id
- app_role_assignment_required = false
- owners = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.owners
-}
-
-resource "azuread_application" "APP_GITHUB_ACTION_CLUSTER_S940" {
- display_name = "OP-Terraform-Github Action"
- owners = data.azuread_group.radix-platform-operators.members
- sign_in_audience = "AzureADMyOrg"
- tags = ["iac=terraform"]
- service_management_reference = "110327"
- required_resource_access {
- resource_app_id = "00000003-0000-0000-c000-000000000000"
- resource_access {
- id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
- type = "Scope"
- }
- }
-
- api {
- known_client_applications = []
- mapped_claims_enabled = false
- requested_access_token_version = 1
- }
-}
-resource "azuread_service_principal" "SP_GITHUB_ACTION_CLUSTER_S940" {
- client_id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.client_id
- app_role_assignment_required = false
- owners = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.owners
-}
-
-output "s941-github-operator-client-id" {
- value = {
- client-id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.client_id
- name = azuread_application.APP_GITHUB_ACTION_CLUSTER_S941.display_name
- }
-}
-output "s940-github-operator-client-id" {
- value = {
- client-id = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.client_id
- name = azuread_application.APP_GITHUB_ACTION_CLUSTER_S940.display_name
- }
-}