
Commit 805548b

RELOPS-2209: replace puppet kitchen identity with ronin OIDC (#283)
* RELOPS-2209: replace puppet kitchen identity with ronin OIDC * Ignore and untrack terraform lockfile in azure_ad * Migrate azure_ad module config to azuread provider v3
1 parent 754599e commit 805548b

10 files changed

Lines changed: 61 additions & 119 deletions

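--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,8 @@ override.tf.json
 # Ignore transient lock info files created by terraform apply
 .terraform.tfstate.lock.info
 
+*.terraform.lock*
+
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 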

terraform/azure_ad/.terraform.lock.hcl

Lines changed: 0 additions & 64 deletions
This file was deleted.

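--- a/terraform/azure_ad/groups.tf
+++ b/terraform/azure_ad/groups.tf
@@ -15,6 +15,6 @@ data "azuread_user" "zero_din_members" {
 # Add members to the 0DIN group
 resource "azuread_group_member" "zero_din_membership" {
 for_each = data.azuread_user.zero_din_members
-group_object_id = azuread_group.zero_din.id
+group_object_id = azuread_group.zero_din.object_id
 member_object_id = each.value.object_id
 }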
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
data "azuread_group" "relops" {
2+
display_name = "Relops"
3+
security_enabled = true
4+
}
5+
6+
resource "azuread_application" "ronin_puppet_test_kitchen" {
7+
display_name = "ronin-puppet-test-kitchen"
8+
owners = data.azuread_group.relops.members
9+
10+
web {
11+
homepage_url = "https://github.com/mozilla-platform-ops/ronin_puppet"
12+
13+
implicit_grant {
14+
access_token_issuance_enabled = false
15+
id_token_issuance_enabled = true
16+
}
17+
}
18+
}
19+
20+
resource "azuread_service_principal" "ronin_puppet_test_kitchen" {
21+
client_id = azuread_application.ronin_puppet_test_kitchen.client_id
22+
tags = concat(["name:ronin-puppet-test-kitchen"], local.sp_tags)
23+
owners = data.azuread_group.relops.members
24+
}
25+
26+
resource "azurerm_role_assignment" "ronin_puppet_test_kitchen_contributor" {
27+
role_definition_name = "Contributor"
28+
principal_id = azuread_service_principal.ronin_puppet_test_kitchen.object_id
29+
scope = data.azurerm_subscription.currentSubscription.id
30+
}
31+
32+
resource "azuread_application_federated_identity_credential" "ronin_puppet_test_kitchen_pr" {
33+
application_id = azuread_application.ronin_puppet_test_kitchen.id
34+
display_name = "github-actions-pr"
35+
description = "GitHub Actions OIDC for pull_request workflows in mozilla-platform-ops/ronin_puppet"
36+
audiences = ["api://AzureADTokenExchange"]
37+
issuer = "https://token.actions.githubusercontent.com"
38+
subject = "repo:mozilla-platform-ops/ronin_puppet:pull_request"
39+
}
40+
41+
resource "azuread_application_federated_identity_credential" "ronin_puppet_test_kitchen_branches" {
42+
application_id = azuread_application.ronin_puppet_test_kitchen.id
43+
display_name = "github-actions-branches"
44+
description = "GitHub Actions OIDC for branch workflows in mozilla-platform-ops/ronin_puppet"
45+
audiences = ["api://AzureADTokenExchange"]
46+
issuer = "https://token.actions.githubusercontent.com"
47+
subject = "repo:mozilla-platform-ops/ronin_puppet:ref:refs/heads/*"
48+
}
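Review bot: The role assignment at new lines 26-30 grants the service principal `Contributor` at `scope = data.azurerm_subscription.currentSubscription.id`, so any workflow run that matches either federated credential gets write access to the whole subscription; a test-kitchen job should normally be scoped to the resource group its instances live in, or to a custom role covering only the compute and network operations it performs, and the chosen scope deserves a comment explaining why. The branches credential uses `subject = "repo:mozilla-platform-ops/ronin_puppet:ref:refs/heads/*"`; unless this tenant has flexible (claims-expression) federated credential matching enabled, Entra matches `subject` as an exact string, so the `*` either never matches a real branch token or, where wildcard matching does apply, admits every branch of the repository — worth confirming which is intended and stating it in `description`. `id_token_issuance_enabled = true` under `implicit_grant` is not used by workload identity federation (the token exchange goes through the federated credential, not the implicit flow) and appears copied from the other app definitions in this module; if nothing signs in interactively with this app, `id_token_issuance_enabled = false` removes an unneeded flow. `owners = data.azuread_group.relops.members` makes every Relops member an owner of an app holding subscription Contributor, which may be the intended control boundary but should be documented as such.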

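--- a/terraform/azure_ad/sp_ms_store_apitoken_app.tf
+++ b/terraform/azure_ad/sp_ms_store_apitoken_app.tf
@@ -1,6 +1,6 @@
 resource "azuread_application" "ms_store_apitoken_app" {
 display_name = "MS Store API Token app"
-owners = [data.azuread_user.mcornmesser.id]
+owners = [data.azuread_user.mcornmesser.object_id]
 api {
 known_client_applications = []
 mapped_claims_enabled = false
@@ -31,4 +31,4 @@ resource "azuread_application" "ms_store_apitoken_app" {
 resource "azuread_service_principal" "ms_store_apitoken_app" {
 client_id = azuread_application.ms_store_apitoken_app.client_id
 tags = concat(["name:ms_store_apitoken_app"], local.sp_tags)
-}
+}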

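--- a/terraform/azure_ad/sp_packer_through_cib.tf
+++ b/terraform/azure_ad/sp_packer_through_cib.tf
@@ -6,7 +6,7 @@ data "azuread_user" "mcornmesser" {
 resource "azuread_application" "Packer_Through_CIB" {
 display_name = "Packer_Through_CIB"
 # Packer bits live in the CloudImageBuilder repo
-owners = [data.azuread_user.mcornmesser.id]
+owners = [data.azuread_user.mcornmesser.object_id]
 required_resource_access {
 # azure management service api
 resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
@@ -105,4 +105,4 @@ resource "azurerm_role_assignment" "Packer_Through_CIB_subscription_contributor"
 role_definition_name = "Contributor"
 principal_id = azuread_service_principal.Packer_Through_CIB.object_id
 scope = data.azurerm_subscription.currentSubscription.id
-}
+}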

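--- a/terraform/azure_ad/sp_packer_worker_images.tf
+++ b/terraform/azure_ad/sp_packer_worker_images.tf
@@ -5,7 +5,7 @@ data "azuread_user" "jmoss" {
 # application: worker_images_dev
 resource "azuread_application" "worker_images_dev" {
 display_name = "worker_images_dev"
-owners = [data.azuread_user.jmoss.id]
+owners = [data.azuread_user.jmoss.object_id]
 web {
 homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
 implicit_grant {
@@ -43,7 +43,7 @@ resource "azurerm_role_assignment" "worker_images_dev" {
 
 resource "azuread_application" "worker_images_fxci" {
 display_name = "worker_images_fxci"
-owners = [data.azuread_user.jmoss.id]
+owners = [data.azuread_user.jmoss.object_id]
 web {
 homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
 implicit_grant {
@@ -81,7 +81,7 @@ resource "azurerm_role_assignment" "worker_images_fxci" {
 
 resource "azuread_application" "worker_images_fxci_trusted" {
 display_name = "worker_images_fxci_trusted"
-owners = [data.azuread_user.jmoss.id]
+owners = [data.azuread_user.jmoss.object_id]
 web {
 homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
 implicit_grant {
@@ -120,7 +120,7 @@ resource "azurerm_role_assignment" "worker_images_fxci_trusted" {
 # application: worker_manager_tceng
 resource "azuread_application" "worker_images_tceng" {
 display_name = "worker_images_tceng"
-owners = [data.azuread_user.mcornmesser.id]
+owners = [data.azuread_user.mcornmesser.object_id]
 api {
 known_client_applications = []
 mapped_claims_enabled = false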

terraform/azure_ad/sp_puppet_test_kitchen.tf

Lines changed: 0 additions & 43 deletions
This file was deleted.

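--- a/terraform/azure_ad/sp_splunk.tf
+++ b/terraform/azure_ad/sp_splunk.tf
@@ -1,6 +1,6 @@
 resource "azuread_application" "splunkeventhub" {
 display_name = "sp-infosec-splunkeventhub"
-owners = [data.azuread_user.jmoss.id]
+owners = [data.azuread_user.jmoss.object_id]
 web {
 redirect_uris = []
 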

Lines changed: 1 addition & 2 deletions
@@ -1,5 +1,4 @@
11
terraform {
2-
required_version = ">= 0.15"
32
required_providers {
43
aws = {
54
source = "hashicorp/aws"
@@ -10,7 +9,7 @@ terraform {
109
}
1110
azuread = {
1211
source = "hashicorp/azuread"
13-
version = "~> 2"
12+
version = "~> 3"
1413
}
1514
}
1615
}
