diff --git a/README.md b/README.md
index ca982c2..ec6a4fa 100644
--- a/README.md
+++ b/README.md
@@ -269,10 +269,10 @@ Once you are finished with the reference architecture, you can remove all provis
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
 | location | Azure region to deploy into | `string` | n/a | yes |
 | subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
 | github\_org\_id | GitHub org id (required for Backstage) | `string` | `null` | no |
-| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no |
 | vm\_size | The Azure VM instances type to use as "Agents" (aka Kubernetes Nodes) in AKS | `string` | `"Standard_D2_v2"` | no |
 | with\_backstage | Deploy Backstage | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 8fecc36..3162ca7 100644
--- a/main.tf
+++ b/main.tf
@@ -3,9 +3,10 @@ module "base" {
 source = "./modules/base"
- subscription_id = var.subscription_id
- location = var.location
- vm_size = var.vm_size
+ subscription_id = var.subscription_id
+ location = var.location
+ vm_size = var.vm_size
+ humanitec_org_id = var.humanitec_org_id
 }
 # User used for scaffolding and deploying apps
diff --git a/modules/base/README.md b/modules/base/README.md
index 8e57735..490efdd 100644
--- a/modules/base/README.md
+++ b/modules/base/README.md
@@ -38,10 +38,10 @@ Module that provides the reference architecture.
 | Name | Type |
 |------|------|
 | [azuread_application.main](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_application_federated_identity_credential.credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
 | [azuread_group.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
 | [azuread_group_member.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource |
 | [azuread_service_principal.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azuread_service_principal_password.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
 | [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource |
 | [azurerm_public_ip.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
@@ -63,6 +63,7 @@ Module that provides the reference architecture.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
 | location | Azure region to deploy into | `string` | n/a | yes |
 | subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
 | cluster\_name | Name for the AKS cluster | `string` | `"ref-arch"` | no |
diff --git a/modules/base/humanitec.tf b/modules/base/humanitec.tf
index ed4dd66..ed6694b 100644
--- a/modules/base/humanitec.tf
+++ b/modules/base/humanitec.tf
@@ -6,10 +6,8 @@ resource "humanitec_resource_account" "cluster_account" {
 type = "azure"
 credentials = jsonencode({
- "appId" : azuread_service_principal.humanitec.client_id,
- "displayName" : azuread_application.main.display_name,
- "password" : azuread_service_principal_password.humanitec.value,
- "tenant" : azuread_service_principal.humanitec.application_tenant_id
+ "azure_identity_tenant_id" : azuread_service_principal.humanitec.application_tenant_id
+ "azure_identity_client_id" : azuread_service_principal.humanitec.client_id
 })
 }
diff --git a/modules/base/main.tf b/modules/base/main.tf
index 3105869..f516395 100644
--- a/modules/base/main.tf
+++ b/modules/base/main.tf
@@ -72,8 +72,13 @@ resource "azuread_service_principal" "humanitec" {
 owners = [data.azuread_client_config.current.object_id]
 }
-resource "azuread_service_principal_password" "humanitec" {
- service_principal_id = azuread_service_principal.humanitec.id
+resource "azuread_application_federated_identity_credential" "credential" {
+ application_id = azuread_application.main.id
+ display_name = "AccessFromHumanitec"
+ description = "Access From Humanitec"
+ audiences = ["api://AzureADTokenExchange"]
+ issuer = "https://idtoken.humanitec.io"
+ subject = "${var.humanitec_org_id}/${humanitec_resource_account.cluster_account.id}"
 }
 # Required to fetch AKS credentials
diff --git a/modules/base/terraform.tfvars.example b/modules/base/terraform.tfvars.example
index 7618d8f..0eec6d2 100644
--- a/modules/base/terraform.tfvars.example
+++ b/modules/base/terraform.tfvars.example
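Review bot: The `credentials` map now carries only the tenant id and client id, but the trust that makes them usable is the federated identity credential in modules/base/main.tf, whose `subject` is built from `humanitec_resource_account.cluster_account.id`; Terraform therefore has to create this account before Azure AD trusts any Humanitec-issued token, and if the Humanitec provider verifies the credentials at creation time the first apply would fail, with no way to add `depends_on` here without a cycle. That is worth confirming against the provider's behaviour before relying on a clean first apply. The ordering and the secretless design deserve a comment above `credentials`, e.g. `# No secret here: Azure AD trusts Humanitec's OIDC tokens via the federated identity credential in main.tf, which is created after this account.` The two new entries also drop the trailing commas the removed lines had; HCL accepts newline-separated object attributes, so this is a style point only. The resource's `id` argument sits above the hunk.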
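Review bot: The new `azuread_application_federated_identity_credential.credential` block has no comment explaining what the hard-coded `issuer`, `audiences` and `subject` values pin down, and a future maintainer could easily widen the subject or change the issuer without realising that these three fields are the entire access-control boundary for Humanitec's access to the application. Suggest a comment above the resource such as `# Workload identity federation: Azure AD exchanges OIDC tokens issued by Humanitec for this app's identity, but only tokens whose subject is exactly "<humanitec org id>/<resource account id>" — no client secret is created or stored in state.` Separately, the removed `azuread_service_principal_password.humanitec` resource kept its `value` in plaintext in Terraform state, and earlier state snapshots or backups still contain it; it is the destroy of that resource during apply that invalidates the secret in Azure AD, so anyone migrating an existing deployment should confirm the destroy actually completed rather than assume the old secret is dead. Whether the Humanitec side caches the old credential is not visible from this diff.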
@@ -8,6 +8,9 @@ container_registry_name_prefix = "humrefarch"
 # Name of the environment to be deployed into
 environment = "development"
+# Humanitec Organization ID
+humanitec_org_id = ""
+
 # Number of allowed unavaiable replicas for the ingress-nginx controller
 ingress_nginx_min_unavailable = 1
diff --git a/modules/base/variables.tf b/modules/base/variables.tf
index a2e1279..bd4fbd3 100644
--- a/modules/base/variables.tf
+++ b/modules/base/variables.tf
@@ -49,3 +49,8 @@ variable "subscription_id" {
 description = "Azure Subscription (ID) to use"
 type = string
 }
+
+variable "humanitec_org_id" {
+ description = "Humanitec Organization ID"
+ type = string
+}
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 2ebfdbb..72c35c0 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -2,7 +2,7 @@
 # GitHub org id (required for Backstage)
 github_org_id = ""
-# Humanitec Organization ID (required for Backstage)
+# Humanitec Organization ID
 humanitec_org_id = ""
 # Azure region to deploy into
diff --git a/variables.tf b/variables.tf
index aba8325..b0d6e4a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,7 +27,6 @@ variable "github_org_id" {
 }
 variable "humanitec_org_id" {
- description = "Humanitec Organization ID (required for Backstage)"
+ description = "Humanitec Organization ID"
 type = string
- default = null
 }
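Review bot: The new `humanitec_org_id` variable in modules/base/variables.tf accepts an empty string, and both tfvars examples in this diff ship `humanitec_org_id = ""`, so a user who copies the example unchanged gets a federated identity credential whose `subject` is `/<resource account id>` with no organization component — a malformed trust subject rather than a plan-time error. Since the value is part of the OIDC trust boundary, a `validation` block that rejects blank input would turn that into a clear failure at plan time; the same applies to the root `variables.tf` hunk at the end of this diff, where dropping `default = null` makes the variable required but still unvalidated. The description could also say what the value is used for, e.g. `description = "Humanitec Organization ID (forms part of the federated identity credential subject)"`.

```hcl
variable "humanitec_org_id" {
  description = "Humanitec Organization ID (forms part of the federated identity credential subject)"
  type        = string

  validation {
    condition     = length(trimspace(var.humanitec_org_id)) > 0
    error_message = "humanitec_org_id must not be empty; it is embedded in the federated identity credential subject."
  }
}
```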