feat: use dynamic credentials

main.tf

@@ -3,9 +3,10 @@
 module "base" {
   source = "./modules/base"
 
-  subscription_id = var.subscription_id
-  location        = var.location
-  vm_size         = var.vm_size
+  subscription_id  = var.subscription_id
+  location         = var.location
+  vm_size          = var.vm_size
+  humanitec_org_id = var.humanitec_org_id
 }
 
 # User used for scaffolding and deploying apps

modules/base/README.md

@@ -38,6 +38,7 @@ Module that provides the reference architecture.
 | Name | Type |
 |------|------|
 | [azuread_application.main](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_application_federated_identity_credential.credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
 | [azuread_group.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
 | [azuread_group_member.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource |
 | [azuread_service_principal.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
@@ -68,6 +69,7 @@ Module that provides the reference architecture.
 | cluster\_name | Name for the AKS cluster | `string` | `"ref-arch"` | no |
 | container\_registry\_name\_prefix | Name for Azure Container Registry | `string` | `"humrefarch"` | no |
 | environment | Name of the environment to be deployed into | `string` | `"development"` | no |
+| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no |
 | ingress\_nginx\_min\_unavailable | Number of allowed unavaiable replicas for the ingress-nginx controller | `number` | `1` | no |
 | ingress\_nginx\_replica\_count | Number of replicas for the ingress-nginx controller | `number` | `2` | no |
 | resource\_group\_name | Name of the resource group to create | `string` | `"ref-arch"` | no |

modules/base/humanitec.tf

@@ -6,10 +6,8 @@ resource "humanitec_resource_account" "cluster_account" {
   type = "azure"
 
   credentials = jsonencode({
-    "appId" : azuread_service_principal.humanitec.client_id,
-    "displayName" : azuread_application.main.display_name,
-    "password" : azuread_service_principal_password.humanitec.value,
-    "tenant" : azuread_service_principal.humanitec.application_tenant_id
+    "azure_identity_tenant_id" : azuread_service_principal.humanitec.application_tenant_id
+    "azure_identity_client_id" : azuread_service_principal.humanitec.client_id
   })
 }
 

modules/base/main.tf

@@ -76,6 +76,15 @@ resource "azuread_service_principal_password" "humanitec" {
   service_principal_id = azuread_service_principal.humanitec.id
 }
 
+resource "azuread_application_federated_identity_credential" "credential" {
+  application_id = azuread_application.main.id
+  display_name   = "AccessFromHumanitec"
+  description    = "Access From Humanitec"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = "https://idtoken.humanitec.io"
+  subject        = "${var.humanitec_org_id}/${humanitec_resource_account.cluster_account.id}"
+}
+
 # Required to fetch AKS credentials
 resource "azurerm_role_assignment" "humanitec_cluster_user" {
   scope                = module.azure_aks.aks_id

modules/base/terraform.tfvars.example

@@ -8,6 +8,9 @@ container_registry_name_prefix = "humrefarch"
 # Name of the environment to be deployed into
 environment = "development"
 
+# Humanitec Organization ID (required for Backstage)
+humanitec_org_id = ""
+
 # Number of allowed unavaiable replicas for the ingress-nginx controller
 ingress_nginx_min_unavailable = 1
 

modules/base/variables.tf

@@ -49,3 +49,9 @@ variable "subscription_id" {
   description = "Azure Subscription (ID) to use"
   type        = string
 }
+
+variable "humanitec_org_id" {
+  description = "Humanitec Organization ID (required for Backstage)"
+  type        = string
+  default     = null
+}