diff --git a/main.tf b/main.tf index 8fecc36..3162ca7 100644 --- a/main.tf +++ b/main.tf @@ -3,9 +3,10 @@ module "base" { source = "./modules/base" - subscription_id = var.subscription_id - location = var.location - vm_size = var.vm_size + subscription_id = var.subscription_id + location = var.location + vm_size = var.vm_size + humanitec_org_id = var.humanitec_org_id } # User used for scaffolding and deploying apps diff --git a/modules/base/README.md b/modules/base/README.md index 8e57735..ac54e6e 100644 --- a/modules/base/README.md +++ b/modules/base/README.md @@ -38,6 +38,7 @@ Module that provides the reference architecture. | Name | Type | |------|------| | [azuread_application.main](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource | +| [azuread_application_federated_identity_credential.credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource | | [azuread_group.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource | | [azuread_group_member.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource | | [azuread_service_principal.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | @@ -68,6 +69,7 @@ Module that provides the reference architecture. | cluster\_name | Name for the AKS cluster | `string` | `"ref-arch"` | no | | container\_registry\_name\_prefix | Name for Azure Container Registry | `string` | `"humrefarch"` | no | | environment | Name of the environment to be deployed into | `string` | `"development"` | no | +| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no | | ingress\_nginx\_min\_unavailable | Number of allowed unavaiable replicas for the ingress-nginx controller | `number` | `1` | no | | ingress\_nginx\_replica\_count | Number of replicas for the ingress-nginx controller | `number` | `2` | no | | resource\_group\_name | Name of the resource group to create | `string` | `"ref-arch"` | no | diff --git a/modules/base/humanitec.tf b/modules/base/humanitec.tf index ed4dd66..ed6694b 100644 --- a/modules/base/humanitec.tf +++ b/modules/base/humanitec.tf @@ -6,10 +6,8 @@ resource "humanitec_resource_account" "cluster_account" { type = "azure" credentials = jsonencode({ - "appId" : azuread_service_principal.humanitec.client_id, - "displayName" : azuread_application.main.display_name, - "password" : azuread_service_principal_password.humanitec.value, - "tenant" : azuread_service_principal.humanitec.application_tenant_id + "azure_identity_tenant_id" : azuread_service_principal.humanitec.application_tenant_id + "azure_identity_client_id" : azuread_service_principal.humanitec.client_id }) } diff --git a/modules/base/main.tf b/modules/base/main.tf index 3105869..454491d 100644 --- a/modules/base/main.tf +++ b/modules/base/main.tf @@ -76,6 +76,15 @@ resource "azuread_service_principal_password" "humanitec" { service_principal_id = azuread_service_principal.humanitec.id } +resource "azuread_application_federated_identity_credential" "credential" { + application_id = azuread_application.main.id + display_name = "AccessFromHumanitec" + description = "Access From Humanitec" + audiences = ["api://AzureADTokenExchange"] + issuer = "https://idtoken.humanitec.io" + subject = "${var.humanitec_org_id}/${humanitec_resource_account.cluster_account.id}" +} + # Required to fetch AKS credentials resource "azurerm_role_assignment" "humanitec_cluster_user" { scope = module.azure_aks.aks_id diff --git a/modules/base/terraform.tfvars.example b/modules/base/terraform.tfvars.example index 7618d8f..4fe59a4 100644 --- a/modules/base/terraform.tfvars.example +++ b/modules/base/terraform.tfvars.example @@ -8,6 +8,9 @@ container_registry_name_prefix = "humrefarch" # Name of the environment to be deployed into environment = "development" +# Humanitec Organization ID (required for Backstage) +humanitec_org_id = "" + # Number of allowed unavaiable replicas for the ingress-nginx controller ingress_nginx_min_unavailable = 1 diff --git a/modules/base/variables.tf b/modules/base/variables.tf index a2e1279..f64c5b9 100644 --- a/modules/base/variables.tf +++ b/modules/base/variables.tf @@ -49,3 +49,9 @@ variable "subscription_id" { description = "Azure Subscription (ID) to use" type = string } + +variable "humanitec_org_id" { + description = "Humanitec Organization ID (required for Backstage)" + type = string + default = null +}