feat: switch to OIDC based auth for Terraform (#382)
Pactionly authored Jun 26, 2023
1 parent 6de7b27 commit 52a58d7
Showing 5 changed files with 20 additions and 17 deletions.
13 changes: 7 additions & 6 deletions .github/workflows/apply-prod.yml
Expand Up @@ -14,6 +14,11 @@ on:
env:
IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/gratibot

permissions:
id-token: write
contents: read
packages: write

jobs:
build:
name: Tag image
Expand All @@ -39,8 +44,6 @@ jobs:
plan:
name: "Terraform Prod plan"
runs-on: ubuntu-latest
environment:
name: "prod-plan"
needs: build
steps:
- name: Checkout
Expand All @@ -56,10 +59,9 @@ jobs:
terragrunt plan
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
ARM_TENANT_ID: "1b4a4fed-fed8-4823-a8a0-3d5cea83d122"
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_PROD_SUBSCRIPTION_ID }}
TF_VAR_acr_subscription_id: ${{ secrets.AZURE_PROD_SUBSCRIPTION_ID }}
ARM_USE_OIDC: true
TF_VAR_gratibot_image: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}"
TF_VAR_app_token: ${{ secrets.PROD_PLAN_APP_TOKEN }}
TF_VAR_bot_user_token: ${{ secrets.PROD_PLAN_BOT_TOKEN }}
Expand All @@ -84,10 +86,9 @@ jobs:
terragrunt apply --terragrunt-non-interactive -auto-approve
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
ARM_TENANT_ID: "1b4a4fed-fed8-4823-a8a0-3d5cea83d122"
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_PROD_SUBSCRIPTION_ID }}
TF_VAR_acr_subscription_id: ${{ secrets.AZURE_PROD_SUBSCRIPTION_ID }}
ARM_USE_OIDC: true
TF_VAR_gratibot_image: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}"
TF_VAR_app_token: ${{ secrets.PROD_APP_TOKEN }}
TF_VAR_bot_user_token: ${{ secrets.PROD_BOT_TOKEN }}
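Review bot: The workflow-level `permissions` block added at the top of apply-prod.yml grants `id-token: write` and `packages: write` to every job, including the `plan` job, which only needs to exchange an OIDC token and read the repository; since the minted OIDC token is exactly what the Azure federated credential trusts, it should be issuable only from the jobs that actually run terragrunt. Move `id-token: write` into the `plan` and apply jobs and `packages: write` into the `build` job, leaving the workflow default at `permissions: contents: read`, e.g. on each Terraform job `permissions: { id-token: write, contents: read }`. Dropping `environment: prod-plan` from `plan` also removes that job's environment protection rules and environment-scoped secrets, and the federated credential's subject must now match a branch/ref instead of `environment:prod-plan` — worth confirming that `PROD_PLAN_APP_TOKEN` and `PROD_PLAN_BOT_TOKEN` are repository-level secrets and that the subject claim was updated, since neither is visible here. The `apply` job's definition starts outside this hunk.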
10 changes: 7 additions & 3 deletions .github/workflows/pull-request.yaml
Expand Up @@ -8,6 +8,12 @@ on:
env:
IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/gratibot

permissions:
id-token: write
pull-requests: write
contents: read
packages: write

jobs:
setup:
name: Pipeline Setup
Expand Down Expand Up @@ -57,7 +63,6 @@ jobs:
terragrunt validate --terragrunt-no-auto-init
working-directory: infra/terragrunt/nonprod/gratibot/
env:
TF_VAR_acr_subscription_id: ${{ secrets.AZURE_NONPROD_SUBSCRIPTION_ID }}
TF_VAR_gratibot_image: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}"
TF_VAR_app_token: ${{ secrets.NONPROD_APP_TOKEN }}
TF_VAR_bot_user_token: ${{ secrets.NONPROD_BOT_TOKEN }}
Expand All @@ -82,10 +87,9 @@ jobs:
continue-on-error: true
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
ARM_TENANT_ID: "1b4a4fed-fed8-4823-a8a0-3d5cea83d122"
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_NONPROD_SUBSCRIPTION_ID }}
TF_VAR_acr_subscription_id: ${{ secrets.AZURE_NONPROD_SUBSCRIPTION_ID }}
ARM_USE_OIDC: true
TF_VAR_gratibot_image: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}"
TF_VAR_app_token: ${{ secrets.NONPROD_APP_TOKEN }}
TF_VAR_bot_user_token: ${{ secrets.NONPROD_BOT_TOKEN }}
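Review bot: The top-level `permissions` in pull-request.yaml gives every job `id-token: write`, `pull-requests: write` and `packages: write`, so the `setup` job and any other job in this workflow can mint an OIDC token for the nonprod Azure identity and push to GHCR, even though only the plan step sets `ARM_USE_OIDC: true`. Scope them per job — `permissions: { id-token: write, contents: read, pull-requests: write }` on the plan job and `packages: write` on the `build` job — and set the workflow default to `contents: read`. The `on:` trigger is outside the hunk; if it is `pull_request_target` rather than `pull_request`, the OIDC grant combined with checked-out PR code would let a fork author obtain cloud credentials, so that should be double-checked. Note also that the plan step keeps `continue-on-error: true`, so a plan that fails to authenticate through the new OIDC path will not fail the PR check.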
8 changes: 6 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -18,6 +18,11 @@ on:
env:
IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/gratibot

permissions:
id-token: write
contents: write
packages: write

jobs:
build:
name: Build and Publish Image
Expand Down Expand Up @@ -60,10 +65,9 @@ jobs:
terragrunt apply --terragrunt-non-interactive -auto-approve
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
ARM_TENANT_ID: "1b4a4fed-fed8-4823-a8a0-3d5cea83d122"
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_NONPROD_SUBSCRIPTION_ID }}
TF_VAR_acr_subscription_id: ${{ secrets.AZURE_NONPROD_SUBSCRIPTION_ID }}
ARM_USE_OIDC: true
TF_VAR_gratibot_image: "${{ env.IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}"
TF_VAR_app_token: ${{ secrets.NONPROD_APP_TOKEN }}
TF_VAR_bot_user_token: ${{ secrets.NONPROD_BOT_TOKEN }}
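Review bot: The new workflow-level `permissions` in release.yml grants `contents: write` together with `id-token: write` and `packages: write` to every job, so the job that runs `terragrunt apply` — which executes third-party providers and modules fetched at runtime — holds a token that can push to the repository and publish packages in addition to assuming the Azure identity. The apply job needs only `permissions: { id-token: write, contents: read }`; keep `contents: write` (presumably for the release/tag creation, which is not visible here) and `packages: write` on the `build` job, and set the workflow default to `contents: read`. The job containing this apply step starts outside the hunk.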
1 change: 0 additions & 1 deletion infra/terraform/main.tf
@@ -1,5 +1,4 @@
provider "azurerm" {
subscription_id = var.acr_subscription_id
features {}
skip_provider_registration = "true"
}
5 changes: 0 additions & 5 deletions infra/terraform/variables.tf
@@ -1,8 +1,3 @@
variable "acr_subscription_id" {
description = "Azure subscription to use for Gratibot resources"
type = string
}

variable "resource_group_name" {
description = "Azure resource group for Gratibot"
default = "gratibot-azure-data"
