feat: use dynamic credentials

Author: mateuszjenek

README.md

@@ -269,10 +269,10 @@ Once you are finished with the reference architecture, you can remove all provis
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
 | location | Azure region to deploy into | `string` | n/a | yes |
 | subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
 | github\_org\_id | GitHub org id (required for Backstage) | `string` | `null` | no |
-| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no |
 | vm\_size | The Azure VM instances type to use as "Agents" (aka Kubernetes Nodes) in AKS | `string` | `"Standard_D2_v2"` | no |
 | with\_backstage | Deploy Backstage | `bool` | `false` | no |
 

main.tf

@@ -3,9 +3,10 @@
 module "base" {
   source = "./modules/base"
 
-  subscription_id = var.subscription_id
-  location        = var.location
-  vm_size         = var.vm_size
+  subscription_id  = var.subscription_id
+  location         = var.location
+  vm_size          = var.vm_size
+  humanitec_org_id = var.humanitec_org_id
 }
 
 # User used for scaffolding and deploying apps

modules/base/README.md

@@ -38,10 +38,10 @@ Module that provides the reference architecture.
 | Name | Type |
 |------|------|
 | [azuread_application.main](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_application_federated_identity_credential.credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
 | [azuread_group.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
 | [azuread_group_member.cluster_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource |
 | [azuread_service_principal.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azuread_service_principal_password.humanitec](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
 | [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource |
 | [azurerm_public_ip.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
@@ -63,6 +63,7 @@ Module that provides the reference architecture.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes |
 | location | Azure region to deploy into | `string` | n/a | yes |
 | subscription\_id | Azure Subscription (ID) to use | `string` | n/a | yes |
 | cluster\_name | Name for the AKS cluster | `string` | `"ref-arch"` | no |

modules/base/humanitec.tf

@@ -6,10 +6,8 @@ resource "humanitec_resource_account" "cluster_account" {
   type = "azure"
 
   credentials = jsonencode({
-    "appId" : azuread_service_principal.humanitec.client_id,
-    "displayName" : azuread_application.main.display_name,
-    "password" : azuread_service_principal_password.humanitec.value,
-    "tenant" : azuread_service_principal.humanitec.application_tenant_id
+    "azure_identity_tenant_id" : azuread_service_principal.humanitec.application_tenant_id
+    "azure_identity_client_id" : azuread_service_principal.humanitec.client_id
   })
 }
 

modules/base/main.tf

@@ -72,8 +72,13 @@ resource "azuread_service_principal" "humanitec" {
   owners    = [data.azuread_client_config.current.object_id]
 }
 
-resource "azuread_service_principal_password" "humanitec" {
-  service_principal_id = azuread_service_principal.humanitec.id
+resource "azuread_application_federated_identity_credential" "credential" {
+  application_id = azuread_application.main.id
+  display_name   = "AccessFromHumanitec"
+  description    = "Access From Humanitec"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = "https://idtoken.humanitec.io"
+  subject        = "${var.humanitec_org_id}/${humanitec_resource_account.cluster_account.id}"
 }
 
 # Required to fetch AKS credentials

modules/base/terraform.tfvars.example

@@ -8,6 +8,9 @@ container_registry_name_prefix = "humrefarch"
 # Name of the environment to be deployed into
 environment = "development"
 
+# Humanitec Organization ID
+humanitec_org_id = ""
+
 # Number of allowed unavaiable replicas for the ingress-nginx controller
 ingress_nginx_min_unavailable = 1
 

modules/base/variables.tf

@@ -49,3 +49,8 @@ variable "subscription_id" {
   description = "Azure Subscription (ID) to use"
   type        = string
 }
+
+variable "humanitec_org_id" {
+  description = "Humanitec Organization ID"
+  type        = string
+}

terraform.tfvars.example

@@ -2,7 +2,7 @@
 # GitHub org id (required for Backstage)
 github_org_id = ""
 
-# Humanitec Organization ID (required for Backstage)
+# Humanitec Organization ID
 humanitec_org_id = ""
 
 # Azure region to deploy into

variables.tf

@@ -27,7 +27,6 @@ variable "github_org_id" {
 }
 
 variable "humanitec_org_id" {
-  description = "Humanitec Organization ID (required for Backstage)"
+  description = "Humanitec Organization ID"
   type        = string
-  default     = null
 }