Merge pull request #1 from meshcloud/feature/access

chore: change replicator to access

Author: florianow

.github/workflows/workflow.yml

@@ -1,10 +1,26 @@
-name: Terraform CI
+name: build
 on:
   push:
+    branches: [ main ]
   pull_request:
+    branches: [ main ]
   merge_group:
-    types: [checks_requested]
 
 jobs:
-  build:
-    uses: meshcloud/shared-workflows/.github/workflows/terraform-meshplatform-modules-build-workflow.yml@main
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: meshcloud/setup-collie@main
+
+      - uses: nixbuild/nix-quick-install-action@v26
+        with:
+          nix_on_tmpfs: true
+
+      - uses: rrbutani/use-nix-shell-action@v1
+        with:
+          devShell: .#github_actions # use a special github actions shell
+
+      - name: ensure all pre-commit hooks pass
+        run: pre-commit run --all-files --show-diff-on-failure

README.md

@@ -90,14 +90,14 @@ After applying the configuration, you can retrieve the following outputs using `
 |------|-------------|------|---------|:--------:|
 | <a name="input_application_owners"></a> [application\_owners](#input\_application\_owners) | List of user principals that should be added as owners to the replicator service principal. | `list(string)` | `[]` | no |
 | <a name="input_create_password"></a> [create\_password](#input\_create\_password) | Create a password for the enterprise application. | `bool` | n/a | yes |
-| <a name="input_metering_additional_rules"></a> [metering\_additional\_rules](#input\_metering\_additional\_rules) | n/a | <pre>list(object({<br/>    api_groups        = list(string)<br/>    resources         = list(string)<br/>    verbs             = list(string)<br/>    resource_names    = optional(list(string))<br/>    non_resource_urls = optional(list(string))<br/>  }))</pre> | `[]` | no |
+| <a name="input_metering_additional_rules"></a> [metering\_additional\_rules](#input\_metering\_additional\_rules) | n/a | <pre>list(object({<br>    api_groups        = list(string)<br>    resources         = list(string)<br>    verbs             = list(string)<br>    resource_names    = optional(list(string))<br>    non_resource_urls = optional(list(string))<br>  }))</pre> | `[]` | no |
 | <a name="input_metering_enabled"></a> [metering\_enabled](#input\_metering\_enabled) | n/a | `bool` | `true` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | name of the namespace where the replicator and metering components should be deployed | `string` | `"meshcloud"` | no |
-| <a name="input_replicator_additional_rules"></a> [replicator\_additional\_rules](#input\_replicator\_additional\_rules) | n/a | <pre>list(object({<br/>    api_groups        = list(string)<br/>    resources         = list(string)<br/>    verbs             = list(string)<br/>    resource_names    = optional(list(string))<br/>    non_resource_urls = optional(list(string))<br/>  }))</pre> | `[]` | no |
+| <a name="input_replicator_additional_rules"></a> [replicator\_additional\_rules](#input\_replicator\_additional\_rules) | n/a | <pre>list(object({<br>    api_groups        = list(string)<br>    resources         = list(string)<br>    verbs             = list(string)<br>    resource_names    = optional(list(string))<br>    non_resource_urls = optional(list(string))<br>  }))</pre> | `[]` | no |
 | <a name="input_replicator_enabled"></a> [replicator\_enabled](#input\_replicator\_enabled) | n/a | `bool` | `true` | no |
 | <a name="input_scope"></a> [scope](#input\_scope) | The scope of the service principal. The scope is usually the id of the aks subscription | `string` | n/a | yes |
 | <a name="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name) | Display name of the replicator service principal. | `string` | n/a | yes |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. | `object({ issuer = string, replicator_subject = string })` | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. | `object({ issuer = string, access_subject = string })` | `null` | no |
 
 ## Outputs
 

default.nix

@@ -0,0 +1,74 @@
+{
+  description = "Flake for terraform-aks-meshplatform";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-24.05";
+  };
+
+  outputs = { self, nixpkgs }:
+
+  let
+    # These tools are pre-installed in github actions, so we can save the time for installing them.
+    github_actions_preinstalled = pkgs:
+      with pkgs;
+      [
+        awscli2
+        (azure-cli.withExtensions [ azure-cli.extensions.account ])
+        nodejs
+      ];
+
+    # core packages required in CI and not preinstalled in github actions
+    core_packages = pkgs:
+      let
+        tofu_terraform =
+          pkgs.stdenv.mkDerivation {
+            name = "tofu-terraform";
+            phases = [ "installPhase" ];
+            installPhase = ''
+              mkdir -p $out/bin
+              echo '#!/usr/bin/env sh' > $out/bin/terraform
+              echo 'tofu "$@"' >> $out/bin/terraform
+              chmod +x $out/bin/terraform
+            '';
+          };
+      in
+      with pkgs;
+      [
+        opentofu
+        terragrunt
+        tflint
+        tfupdate
+        terraform-docs
+        tofu_terraform
+        pre-commit
+      ];
+
+    importNixpkgs = system: import nixpkgs { inherit system; };
+
+    defaultShellForSystem = system:
+      let
+        pkgs = importNixpkgs system;
+      in {
+        default = pkgs.mkShell {
+          name = "terraform-aks-meshplatform";
+          packages = (github_actions_preinstalled pkgs) ++ (core_packages pkgs);
+        };
+      };
+
+  in {
+    devShells = {
+      aarch64-darwin = defaultShellForSystem "aarch64-darwin";
+      x86_64-darwin = defaultShellForSystem "x86_64-darwin";
+      x86_64-linux = defaultShellForSystem "x86_64-linux" // {
+        github_actions =
+          let
+            pkgs = importNixpkgs "x86_64-linux";
+          in
+          pkgs.mkShell {
+            name = "meshstack-hub-ghactions";
+            packages = (core_packages pkgs);
+          };
+      };
+    };
+  };
+}

flake.lock

@@ -12,8 +12,8 @@ module "replicator_service_principal" {
   service_principal_name = var.service_principal_name
   create_password        = var.create_password
   workload_identity_federation = var.workload_identity_federation == null ? null : {
-    issuer             = var.workload_identity_federation.issuer,
-    replicator_subject = var.workload_identity_federation.replicator_subject
+    issuer         = var.workload_identity_federation.issuer,
+    access_subject = var.workload_identity_federation.access_subject
   }
   application_owners = var.application_owners
 }

flake.nix

@@ -34,7 +34,7 @@ No modules.
 | <a name="input_create_password"></a> [create\_password](#input\_create\_password) | Create a password for the enterprise application. | `bool` | n/a | yes |
 | <a name="input_scope"></a> [scope](#input\_scope) | The scope of the service principal. The scope is usually the id of the aks subscription | `string` | n/a | yes |
 | <a name="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name) | Display name of the replicator service principal. | `string` | `null` | no |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. | `object({ issuer = string, replicator_subject = string })` | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack. | `object({ issuer = string, access_subject = string })` | `null` | no |
 
 ## Outputs
 

main.tf

@@ -36,5 +36,5 @@ resource "azuread_application_federated_identity_credential" "meshcloud_replicat
   display_name   = var.service_principal_name
   audiences      = ["api://AzureADTokenExchange"]
   issuer         = var.workload_identity_federation.issuer
-  subject        = var.workload_identity_federation.replicator_subject
+  subject        = var.workload_identity_federation.access_subject
 }

modules/meshcloud-replicator-service-principal/README.md

@@ -12,7 +12,7 @@ variable "create_password" {
 variable "workload_identity_federation" {
   default     = null
   description = "Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack."
-  type        = object({ issuer = string, replicator_subject = string })
+  type        = object({ issuer = string, access_subject = string })
 }
 
 variable "application_owners" {

modules/meshcloud-replicator-service-principal/auth.tf

@@ -54,7 +54,7 @@ variable "create_password" {
 variable "workload_identity_federation" {
   default     = null
   description = "Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack."
-  type        = object({ issuer = string, replicator_subject = string })
+  type        = object({ issuer = string, access_subject = string })
 }
 
 variable "application_owners" {