Feature/federated credentials #1782

Open
wants to merge 8 commits into
base: main
2 changes: 2 additions & 0 deletions .github/workflows/standalone-azuread.json
Expand Up @@ -11,6 +11,8 @@
"azuread/104-azuread-group-membership",
"azuread/105-azuread-application-with-optional-claims",
"azuread/106-azuread-application-with-api-scopes",
"azuread/201-groups-and-roles",
"azuread/202-azuread-application-federated-credentials"
"azuread/108-azuread-application-with-app-roles",
"azuread/201-groups-and-roles"
]
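Review bot: The new side of this hunk is not valid JSON: `"azuread/202-azuread-application-federated-credentials"` has no trailing comma before the `"azuread/108-azuread-application-with-app-roles",` entry that follows it, so the workflow matrix file will fail to parse. The same list also ends up with `"azuread/201-groups-and-roles"` twice, once before the new 202 entry and once before the closing bracket. Change the 202 line to `"azuread/202-azuread-application-federated-credentials",` and drop one of the duplicate 201 entries so the list keeps one entry per example. The other two workflow lists in this PR (standalone-compute.json, standalone-scenarios.json) keep their commas correctly.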
3 changes: 2 additions & 1 deletion .github/workflows/standalone-compute.json
Expand Up @@ -50,6 +50,7 @@
"compute/virtual_machine/215-vm-keyvault-for-windows-extension",
"compute/virtual_machine/216-vm-linux_diagnostic_extensions",
"compute/virtual_machine/217-vm-disk-encryption-set-msi",
"compute/vmware_cluster/101-vmware_cluster"
"compute/vmware_cluster/101-vmware_cluster",
"compute/kubernetes_services/109-single-cluster-federated-credentials"
]
}
3 changes: 2 additions & 1 deletion .github/workflows/standalone-scenarios.json
Expand Up @@ -137,6 +137,7 @@
"webapps/function_app/101-function_app-private",
"webapps/function_app/102-function_app-linux",
"webapps/function_app/103-function_app-windows",
"webapps/static_site/101-simple-static-web-app"
"webapps/static_site/101-simple-static-web-app",
"managed_service_identity/101-mi-federated_credential"
]
}
12 changes: 12 additions & 0 deletions azuread_federated_credentials.tf
@@ -0,0 +1,12 @@
module "azuread_federated_credentials" {
source = "./modules/azuread/federated_credentials/"
for_each = local.azuread.azuread_federated_credentials
depends_on = [module.azuread_applications_v1]
client_config = local.client_config
settings = each.value
azuread_applications = local.combined_objects_azuread_applications
}

output "azuread_federated_credentials" {
value = module.azuread_federated_credentials
}
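Review bot: `for_each = local.azuread.azuread_federated_credentials` assumes `local.azuread` already carries that key with an empty-map default; no locals change is part of this diff, so if the key is not defaulted elsewhere every deployment that does not set the variable fails at plan time with an unknown attribute. If the default is not added to the locals, guard the line as `for_each = try(local.azuread.azuread_federated_credentials, {})`. The `depends_on = [module.azuread_applications_v1]` is a module-level dependency on top of the applications already passed in through `local.combined_objects_azuread_applications`; a module-level `depends_on` can defer any data reads inside the module to apply time, so a short comment stating why the explicit ordering is needed (for example that the application object id must exist before the credential is created) would help the next maintainer decide whether to keep it. A header comment on the module block naming what a federated credential binds (an external OIDC issuer and subject to an application, with no secret material) would also document why the output is not marked sensitive.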
2 changes: 2 additions & 0 deletions compute_aks_clusters.tf
Expand Up @@ -14,6 +14,8 @@ module "aks_clusters" {
managed_identities = local.combined_objects_managed_identities
settings = each.value
vnets = local.combined_objects_networking
azuread_applications = local.combined_objects_azuread_applications
private_endpoints = try(each.value.private_endpoints, {})

admin_group_object_ids = try(each.value.admin_groups.azuread_group_keys, null) == null ? null : try(
each.value.admin_groups.ids,
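Review bot: The new `azuread_applications = local.combined_objects_azuread_applications` argument is passed to the `aks_clusters` module, but nothing in this diff shows the module declaring or consuming a matching `azuread_applications` variable; if the module's variable declaration is not part of another commit, Terraform rejects the argument as unsupported. The cluster example in this PR nests `azuread_federated_credentials` with an `azuread_application.key` under the cluster settings, so the map is presumably used to resolve that key into an application object — a comment on the line such as `# resolves settings.azuread_federated_credentials[*].azuread_application.key` would make the dependency explicit. The `module "aks_clusters"` block starts and ends outside this hunk.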
@@ -0,0 +1,24 @@
azuread_applications = {
aks_auth_app = {
application_name = "app-najeeb-sandbox-aksadmin"
}
}

azuread_federated_credentials = {
cred1 = {
display_name = "app-wi-fed01"
subject = "system:serviceaccount:demo:workload-identity-sa"
oidc_issuer_url = "https://westeurope.oic.prod-aks.azure.com/"
azuread_application = {
key = "aks_auth_app"
}
}
}

azuread_service_principals = {
aks_auth_app = {
azuread_application = {
key = "aks_auth_app"
}
}
}
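Review bot: `oidc_issuer_url = "https://westeurope.oic.prod-aks.azure.com/"` in the `cred1` block is the regional base host of the AKS issuer service, not the issuer of a specific cluster; AKS clusters publish an issuer URL with a cluster-specific path under that host, and the `iss` claim of the projected service-account tokens carries that full URL, so a federated credential bound to the bare host will not match any token the cluster issues. The example should take the value from the cluster's issuer output or show an explicit placeholder, e.g. `oidc_issuer_url = "https://<region>.oic.prod-aks.azure.com/<tenant-id>/<cluster-issuer-id>/" # placeholder, use the cluster's issuer output`. Since the trust is exactly the issuer plus subject pair, a comment above the block stating that `subject` must be the `system:serviceaccount:<namespace>:<name>` of the single workload being trusted would document the intended scope. `application_name = "app-najeeb-sandbox-aksadmin"` embeds a personal name; a neutral value such as `app-example-aks-workload` reads better in a shipped example (the same value appears in the cluster example below).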
@@ -0,0 +1,129 @@
global_settings = {
default_region = "region1"
regions = {
region1 = "australiaeast"
}
}

resource_groups = {
aks_re1 = {
name = "aks-re1"
region = "region1"
}
msi_region1 = {
name = "security-rg1"
region = "region1"
}
}

aks_clusters = {
cluster_re1 = {
name = "akscluster-re1-001"
resource_group_key = "aks_re1"
os_type = "Linux"

identity = {
type = "SystemAssigned"
}

vnet_key = "spoke_aks_re1"

network_profile = {
network_plugin = "azure"
load_balancer_sku = "standard"
}

# enable_rbac = true
role_based_access_control = {
enabled = true
azure_active_directory = {
managed = true
}
}

oms_agent = {
log_analytics_key = "central_logs_region1"
}

# admin_groups = {
# # ids = []
# # azuread_groups = {
# # keys = []
# # }
# }

load_balancer_profile = {
# Only one option can be set
managed_outbound_ip_count = 1
}

default_node_pool = {
name = "sharedsvc"
vm_size = "Standard_F4s_v2"
#subnet_key = "aks_nodepool_system"
subnet = {
key = "aks_nodepool_system"
#resource_id = "/subscriptions/97958dac-xxxx-xxxx-xxxx-9f436fa73bd4/resourceGroups/qxgc-rg-aks-re1/providers/Microsoft.Network/virtualNetworks/qxgc-vnet-aks/subnets/qxgc-snet-aks_nodepool_system"
}
enabled_auto_scaling = false
enable_node_public_ip = false
max_pods = 30
node_count = 1
os_disk_size_gb = 512
tags = {
"project" = "system services"
}
}

node_resource_group_name = "aks-nodes-re1"

addon_profile = {
azure_keyvault_secrets_provider = {
secret_rotation_enabled = true
secret_rotation_interval = "2m"
}
}
azuread_federated_credentials = {
cred1 = {
display_name = "app-wi-fed02"
subject = "system:serviceaccount:demo:workload-identity-sa"
azuread_application = {
key = "aks_auth_app"
#lz_key = ""
}
}
}

mi_federated_credentials = {
cred1 = {
name = "mi-wi-demo02"
subject = "system:serviceaccount:demo:workload-identity-sa"
managed_identity = {
key = "workload_system_mi"
#lz_key = ""
}
}
}
}
}

azuread_applications = {
aks_auth_app = {
application_name = "app-najeeb-sandbox-aksadmin"
}
}

azuread_service_principals = {
aks_auth_app = {
azuread_application = {
key = "aks_auth_app"
}
}
}

managed_identities = {
workload_system_mi = {
name = "demo-mi-wi"
resource_group_key = "msi_region1"
}
}
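Review bot: `cluster_re1` nests `azuread_federated_credentials` and `mi_federated_credentials` without an issuer URL, which can only work if the cluster exposes an OIDC issuer, yet nothing in the cluster settings turns one on (`azurerm_kubernetes_cluster` requires `oidc_issuer_enabled = true` for the issuer, and `workload_identity_enabled = true` for the token-projection webhook); unless the CAF module enables both by default, the credential resources would be created against a null issuer. If the module exposes these settings, add `oidc_issuer_enabled = true` and `workload_identity_enabled = true` next to `identity` with a comment that the nested credentials depend on them. The commented-out `resource_id` under `default_node_pool.subnet` carries two real-looking segments of a subscription id together with resource names; an example in a public repository should use a fully masked placeholder or drop the line entirely. The example also reuses the personal `app-najeeb-sandbox-aksadmin` application name present in the other example file.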
@@ -0,0 +1,7 @@
diagnostic_log_analytics = {
central_logs_region1 = {
region = "region1"
name = "logs"
resource_group_key = "aks_re1"
}
}