-
Notifications
You must be signed in to change notification settings - Fork 122
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a49847d
commit fa5a88e
Showing
2 changed files
with
115 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
107 changes: 107 additions & 0 deletions
107
...stry/packages/azure-native/how-to-guides/azure-ts-oidc-provider-pulumi-cloud.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| --- | ||
| title: "Provisioning an OIDC Provider in Azure for Pulumi Cloud | TypeScript" | ||
| h1: "Provisioning an OIDC Provider in Azure for Pulumi Cloud" | ||
| linktitle: "Provisioning an OIDC Provider in Azure for Pulumi Cloud" | ||
| meta_desc: "Provisioning an OIDC Provider in Azure for Pulumi Cloud How-to Guide using TypeScript" | ||
| no_edit_this_page: true | ||
| cloud: azure | ||
| language: ts | ||
| layout: package | ||
| --- | ||
|
|
||
| <!-- WARNING: this page was generated by a tool. Do not edit it by hand. --> | ||
| <!-- To change it, please see https://github.com/pulumi/docs/tree/master/tools/mktutorial. --> | ||
|
|
||
| <p class="mb-4 flex"> | ||
| <a class="flex flex-wrap items-center rounded-md font-display text-lg text-white bg-blue-600 border-2 border-blue-600 px-2 mr-2 whitespace-no-wrap hover:text-white" style="height: 45px;" href="https://github.com/pulumi/examples/tree/master/azure-ts-oidc-provider-pulumi-cloud" target="_blank"> | ||
| <span><i class="fab fa-github pr-2"></i> View Code</span> | ||
| </a> | ||
| </p> | ||
|
|
||
|
|
||
| This example will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the Azure documentation for the following activities: | ||
|
|
||
| - [Create a Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) | ||
| - [Create federated credentials](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#federated-identity-credential-for-an-azure-ad-application-1) | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| * [Install Pulumi](https://www.pulumi.com/docs/get-started/install/) | ||
| * [Configure Pulumi to Use Azure](https://www.pulumi.com/docs/clouds/azure/get-started/begin/) | ||
|
|
||
| ## Running the Example | ||
|
|
||
| Clone [the examples repo](https://github.com/pulumi/examples) and navigate to the folder for this example. | ||
|
|
||
| ```bash | ||
| git clone https://github.com/pulumi/examples.git | ||
| cd examples/azure-ts-oidc-provider-pulumi-cloud | ||
| ``` | ||
|
|
||
| Next, to deploy the application and its infrastructure, follow these steps: | ||
|
|
||
| 1. Create a new stack, which is an isolated deployment target for this example: | ||
|
|
||
| ```bash | ||
| pulumi stack init dev | ||
| ``` | ||
|
|
||
| 1. Set your Pulumi ESC environment name and desired Azure region: | ||
|
|
||
| ```bash | ||
| pulumi config set environmentName <your-environment-name> # replace with your environment name | ||
| pulumi config set azure-native:location WestUS2 # any valid Azure region will work | ||
| ``` | ||
|
|
||
| 1. Install requirements. | ||
|
|
||
| ```bash | ||
| npm install | ||
| ``` | ||
|
|
||
| 1. Run `pulumi up -y`. Once the program completes, it will output a YAML template for you to use in the next step. | ||
|
|
||
| ## Validating the OIDC Configuration | ||
|
|
||
| This next section will walk you through validating your OIDC configuration using [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). | ||
|
|
||
| 1. Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pulumi-cloud/esc/get-started/#create-an-environment). | ||
| 2. Then, copy the template definition from the output in the CLI and paste it into your environment. | ||
| 3. Save your environment file and run the `pulumi env open <your-pulumi-org>/<your-environment>` command in the CLI. You should see output similar to the following: | ||
|
|
||
| ```bash | ||
| $ pulumi env open myOrg/myEnvironment | ||
| { | ||
| "azure": { | ||
| "login": { | ||
| "clientId": "b537....", | ||
| "oidc": { | ||
| "token": "eyJh...." | ||
| }, | ||
| "subscriptionId": "0282....", | ||
| "tenantId": "7061...." | ||
| } | ||
| }, | ||
| "environmentVariables": { | ||
| "ARM_CLIENT_ID": "b537....", | ||
| "ARM_OIDC_TOKEN": "eyJh....", | ||
| "ARM_SUBSCRIPTION_ID": "0282....", | ||
| "ARM_TENANT_ID": "7061....", | ||
| "ARM_USE_OIDC": "true" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| If your identity provider does not offer an ID token directly but it does offer a way to exchange a local bearer token for an ID token, you will need to replace the `ARM_OIDC_TOKEN` environment variable with both of the following: | ||
|
|
||
| - `ARM_OIDC_REQUEST_TOKEN` | ||
| - `ARM_OIDC_REQUEST_URL` | ||
|
|
||
| ## Clean-Up Resources | ||
|
|
||
| Once you are done, you can destroy all of the resources as well as the stack: | ||
|
|
||
| ```bash | ||
| $ pulumi destroy | ||
| $ pulumi stack rm | ||
| ``` |