Merge pull request #12 from johanneswuerbach/resource-account

feat: use resource accounts
humanitec-architecture · Mar 18, 2024 · 2e365b9 · 2e365b9
2 parents 27a9d03 + a6b0ead
commit 2e365b9
Show file tree

Hide file tree

Showing 99 changed files with 599 additions and 751 deletions.
diff --git a/examples/blob-storage/README.md b/examples/blob-storage/README.md
@@ -25,12 +25,16 @@ The workload service account will automatically be assigned the necessary Azure
 | Name | Version |
 |------|---------|
 | terraform | >= 1.3.0 |
+| azuread | ~> 2.47 |
+| azurerm | ~> 3.91 |
 | humanitec | ~> 1.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| azuread | ~> 2.47 |
+| azurerm | ~> 3.91 |
 | humanitec | ~> 1.0 |
 
 ## Modules
@@ -52,7 +56,12 @@ The workload service account will automatically be assigned the necessary Azure
 
 | Name | Type |
 |------|------|
+| [azuread_application.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_service_principal.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
+| [azuread_service_principal_password.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
+| [azurerm_role_assignment.resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
 | [humanitec_resource_definition_criteria.blob_storage](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.blob_storage_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.blob_storage_reader](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
@@ -63,17 +72,15 @@ The workload service account will automatically be assigned the necessary Azure
 | [humanitec_resource_definition_criteria.role_definition_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.role_definition_reader](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | aks\_cluster\_issuer\_url | AKS OIDC Issuer URL | `string` | n/a | yes |
-| client\_id | The Client ID which should be used. | `string` | n/a | yes |
-| client\_secret | The Client Secret which should be used. | `string` | n/a | yes |
 | resource\_group\_name | Specifies the Name of the Resource Group within which created resources will reside. | `string` | n/a | yes |
 | subscription\_id | The Subscription ID which should be used. | `string` | n/a | yes |
-| tenant\_id | The Tenant ID which should be used. | `string` | n/a | yes |
 | account\_replication\_type | Defines the type of replication to use for this storage account. | `string` | `"GRS"` | no |
 | account\_tier | Defines the Tier to use for this storage account. | `string` | `"Standard"` | no |
 | container\_access\_type | The Access Level configured for this Container. | `string` | `"private"` | no |

diff --git a/examples/blob-storage/main.tf b/examples/blob-storage/main.tf
@@ -1,3 +1,41 @@
+# Service principal used by Humanitec to provision resources
+data "azurerm_resource_group" "main" {
+  name = var.resource_group_name
+}
+
+resource "azuread_application" "humanitec_provisioner" {
+  display_name = var.name
+}
+
+resource "azuread_service_principal" "humanitec_provisioner" {
+  client_id = azuread_application.humanitec_provisioner.client_id
+}
+
+resource "azuread_service_principal_password" "humanitec_provisioner" {
+  service_principal_id = azuread_service_principal.humanitec_provisioner.object_id
+}
+
+resource "azurerm_role_assignment" "resource_group" {
+  scope                = data.azurerm_resource_group.main.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.humanitec_provisioner.object_id
+}
+
+resource "humanitec_resource_account" "humanitec_provisioner" {
+  id   = var.name
+  name = var.name
+  type = "azure"
+
+  credentials = jsonencode({
+    "appId" : azuread_service_principal.humanitec_provisioner.client_id,
+    "displayName" : azuread_application.humanitec_provisioner.display_name,
+    "password" : azuread_service_principal_password.humanitec_provisioner.value,
+    "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
+  })
+}
+
+# Example application and resource definition criteria
+
 resource "humanitec_application" "example" {
   id   = var.name
   name = var.name
@@ -25,9 +63,8 @@ module "blob_storage" {
 
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
-  client_id                = var.client_id
-  client_secret            = var.client_secret
-  tenant_id                = var.tenant_id
+  append_logs_to_error     = true
+  driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
   resource_group_name      = var.resource_group_name
   prefix                   = var.prefix
@@ -136,11 +173,9 @@ module "federated_identity" {
 
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
-
-  client_id       = var.client_id
-  client_secret   = var.client_secret
-  tenant_id       = var.tenant_id
-  subscription_id = var.subscription_id
+  append_logs_to_error     = true
+  driver_account           = humanitec_resource_account.humanitec_provisioner.id
+  subscription_id          = var.subscription_id
 
   prefix = var.prefix
 
@@ -161,11 +196,9 @@ module "managed_identity" {
 
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
-
-  client_id       = var.client_id
-  client_secret   = var.client_secret
-  tenant_id       = var.tenant_id
-  subscription_id = var.subscription_id
+  append_logs_to_error     = true
+  driver_account           = humanitec_resource_account.humanitec_provisioner.id
+  subscription_id          = var.subscription_id
 
   prefix              = var.prefix
   resource_group_name = var.resource_group_name
@@ -181,11 +214,9 @@ module "role_assignment" {
 
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
-
-  client_id       = var.client_id
-  client_secret   = var.client_secret
-  tenant_id       = var.tenant_id
-  subscription_id = var.subscription_id
+  append_logs_to_error     = true
+  driver_account           = humanitec_resource_account.humanitec_provisioner.id
+  subscription_id          = var.subscription_id
 
   prefix              = var.prefix
   role_definition_ids = "$${resources.workload>azure-role-definition.outputs.id}"

diff --git a/examples/blob-storage/providers.tf b/examples/blob-storage/providers.tf
@@ -1,5 +1,13 @@
 terraform {
   required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.47"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.91"
+    }
     humanitec = {
       source  = "humanitec/humanitec"
       version = "~> 1.0"
@@ -9,4 +17,14 @@ terraform {
   required_version = ">= 1.3.0"
 }
 
-provider "humanitec" {}
+provider "humanitec" {
+}
+
+provider "azuread" {
+}
+
+provider "azurerm" {
+  features {}
+
+  subscription_id = var.subscription_id
+}
diff --git a/examples/blob-storage/terraform.tfvars.example b/examples/blob-storage/terraform.tfvars.example
@@ -8,12 +8,6 @@ account_tier = "Standard"
 # AKS OIDC Issuer URL
 aks_cluster_issuer_url = ""
 
-# The Client ID which should be used.
-client_id = ""
-
-# The Client Secret which should be used.
-client_secret = ""
-
 # The Access Level configured for this Container.
 container_access_type = "private"
 
@@ -36,7 +30,4 @@ resource_packs_azure_rev = "refs/heads/main"
 resource_packs_azure_url = "https://github.com/humanitec-architecture/resource-packs-azure.git"
 
 # The Subscription ID which should be used.
-subscription_id = ""
-
-# The Tenant ID which should be used.
-tenant_id = ""
+subscription_id = ""
diff --git a/examples/blob-storage/variables.tf b/examples/blob-storage/variables.tf
@@ -10,21 +10,6 @@ variable "resource_packs_azure_rev" {
   default     = "refs/heads/main"
 }
 
-variable "client_id" {
-  description = "The Client ID which should be used."
-  type        = string
-}
-
-variable "client_secret" {
-  description = "The Client Secret which should be used."
-  type        = string
-}
-
-variable "tenant_id" {
-  description = "The Tenant ID which should be used."
-  type        = string
-}
-
 variable "subscription_id" {
   description = "The Subscription ID which should be used."
   type        = string

diff --git a/examples/dns/README.md b/examples/dns/README.md
@@ -18,12 +18,16 @@ resources:
 | Name | Version |
 |------|---------|
 | terraform | >= 1.3.0 |
+| azuread | ~> 2.47 |
+| azurerm | ~> 3.91 |
 | humanitec | ~> 1.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| azuread | ~> 2.47 |
+| azurerm | ~> 3.91 |
 | humanitec | ~> 1.0 |
 
 ## Modules
@@ -36,19 +40,22 @@ resources:
 
 | Name | Type |
 |------|------|
+| [azuread_application.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_service_principal.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
+| [azuread_service_principal_password.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
+| [azurerm_role_assignment.resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
 | [humanitec_resource_definition_criteria.dns](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [azurerm_resource_group.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| client\_id | The Client ID which should be used. | `string` | n/a | yes |
-| client\_secret | The Client Secret which should be used. | `string` | n/a | yes |
 | dns\_zone | The id of the hosted zone in which this record set will reside. | `string` | n/a | yes |
 | resource\_group\_name | Specifies the Name of the Resource Group within which this dns will reside. | `string` | n/a | yes |
 | subscription\_id | The Subscription ID which should be used. | `string` | n/a | yes |
-| tenant\_id | The Tenant ID which should be used. | `string` | n/a | yes |
 | name | Name of the example application. | `string` | `"hum-rp-dns-example"` | no |
 | prefix | Prefix of the created resources | `string` | `"hum-rp-dns-ex-"` | no |
 | resource\_packs\_azure\_rev | Azure Resource Pack git branch. | `string` | `"refs/heads/main"` | no |

diff --git a/examples/dns/main.tf b/examples/dns/main.tf
@@ -1,3 +1,40 @@
+# Service principal used by Humanitec to provision resources
+data "azurerm_resource_group" "main" {
+  name = var.resource_group_name
+}
+
+resource "azuread_application" "humanitec_provisioner" {
+  display_name = var.name
+}
+
+resource "azuread_service_principal" "humanitec_provisioner" {
+  client_id = azuread_application.humanitec_provisioner.client_id
+}
+
+resource "azuread_service_principal_password" "humanitec_provisioner" {
+  service_principal_id = azuread_service_principal.humanitec_provisioner.object_id
+}
+
+resource "azurerm_role_assignment" "resource_group" {
+  scope                = data.azurerm_resource_group.main.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.humanitec_provisioner.object_id
+}
+
+resource "humanitec_resource_account" "humanitec_provisioner" {
+  id   = var.name
+  name = var.name
+  type = "azure"
+
+  credentials = jsonencode({
+    "appId" : azuread_service_principal.humanitec_provisioner.client_id,
+    "displayName" : azuread_application.humanitec_provisioner.display_name,
+    "password" : azuread_service_principal_password.humanitec_provisioner.value,
+    "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
+  })
+}
+
+# Example application and resource definition criteria
 resource "humanitec_application" "example" {
   id   = var.name
   name = var.name
@@ -9,9 +46,8 @@ module "dns" {
   prefix                   = var.prefix
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
-  client_id                = var.client_id
-  client_secret            = var.client_secret
-  tenant_id                = var.tenant_id
+  append_logs_to_error     = true
+  driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
   dns_zone                 = var.dns_zone
   resource_group_name      = var.resource_group_name

diff --git a/examples/dns/providers.tf b/examples/dns/providers.tf
@@ -1,5 +1,13 @@
 terraform {
   required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.47"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.91"
+    }
     humanitec = {
       source  = "humanitec/humanitec"
       version = "~> 1.0"
@@ -9,4 +17,14 @@ terraform {
   required_version = ">= 1.3.0"
 }
 
-provider "humanitec" {}
+provider "humanitec" {
+}
+
+provider "azuread" {
+}
+
+provider "azurerm" {
+  features {}
+
+  subscription_id = var.subscription_id
+}
diff --git a/examples/dns/terraform.tfvars.example b/examples/dns/terraform.tfvars.example
@@ -1,10 +1,4 @@
 
-# The Client ID which should be used.
-client_id = ""
-
-# The Client Secret which should be used.
-client_secret = ""
-
 # The id of the hosted zone in which this record set will reside.
 dns_zone = ""
 
@@ -24,7 +18,4 @@ resource_packs_azure_rev = "refs/heads/main"
 resource_packs_azure_url = "https://github.com/humanitec-architecture/resource-packs-azure.git"
 
 # The Subscription ID which should be used.
-subscription_id = ""
-
-# The Tenant ID which should be used.
-tenant_id = ""
+subscription_id = ""
diff --git a/examples/dns/variables.tf b/examples/dns/variables.tf
@@ -22,21 +22,6 @@ variable "resource_packs_azure_rev" {
   default     = "refs/heads/main"
 }
 
-variable "client_id" {
-  description = "The Client ID which should be used."
-  type        = string
-}
-
-variable "client_secret" {
-  description = "The Client Secret which should be used."
-  type        = string
-}
-
-variable "tenant_id" {
-  description = "The Tenant ID which should be used."
-  type        = string
-}
-
 variable "subscription_id" {
   description = "The Subscription ID which should be used."
   type        = string