chore: use resource accounts

examples/postgres/README.md

@@ -91,6 +91,7 @@ graph LR;
 | [azurerm_role_assignment.resource_group_resource](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.resource_group_workload](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
 | [humanitec_resource_definition_criteria.postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.postgres_instance](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [azurerm_resource_group.resource](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
@@ -101,10 +102,10 @@ graph LR;
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | resource\_group\_name | Specifies the Name of the Resource Group within which this database will reside. | `string` | n/a | yes |
-| subnet\_name | The name of the subnet where the workloads are running. | `string` | n/a | yes |
+| subnet\_name | The name of the subnet where the Private Endpoint will be allocated. | `string` | n/a | yes |
 | subscription\_id | The Subscription ID which should be used. | `string` | n/a | yes |
-| virtual\_network\_name | The name of the virtual network where the workloads are running. | `string` | n/a | yes |
-| workload\_resource\_group\_name | The name of the resource group where the workloads are running. | `string` | n/a | yes |
+| virtual\_network\_name | The name of the virtual network where Private Endpoint will be allocated. | `string` | n/a | yes |
+| workload\_resource\_group\_name | The name of the resource group where the Private Endpoint will be allocated. | `string` | n/a | yes |
 | administrator\_login | The Administrator login for the PostgreSQL Server. | `string` | `""` | no |
 | administrator\_password | The Password associated with the administrator\_login for the PostgreSQL Server. | `string` | `""` | no |
 | name | Name of the example application. | `string` | `"hum-rp-postgres-example"` | no |

examples/postgres/main.tf

@@ -24,6 +24,19 @@ resource "azurerm_role_assignment" "resource_group_workload" {
   principal_id         = azuread_service_principal.humanitec_provisioner.object_id
 }
 
+resource "humanitec_resource_account" "humanitec_provisioner" {
+  id   = var.name
+  name = var.name
+  type = "azure"
+
+  credentials = jsonencode({
+    "appId" : azuread_service_principal.humanitec_provisioner.client_id,
+    "displayName" : azuread_application.humanitec_provisioner.display_name,
+    "password" : azuread_service_principal_password.humanitec_provisioner.value,
+    "tenant" : azuread_service_principal.humanitec_provisioner.application_tenant_id
+  })
+}
+
 # Example application and resource definition criteria
 
 # Define the shared postgres-instance resource id and class
@@ -51,9 +64,8 @@ module "postgres_instance" {
   prefix                       = var.prefix
   resource_packs_azure_url     = var.resource_packs_azure_url
   resource_packs_azure_rev     = var.resource_packs_azure_rev
-  client_id                    = azuread_service_principal.humanitec_provisioner.client_id
-  client_secret                = azuread_service_principal_password.humanitec_provisioner.value
-  tenant_id                    = azuread_service_principal.humanitec_provisioner.application_tenant_id
+  append_logs_to_error         = true
+  driver_account               = humanitec_resource_account.humanitec_provisioner.id
   subscription_id              = var.subscription_id
   resource_group_name          = data.azurerm_resource_group.resource.name
   administrator_login          = var.administrator_login
@@ -84,9 +96,8 @@ module "postgres" {
   prefix                   = var.prefix
   resource_packs_azure_url = var.resource_packs_azure_url
   resource_packs_azure_rev = var.resource_packs_azure_rev
-  client_id                = azuread_service_principal.humanitec_provisioner.client_id
-  client_secret            = azuread_service_principal_password.humanitec_provisioner.value
-  tenant_id                = azuread_service_principal.humanitec_provisioner.application_tenant_id
+  append_logs_to_error     = true
+  driver_account           = humanitec_resource_account.humanitec_provisioner.id
   subscription_id          = var.subscription_id
   instance_resource        = "postgres-instance.${local.postgres_instance_class}#${local.postgres_instance_res_id}"
 

examples/postgres/terraform.tfvars.example

@@ -20,14 +20,14 @@ resource_packs_azure_rev = "refs/heads/main"
 # Azure Resource Pack git url.
 resource_packs_azure_url = "https://github.com/humanitec-architecture/resource-packs-azure.git"
 
-# The name of the subnet where the workloads are running.
+# The name of the subnet where the Private Endpoint will be allocated.
 subnet_name = ""
 
 # The Subscription ID which should be used.
 subscription_id = ""
 
-# The name of the virtual network where the workloads are running.
+# The name of the virtual network where Private Endpoint will be allocated.
 virtual_network_name = ""
 
-# The name of the resource group where the workloads are running.
+# The name of the resource group where the Private Endpoint will be allocated.
 workload_resource_group_name = ""

examples/postgres/variables.tf

@@ -45,16 +45,16 @@ variable "administrator_password" {
 }
 
 variable "virtual_network_name" {
-  description = "The name of the virtual network where the workloads are running."
+  description = "The name of the virtual network where Private Endpoint will be allocated."
   type        = string
 }
 
 variable "subnet_name" {
-  description = "The name of the subnet where the workloads are running."
+  description = "The name of the subnet where the Private Endpoint will be allocated."
   type        = string
 }
 
 variable "workload_resource_group_name" {
-  description = "The name of the resource group where the workloads are running."
+  description = "The name of the resource group where the Private Endpoint will be allocated."
   type        = string
 }

humanitec-resource-defs/postgres-instance/basic/README.md

@@ -24,14 +24,13 @@
 |------|-------------|------|---------|:--------:|
 | administrator\_login | The Administrator login for the PostgreSQL Server. | `string` | n/a | yes |
 | administrator\_password | The Password associated with the administrator\_login for the PostgreSQL Server. | `string` | n/a | yes |
-| client\_id | The Client ID which should be used. | `string` | n/a | yes |
-| client\_secret | The Client Secret which should be used. | `string` | n/a | yes |
+| driver\_account | The ID of the Resource Account which should be used. | `string` | n/a | yes |
 | resource\_group\_name | Specifies the Name of the Resource Group within which this database will reside. | `string` | n/a | yes |
-| subnet\_name | The name of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. | `string` | n/a | yes |
+| subnet\_name | The name of the subnet where the Private Endpoint will be allocated. | `string` | n/a | yes |
 | subscription\_id | The Subscription ID which should be used. | `string` | n/a | yes |
-| tenant\_id | The Tenant ID which should be used. | `string` | n/a | yes |
 | virtual\_network\_name | The name of the virtual network where Private Endpoint will be allocated. | `string` | n/a | yes |
-| workload\_resource\_group\_name | The ID of the Application which should be used. | `string` | n/a | yes |
+| workload\_resource\_group\_name | The name of the resource group where the Private Endpoint will be allocated. | `string` | n/a | yes |
+| append\_logs\_to\_error | Append Terraform logs to error messages. | `bool` | `false` | no |
 | auto\_grow\_enabled | Enable/Disable auto-growing of the storage. Storage auto-grow prevents your server from running out of storage and becoming read-only. | `bool` | `true` | no |
 | backup\_retention\_days | Backup retention days for the server, supported values are between 7 and 35 days. | `number` | `7` | no |
 | geo\_redundant\_backup\_enabled | Turn Geo-redundant server backups on/off. | `bool` | `true` | no |

humanitec-resource-defs/postgres-instance/basic/main.tf

@@ -4,22 +4,24 @@ resource "humanitec_resource_definition" "main" {
   name        = "${var.prefix}postgres-instance-basic"
   type        = "postgres-instance"
 
+  driver_account = var.driver_account
   driver_inputs = {
-    secrets_string = jsonencode({
-      variables = {
-        client_id     = var.client_id
-        client_secret = var.client_secret
-      }
-    })
-
     values_string = jsonencode({
       source = {
         path = "modules/postgres-instance/basic"
         rev  = var.resource_packs_azure_rev
         url  = var.resource_packs_azure_url
       }
 
-      append_logs_to_error = true
+      append_logs_to_error = var.append_logs_to_error
+
+      credentials_config = {
+        environment = {
+          ARM_CLIENT_ID     = "appId"
+          ARM_CLIENT_SECRET = "password"
+          ARM_TENANT_ID     = "tenant"
+        }
+      }
 
       variables = {
         res_id = "$${context.res.id}"
@@ -28,7 +30,6 @@ resource "humanitec_resource_definition" "main" {
 
         name                         = var.name
         prefix                       = var.prefix
-        tenant_id                    = var.tenant_id
         subscription_id              = var.subscription_id
         resource_group_name          = var.resource_group_name
         administrator_login          = var.administrator_login

humanitec-resource-defs/postgres-instance/basic/terraform.tfvars.example

@@ -5,17 +5,17 @@ administrator_login = ""
 # The Password associated with the administrator_login for the PostgreSQL Server.
 administrator_password = ""
 
+# Append Terraform logs to error messages.
+append_logs_to_error = false
+
 # Enable/Disable auto-growing of the storage. Storage auto-grow prevents your server from running out of storage and becoming read-only.
 auto_grow_enabled = true
 
 # Backup retention days for the server, supported values are between 7 and 35 days.
 backup_retention_days = 7
 
-# The Client ID which should be used.
-client_id = ""
-
-# The Client Secret which should be used.
-client_secret = ""
+# The ID of the Resource Account which should be used.
+driver_account = ""
 
 # Turn Geo-redundant server backups on/off.
 geo_redundant_backup_enabled = true
@@ -44,17 +44,14 @@ sku_name = "B_Standard_B2s"
 # Max storage allowed for a server.
 storage_mb = 65536
 
-# The name of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint.
+# The name of the subnet where the Private Endpoint will be allocated.
 subnet_name = ""
 
 # The Subscription ID which should be used.
 subscription_id = ""
 
-# The Tenant ID which should be used.
-tenant_id = ""
-
 # The name of the virtual network where Private Endpoint will be allocated.
 virtual_network_name = ""
 
-# The ID of the Application which should be used.
+# The name of the resource group where the Private Endpoint will be allocated.
 workload_resource_group_name = ""

humanitec-resource-defs/postgres-instance/basic/variables.tf

@@ -22,18 +22,14 @@ variable "resource_packs_azure_rev" {
   default     = "refs/heads/main"
 }
 
-variable "client_id" {
-  description = "The Client ID which should be used."
-  type        = string
-}
-
-variable "client_secret" {
-  description = "The Client Secret which should be used."
-  type        = string
+variable "append_logs_to_error" {
+  description = "Append Terraform logs to error messages."
+  type        = bool
+  default     = false
 }
 
-variable "tenant_id" {
-  description = "The Tenant ID which should be used."
+variable "driver_account" {
+  description = "The ID of the Resource Account which should be used."
   type        = string
 }
 
@@ -99,11 +95,11 @@ variable "virtual_network_name" {
 }
 
 variable "subnet_name" {
-  description = "The name of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint."
+  description = "The name of the subnet where the Private Endpoint will be allocated."
   type        = string
 }
 
 variable "workload_resource_group_name" {
-  description = "The ID of the Application which should be used."
+  description = "The name of the resource group where the Private Endpoint will be allocated."
   type        = string
 }

humanitec-resource-defs/postgres/basic/README.md

@@ -22,11 +22,10 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| client\_id | The Client ID which should be used. | `string` | n/a | yes |
-| client\_secret | The Client Secret which should be used. | `string` | n/a | yes |
+| driver\_account | The ID of the Resource Account which should be used. | `string` | n/a | yes |
 | instance\_resource | Identifier of the PostgreSQL instance resource. | `string` | n/a | yes |
 | subscription\_id | The Subscription ID which should be used. | `string` | n/a | yes |
-| tenant\_id | The Tenant ID which should be used. | `string` | n/a | yes |
+| append\_logs\_to\_error | Append Terraform logs to error messages. | `bool` | `false` | no |
 | prefix | Specifies the prefix used in default name for created resources. | `string` | `""` | no |
 | resource\_packs\_azure\_rev | Azure Resource Pack git branch. | `string` | `"refs/heads/main"` | no |
 | resource\_packs\_azure\_url | Azure Resource Pack git url. | `string` | `"https://github.com/humanitec-architecture/resource-packs-azure.git"` | no |

humanitec-resource-defs/postgres/basic/main.tf

@@ -4,12 +4,10 @@ resource "humanitec_resource_definition" "main" {
   name        = "${var.prefix}postgres-basic"
   type        = "postgres"
 
+  driver_account = var.driver_account
   driver_inputs = {
     secrets_string = jsonencode({
       variables = {
-        client_id     = var.client_id
-        client_secret = var.client_secret
-
         administrator_login    = "$${resources['${var.instance_resource}'].outputs.username}"
         administrator_password = "$${resources['${var.instance_resource}'].outputs.password}"
       }
@@ -22,12 +20,21 @@ resource "humanitec_resource_definition" "main" {
         url  = var.resource_packs_azure_url
       }
 
+      append_logs_to_error = var.append_logs_to_error
+
+      credentials_config = {
+        environment = {
+          ARM_CLIENT_ID     = "appId"
+          ARM_CLIENT_SECRET = "password"
+          ARM_TENANT_ID     = "tenant"
+        }
+      }
+
       variables = {
         res_id = "$${context.res.id}"
         app_id = "$${context.app.id}"
         env_id = "$${context.env.id}"
 
-        tenant_id       = var.tenant_id
         subscription_id = var.subscription_id
         server_id       = "$${resources['${var.instance_resource}'].outputs.server_id}"
         host            = "$${resources['${var.instance_resource}'].outputs.host}"

humanitec-resource-defs/postgres/basic/terraform.tfvars.example

@@ -1,9 +1,9 @@
 
-# The Client ID which should be used.
-client_id = ""
+# Append Terraform logs to error messages.
+append_logs_to_error = false
 
-# The Client Secret which should be used.
-client_secret = ""
+# The ID of the Resource Account which should be used.
+driver_account = ""
 
 # Identifier of the PostgreSQL instance resource.
 instance_resource = ""
@@ -18,7 +18,4 @@ resource_packs_azure_rev = "refs/heads/main"
 resource_packs_azure_url = "https://github.com/humanitec-architecture/resource-packs-azure.git"
 
 # The Subscription ID which should be used.
-subscription_id = ""
-
-# The Tenant ID which should be used.
-tenant_id = ""
+subscription_id = ""

humanitec-resource-defs/postgres/basic/variables.tf

@@ -16,18 +16,14 @@ variable "resource_packs_azure_rev" {
   default     = "refs/heads/main"
 }
 
-variable "client_id" {
-  description = "The Client ID which should be used."
-  type        = string
-}
-
-variable "client_secret" {
-  description = "The Client Secret which should be used."
-  type        = string
+variable "append_logs_to_error" {
+  description = "Append Terraform logs to error messages."
+  type        = bool
+  default     = false
 }
 
-variable "tenant_id" {
-  description = "The Tenant ID which should be used."
+variable "driver_account" {
+  description = "The ID of the Resource Account which should be used."
   type        = string
 }
 

modules/postgres-instance/basic/README.md

@@ -35,8 +35,6 @@
 | app\_id | n/a | `string` | n/a | yes |
 | auto\_grow\_enabled | Enable/Disable auto-growing of the storage. Storage auto-grow prevents your server from running out of storage and becoming read-only. | `bool` | n/a | yes |
 | backup\_retention\_days | Backup retention days for the server, supported values are between 7 and 35 days. | `number` | n/a | yes |
-| client\_id | The Client ID which should be used. | `string` | n/a | yes |
-| client\_secret | The Client Secret which should be used. | `string` | n/a | yes |
 | env\_id | n/a | `string` | n/a | yes |
 | geo\_redundant\_backup\_enabled | Turn Geo-redundant server backups on/off. | `bool` | n/a | yes |
 | postgres\_version | Specifies the version of PostgreSQL to use. | `string` | n/a | yes |
@@ -46,7 +44,6 @@
 | storage\_mb | Max storage allowed for a server. | `number` | n/a | yes |
 | subnet\_name | The name of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. | `string` | n/a | yes |
 | subscription\_id | The Subscription ID which should be used. | `string` | n/a | yes |
-| tenant\_id | The Tenant ID which should be used. | `string` | n/a | yes |
 | virtual\_network\_name | The name of the virtual network where Private Endpoint will be allocated. | `string` | n/a | yes |
 | workload\_resource\_group\_name | Specifies the Name of the Resource Group within which created resources will reside. | `string` | n/a | yes |
 | name | Specifies the Name for created resources. (Leave empty for the default one) | `string` | `""` | no |

modules/postgres-instance/basic/provider.tf

@@ -16,8 +16,5 @@ terraform {
 provider "azurerm" {
   features {}
 
-  client_id       = var.client_id
-  client_secret   = var.client_secret
-  tenant_id       = var.tenant_id
   subscription_id = var.subscription_id
 }

modules/postgres-instance/basic/terraform.tfvars.example

@@ -13,12 +13,6 @@ auto_grow_enabled = ""
 # Backup retention days for the server, supported values are between 7 and 35 days.
 backup_retention_days = ""
 
-# The Client ID which should be used.
-client_id = ""
-
-# The Client Secret which should be used.
-client_secret = ""
-
 env_id = ""
 
 # Turn Geo-redundant server backups on/off.
@@ -50,9 +44,6 @@ subnet_name = ""
 # The Subscription ID which should be used.
 subscription_id = ""
 
-# The Tenant ID which should be used.
-tenant_id = ""
-
 # The name of the virtual network where Private Endpoint will be allocated.
 virtual_network_name = ""