feat: workload identity federation

Allow metering and replicator service principals to use workload identity federation instead of passwords.
meshcloud · Mar 8, 2024 · 5d057a7 · 5d057a7
1 parent 2ae3425
commit 5d057a7
Show file tree

Hide file tree

Showing 10 changed files with 79 additions and 20 deletions.
diff --git a/main.tf b/main.tf
@@ -47,6 +47,10 @@ module "replicator_service_principal" {
 
   additional_required_resource_accesses = var.additional_required_resource_accesses
   additional_permissions                = var.additional_permissions
+  workload_identity_federation = var.workload_identity_federation == null ? null : {
+    issuer  = var.workload_identity_federation.issuer,
+    subject = var.workload_identity_federation.replicator_subject
+  }
 }
 
 module "metering_service_principal" {
@@ -55,6 +59,10 @@ module "metering_service_principal" {
 
   service_principal_name = var.metering_service_principal_name
   assignment_scopes      = local.metering_assignment_scopes
+  workload_identity_federation = var.workload_identity_federation == null ? null : {
+    issuer  = var.workload_identity_federation.issuer,
+    subject = var.workload_identity_federation.kraken_subject
+  }
 }
 
 module "sso_service_principal" {

diff --git a/modules/meshcloud-metering-service-principal/module.tf b/modules/meshcloud-metering-service-principal/module.tf
@@ -59,13 +59,17 @@ resource "azuread_service_principal" "meshcloud_metering" {
 // Create a password for the Enterprise application
 //---------------------------------------------------------------------------
 resource "time_rotating" "replicator_secret_rotation" {
+  count = var.workload_identity_federation == null ? 1 : 0
+
   rotation_days = 365
 }
 
 resource "azuread_application_password" "application_pw" {
+  count = var.workload_identity_federation == null ? 1 : 0
+
   application_id = azuread_application.meshcloud_metering.id
   rotate_when_changed = {
-    rotation = time_rotating.replicator_secret_rotation.id
+    rotation = time_rotating.replicator_secret_rotation[0].id
   }
 }
 
@@ -83,3 +87,16 @@ moved {
   from = azuread_service_principal.meshcloud_kraken
   to   = azuread_service_principal.meshcloud_metering
 }
+
+//---------------------------------------------------------------------------
+// Create federated identity credentials
+//---------------------------------------------------------------------------
+resource "azuread_application_federated_identity_credential" "meshcloud_replicator" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  application_id = azuread_application.meshcloud_metering.id
+  display_name   = var.service_principal_name
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = var.workload_identity_federation.issuer
+  subject        = var.workload_identity_federation.subject
+}
diff --git a/modules/meshcloud-metering-service-principal/outputs.tf b/modules/meshcloud-metering-service-principal/outputs.tf
@@ -3,12 +3,12 @@ output "credentials" {
   value = {
     Enterprise_Application_Object_ID = azuread_service_principal.meshcloud_metering.id
     Application_Client_ID            = azuread_application.meshcloud_metering.client_id
-    Client_Secret                    = "Execute `terraform output metering_client_secret` to see the password"
+    Client_Secret                    = var.workload_identity_federation == null ? "Execute `terraform output metering_service_principal_password` to see the password" : "Not applicable when using workload identity federation"
   }
 }
 
 output "application_client_secret" {
   description = "Client Secret Of the Application."
-  value       = azuread_application_password.application_pw.value
+  value       = var.workload_identity_federation == null ? azuread_application_password.application_pw[0].value : null
   sensitive   = true
 }
diff --git a/modules/meshcloud-metering-service-principal/variables.tf b/modules/meshcloud-metering-service-principal/variables.tf
@@ -7,3 +7,9 @@ variable "assignment_scopes" {
   type        = list(string)
   description = "The scopes to which Service Principal permissions should be assigned to. Usually this is the management group id of form `/providers/Microsoft.Management/managementGroups/<tenantId>` that sits atop the subscriptions."
 }
+
+variable "workload_identity_federation" {
+  default     = null
+  description = "Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack."
+  type        = object({ issuer = string, subject = string })
+}
diff --git a/modules/meshcloud-replicator-service-principal/auth.tf b/modules/meshcloud-replicator-service-principal/auth.tf
@@ -0,0 +1,30 @@
+//---------------------------------------------------------------------------
+// Create new client secret and associate it with the application
+//---------------------------------------------------------------------------
+resource "time_rotating" "replicator_secret_rotation" {
+  count = var.workload_identity_federation == null ? 1 : 0
+
+  rotation_days = 365
+}
+
+resource "azuread_application_password" "application_pw" {
+  count = var.workload_identity_federation == null ? 1 : 0
+
+  application_id = azuread_application.meshcloud_replicator.id
+  rotate_when_changed = {
+    rotation = time_rotating.replicator_secret_rotation[0].id
+  }
+}
+
+//---------------------------------------------------------------------------
+// Create federated identity credentials
+//---------------------------------------------------------------------------
+resource "azuread_application_federated_identity_credential" "meshcloud_replicator" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  application_id = azuread_application.meshcloud_replicator.id
+  display_name   = var.service_principal_name
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = var.workload_identity_federation.issuer
+  subject        = var.workload_identity_federation.subject
+}
diff --git a/modules/meshcloud-replicator-service-principal/module.tf b/modules/meshcloud-replicator-service-principal/module.tf
@@ -132,20 +132,7 @@ resource "azuread_application" "meshcloud_replicator" {
 }
 
 //---------------------------------------------------------------------------
-// Create new client secret and associate it with the previous application
-//---------------------------------------------------------------------------
-resource "time_rotating" "replicator_secret_rotation" {
-  rotation_days = 365
-}
-resource "azuread_application_password" "application_pw" {
-  application_id = azuread_application.meshcloud_replicator.id
-  rotate_when_changed = {
-    rotation = time_rotating.replicator_secret_rotation.id
-  }
-}
-
-//---------------------------------------------------------------------------
-// Create new Enterprise Application and associate it with the previous application
+// Create new Enterprise Application and associate it with the application
 //---------------------------------------------------------------------------
 resource "azuread_service_principal" "meshcloud_replicator" {
   client_id = azuread_application.meshcloud_replicator.client_id

diff --git a/modules/meshcloud-replicator-service-principal/outputs.tf b/modules/meshcloud-replicator-service-principal/outputs.tf
@@ -3,12 +3,12 @@ output "credentials" {
   value = {
     Enterprise_Application_Object_ID = azuread_service_principal.meshcloud_replicator.id
     Application_Client_ID            = azuread_application.meshcloud_replicator.client_id
-    Client_Secret                    = "Execute `terraform output replicator_client_secret` to see the password"
+    Client_Secret                    = var.workload_identity_federation == null ? "Execute `terraform output replicator_service_principal_password` to see the password" : "Not applicable when using workload identity federation"
   }
 }
 
 output "application_client_secret" {
   description = "Client Secret Of the Application."
-  value       = azuread_application_password.application_pw.value
+  value       = var.workload_identity_federation == null ? azuread_application_password.application_pw[0].value : null
   sensitive   = true
 }
diff --git a/modules/meshcloud-replicator-service-principal/variables.tf b/modules/meshcloud-replicator-service-principal/variables.tf
@@ -30,3 +30,9 @@ variable "replicator_rg_enabled" {
   default     = false
   description = "Whether the created replicator Service Principal should be usable for Azure Resource Group based replication."
 }
+
+variable "workload_identity_federation" {
+  default     = null
+  description = "Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack."
+  type        = object({ issuer = string, subject = string })
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,4 +1,3 @@
-
 output "replicator_service_principal" {
   description = "Replicator Service Principal."
   value       = length(module.replicator_service_principal) > 0 ? module.replicator_service_principal[0].credentials : null

diff --git a/variables.tf b/variables.tf
@@ -80,3 +80,9 @@ variable "additional_permissions" {
   default     = []
   description = "Additional Subscription-Level Permissions the Service Principal needs."
 }
+
+variable "workload_identity_federation" {
+  default     = null
+  description = "Enable workload identity federation instead of using a password by providing these additional settings. Usually you should receive the required settings when attempting to configure a platform with workload identity federation in meshStack."
+  type        = object({ issuer = string, replicator_subject = string, kraken_subject = string })
+}