Merge branch 'main' into IOPID-1514

.identity/03_github_environment_cd.tf

@@ -19,25 +19,49 @@ resource "github_repository_environment" "github_repository_environment_cd" {
   }
 }
 
+# TODO: remove when all workflows read values from ARM_** secrets
 #tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
-resource "github_actions_environment_secret" "azure_cd_tenant_id" {
+resource "github_actions_environment_secret" "azure_cd_tenant_id_azure" {
   repository      = local.repository
   environment     = "${var.env}-cd"
   secret_name     = "AZURE_TENANT_ID"
   plaintext_value = data.azurerm_client_config.current.tenant_id
 }
 
+resource "github_actions_environment_secret" "azure_cd_tenant_id" {
+  repository      = local.repository
+  environment     = "${var.env}-cd"
+  secret_name     = "ARM_TENANT_ID"
+  plaintext_value = data.azurerm_client_config.current.tenant_id
+}
+
+# TODO: remove when all workflows read values from ARM_** secrets
 #tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
-resource "github_actions_environment_secret" "azure_cd_subscription_id" {
+resource "github_actions_environment_secret" "azure_cd_subscription_id_azure" {
   repository      = local.repository
   environment     = "${var.env}-cd"
   secret_name     = "AZURE_SUBSCRIPTION_ID"
   plaintext_value = data.azurerm_subscription.current.subscription_id
 }
 
-resource "github_actions_environment_secret" "azure_client_id_cd" {
+resource "github_actions_environment_secret" "azure_cd_subscription_id" {
+  repository      = local.repository
+  environment     = "${var.env}-cd"
+  secret_name     = "ARM_SUBSCRIPTION_ID"
+  plaintext_value = data.azurerm_subscription.current.subscription_id
+}
+
+# TODO: remove when all workflows read values from ARM_** secrets
+resource "github_actions_environment_secret" "azure_client_id_cd_azure" {
   repository      = local.repository
   environment     = "${var.env}-cd"
   secret_name     = "AZURE_CLIENT_ID"
   plaintext_value = module.identity_cd.identity_client_id
 }
+
+resource "github_actions_environment_secret" "azure_client_id_cd" {
+  repository      = local.repository
+  environment     = "${var.env}-cd"
+  secret_name     = "ARM_CLIENT_ID"
+  plaintext_value = module.identity_cd.identity_client_id
+}

.identity/03_github_environment_ci.tf

@@ -7,25 +7,50 @@ resource "github_repository_environment" "github_repository_environment_ci" {
   }
 }
 
+# TODO: remove when all workflows read values from ARM_** secrets
 #tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
-resource "github_actions_environment_secret" "azure_ci_tenant_id" {
+resource "github_actions_environment_secret" "azure_ci_tenant_id_azure" {
   repository      = local.repository
   environment     = "${var.env}-ci"
   secret_name     = "AZURE_TENANT_ID"
   plaintext_value = data.azurerm_client_config.current.tenant_id
 }
 
 #tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
-resource "github_actions_environment_secret" "azure_ci_subscription_id" {
+resource "github_actions_environment_secret" "azure_ci_tenant_id" {
+  repository      = local.repository
+  environment     = "${var.env}-ci"
+  secret_name     = "ARM_TENANT_ID"
+  plaintext_value = data.azurerm_client_config.current.tenant_id
+}
+
+# TODO: remove when all workflows read values from ARM_** secrets
+#tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
+resource "github_actions_environment_secret" "azure_ci_subscription_id_azure" {
   repository      = local.repository
   environment     = "${var.env}-ci"
   secret_name     = "AZURE_SUBSCRIPTION_ID"
   plaintext_value = data.azurerm_subscription.current.subscription_id
 }
 
-resource "github_actions_environment_secret" "azure_client_id_ci" {
+resource "github_actions_environment_secret" "azure_ci_subscription_id" {
+  repository      = local.repository
+  environment     = "${var.env}-ci"
+  secret_name     = "ARM_SUBSCRIPTION_ID"
+  plaintext_value = data.azurerm_subscription.current.subscription_id
+}
+
+# TODO: remove when all workflows read values from ARM_** secrets
+resource "github_actions_environment_secret" "azure_client_id_ci_azure" {
   repository      = local.repository
   environment     = "${var.env}-ci"
   secret_name     = "AZURE_CLIENT_ID"
   plaintext_value = module.identity_ci.identity_client_id
 }
+
+resource "github_actions_environment_secret" "azure_client_id_ci" {
+  repository      = local.repository
+  environment     = "${var.env}-ci"
+  secret_name     = "ARM_CLIENT_ID"
+  plaintext_value = module.identity_ci.identity_client_id
+}

.identity/README.md

@@ -25,11 +25,17 @@
 | [azuread_directory_role.directory_readers](https://registry.terraform.io/providers/hashicorp/azuread/2.30.0/docs/resources/directory_role) | resource |
 | [azurerm_resource_group.identity_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [github_actions_environment_secret.azure_cd_subscription_id](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.azure_cd_subscription_id_azure](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
 | [github_actions_environment_secret.azure_cd_tenant_id](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.azure_cd_tenant_id_azure](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
 | [github_actions_environment_secret.azure_ci_subscription_id](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.azure_ci_subscription_id_azure](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
 | [github_actions_environment_secret.azure_ci_tenant_id](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.azure_ci_tenant_id_azure](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
 | [github_actions_environment_secret.azure_client_id_cd](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.azure_client_id_cd_azure](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
 | [github_actions_environment_secret.azure_client_id_ci](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.azure_client_id_ci_azure](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/actions_environment_secret) | resource |
 | [github_repository_environment.github_repository_environment_cd](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/repository_environment) | resource |
 | [github_repository_environment.github_repository_environment_ci](https://registry.terraform.io/providers/integrations/github/5.45.0/docs/resources/repository_environment) | resource |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |