Switch to using OIDC (tjcorr#5)

JDGrillo · Jun 8, 2022 · bfbdc78 · bfbdc78
1 parent 1596be8
commit bfbdc78
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 39 deletions.
diff --git a/.github/workflows/oidc-test.yml b/.github/workflows/oidc-test.yml
diff --git a/.github/workflows/terraform.yml → .github/workflows/tf-plan-apply.yml b/.github/workflows/terraform.yml → .github/workflows/tf-plan-apply.yml
@@ -8,20 +8,26 @@ on:
     branches:
     - main
 
+#Special permissions required for OIDC authentication
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
 
-#These environment variables are used by the terraform azure provider to authenticate. 
-#To eliminate the use of stored secrets consider switching to OIDD.
+#These environment variables are used by the terraform azure provider to setup OIDD authenticate. 
 env:
-  ARM_CLIENT_ID: "${{ secrets.ARM_CLIENT_ID }}"
-  ARM_CLIENT_SECRET: "${{ secrets.ARM_CLIENT_SECRET }}"
-  ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
-  ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}"
+  ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
+  ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+  ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
 
 jobs:
   terraform-plan:
     name: 'Terraform Plan'
     runs-on: ubuntu-latest
-    environment: production
+    environment: production-readonly
+    env:
+      #this is needed since we are running terraform with read-only permissions
+      ARM_SKIP_PROVIDER_REGISTRATION: true
     outputs:
       tfplanExitCode: ${{ steps.tf-plan.outputs.exitcode }}
 
@@ -35,6 +41,7 @@ jobs:
       uses: hashicorp/setup-terraform@v1
       with:
         terraform_wrapper: false
+
 
     # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
     - name: Terraform Init
@@ -115,7 +122,7 @@ jobs:
     name: 'Terraform Apply'
     if: github.ref == 'refs/heads/main' && needs.terraform-plan.outputs.tfplanExitCode == 2
     runs-on: ubuntu-latest
-    environment: production-approval
+    environment: production-readwrite
     needs: [terraform-plan]
 
     steps:
@@ -126,7 +133,7 @@ jobs:
     # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v1
-      
+
     # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
     - name: Terraform Init
       run: terraform init

diff --git a/main.tf b/main.tf
@@ -2,20 +2,22 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 2.62"
+      version = ">= 3.7.0"
     }
   }
 
   backend "azurerm" {
     resource_group_name  = "rg-tf-pipeline-demo-state"
-    storage_account_name = "tfpipelinedemostate"
+    storage_account_name = "tfpipelinedemo"
     container_name       = "tfstate"
     key                  = "terraform.tfstate"
+    use_oidc             = true
   }
 }
 
 provider "azurerm" {
   features {}
+  use_oidc = true
 }
 
 resource "azurerm_resource_group" "rg-aks" {

diff --git a/terraform.tfvars b/terraform.tfvars
@@ -1,2 +1,2 @@
-resource_group_name = "rg-tf-pipeline-demo3"
+resource_group_name = "rg-tf-pipeline-demo"
 location            = "eastus"