PAGOPA-1594 federated identity

pagopa · Mar 27, 2024 · 39fb4be · 39fb4be
1 parent 573a6e0
commit 39fb4be
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 90 deletions.
diff --git a/.github/workflows/deploy_with_github_runner.yml b/.github/workflows/deploy_with_github_runner.yml
@@ -31,7 +31,7 @@ jobs:
         # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
         uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
-          client_id: ${{ secrets.CLIENT_ID }}
+          client_id: ${{ secrets.CD_CLIENT_ID }}
           tenant_id: ${{ secrets.TENANT_ID }}
           subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
           container_app_environment_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_NAME }}
@@ -48,7 +48,7 @@ jobs:
         uses: pagopa/github-actions-template/aks-deploy@main
         with:
           branch: ${{ github.ref_name }}
-          client_id: ${{ secrets.CLIENT_ID }}
+          client_id: ${{ secrets.CD_CLIENT_ID }}
           subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
           tenant_id: ${{ secrets.TENANT_ID }}
           env: ${{ inputs.environment }}
@@ -71,7 +71,7 @@ jobs:
         # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action
         uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@0ee2f58fd46d10ac7f00bce4304b98db3dbdbe9a
         with:
-          client_id: ${{ secrets.CLIENT_ID }}
+          client_id: ${{ secrets.CD_CLIENT_ID }}
           tenant_id: ${{ secrets.TENANT_ID }}
           subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
           resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }}
@@ -103,7 +103,7 @@ jobs:
 #        # from https://github.com/Azure/login/commits/master
 #        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
 #        with:
-#          client-id: ${{ secrets.CLIENT_ID }}
+#          client-id: ${{ secrets.CD_CLIENT_ID }}
 #          tenant-id: ${{ secrets.TENANT_ID }}
 #          subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
 #
@@ -112,7 +112,7 @@ jobs:
 #        shell: bash
 #        run: |
 #          cd ./infra
-#          export ARM_CLIENT_ID="${{ secrets.CLIENT_ID }}"
+#          export ARM_CLIENT_ID="${{ secrets.CD_CLIENT_ID }}"
 #          export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
 #          export ARM_TENANT_ID=$(az account show --query tenantId --output tsv)
 #          export ARM_USE_OIDC=true

diff --git a/.identity/00_data.tf b/.identity/00_data.tf
@@ -1,3 +1,8 @@
+data "azurerm_user_assigned_identity" "identity_cd" {
+  resource_group_name = "${local.product}-identity-rg"
+  name                = "${local.product}-${local.domain}-01-github-cd-identity"
+}
+
 data "azurerm_resource_group" "dashboards" {
   name = "dashboards"
 }

diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf
@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" {
 
 locals {
   env_secrets = {
-    "CLIENT_ID" : module.github_runner_app.application_id,
+    "CD_CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd.client_id,
     "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
     "ISSUER_RANGE_TABLE" : "${local.prefix}${var.env_short}${local.location_short}${local.domain}saissuerrangetable",