use signle identity

pluralsh · Oct 5, 2023 · 787180c · 787180c
1 parent 2b95918
commit 787180c
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 26 deletions.
diff --git a/bootstrap/helm/cluster-api-provider-azure/values.yaml.tpl b/bootstrap/helm/cluster-api-provider-azure/values.yaml.tpl
@@ -2,4 +2,4 @@ cluster-api-provider-azure:
   asoControllerSettings:
     azureSubscriptionId: {{ .Context.SubscriptionId }}
     azureTenantId: {{ .Context.TenantId }}
-    azureClientId: {{ importValue "Terraform" "aso_assigned_identity_client_id" }}
+    azureClientId: {{ importValue "Terraform" "capz_assigned_identity_client_id" }}
diff --git a/bootstrap/terraform/azure-bootstrap/deps.yaml b/bootstrap/terraform/azure-bootstrap/deps.yaml
@@ -17,7 +17,6 @@ spec:
     kubelet_msi_id: kubelet_msi_id
     node_resource_group: node_resource_group
     capz_assigned_identity_client_id: capz_assigned_identity_client_id
-    aso_assigned_identity_client_id: aso_assigned_identity_client_id
   provider_wirings:
     cluster: module.azure-bootstrap.cluster
   provider_vsn: "0.1.4"
diff --git a/bootstrap/terraform/azure-bootstrap/main.tf b/bootstrap/terraform/azure-bootstrap/main.tf
@@ -180,14 +180,8 @@ resource "azurerm_user_assigned_identity" "capz" {
   resource_group_name = data.azurerm_resource_group.group.name
 }
 
-resource "azurerm_role_assignment" "rg-contributor" {
-  scope                = data.azurerm_resource_group.group.id
-  role_definition_name = "Contributor"
-  principal_id         = azurerm_user_assigned_identity.capz.principal_id
-}
-
-resource "azurerm_role_assignment" "node-rg-contributor" {
-  scope                = data.azurerm_resource_group.node_group.id
+resource "azurerm_role_assignment" "capz-sub-contributor" {
+  scope                = data.azurerm_subscription.sub.id
   role_definition_name = "Contributor"
   principal_id         = azurerm_user_assigned_identity.capz.principal_id
 }
@@ -201,24 +195,12 @@ resource "azurerm_federated_identity_credential" "capz" {
   subject             = "system:serviceaccount:${var.namespace}:bootstrap-capz-capz-manager"
 }
 
-resource "azurerm_user_assigned_identity" "aso" {
-  location            = data.azurerm_resource_group.group.location
-  name                = "${var.name}-capz-aso"
-  resource_group_name = data.azurerm_resource_group.group.name
-}
-
-resource "azurerm_role_assignment" "aso-sub-contributor" {
-  scope                = data.azurerm_subscription.sub.id
-  role_definition_name = "Contributor"
-  principal_id         = azurerm_user_assigned_identity.aso.principal_id
-}
-
 resource "azurerm_federated_identity_credential" "aso" {
   name                = "${var.name}-aso-federated-identity"
   resource_group_name = data.azurerm_resource_group.group.name
   audience            = ["api://AzureADTokenExchange"]
   issuer              = var.cluster_api ? one(data.azurerm_kubernetes_cluster.cluster[*].oidc_issuer_url) : one(module.aks[*].oidc_issuer_url)
-  parent_id           = azurerm_user_assigned_identity.aso.id
+  parent_id           = azurerm_user_assigned_identity.capz.id
   subject             = "system:serviceaccount:${var.namespace}:bootstrap-capz-aso-default"
 }
 

diff --git a/bootstrap/terraform/azure-bootstrap/outputs.tf b/bootstrap/terraform/azure-bootstrap/outputs.tf
@@ -32,6 +32,3 @@ output "capz_assigned_identity_client_id" {
   value = azurerm_user_assigned_identity.capz.client_id
 }
 
-output "aso_assigned_identity_client_id" {
-  value = azurerm_user_assigned_identity.aso.client_id
-}