From aa757360ed281084a9a1cec68dd4e5bf7a4191b9 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Wed, 27 Sep 2023 17:42:56 +0200
Subject: [PATCH] update CAPZ service account name add ASO identity to service account
---
bootstrap/terraform/azure-bootstrap/main.tf | 29 ++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/bootstrap/terraform/azure-bootstrap/main.tf b/bootstrap/terraform/azure-bootstrap/main.tf
index e7f63460d..43e5cb2eb 100644
--- a/bootstrap/terraform/azure-bootstrap/main.tf
+++ b/bootstrap/terraform/azure-bootstrap/main.tf
@@ -195,7 +195,34 @@ resource "azurerm_federated_identity_credential" "capz" {
 audience = ["api://AzureADTokenExchange"]
 issuer = var.cluster_api ? one(data.azurerm_kubernetes_cluster.cluster[*].oidc_issuer_url) : one(module.aks[*].oidc_issuer_url)
 parent_id = azurerm_user_assigned_identity.capz.id
- subject = "system:serviceaccount:${var.namespace}:bootstrap-cluster-api-provider-azure"
+ subject = "system:serviceaccount:${var.namespace}:bootstrap-capz-capz-manager"
+}
+
+resource "azurerm_user_assigned_identity" "aso" {
+ location = data.azurerm_resource_group.group.location
+ name = "${var.name}-capz-aso"
+ resource_group_name = data.azurerm_resource_group.group.name
+}
+
+resource "azurerm_role_assignment" "rg-contributor" {
+ scope = data.azurerm_resource_group.group.id
+ role_definition_name = "Contributor"
+ principal_id = azurerm_user_assigned_identity.aso.principal_id
+}
+
+resource "azurerm_role_assignment" "node-rg-contributor" {
+ scope = data.azurerm_resource_group.node_group.id
+ role_definition_name = "Contributor"
+ principal_id = azurerm_user_assigned_identity.aso.principal_id
+}
+
+resource "azurerm_federated_identity_credential" "aso" {
+ name = "${var.name}-aso-federated-identity"
+ resource_group_name = data.azurerm_resource_group.group.name
+ audience = ["api://AzureADTokenExchange"]
+ issuer = var.cluster_api ? one(data.azurerm_kubernetes_cluster.cluster[*].oidc_issuer_url) : one(module.aks[*].oidc_issuer_url)
+ parent_id = azurerm_user_assigned_identity.aso.id
+ subject = "system:serviceaccount:${var.namespace}:bootstrap-capz-aso-default"
 }
 
 resource "kubernetes_namespace" "bootstrap" {
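Review bot: The two new `azurerm_role_assignment` blocks grant `Contributor` on both the cluster resource group and the node resource group to the ASO identity, and the federated credential that follows makes that identity reachable from a single hard-coded service account (`bootstrap-capz-aso-default` in `var.namespace`), so any workload able to run under that service account inherits Contributor on both groups; the hunk gives no comment on why that scope is needed, and a one-liner such as `# ASO provisions arbitrary ARM resources on behalf of workload clusters; Contributor on both RGs is required for that — keep the bound service account tightly controlled` above `rg-contributor` would record the intent and the resulting trust boundary. The subject strings in both federated credentials (`bootstrap-capz-capz-manager` and `bootstrap-capz-aso-default`) appear to encode a Helm release/chart naming convention that is not derived from anything in this file, and a mismatch only surfaces at token-exchange time rather than at plan time, so a comment naming where those service-account names come from would help the next maintainer. Since both role assignments reference `azurerm_user_assigned_identity.aso.principal_id` immediately after the identity is created, they may hit the usual Entra replication race on first apply; if the existing capz role assignments in this module already handle that (e.g. via `skip_service_principal_aad_check = true`), the new ones should follow the same pattern. `data.azurerm_resource_group.node_group` is referenced here but its declaration is outside the hunk and could not be verified.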