diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index bdad5b5c..c33e87be 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -5,6 +5,10 @@ on:
 branches: [main]
 tags: ["*"]
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 build_and_publish:
@@ -16,12 +20,11 @@ jobs:
 - name: Log in with Azure
 uses: azure/login@v1
 with:
- creds: '${{ secrets.AZURE_CREDENTIALS }}'
+ client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
+ tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
+ subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
 - name: Authenticate
- env:
- CLIENT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
- CLIENT_SECRET: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
 run: ./scripts/ciauthenticate
 - name: Run cibuild
@@ -54,6 +57,13 @@ jobs:
 - build_and_publish
 steps:
 - uses: actions/checkout@v3
+
+ - name: Log in with Azure
+ uses: azure/login@v1
+ with:
+ client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
+ tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
+ subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
 - name: Get image tag
 id: get_image_tag
@@ -73,7 +83,7 @@ jobs:
 env:
 IMAGE_TAG: ${{needs.build_and_publish.outputs.image_tag}}
 ENVIRONMENT: staging
- ARM_CLIENT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
- ARM_CLIENT_SECRET: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
- ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).subscriptionId }}
- ARM_TENANT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
+ ARM_CLIENT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
+ ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
+ ARM_TENANT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
+ ARM_USE_OIDC: true
\ No newline at end of file
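Review bot: The workflow-level `permissions` block grants `id-token: write` to every job in the file, and the `on:` context just above it shows the workflow also running for `tags: ["*"]`, so any tag push can obtain an OIDC token with subject `repo:<org>/<repo>:ref:refs/tags/<tag>` for the Azure identity. Whether Azure accepts that token depends on the federated-credential subjects configured on the app registration, which are not visible here: bound to `ref:refs/heads/main` only, tag-triggered runs will fail at `azure/login`; bound loosely enough to cover arbitrary tags, anyone who can push a tag can deploy. Prefer a job-level `permissions: { id-token: write, contents: read }` on just the jobs that call `azure/login`, and put the deploy job in a GitHub `environment:` so the federated credential can match on the `environment:` subject claim and the environment's protection rules gate the deploy. The workflow-level block can then be narrowed to `permissions: { contents: read }`.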
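Review bot: The `with:` values added to the build job's login step read the client, tenant and subscription IDs out of `fromJSON(secrets.SECURE_AZURE_CREDENTIALS)`, but with the client secret gone these are identifiers rather than secrets, and keeping them in a masked JSON secret means GitHub redacts the GUIDs from logs and nobody can see from the workflow which app registration is trusted. Repository or environment variables make the trust binding auditable, e.g. `client-id: ${{ vars.AZURE_CLIENT_ID }}`, `tenant-id: ${{ vars.AZURE_TENANT_ID }}`, `subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}`. If `SECURE_AZURE_CREDENTIALS` was created by copying the old JSON blob it presumably still carries a `clientSecret` field; that value is now unused and should be removed from the secret (and rotated), since the whole blob is still delivered to every job that references it. The `Authenticate` step below keeps no credentials of its own and depends entirely on the `azure/login` session from the previous step, which is worth a one-line comment on that step.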
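Review bot: The `uses: azure/login@v1` line added to the deploy job pins the action to a mutable major tag; under OIDC this action is what receives the federated token and produces the `az` session every later step relies on, so a moved tag would hand that token to whatever the tag then points at. Pin it to a full commit SHA with a version comment, e.g. `uses: azure/login@<commit-sha> # v1.x.y`, and do the same for the unchanged login step in `build_and_publish` and for `actions/checkout@v3` shown as context here. The `with:` block is a verbatim copy of the one in `build_and_publish`; if more jobs will log in, a composite action or reusable workflow would define the trust parameters once.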
diff --git a/deployment/Dockerfile b/deployment/Dockerfile
index cb72f7d6..027f3567 100644
--- a/deployment/Dockerfile
+++ b/deployment/Dockerfile
@@ -16,9 +16,9 @@ RUN echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu
 RUN apt-get update && apt-get install -y azure-functions-core-tools-4
-# Install Terraform 0.14.4
+# Install Terraform 1.8.2
-RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.14.4/terraform_0.14.4_linux_amd64.zip
+RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/1.8.2/terraform_1.8.2_linux_amd64.zip
 RUN unzip terraform.zip
 RUN mv terraform /usr/local/bin
diff --git a/deployment/bin/deploy b/deployment/bin/deploy
index 09714740..2e0b2e89 100755
--- a/deployment/bin/deploy
+++ b/deployment/bin/deploy
@@ -61,8 +61,8 @@ fi
 require_env "IMAGE_TAG"
 require_env "GIT_COMMIT"
 require_env "ARM_CLIENT_ID"
-require_env "ARM_CLIENT_SECRET"
 require_env "ARM_TENANT_ID"
+require_env "ARM_USE_OIDC"
 # Directory for rendered values and templates
 CONF_DIR='/opt/conf'
@@ -84,7 +84,6 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 # Add IP to KV firewall #
 #########################
- bin/azlogin
 bin/kv_add_ip
 #####################
diff --git a/deployment/bin/lib b/deployment/bin/lib
index 4cae1706..b931f1c8 100755
--- a/deployment/bin/lib
+++ b/deployment/bin/lib
@@ -71,8 +71,6 @@ function azlogin() {
 function cluster_login() {
 echo "Logging into the cluster..."
- azlogin;
-
 az aks get-credentials \
 --resource-group ${RESOURCE_GROUP} \
 --name ${CLUSTER_NAME} \
@@ -84,9 +82,7 @@ function cluster_login() {
 # So we export to a kubeconfig file
 echo "Converting kubeconfig..."
 kubelogin convert-kubeconfig \
- --login spn \
- --client-id ${ARM_CLIENT_ID} \
- --client-secret ${ARM_CLIENT_SECRET} \
+ -l azurecli \
 --kubeconfig=kubeconfig
 export KUBECONFIG=kubeconfig
 }
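Review bot: `require_env "ARM_USE_OIDC"` replaces the `ARM_CLIENT_SECRET` check, but it only asserts the variable is set (assuming `require_env`, defined outside this hunk, is the usual set/non-empty test), so `ARM_USE_OIDC=false` passes and nothing verifies that an OIDC token source is actually present. A misconfigured run therefore fails later inside the Terraform provider instead of at this preflight point. Add a token-source check beside it, e.g. `[ -n "${ARM_OIDC_TOKEN:-}${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}${ARM_OIDC_REQUEST_TOKEN:-}" ] || { echo "Error: ARM_USE_OIDC is set but no OIDC token or token-request endpoint is available" >&2; exit 1; }`; the `:-` expansions keep it safe if the script runs under `set -u`.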
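Review bot: Dropping `bin/azlogin` ahead of `bin/kv_add_ip` makes the Key Vault firewall change depend on an Azure CLI session established outside this script (the `azure/login` step in CI, or a developer's own `az login`), and nothing here now checks that such a session exists or records which identity it is. A guard before `bin/kv_add_ip`, e.g. `az account show -o none 2>/dev/null || { echo "Error: no Azure CLI session; run az login (or azure/login in CI) first" >&2; exit 1; }`, turns a confusing mid-run failure into a clear one. Logging the signed-in principal as well, e.g. `echo "Deploying as $(az account show --query user.name -o tsv)"`, leaves a record in the deploy log of who opened the firewall. The enclosing `if [ "${BASH_SOURCE[0]}" = "${0}" ]` block starts and ends outside this hunk.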
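Review bot: `cluster_login` no longer calls `azlogin`, so it now has an unstated precondition that an Azure CLI session already exists where the script runs, and `az aks get-credentials` will fail with a bare authentication error rather than a hint when it does not. State it in the function header, e.g. `# Precondition: an Azure CLI session must already exist (azure/login in CI, az login locally); this function no longer logs in itself.` The `azlogin` function is still defined (it appears as this hunk's header context) even though the diff removes its callers; confirm whether anything else uses it. `cluster_login` continues past the end of this hunk.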
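Review bot: `kubelogin convert-kubeconfig -l azurecli` makes AKS tokens come from whatever identity the Azure CLI is currently logged in as inside the container, so the cluster identity is no longer pinned to `ARM_CLIENT_ID` the way the removed `--login spn` form pinned it; if the CLI session and the Terraform OIDC identity ever diverge (a developer's user account via a mounted CLI profile, for instance), the Kubernetes changes run as a different principal than the Terraform ones. Record that above the call, e.g. `# azurecli mode reuses the Azure CLI's cached token: AKS calls run as whoever az is logged in as, which must be the intended deploy identity.` The upside is that the generated kubeconfig no longer embeds a client secret, which was the exposure the old form carried. This mode also needs `az` and its token cache reachable inside the container where `kubelogin` runs; how that is provided is outside this hunk.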
@@ -128,8 +124,6 @@ function prepare_funcs() {
 function deploy_funcs() {
 require_env "FUNCTION_APP_NAME"
- azlogin
-
 prepare_funcs
 pushd /opt/src/pcfuncs_deploy
diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml
index 33604808..81044367 100644
--- a/deployment/docker-compose.yml
+++ b/deployment/docker-compose.yml
@@ -14,7 +14,12 @@ services:
 - ARM_SUBSCRIPTION_ID
 - ARM_TENANT_ID
 - ARM_CLIENT_ID
- - ARM_CLIENT_SECRET
+ - ARM_USE_OIDC
+ - ARM_OIDC_TOKEN
+ - ACTIONS_ID_TOKEN_REQUEST_URL
+ - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ - ARM_OIDC_REQUEST_TOKEN
+ - ARM_OIDC_REQUEST_URL
 # Used in the dev stack as an identifier
 - TF_VAR_username=${USER}
@@ -32,3 +37,4 @@ services:
 - ../deployment:/opt/src/deployment
 - ../pccommon:/opt/src/pccommon:ro
 - ../pcfuncs:/opt/src/pcfuncs:ro
+ - ~/.azure:/root/.azure
diff --git a/deployment/terraform/resources/providers.tf b/deployment/terraform/resources/providers.tf
index 0c06d28c..5671a49f 100644
--- a/deployment/terraform/resources/providers.tf
+++ b/deployment/terraform/resources/providers.tf
@@ -1,5 +1,6 @@
 provider azurerm {
 features {}
+ use_oidc = true
 }
 terraform {
@@ -8,7 +9,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.77.0"
+ version = "3.97.1"
 }
 }
 }
diff --git a/deployment/terraform/staging/main.tf b/deployment/terraform/staging/main.tf
index 26150b1a..359f899a 100644
--- a/deployment/terraform/staging/main.tf
+++ b/deployment/terraform/staging/main.tf
@@ -32,6 +32,7 @@ terraform {
 storage_account_name = "pctesttfstate"
 container_name = "pc-test-api"
 key = "pqe-apis.tfstate"
+ use_oidc = true
 }
 }
diff --git a/scripts/ciauthenticate b/scripts/ciauthenticate
index dacdc98f..c718cce4 100755
--- a/scripts/ciauthenticate
+++ b/scripts/ciauthenticate
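Review bot: With the `azlogin` call removed from `deploy_funcs` too, the three call sites this diff deletes look like the only ones in `deployment/bin/lib` (the `function azlogin() {` header is still visible as context in an earlier hunk), leaving the function as dead code unless something outside this file invokes it. Either delete it in the same commit or mark its remaining purpose, e.g. `# Kept for local/manual use only; CI and deploy paths rely on a pre-existing az session.`, so a later change does not reintroduce a secret-based login through it. `deploy_funcs` continues past the end of this hunk.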
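Review bot: Forwarding `ACTIONS_ID_TOKEN_REQUEST_TOKEN` (and `ARM_OIDC_REQUEST_TOKEN`) into the container hands it a bearer credential that can mint OIDC tokens for the workflow identity for the lifetime of the job; that is needed for Terraform here, but it is a credential in its own right and anything inside the container that dumps its environment will leak it. Two parallel sets are passed: as far as I can tell the azurerm provider reads `ARM_OIDC_REQUEST_TOKEN`/`ARM_OIDC_REQUEST_URL` and falls back to the `ACTIONS_ID_TOKEN_REQUEST_*` pair, and the workflow in this diff sets only the latter, so `ARM_OIDC_TOKEN` and `ARM_OIDC_REQUEST_*` will be unset in CI. Keep one set and say which path is in use, e.g. `# OIDC: runner-injected token endpoint (ACTIONS_ID_TOKEN_REQUEST_*), consumed by the azurerm provider and backend`. Because this compose file also serves the dev stack (`TF_VAR_username=${USER}` just below), none of these will be set locally, which only works if the provider then falls back to Azure CLI auth.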
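Review bot: `- ~/.azure:/root/.azure` bind-mounts the host's entire Azure CLI profile into the container read-write, unlike the three `:ro` source mounts above it. On a developer machine that directory holds the MSAL token cache with refresh tokens for every tenant and account the user has logged into, not just the identity this stack needs, so any process in the container can use or tamper with them; on a CI runner it carries the `azure/login` session. Add a comment stating why the mount is required, e.g. `# Share the host az CLI session with the container (kubelogin -l azurecli and az need it); this exposes the whole CLI token cache.`, and consider pointing `AZURE_CONFIG_DIR` at a dedicated profile used only for this stack so the mount carries nothing unrelated. Mounting it `:ro` would block tampering but may break the CLI's token-refresh writes, so test before switching.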
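Review bot: Hard-coding `use_oidc = true` in the provider block applies to every caller of this configuration, including the local dev stack that the compose file in this diff also serves, where no OIDC token exists. The provider also honours `ARM_USE_OIDC`, which `cicd.yml` already exports for the deploy step, so omitting the attribute (or driving it from a variable with a `false` default) keeps CI on OIDC while developers keep Azure CLI auth. If the attribute stays, confirm that azurerm 3.97.1 falls back to CLI auth when `use_oidc` is true but no token or request URL is present rather than failing; I have not verified that. A comment such as `# OIDC federated auth for CI; the token comes from ARM_OIDC_* / ACTIONS_ID_TOKEN_REQUEST_* in the environment` would make the dependency visible.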
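Review bot: The backend block gets the same hard-coded `use_oidc = true`, which also governs `terraform init` run from a developer machine against `pctesttfstate`, and the azurerm backend likewise reads `ARM_USE_OIDC` from the environment. Backend settings cannot reference variables, so if local state access is still needed either drop the line and rely on the env var the deploy step already sets, or document the local override `terraform init -backend-config=use_oidc=false`. A comment such as `# OIDC auth to the state storage account; client/tenant/subscription IDs come from ARM_* env vars` records the assumption either way. The `terraform {` block begins outside this hunk.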
@@ -15,5 +15,4 @@ CI authentication for this project.
 # curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 # az login --service-principal --username ${CLIENT_ID} --tenant "microsoft.onmicrosoft.com" --password ${CLIENT_SECRET}
-az acr login --name pccomponentstest
-docker login pccomponentstest.azurecr.io --username ${CLIENT_ID} --password ${CLIENT_SECRET}
\ No newline at end of file
+az acr login --name pccomponentstest
\ No newline at end of file
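Review bot: The surviving `az acr login --name pccomponentstest` now depends on an Azure CLI session created by the preceding `azure/login` step, yet the commented lines kept above it still describe the retired `az login --service-principal ... --password ${CLIENT_SECRET}` flow and name `CLIENT_ID`/`CLIENT_SECRET`, which the workflow in this diff no longer exports. Replace that stale comment with the current contract, e.g. `# Expects an existing Azure CLI session (azure/login with OIDC in CI); this script reads no secrets.`, and drop the `--password` example so it is not copied back into use. A guard such as `az account show -o none || { echo "Error: no Azure CLI session" >&2; exit 1; }` before the ACR login would make the dependency fail fast. The file still ends without a trailing newline.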