azure-workload-identity-terraform's Introduction

Azure Workload Identity w/ Terraform

Terraform modules to create an AKS Cluster with active OIDC that integrates with Workload Identity, allowing your pods to connect to Azure resources using Azure AD Application.

This example is a Terraform implementation of the Workload Identity Quick Start guideline.

Architecture

The overall architecture of the solution and its main components that are managed by Terraform.

Solution

Project Structure

This project is composed of the following Terraform modules:

  • Azure - Create the RG, AKS cluster w/oidc, KV, App Reg, Service Principal.
  • Helm - Install the Azure Workload Identity System objects.
  • Kubernetes - Create the Service Account and deploy a quick-start workload.

Modules are isolated so that each one is applied with its own apply command, following this warning from the Kubernetes provider.

Deployment Steps

You can deploy this example solution following these steps:

1 - Pre-Requisites

Check the installation docs in Managed Azure Kubernetes Service (AKS) and make sure the required feature flags are enabled.

2 - Project Setup

Create the local variables from the example file:

# Copy from the template
cp .config/example.local.tfvars .local.tfvars

# Set the path relative to the module directories, since each apply runs from a module root
tfvars="../.local.tfvars"

You might want to change the app_name value to avoid conflict with existing resources. Just make sure that kv-${app_name} won't exceed 24 characters, as this is the Key Vault limit.

All other variables are optional and have default values, but you may edit them to fit your needs.

3 - Deploy the Resources

Create the Azure Cloud resources:

terraform -chdir="azure" init
terraform -chdir="azure" apply -var-file=$tfvars -auto-approve

Apply the Helm module:

terraform -chdir="helm" init
terraform -chdir="helm" apply -var-file=$tfvars -auto-approve

Apply the Kubernetes module:

terraform -chdir="kubernetes" init
terraform -chdir="kubernetes" apply -var-file=$tfvars -auto-approve

In your own solutions you might choose to use YAML files, but here everything is managed by Terraform for convenience.

That's it! You can now copy the aks_get_credentials_command output variable to test Workload Identity with the quick-start container.

4 - Test with Workload

Connect using kubectl and check the response:

az aks get-credentials -g "<resource-group-name>" -n "<aks-name>"

kubectl logs quick-start

You should see the output: successfully got secret, secret=Hello!
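The steps above wrapped in one POSIX shell script, as an added example that is not part of the repository: it validates the Key Vault name limit from step 2 before applying the three modules in the required order. The module directories, the .local.tfvars path and the aks_get_credentials_command output are the README's; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the repository's own code). Assumes the README layout:
# modules in ./azure, ./helm, ./kubernetes and variables in ./.local.tfvars.
set -eu

# Key Vault names: "kv-${app_name}" must be 3-24 characters, alphanumeric
# or hyphens, start with a letter and contain no consecutive hyphens.
# Returns 0 when valid, 1 otherwise.
kv_name_ok() {
  name="kv-$1"
  case "$name" in
    *--*) return 1 ;;
  esac
  expr "$name" : '[A-Za-z][A-Za-z0-9-]*$' >/dev/null || return 1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 24 ]
}

# Read app_name from a tfvars file (first line of the form app_name = "...").
read_app_name() {
  sed -n 's/^[[:space:]]*app_name[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Apply one module in its own state, as the README does with -chdir.
deploy_module() {
  terraform -chdir="$1" init -input=false
  terraform -chdir="$1" apply -var-file="$2" -auto-approve -input=false
}

deploy_all() {
  tfvars="../.local.tfvars"   # relative to each module directory
  app_name=$(read_app_name ".local.tfvars")
  if ! kv_name_ok "$app_name"; then
    echo "kv-$app_name is not a valid Key Vault name (max 24 chars)" >&2
    exit 1
  fi
  # Order matters: cluster and identity first, then the Workload Identity
  # system objects, then the service account and quick-start workload.
  for module in azure helm kubernetes; do
    deploy_module "$module" "$tfvars"
  done
  # Print the command to fetch kubeconfig, as step 4 expects.
  terraform -chdir=azure output -raw aks_get_credentials_command
}

# Only deploy when asked explicitly, so the functions can be sourced for reuse.
if [ "${1:-}" = "deploy" ]; then
  deploy_all
fi
```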


Clean Up

Delete the resources to avoid unwanted costs:

terraform -chdir='azure' destroy -var-file=$tfvars -auto-approve


azure-workload-identity-terraform's Issues

lock.hcl together with used versions in required providers throw errors

Hi,

thanks for your code! It helps me to implement workload identities.

One thing I have to mention is that, with the hardcoded versions in azure -> required providers and the terraform.lock.hcl in azure, it stops after the terraform plan:

│ Error: expected "object_id" to be a valid UUID, got
│
│   with azurerm_key_vault_access_policy.superadmin,
│   on main.tf line 112, in resource "azurerm_key_vault_access_policy" "superadmin":
│  112:   object_id = data.azurerm_client_config.current.object_id

After removing the versions from the providers block and removing the .lock.hcl, it works without errors with the hashicorp/azuread v2.31.0 and hashicorp/azurerm v3.34.0 versions.

So the solution is to remove the lock files here.

Cheers,
Michael
