feat: add federated logins

bicep/main.bicep

@@ -80,7 +80,6 @@ module KeyVault 'modules/kv.bicep' = {
     location: location
     tags: tags
 
-    getPrincipalIds: ManagedIdentities.outputs.getPrincipalIds
+    identities: ManagedIdentities.outputs.identities
-    listPrincipalIds: ManagedIdentities.outputs.listPrincipalIds
   }
 }

bicep/modules/id.bicep

@@ -2,35 +2,32 @@ param nameFormat string
 param location string
 param tags object
 
-resource managedIdentityNone 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+param identityEnvironments array = [
-  name: format(nameFormat, 'ID', 1)
+  'none'
-  location: location
+  'get'
-  tags: tags
+  'list'
-}
+  'getlist'
-
-resource managedIdentityGet 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: format(nameFormat, 'ID', 2)
-  location: location
-  tags: tags
-}
-
-resource managedIdentityList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: format(nameFormat, 'ID', 3)
-  location: location
-  tags: tags
-}
-
-resource managedIdentityGetList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: format(nameFormat, 'ID', 4)
-  location: location
-  tags: tags
-}
-
-output getPrincipalIds array = [
-  managedIdentityGet.properties.principalId
-  managedIdentityGetList.properties.principalId
-]
-output listPrincipalIds array = [
-  managedIdentityList.properties.principalId
-  managedIdentityGetList.properties.principalId
 ]
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [for (environment, index) in identityEnvironments: {
+  name: format(nameFormat, 'ID', index+1)
+  location: location
+  tags: tags
+}]
+
+resource federatedCredential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [for (environment, index) in identityEnvironments: {
+  name: environment
+  parent: managedIdentity[index+1]
+  properties: {
+    issuer: 'https://token.actions.githubusercontent.com'
+    subject: 'repo:bartvdbraak/keyweave:environment:${environment}'
+    audiences: [
+      'api://AzureADTokenExchange'
+    ]
+  }
+}]
+
+output identities array = [for (environment, index) in identityEnvironments: {
+  name: environment
+  id: managedIdentity[index+1].properties.principalId
+}]

bicep/modules/kv.bicep

@@ -2,14 +2,13 @@ param nameFormat string
 param location string
 param tags object
 
-param getPrincipalIds array
+param identities array
-param listPrincipalIds array
 
-var accessPolicies = [for id in union(getPrincipalIds, listPrincipalIds): {
+var accessPolicies = [for identity in identities: {
   tenantId: tenant().tenantId
-  objectId: id
+  objectId: identity.id
   permissions: {
-    secrets: contains(getPrincipalIds, id) && contains(listPrincipalIds, id) ? ['Get', 'List'] : contains(listPrincipalIds, id) ? ['List'] : ['Get']
+    secrets: contains(identity.name, 'get') && contains(identity.name, 'list') ? ['Get', 'List'] : contains(identity.name, 'get') ? ['Get'] : ['List']
   }
 }]