feat: add federated logins

2025-04-28 15:21:21 +00:00 · 2023-11-21 18:51:26 +01:00 · 2023-11-21 18:51:26 +01:00 · bfb45cefa0
commit bfb45cefa0
parent 3fd2ad2f7c
3 changed files with 33 additions and 38 deletions
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@ -80,7 +80,6 @@ module KeyVault 'modules/kv.bicep' = {
    location: location
    tags: tags

-    getPrincipalIds: ManagedIdentities.outputs.getPrincipalIds
-    listPrincipalIds: ManagedIdentities.outputs.listPrincipalIds
+    identities: ManagedIdentities.outputs.identities
  }
 }
--- a/bicep/modules/id.bicep
+++ b/bicep/modules/id.bicep
@ -2,35 +2,32 @@ param nameFormat string
 param location string
 param tags object

-resource managedIdentityNone 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: format(nameFormat, 'ID', 1)
-  location: location
-  tags: tags
-}
-
-resource managedIdentityGet 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: format(nameFormat, 'ID', 2)
-  location: location
-  tags: tags
-}
-
-resource managedIdentityList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: format(nameFormat, 'ID', 3)
-  location: location
-  tags: tags
-}
-
-resource managedIdentityGetList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: format(nameFormat, 'ID', 4)
-  location: location
-  tags: tags
-}
-
-output getPrincipalIds array = [
-  managedIdentityGet.properties.principalId
-  managedIdentityGetList.properties.principalId
-]
-output listPrincipalIds array = [
-  managedIdentityList.properties.principalId
-  managedIdentityGetList.properties.principalId
+param identityEnvironments array = [
+  'none'
+  'get'
+  'list'
+  'getlist'
 ]
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [for (environment, index) in identityEnvironments: {
+  name: format(nameFormat, 'ID', index+1)
+  location: location
+  tags: tags
+}]
+
+resource federatedCredential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [for (environment, index) in identityEnvironments: {
+  name: environment
+  parent: managedIdentity[index+1]
+  properties: {
+    issuer: 'https://token.actions.githubusercontent.com'
+    subject: 'repo:bartvdbraak/keyweave:environment:${environment}'
+    audiences: [
+      'api://AzureADTokenExchange'
+    ]
+  }
+}]
+
+output identities array = [for (environment, index) in identityEnvironments: {
+  name: environment
+  id: managedIdentity[index+1].properties.principalId
+}]
--- a/bicep/modules/kv.bicep
+++ b/bicep/modules/kv.bicep
@ -2,14 +2,13 @@ param nameFormat string
 param location string
 param tags object

-param getPrincipalIds array
-param listPrincipalIds array
+param identities array

-var accessPolicies = [for id in union(getPrincipalIds, listPrincipalIds): {
+var accessPolicies = [for identity in identities: {
  tenantId: tenant().tenantId
-  objectId: id
+  objectId: identity.id
  permissions: {
-    secrets: contains(getPrincipalIds, id) && contains(listPrincipalIds, id) ? ['Get', 'List'] : contains(listPrincipalIds, id) ? ['List'] : ['Get']
+    secrets: contains(identity.name, 'get') && contains(identity.name, 'list') ? ['Get', 'List'] : contains(identity.name, 'get') ? ['Get'] : ['List']
  }
 }]