cli: use uami for in-cluter authentication (#1820)

2025-05-02 14:26:23 -04:00 · 2023-05-26 11:45:03 +02:00 · 2023-05-26 11:45:03 +02:00 · 661f084ffa
commit 661f084ffa
parent 9502bc8ff4
13 changed files with 65 additions and 117 deletions
--- a/cli/internal/terraform/terraform.go
+++ b/cli/internal/terraform/terraform.go
@ -185,11 +185,9 @@ type GCPIAMOutput struct {

 // AzureIAMOutput contains the output information of the Terraform IAM operation on Microsoft Azure.
 type AzureIAMOutput struct {
-	SubscriptionID               string
-	TenantID                     string
-	ApplicationID                string
-	UAMIID                       string
-	ApplicationClientSecretValue string
+	SubscriptionID string
+	TenantID       string
+	UAMIID         string
 }

 // AWSIAMOutput contains the output information of the Terraform IAM operation on GCP.
@ -249,14 +247,6 @@ func (c *Client) CreateIAMConfig(ctx context.Context, provider cloudprovider.Pro
 		if !ok {
 			return IAMOutput{}, errors.New("invalid type in tenant id output: not a string")
 		}
-		applicationIDRaw, ok := tfState.Values.Outputs["application_id"]
-		if !ok {
-			return IAMOutput{}, errors.New("no application id output found")
-		}
-		applicationIDOutput, ok := applicationIDRaw.Value.(string)
-		if !ok {
-			return IAMOutput{}, errors.New("invalid type in application id output: not a string")
-		}
 		uamiIDRaw, ok := tfState.Values.Outputs["uami_id"]
 		if !ok {
 			return IAMOutput{}, errors.New("no UAMI id output found")
@ -265,21 +255,11 @@ func (c *Client) CreateIAMConfig(ctx context.Context, provider cloudprovider.Pro
 		if !ok {
 			return IAMOutput{}, errors.New("invalid type in UAMI id output: not a string")
 		}
-		appClientSecretRaw, ok := tfState.Values.Outputs["application_client_secret_value"]
-		if !ok {
-			return IAMOutput{}, errors.New("no application client secret value output found")
-		}
-		appClientSecretOutput, ok := appClientSecretRaw.Value.(string)
-		if !ok {
-			return IAMOutput{}, errors.New("invalid type in application client secret valueoutput: not a string")
-		}
 		return IAMOutput{
 			Azure: AzureIAMOutput{
-				SubscriptionID:               subscriptionIDOutput,
-				TenantID:                     tenantIDOutput,
-				ApplicationID:                applicationIDOutput,
-				UAMIID:                       uamiIDOutput,
-				ApplicationClientSecretValue: appClientSecretOutput,
+				SubscriptionID: subscriptionIDOutput,
+				TenantID:       tenantIDOutput,
+				UAMIID:         uamiIDOutput,
 			},
 		}, nil
 	case cloudprovider.AWS:
--- a/cli/internal/terraform/terraform/iam/azure/main.tf
+++ b/cli/internal/terraform/terraform/iam/azure/main.tf
@ -68,31 +68,3 @@ resource "azurerm_role_assignment" "uami_owner_role" {
  role_definition_name = "Owner"
  principal_id         = azurerm_user_assigned_identity.identity_uami.principal_id
 }
-
-# the app registration, application secrets
-# and role assignments below will be removed in the future
-# TODO(malt3): remove app registration as planned by AB#2961
-
-# Create application registration
-resource "azuread_application" "base_application" {
-  display_name = "${var.resource_group_name}-application"
-  owners       = [data.azuread_client_config.current.object_id]
-}
-
-resource "azuread_service_principal" "application_principal" {
-  application_id               = azuread_application.base_application.application_id
-  app_role_assignment_required = false
-  owners                       = [data.azuread_client_config.current.object_id]
-}
-
-# Set identity as base resource group owner
-resource "azurerm_role_assignment" "app_registration_owner_role" {
-  scope                = azurerm_resource_group.base_resource_group.id
-  role_definition_name = "Owner"
-  principal_id         = azuread_service_principal.application_principal.object_id
-}
-
-# Create application secret (password)
-resource "azuread_application_password" "base_application_secret" {
-  application_object_id = azuread_application.base_application.object_id
-}
--- a/cli/internal/terraform/terraform/iam/azure/outputs.tf
+++ b/cli/internal/terraform/terraform/iam/azure/outputs.tf
@ -6,15 +6,6 @@ output "tenant_id" {
  value = data.azurerm_subscription.current.tenant_id
 }

-output "application_id" {
-  value = azuread_application.base_application.application_id
-}
-
 output "uami_id" {
  value = azurerm_user_assigned_identity.identity_uami.id
 }
-
-output "application_client_secret_value" {
-  value     = azuread_application_password.base_application_secret.value
-  sensitive = true
-}
--- a/cli/internal/terraform/terraform_test.go
+++ b/cli/internal/terraform/terraform_test.go
@ -116,9 +116,8 @@ func TestPrepareIAM(t *testing.T) {
 		ServiceAccountID: "const-test-case",
 	}
 	azureVars := &AzureIAMVariables{
-		Region:           "westus",
-		ServicePrincipal: "constell-test-sp",
-		ResourceGroup:    "constell-test-rg",
+		Region:        "westus",
+		ResourceGroup: "constell-test-rg",
 	}
 	awsVars := &AWSIAMVariables{
 		Region: "eu-east-2a",
@ -480,9 +479,8 @@ func TestCreateIAM(t *testing.T) {
 		ServiceAccountID: "const-test-case",
 	}
 	azureVars := &AzureIAMVariables{
-		Region:           "westus",
-		ServicePrincipal: "constell-test-sp",
-		ResourceGroup:    "constell-test-rg",
+		Region:        "westus",
+		ResourceGroup: "constell-test-rg",
 	}
 	awsVars := &AWSIAMVariables{
 		Region: "eu-east-2a",
@ -581,11 +579,9 @@ func TestCreateIAM(t *testing.T) {
 			tf:       &stubTerraform{showState: newTestState()},
 			fs:       afero.NewMemMapFs(),
 			want: IAMOutput{Azure: AzureIAMOutput{
-				SubscriptionID:               "test_subscription_id",
-				TenantID:                     "test_tenant_id",
-				ApplicationID:                "test_application_id",
-				ApplicationClientSecretValue: "test_application_client_secret_value",
-				UAMIID:                       "test_uami_id",
+				SubscriptionID: "test_subscription_id",
+				TenantID:       "test_tenant_id",
+				UAMIID:         "test_uami_id",
 			}},
 		},
 		"azure init fails": {