🌩️ Terraform Module For Provisioning Azure Workload Identities 🌩️
Name | Version Used | Help | Required |
---|---|---|---|
Terraform | >= 1.3.0 | Install Terraform | Yes |
Azure Account | N/A | Create Azure account | Yes |
⭐️ Please consider following me on GitHub 👉 and giving a star ⭐ to the repository for future updates. ⭐️
🚀 This module is your ticket to effortlessly create Azure Workload Identities. Whether you're a seasoned cloud architect or just getting started, this module streamlines the process, giving you more time to focus on what truly matters. 🚀

- Multiple Azure built-in role assignments.
- Multiple Azure custom role assignments.
- Combination of Azure built-in and custom roles on the same identity.
- Optional Kubernetes Service Account and Namespace creation when used with Azure Kubernetes Service.
- Examples of how to use the module.
- Support for GitHub Workflows federated user assigned identities.
```hcl
locals {
  prefix = "azure-wi"
}

resource "azurerm_resource_group" "this" {
  location = "North Europe"
  name     = "${local.prefix}-resources"
}

module "simple" {
  source  = "ishuar/workload-identity/azure"
  version = "0.4.0"

  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  oidc_issuer_url     = "https://token.actions.githubusercontent.com"

  # Federate the identity with GitHub Actions workflows of one repository,
  # scoped to pull_request events (the default entity type).
  create_github_workflow_credentials = true
  github_owner                       = "ishuar"
  github_repository_name             = "terraform-azure-workload-identity"
  github_entity_type                 = "pull_request" ## DEFAULT VALUE

  role_assignments = [
    ############## Azure built-in role ###############
    {
      role_definition_name = "Contributor"
      scope                = azurerm_resource_group.this.id
    },
    ############## Azure custom role ###############
    {
      role_definition_name = "blob-reader"
      create_custom_role   = true
      scope                = azurerm_resource_group.this.id
      custom_role_data_actions = [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
      ]
    }
  ]
}
```
Examples are available in the examples directory.
Requirements:

Name | Version |
---|---|
terraform | >= 1.3 |
azurerm | ~> 3.55 |
kubernetes | ~> 2.24 |

Providers:

Name | Version |
---|---|
azurerm | ~> 3.55 |
kubernetes | ~> 2.24 |
No modules.
Resources:

Name | Type |
---|---|
azurerm_federated_identity_credential.this | resource |
azurerm_role_assignment.azure | resource |
azurerm_role_assignment.custom | resource |
azurerm_role_definition.this | resource |
azurerm_user_assigned_identity.this | resource |
kubernetes_namespace_v1.this | resource |
kubernetes_service_account_v1.this | resource |
azurerm_client_config.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
location | (optional) The Azure Region where the User Assigned Identity exists. | string | n/a | yes |
oidc_issuer_url | (Required) The URL of the OIDC issuer for the cluster. | string | n/a | yes |
resource_group_name | (optional) Resource group name. If not set, the default resource group will be used. | string | n/a | yes |
additional_service_account_annotations | (optional) Additional annotations for the newly created service account. | map(string) | {} | no |
automount_service_account_token | (Optional) Enable automatic mounting of the service account token. Defaults to true. | bool | false | no |
create_github_workflow_credentials | (optional) Whether to create federated credentials for a GitHub workflow. By default, credentials are created for Azure Kubernetes Service service accounts. If set to true, then github_owner, github_entity_type and github_repository_name must be set. | bool | false | no |
create_kubernetes_namespace | (optional) Whether to create the Kubernetes namespace via the terraform-kubernetes-provider resource. Set to true if a new namespace is needed and the Helm release attribute 'create_namespace' is set to false. | bool | false | no |
create_service_account | (optional) Whether to create the Kubernetes service account via the terraform-kubernetes-provider. Use this if the Helm chart supports an existing service account name. | bool | false | no |
github_branch_name | (optional) GitHub branch name whose workflow uses the federated credentials. Required when github_entity_type is set to branch. | string | "" | no |
github_entity_type | (optional) The filter used to scope the OIDC requests from GitHub workflows; it is used to generate the subject claim. Accepted values are 'environment', 'branch', 'tag' or 'pull_request'. Required when create_github_workflow_credentials is set to true. | string | "pull_request" | no |
github_environment_name | (optional) GitHub environment name whose workflow uses the federated credentials. Required when github_entity_type is set to environment. | string | "" | no |
github_owner | (optional) GitHub organization name or GitHub username that owns the repository whose workflow will use the federated credentials. Required when create_github_workflow_credentials is set to true. | string | "" | no |
github_repository_name | (optional) GitHub repository name whose workflow will use the federated credentials. Required when create_github_workflow_credentials is set to true. | string | "" | no |
github_tag_name | (optional) GitHub tag name whose workflow uses the federated credentials. Required when github_entity_type is set to tag. | string | "" | no |
namespace | (optional) The namespace where the service account will be created. A new namespace is created if the value is not equal to kube-system or default. Required when create_github_workflow_credentials is set to false. | string | "" | no |
namespace_annotations | (optional) Annotations for the namespace created via the terraform-kubernetes-provider resource. | map(string) | {} | no |
namespace_labels | (optional) Labels for the namespace created via the terraform-kubernetes-provider resource. | map(string) | {} | no |
role_assignments | (optional) The role assignments for the service account. Each object supports: role_definition_name: the name of a role which either needs to be used (Azure built-in) or of a new one you want to create; name: a unique UUID/GUID for this Role Assignment, generated if not specified (changing this forces a new resource to be created); condition: the condition that limits the resources that the role can be assigned to (changing this forces a new resource to be created); condition_version: (Optional) the version of the condition, 1.0 or 2.0 (changing this forces a new resource to be created); create_custom_role: whether or not to create a custom role; if set to true, then any of custom_role_actions, custom_role_data_actions, custom_role_not_actions, custom_role_not_data_actions, custom_role_assignable_scopes are required; scope: the scope at which the role assignment or custom role will be created; custom_role_definition_id: (Optional) a unique UUID/GUID which identifies this role, generated if not specified (changing this forces a new resource to be created; only valid for a custom role); custom_role_actions: one or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read (see Azure Resource Manager resource provider operations for details; only valid for a custom role); custom_role_data_actions: one or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read (see Azure Resource Manager resource provider operations for details; only valid for a custom role); custom_role_not_actions: one or more Denied Actions, such as Microsoft.Compute/virtualMachines/write (see Azure Resource Manager resource provider operations for details; only valid for a custom role); custom_role_not_data_actions: one or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read; custom_role_assignable_scopes: one or more assignable scopes for this Role Definition (the value for scope is automatically included in this list if no other values are supplied); custom_role_description: a description of the role (only valid for a custom role definition). | set(object({ ... })) | [] | no |
service_account_name | (optional) The name of the service account which is using the workload identity. Required when create_github_workflow_credentials is set to false. | string | "" | no |
service_account_token_expiration_seconds | (optional) The expirationSeconds field for the projected service account token. | number | 86400 | no |
tags | (Optional) A mapping of tags which should be assigned to the User Assigned Identity. | map(string) | {} | no |
use_existing_resource_group | (optional) Whether to use an existing resource group or create a new one. | string | true | no |
user_assigned_identity_name | (optional) Name of the User Assigned Identity to create. | string | "" | no |
Outputs:

Name | Description |
---|---|
client_id | The ID of the app associated with the Identity. |
id | The ID of the User Assigned Identity. |
principal_id | The ID of the Service Principal object associated with the created Identity. |
subject | The subject for this Federated Identity Credential. |
tenant_id | The ID of the Tenant which the Identity belongs to. |
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have any suggestion that would make this project better, feel free to fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement" with your suggestion.
⭐️ Don't forget to give the project a star! Thanks again! ⭐️
Released under MIT by @ishuar.