Merge pull request #29 from SulakshanaBandara/workload-1.0

Integrate workload identity
wso2 · Feb 1, 2024 · cbd1b82 · cbd1b82
2 parents 184e905 + 6a43729
commit cbd1b82
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 0 deletions.
diff --git a/modules/azurerm/AKS-Firewall/aks_cluster.tf b/modules/azurerm/AKS-Firewall/aks_cluster.tf
@@ -24,6 +24,8 @@ resource "azurerm_kubernetes_cluster" "aks_cluster" {
   role_based_access_control_enabled   = true
   azure_policy_enabled                = var.azure_policy_enabled
   http_application_routing_enabled    = var.http_application_routing_enabled
+  workload_identity_enabled           = var.workload_identity_enabled
+  oidc_issuer_enabled                 = var.oidc_issuer_enabled
   tags                                = var.tags
   depends_on                          = [azurerm_subnet.aks_node_pool_subnet]
 

diff --git a/modules/azurerm/AKS-Firewall/outputs.tf b/modules/azurerm/AKS-Firewall/outputs.tf
@@ -83,3 +83,8 @@ output "aks_key_vault_secrets_provider_identity" {
   depends_on = [azurerm_kubernetes_cluster.aks_cluster]
   value      = azurerm_kubernetes_cluster.aks_cluster.key_vault_secrets_provider[0].secret_identity[0].object_id
 }
+
+output "oidc_issuer_url" {
+  depends_on = [azurerm_kubernetes_cluster.aks_cluster]
+  value      = azurerm_kubernetes_cluster.aks_cluster.oidc_issuer_url
+}
diff --git a/modules/azurerm/AKS-Firewall/variables.tf b/modules/azurerm/AKS-Firewall/variables.tf
@@ -284,3 +284,15 @@ variable "nsg_rule_apgw_inbound_allow_enabled" {
   type        = bool
   default     = false
 }
+
+variable "workload_identity_enabled" {
+  default     = false
+  description = "Enable workload identity in AKS cluster"
+  type        = bool
+}
+
+variable "oidc_issuer_enabled" {
+  default     = false
+  description = "Enable OIDC URL in AKS cluster"
+  type        = bool
+}
diff --git a/modules/azurerm/Federated-Identity/federated-Credentials.tf b/modules/azurerm/Federated-Identity/federated-Credentials.tf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------------------------------
+#
+# Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com). All Rights Reserved.
+#
+# This software is the property of WSO2 LLC. and its suppliers, if any.
+# Dissemination of any information or reproduction of any material contained
+# herein in any form is strictly forbidden, unless permitted by WSO2 expressly.
+# You may not alter or remove any copyright or other notice from copies of this content.
+#
+# --------------------------------------------------------------------------------------
+
+resource "azurerm_federated_identity_credential" "federated_credentials" {
+  name                = var.name
+  resource_group_name = var.resource_group_name
+  parent_id           = var.azurerm_user_assigned_identity_principal_id
+  audience            = var.audience
+  issuer              = var.oidc_issuer_url
+  subject             = var.subject
+}
diff --git a/modules/azurerm/Federated-Identity/variables.tf b/modules/azurerm/Federated-Identity/variables.tf
@@ -0,0 +1,40 @@
+# -------------------------------------------------------------------------------------
+#
+# Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com). All Rights Reserved.
+#
+# This software is the property of WSO2 LLC. and its suppliers, if any.
+# Dissemination of any information or reproduction of any material contained
+# herein in any form is strictly forbidden, unless permitted by WSO2 expressly.
+# You may not alter or remove any copyright or other notice from copies of this content.
+#
+# --------------------------------------------------------------------------------------
+
+variable "resource_group_name" {
+  description = "Resource group name"
+  type        = string
+}
+
+variable "name" {
+  description = "Name of the Federated Identity Credential"
+  type        = string
+}
+
+variable "azurerm_user_assigned_identity_principal_id" {
+  description = "User assigned managed identity client ID"
+  type        = string
+}
+
+variable "oidc_issuer_url" {
+  description = "OIDC issuer url"
+  type        = string
+}
+
+variable "audience" {
+  description = "Audience for the Federated Identity Credential"
+  type        = list(string)
+}
+
+variable "subject" {
+  description = "Subject for the Federated Identity Credential"
+  type        = string
+}
diff --git a/modules/azurerm/Federated-Identity/versions.tf b/modules/azurerm/Federated-Identity/versions.tf
@@ -0,0 +1,20 @@
+# -------------------------------------------------------------------------------------
+#
+# Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com). All Rights Reserved.
+#
+# This software is the property of WSO2 LLC. and its suppliers, if any.
+# Dissemination of any information or reproduction of any material contained
+# herein in any form is strictly forbidden, unless permitted by WSO2 expressly.
+# You may not alter or remove any copyright or other notice from copies of this content.
+#
+# --------------------------------------------------------------------------------------
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.0.0"
+    }
+  }
+}