Add support for service principal

docker/go-tf-prepare/main.go

@@ -45,6 +45,7 @@ func main() {
 }
 
 func azureAction(ctx context.Context, cli *cli.Context) error {
+	servicePrincipalObjectID := cli.String("service-principal-object-id")
 	subscriptionID := cli.String("subscription-id")
 	tenantID := cli.String("tenant-id")
 	resourceGroupName := cli.String("resource-group-name")
@@ -89,7 +90,7 @@ func azureAction(ctx context.Context, cli *cli.Context) error {
 		}
 	}
 
-	err = azure.CreateKeyVaultAccessPolicy(ctx, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID)
+	err = azure.CreateKeyVaultAccessPolicy(ctx, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID, servicePrincipalObjectID)
 	if err != nil {
 		return err
 	}
@@ -104,6 +105,12 @@ func azureAction(ctx context.Context, cli *cli.Context) error {
 
 func azureFlags() []cli.Flag {
 	flags := []cli.Flag{
+		&cli.StringFlag{
+			Name:     "service-principal-object-id",
+			Usage:    "Service Principal Object ID",
+			Required: false,
+			EnvVars:  []string{"AZURE_SERVICE_PRINCIPAL_OBJECT_ID"},
+		},
 		&cli.StringFlag{
 			Name:     "subscription-id",
 			Usage:    "Azure Subscription ID",

docker/go-tf-prepare/pkg/azure/azure.go

@@ -229,13 +229,20 @@ func CreateKeyVault(ctx context.Context, resourceGroupName, resourceGroupLocatio
 }
 
 // CreateKeyVaultAccessPolicy creates Azure Key Vault Access Policy (if it doesn't exist) or returns error
-func CreateKeyVaultAccessPolicy(ctx context.Context, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID string) error {
+func CreateKeyVaultAccessPolicy(ctx context.Context, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID, servicePrincipalObjectID string) error {
 	log := logr.FromContext(ctx)
 
-	currentUserObjectID, err := getCurrentUserObjectID(ctx, tenantID)
-	if err != nil {
-		log.Error(err, "getCurrentUserObjectID")
-		return err
+	var currentUserObjectID string
+	if servicePrincipalObjectID == "" {
+		var err error
+		currentUserObjectID, err = getCurrentUserObjectID(ctx, tenantID)
+		if err != nil {
+			log.Error(err, "getCurrentUserObjectID")
+			return err
+		}
+	}
+	if servicePrincipalObjectID != "" {
+		currentUserObjectID = servicePrincipalObjectID
 	}
 
 	cred, err := azidentity.NewDefaultAzureCredential(nil)

docker/terraform.sh

@@ -22,9 +22,19 @@ if [ -z "${OPA_BLAST_RADIUS}" ]; then
 fi
 
 prepare () {
-  AZURE_SUBSCRIPTION_ID=$(az account show --output tsv --query id)
-  AZURE_TENANT_ID=$(az account show --output tsv --query tenantId)
-  tf-prepare --resource-group-name="${BACKEND_RG}" --resource-group-location="${RG_LOCATION_LONG}" --subscription-id="${AZURE_SUBSCRIPTION_ID}" --tenant-id="${AZURE_TENANT_ID}" --storage-account-name="${BACKEND_NAME}" --storage-account-container="${CONTAINER_NAME}" --keyvault-name="${BACKEND_KV}" --keyvault-key-name="${BACKEND_KV_KEY}"
+  AZ_ACCOUNT_TYPE="$(az account show --query user.type --output tsv)"
+  if [[ "${AZ_ACCOUNT_TYPE}" = "servicePrincipal" ]]; then
+    export AZURE_SERVICE_PRINCIPAL_OBJECT_ID="$(az account show --query user.name --output tsv)"
+  fi
+  export AZURE_SUBSCRIPTION_ID=$(az account show --output tsv --query id)
+  export AZURE_TENANT_ID=$(az account show --output tsv --query tenantId)
+  export AZURE_RESOURCE_GROUP_NAME="${BACKEND_RG}"
+  export AZURE_RESOURCE_GROUP_LOCATION="${RG_LOCATION_LONG}"
+  export AZURE_STORAGE_ACCOUNT_NAME="${BACKEND_NAME}"
+  export AZURE_STORAGE_ACCOUNT_CONTAINER="${CONTAINER_NAME}"
+  export AZURE_KEYVAULT_NAME="${BACKEND_KV}"
+  export AZURE_KEYVAULT_KEY_NAME="${BACKEND_KV_KEY}"
+  tf-prepare azure
 }
 
 plan () {