diff --git a/docker/go-tf-prepare/main.go b/docker/go-tf-prepare/main.go
index 3d59b43..bb453e7 100644
--- a/docker/go-tf-prepare/main.go
+++ b/docker/go-tf-prepare/main.go
@@ -45,6 +45,7 @@ func main() {
 }
 
 func azureAction(ctx context.Context, cli *cli.Context) error {
+	servicePrincipalObjectID := cli.String("service-principal-object-id")
 	subscriptionID := cli.String("subscription-id")
 	tenantID := cli.String("tenant-id")
 	resourceGroupName := cli.String("resource-group-name")
@@ -89,7 +90,7 @@ func azureAction(ctx context.Context, cli *cli.Context) error {
 		}
 	}
 
-	err = azure.CreateKeyVaultAccessPolicy(ctx, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID)
+	err = azure.CreateKeyVaultAccessPolicy(ctx, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID, servicePrincipalObjectID)
 	if err != nil {
 		return err
 	}
@@ -104,6 +105,12 @@ func azureAction(ctx context.Context, cli *cli.Context) error {
 
 func azureFlags() []cli.Flag {
 	flags := []cli.Flag{
+		&cli.StringFlag{
+			Name: "service-principal-object-id",
+			Usage: "Service Principal Object ID",
+			Required: false,
+			EnvVars: []string{"AZURE_SERVICE_PRINCIPAL_OBJECT_ID"},
+		},
 		&cli.StringFlag{
 			Name: "subscription-id",
 			Usage: "Azure Subscription ID",
diff --git a/docker/go-tf-prepare/pkg/azure/azure.go b/docker/go-tf-prepare/pkg/azure/azure.go
index bda08e0..08507c7 100644
--- a/docker/go-tf-prepare/pkg/azure/azure.go
+++ b/docker/go-tf-prepare/pkg/azure/azure.go
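Review bot: The Usage text of the new `service-principal-object-id` flag in azureFlags does not say what the value is used for or that it must be an Entra object ID rather than an application (client) ID, and because the flag is also fed from `AZURE_SERVICE_PRINCIPAL_OBJECT_ID` a stray value in the environment silently changes which principal the Key Vault access policy is written for. I would make the help text carry that: `Usage: "Object ID of the service principal to grant the Key Vault access policy to; when unset, the signed-in identity is used",`. Nothing in main.go checks the value before it is handed to CreateKeyVaultAccessPolicy, so a GUID-shape check in azureAction (whose body lies outside this hunk) would be worth adding alongside the other flag handling.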
@@ -229,13 +229,20 @@ func CreateKeyVault(ctx context.Context, resourceGroupName, resourceGroupLocatio
 }
 
 // CreateKeyVaultAccessPolicy creates Azure Key Vault Access Policy (if it doesn't exist) or returns error
-func CreateKeyVaultAccessPolicy(ctx context.Context, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID string) error {
+func CreateKeyVaultAccessPolicy(ctx context.Context, resourceGroupName, resourceGroupLocation, keyVaultName, subscriptionID, tenantID, servicePrincipalObjectID string) error {
 	log := logr.FromContext(ctx)
 
-	currentUserObjectID, err := getCurrentUserObjectID(ctx, tenantID)
-	if err != nil {
-		log.Error(err, "getCurrentUserObjectID")
-		return err
+	var currentUserObjectID string
+	if servicePrincipalObjectID == "" {
+		var err error
+		currentUserObjectID, err = getCurrentUserObjectID(ctx, tenantID)
+		if err != nil {
+			log.Error(err, "getCurrentUserObjectID")
+			return err
+		}
+	}
+	if servicePrincipalObjectID != "" {
+		currentUserObjectID = servicePrincipalObjectID
 	}
 
 	cred, err := azidentity.NewDefaultAzureCredential(nil)
diff --git a/docker/terraform.sh b/docker/terraform.sh
index e6cfe7d..2f34e9d 100755
--- a/docker/terraform.sh
+++ b/docker/terraform.sh
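Review bot: In the new override branch of CreateKeyVaultAccessPolicy the caller-supplied servicePrincipalObjectID becomes the principal of the access policy verbatim, with no shape check and no log line saying which object ID was chosen, whereas the lookup path is at least bound to tenantID; a mistyped or stale value (the flag is also read from an environment variable) therefore grants the policy to a principal other than the one running the tool and nothing in the hunk surfaces that. The two `if` statements on servicePrincipalObjectID are an if/else written as two tests; seeding currentUserObjectID from the parameter and resolving the signed-in identity only when it is empty reads more simply, and a log line naming the chosen object ID gives an audit trail. The exported function's doc comment (a context line here) should also describe the new parameter, e.g. `// servicePrincipalObjectID, when non-empty, is used as the policy's principal instead of the signed-in identity.` The function body continues past the hunk with the credential setup.
```go
	// Prefer an explicitly supplied object ID; otherwise resolve the signed-in identity.
	currentUserObjectID := servicePrincipalObjectID
	if currentUserObjectID == "" {
		var err error
		currentUserObjectID, err = getCurrentUserObjectID(ctx, tenantID)
		if err != nil {
			log.Error(err, "getCurrentUserObjectID")
			return err
		}
	}
	log.Info("key vault access policy principal", "objectID", currentUserObjectID)
	// … unchanged: credential and client setup …
```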
@@ -22,9 +22,19 @@ if [ -z "${OPA_BLAST_RADIUS}" ]; then
 fi
 
 prepare () {
-    AZURE_SUBSCRIPTION_ID=$(az account show --output tsv --query id)
-    AZURE_TENANT_ID=$(az account show --output tsv --query tenantId)
-    tf-prepare --resource-group-name="${BACKEND_RG}" --resource-group-location="${RG_LOCATION_LONG}" --subscription-id="${AZURE_SUBSCRIPTION_ID}" --tenant-id="${AZURE_TENANT_ID}" --storage-account-name="${BACKEND_NAME}" --storage-account-container="${CONTAINER_NAME}" --keyvault-name="${BACKEND_KV}" --keyvault-key-name="${BACKEND_KV_KEY}"
+    AZ_ACCOUNT_TYPE="$(az account show --query user.type --output tsv)"
+    if [[ "${AZ_ACCOUNT_TYPE}" = "servicePrincipal" ]]; then
+        export AZURE_SERVICE_PRINCIPAL_OBJECT_ID="$(az account show --query user.name --output tsv)"
+    fi
+    export AZURE_SUBSCRIPTION_ID=$(az account show --output tsv --query id)
+    export AZURE_TENANT_ID=$(az account show --output tsv --query tenantId)
+    export AZURE_RESOURCE_GROUP_NAME="${BACKEND_RG}"
+    export AZURE_RESOURCE_GROUP_LOCATION="${RG_LOCATION_LONG}"
+    export AZURE_STORAGE_ACCOUNT_NAME="${BACKEND_NAME}"
+    export AZURE_STORAGE_ACCOUNT_CONTAINER="${CONTAINER_NAME}"
+    export AZURE_KEYVAULT_NAME="${BACKEND_KV}"
+    export AZURE_KEYVAULT_KEY_NAME="${BACKEND_KV_KEY}"
+    tf-prepare azure
 }
 
 plan () {
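Review bot: In the servicePrincipal branch of prepare, the value of `az account show --query user.name` is exported as AZURE_SERVICE_PRINCIPAL_OBJECT_ID, but for a service-principal login that field holds the application (client) ID as far as I know, while tf-prepare passes the value straight through as the Key Vault access policy's object ID; please verify against your CLI version, and if so resolve the object ID first: `AZ_SP_APP_ID="$(az account show --query user.name --output tsv)"` then `AZURE_SERVICE_PRINCIPAL_OBJECT_ID="$(az ad sp show --id "${AZ_SP_APP_ID}" --query id --output tsv)"` followed by `export AZURE_SERVICE_PRINCIPAL_OBJECT_ID` (older CLI releases expose the property as `objectId`). Separately, `export VAR=$(cmd)` yields the exit status of export rather than of az, so a failed `az account show` leaves AZURE_SUBSCRIPTION_ID and AZURE_TENANT_ID empty and the script carries on even if `set -e` is in effect (whether it is lies outside this hunk); assign on one line and export on the next, and quote those two substitutions as the new lines above them already do. `[[ ... ]]` is bash-only, which is fine only if the shebang outside the hunk is bash.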