Updating the CI build to have valid credentials

I've updated the CI build to have valid credentials for a service principal. This new SP has no access to anything - I've just added it to allow the packer validate step to work. I've also just hard-coded the client IDs into the actions on the grounds that they aren't credentials and don't need to be in secrets.
spacelift-io · Sep 13, 2024 · 57f2312 · 57f2312
1 parent 5f26f59
commit 57f2312
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/.github/workflows/build_gcp_azure_manual.yml b/.github/workflows/build_gcp_azure_manual.yml
@@ -20,9 +20,11 @@ jobs:
       PKR_VAR_image_base_name: spacelift-worker
       PKR_VAR_image_family: spacelift-worker
       # Azure
-      PKR_VAR_client_id: ${{ secrets.AZURE_CLIENT_ID }}
+      PKR_VAR_client_id: "976e4a6e-c619-417e-9add-50e2d674e2db"
       PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
       PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
+      PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
       PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
       PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
       PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ jobs:
       matrix:
         cloud: [aws, azure, gcp]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     env:
       # AWS
       PKR_VAR_encrypt_boot: false
@@ -24,10 +27,11 @@ jobs:
       PKR_VAR_image_base_name: spacelift-worker
       PKR_VAR_image_family: spacelift-worker
       # Azure
-      PKR_VAR_client_id: ${{ secrets.AZURE_CLIENT_ID }}
-      PKR_VAR_client_oidc_token: "not-supplied"
+      PKR_VAR_client_id: "433d3ca3-1866-4dfa-b9bf-65d6c4391ec7"
       PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
       PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
+      PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
       PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
       PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
       PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope

diff --git a/azure.pkr.hcl b/azure.pkr.hcl
@@ -12,7 +12,12 @@ variable "client_id" {
   default = ""
 }
 
-variable "client_oidc_token" {
+variable "oidc_request_url" {
+  type    = string
+  default = ""
+}
+
+variable "oidc_request_token" {
   type    = string
   default = ""
 }
@@ -97,10 +102,11 @@ variable "packer_work_group" {
 }
 
 source "azure-arm" "spacelift" {
-  client_id       = var.client_id
-  client_jwt      = var.client_oidc_token
-  subscription_id = var.subscription_id
-  tenant_id       = var.tenant_id
+  client_id          = var.client_id
+  subscription_id    = var.subscription_id
+  tenant_id          = var.tenant_id
+  oidc_request_url   = var.oidc_request_url
+  oidc_request_token = var.oidc_request_token
 
   managed_image_name                = var.image_name
   managed_image_resource_group_name = var.image_resource_group