ci: switch to OIDC Federation for Azure

Updating the packer build for Azure to use OIDC Federation instead of a static credential. I've updated the CI build to have valid credentials for a service principal. This new SP has no access to anything - I've just added it to allow the packer validate step to work. I've also just hard-coded the client IDs into the actions on the grounds that they aren't credentials and don't need to be in secrets.
spacelift-io · Sep 13, 2024 · 655e060 · 655e060
1 parent b14b40a
commit 655e060
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 13 deletions.
diff --git a/.github/workflows/build_gcp_azure_manual.yml b/.github/workflows/build_gcp_azure_manual.yml
@@ -20,10 +20,11 @@ jobs:
       PKR_VAR_image_base_name: spacelift-worker
       PKR_VAR_image_family: spacelift-worker
       # Azure
-      PKR_VAR_client_id: ${{ secrets.AZURE_CLIENT_ID }}
-      PKR_VAR_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+      PKR_VAR_client_id: "976e4a6e-c619-417e-9add-50e2d674e2db"
       PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
       PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
+      PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
       PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
       PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
       PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope
@@ -63,6 +64,11 @@ jobs:
         run: |
           echo "PKR_VAR_suffix=$(date +%s)-$(cat /dev/urandom | tr -dc 'a-z0-9' | head -c 8)" >> $GITHUB_ENV
 
+      - name: Authenticate with Azure
+        if: matrix.cloud == 'azure'
+        run: |
+          echo "PKR_VAR_client_oidc_token=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')"  >>${GITHUB_ENV}
+
       - name: Setup packer
         uses: hashicorp/setup-packer@main
         with:
@@ -74,7 +80,7 @@ jobs:
       - name: Azure => Build the AMI using Packer
         if: matrix.cloud == 'azure'
         run: packer build azure.pkr.hcl
-      
+
       - name: GCP => Build the AMI using Packer for US
         if: matrix.cloud == 'gcp'
         run: packer build gcp.pkr.hcl
@@ -152,9 +158,9 @@ jobs:
 
             content = fs.readFileSync("./manifest_gcp.json", "utf8");
             manifest = JSON.parse(content);
-            
+
             const gcpLinesToPrint = [];
-            
+
             manifest["builds"].forEach((build) => {
                 artifact = build["artifact_id"];
                 if (artifact.indexOf("-us-") > 0) {
@@ -167,7 +173,7 @@ jobs:
                     gcpLinesToPrint.push(` - Asia | \`${artifact}\``);
                 }
             });
-            
+
             console.log("## Azure");
             console.log("");
             console.log(`- Publisher | \`spaceliftinc1625499025476\`.`);

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ jobs:
       matrix:
         cloud: [aws, azure, gcp]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     env:
       # AWS
       PKR_VAR_encrypt_boot: false
@@ -24,10 +27,11 @@ jobs:
       PKR_VAR_image_base_name: spacelift-worker
       PKR_VAR_image_family: spacelift-worker
       # Azure
-      PKR_VAR_client_id: ${{ secrets.AZURE_CLIENT_ID }}
-      PKR_VAR_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+      PKR_VAR_client_id: "433d3ca3-1866-4dfa-b9bf-65d6c4391ec7"
       PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
       PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
+      PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
       PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
       PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
       PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope

diff --git a/azure.pkr.hcl b/azure.pkr.hcl
@@ -12,7 +12,12 @@ variable "client_id" {
   default = ""
 }
 
-variable "client_secret" {
+variable "oidc_request_url" {
+  type    = string
+  default = ""
+}
+
+variable "oidc_request_token" {
   type    = string
   default = ""
 }
@@ -97,10 +102,11 @@ variable "packer_work_group" {
 }
 
 source "azure-arm" "spacelift" {
-  client_id       = var.client_id
-  client_secret   = var.client_secret
-  subscription_id = var.subscription_id
-  tenant_id       = var.tenant_id
+  client_id          = var.client_id
+  subscription_id    = var.subscription_id
+  tenant_id          = var.tenant_id
+  oidc_request_url   = var.oidc_request_url
+  oidc_request_token = var.oidc_request_token
 
   managed_image_name                = var.image_name
   managed_image_resource_group_name = var.image_resource_group