From cead5457397027528679c57f3bc5f3b68672e1cd Mon Sep 17 00:00:00 2001
From: Adam Connelly
Date: Fri, 13 Sep 2024 15:46:32 +0100
Subject: [PATCH] ci: switch to OIDC Federation for Azure

Updating the packer build for Azure to use OIDC Federation instead of a static credential.
---
 .github/workflows/build_gcp_azure_manual.yml | 14 +++++++++-----
 azure.pkr.hcl | 4 ++--
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build_gcp_azure_manual.yml b/.github/workflows/build_gcp_azure_manual.yml
index f6e696a..415c1ce 100644
--- a/.github/workflows/build_gcp_azure_manual.yml
+++ b/.github/workflows/build_gcp_azure_manual.yml
@@ -21,7 +21,6 @@ jobs:
 PKR_VAR_image_family: spacelift-worker
 # Azure
 PKR_VAR_client_id: ${{ secrets.AZURE_CLIENT_ID }}
- PKR_VAR_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
@@ -63,6 +62,11 @@ jobs:
 run: |
 echo "PKR_VAR_suffix=$(date +%s)-$(cat /dev/urandom | tr -dc 'a-z0-9' | head -c 8)" >> $GITHUB_ENV
+ - name: Authenticate with Azure
+ if: matrix.cloud == 'azure'
+ run: |
+ echo "PKR_VAR_client_oidc_token=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')" >>${GITHUB_ENV}
+
 - name: Setup packer
 uses: hashicorp/setup-packer@main
 with:
@@ -74,7 +78,7 @@ jobs:
 - name: Azure => Build the AMI using Packer
 if: matrix.cloud == 'azure'
 run: packer build azure.pkr.hcl
-
+
 - name: GCP => Build the AMI using Packer for US
 if: matrix.cloud == 'gcp'
 run: packer build gcp.pkr.hcl
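Review bot: The new `Authenticate with Azure` step writes whatever the curl/jq pipeline prints into `PKR_VAR_client_oidc_token` without checking that it succeeded: a non-2xx response, a job without `id-token: write` permission (which leaves `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` unset), or a body without `.value` all yield an empty or `null` token while the step still passes, and the failure only surfaces later as an opaque auth error in `packer build`. The JWT is also appended to `GITHUB_ENV` unmasked, so it is readable by every later step in the job and can appear verbatim in logs if any step echoes its environment. The hunk does not show the job's `permissions` block, so whether `id-token: write` is granted cannot be confirmed from here. The rewrite below fails the pipeline explicitly (`curl --fail`, `jq -e`, `pipefail`), masks the token before exporting it, and quotes `${GITHUB_ENV}`.
```yaml
      - name: Authenticate with Azure
        if: matrix.cloud == 'azure'
        run: |
          set -euo pipefail
          token="$(curl --fail -sS \
            -H "Accept: application/json; api-version=2.0" \
            -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            -H "Content-Type: application/json" \
            -G --data-urlencode "audience=api://AzureADTokenExchange" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -er '.value')"
          echo "::add-mask::${token}"
          echo "PKR_VAR_client_oidc_token=${token}" >> "${GITHUB_ENV}"
```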
@@ -152,9 +156,9 @@ jobs:
 content = fs.readFileSync("./manifest_gcp.json", "utf8");
 manifest = JSON.parse(content);
-
+
 const gcpLinesToPrint = [];
-
+
 manifest["builds"].forEach((build) => {
 artifact = build["artifact_id"];
 if (artifact.indexOf("-us-") > 0) {
@@ -167,7 +171,7 @@ jobs:
 gcpLinesToPrint.push(` - Asia | \`${artifact}\``);
 }
 });
-
+
 console.log("## Azure");
 console.log("");
 console.log(`- Publisher | \`spaceliftinc1625499025476\`.`);
diff --git a/azure.pkr.hcl b/azure.pkr.hcl
index eaf20d2..6f24ebd 100644
--- a/azure.pkr.hcl
+++ b/azure.pkr.hcl
@@ -12,7 +12,7 @@ variable "client_id" {
 default = ""
 }
-variable "client_secret" {
+variable "client_oidc_token" {
 type = string
 default = ""
 }
@@ -98,7 +98,7 @@ variable "packer_work_group" {
 source "azure-arm" "spacelift" {
 client_id = var.client_id
- client_secret = var.client_secret
+ client_jwt = var.client_oidc_token
 subscription_id = var.subscription_id
 tenant_id = var.tenant_id
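Review bot: `variable "client_oidc_token"` now carries a bearer JWT but is declared without `sensitive = true`, so Packer can print its value in `packer inspect` output and error messages, just as the `client_secret` variable it replaces could; add `sensitive = true` beside `type = string`. The `default = ""` is reasonable for the non-Azure matrix entries, but it also means a missing token silently becomes an empty `client_jwt` on the `azure-arm` source rather than a validation error, so the workflow step that sets it is the only place the absence can be caught. The `source` block that consumes the variable runs past the end of this diff, so whether any other field still references the removed variable cannot be confirmed from here.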