Epic Terraform OIDC Conversion
Introduction
Due to the high failure rate of dynamic service principals across all workspaces, the Epic Azure platform will migrate to OIDC authentication and authorization over a short period of time. The purpose of this document is to record the high-level steps necessary and the reasoning behind each step.
Step 1 - Rename the workspaces
Start by renaming the workspace-creation workspace, then go through each remaining workspace, rename it to the new naming convention (which starts with aide-xxxx), and validate it.
Step 2 - Create Service principals and assign to workspaces
Using [https://secure.optum.com], create the service principals with the required naming convention. Keep a CSV file that associates each workspace with its new service principal, with at most 10 workspaces per service principal.
Step 3 - Grant Permissions on Service principals
Run a script from the repository that grants the service principal behind each workspace the required Contributor access to each of the resource groups. A shell script that assigns these permissions to the service principals has been written; it serves as an example at a point in time.
Step 4 - Grant Golden Image Access to Service principals
This requires a ServiceNow ticket to the group Public Cloud Developer Toolkit - ENG, requesting that the service principals be granted access to the Golden Images.
Step 5 - Create Federated Credentials using Service principals
Create/maintain a CSV file of the form:

ClientID,WorkspaceName
87f1cb81-c572-4bbd-8410-dd43dbba6e9a,aide-0085665-tfews-epic-cloudtesteast-shared-wus3-01
87f1cb81-c572-4bbd-8410-dd43dbba6e9a,aide-0085665-tfews-epic-odb-eastepic-test-wus3-01

A script must be run against the CSV file by someone who owns every service principal listed in it. Hopefully this can be improved upon.
The script can be found here:
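The following is an added example and not the script referred to above. It reads a CSV in the layout shown and prints one az ad app federated-credential create command per workspace and run phase, because HCP Terraform presents a different subject claim for plan runs and for apply runs, so each workspace needs two federated credentials. The HCP Terraform/TFE hostname, organization and project names are not on this page and are placeholders supplied through environment variables; the sample CSV the script writes is constructed. The quota check encodes the reason for the 10-workspaces-per-service-principal cap in Step 2: two credentials per workspace against Entra ID's limit of 20 federated identity credentials per app registration.

```shell
#!/bin/sh
# Added example, not the Step 5 script from the page: read the ClientID,WorkspaceName
# CSV and emit one "az ad app federated-credential create" call per workspace and run
# phase. Hostname, organization and project are placeholders set through env vars.
set -eu

TFC_HOSTNAME="${TFC_HOSTNAME:-app.terraform.io}"  # assumption: your HCP Terraform/TFE host
TFC_ORG="${TFC_ORG:-example-org}"                  # assumption: placeholder organization
TFC_PROJECT="${TFC_PROJECT:-Default Project}"      # assumption: placeholder project
AUDIENCE="api://AzureADTokenExchange"              # default audience HCP Terraform requests
MAX_WORKSPACES_PER_SP=10                           # 2 credentials each; Entra caps an app at 20

# Subject claim in the workload identity token HCP Terraform presents for one run phase.
oidc_subject() {
  printf 'organization:%s:project:%s:workspace:%s:run_phase:%s' \
    "$TFC_ORG" "$TFC_PROJECT" "$1" "$2"
}

# JSON body of one federated credential. Issuer, subject and audience must all match
# the token exactly or Entra refuses the exchange.
fed_cred_json() {
  printf '{"name":"%s","issuer":"https://%s","subject":"%s","audiences":["%s"],"description":"HCP Terraform %s runs for %s"}' \
    "tfc-$1-$2" "$TFC_HOSTNAME" "$(oidc_subject "$1" "$2")" "$AUDIENCE" "$2" "$1"
}

# Return 1 if any client ID is mapped to more workspaces than its credential quota allows.
check_quota() {
  tail -n +2 "$1" | tr -d '\r' | cut -d, -f1 | sort | uniq -c |
    awk -v max="$MAX_WORKSPACES_PER_SP" \
      '$1 > max { printf "client %s has %d workspaces (max %d)\n", $2, $1, max; bad = 1 }
       END { exit bad }'
}

# Print one az command per (workspace, run phase); pipe the output to sh to execute it.
fed_cred_commands() {
  client_id='' workspace=''
  tail -n +2 "$1" | tr -d '\r' |
    while IFS=, read -r client_id workspace || [ -n "$client_id" ]; do
      [ -n "$client_id" ] || continue
      for phase in plan apply; do
        printf "az ad app federated-credential create --id %s --parameters '%s'\n" \
          "$client_id" "$(fed_cred_json "$workspace" "$phase")"
      done
    done
}

# Constructed sample in the page's CSV layout (placeholder client ID, not a real one).
write_sample_csv() {
  cat > "$1" <<'EOF'
ClientID,WorkspaceName
00000000-0000-0000-0000-000000000001,aide-0000000-tfews-example-shared-wus3-01
00000000-0000-0000-0000-000000000001,aide-0000000-tfews-example-test-wus3-01
EOF
}

main() {
  check_quota "$1"
  fed_cred_commands "$1"
}

# Runs only when a CSV path is given, e.g.:  sh make-fed-creds.sh oidc-map.csv | sh
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once without piping to sh and review the generated commands (in particular the issuer and subject strings) before executing them; the owner of each listed service principal has to be the one running them, as the page notes.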
Step 6 - Update Workspace Variables
The variable TFC_VAULT_BACKED_AZURE_AUTH needs to be set to false.
These variables need to be added:
- TFC_AZURE_PROVIDER_AUTH - true
- TFC_AZURE_RUN_CLIENT_ID - the client ID GUID of the service principal the workspace is mapped to in the CSV.
Step 7 - Update Terraform for workspaces
The providers.tf files currently look like this:

variable "tfc_vault_backed_azure_dynamic_credentials" {
  description = "Object containing Vault-backed Azure dynamic credentials configuration"
  type = object({
    default = object({
      client_id_file_path     = string
      client_secret_file_path = string
    })
    aliases = map(object({
      client_id_file_path     = string
      client_secret_file_path = string
    }))
  })
}

provider "azurerm" {
  features {}
  use_cli                 = false
  client_id_file_path     = var.tfc_vault_backed_azure_dynamic_credentials.default.client_id_file_path
  client_secret_file_path = var.tfc_vault_backed_azure_dynamic_credentials.default.client_secret_file_path
  tenant_id               = var.tenant_id
  subscription_id         = var.subscription_id
}
This needs to be modified to:

variable "tfc_azure_dynamic_credentials" {
  description = "Object containing Azure dynamic credentials configuration"
  type = object({
    default = object({
      client_id_file_path  = string
      oidc_token_file_path = string
    })
    aliases = map(object({
      client_id_file_path  = string
      oidc_token_file_path = string
    }))
  })
}

provider "azurerm" {
  features {}
  use_cli              = false
  use_oidc             = true
  client_id_file_path  = var.tfc_azure_dynamic_credentials.default.client_id_file_path
  oidc_token_file_path = var.tfc_azure_dynamic_credentials.default.oidc_token_file_path
  subscription_id      = var.subscription_id
  tenant_id            = var.tenant_id
}
Additionally, many of our workspaces have multiple azurerm provider blocks. These are often found in files named acn-main.tf. Each of these blocks needs to be updated from:

  client_id_file_path     = var.tfc_vault_backed_azure_dynamic_credentials.default.client_id_file_path
  client_secret_file_path = var.tfc_vault_backed_azure_dynamic_credentials.default.client_secret_file_path

to:

  use_oidc             = true
  client_id_file_path  = var.tfc_azure_dynamic_credentials.default.client_id_file_path
  oidc_token_file_path = var.tfc_azure_dynamic_credentials.default.oidc_token_file_path

Note: you may find provider blocks in other files. Please make sure to update every provider block.
Here is a set of commands to run on a Mac that will modify providers.tf properly. The substitutions rename the variable declaration as well as the references to it in the provider block, and replace client_secret_file_path everywhere (both in the variable's type and in the provider arguments) with oidc_token_file_path, so the result matches the target file above. The same commands can be run against acn-main.tf or any other file that contains azurerm provider blocks.

cp providers.tf providers.tf.bak
sed '/provider[[:space:]]*"azurerm"/a\
use_oidc = true
s/tfc_vault_backed_azure_dynamic_credentials/tfc_azure_dynamic_credentials/g
s/Vault-backed Azure dynamic credentials/Azure dynamic credentials/
s/client_secret_file_path/oidc_token_file_path/g' providers.tf > providers_new.tf && mv providers_new.tf providers.tf
terraform fmt providers.tf

Diff the result against providers.tf.bak before committing.
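Because provider blocks hide in files other than providers.tf, the following added audit script (not from the page) is worth running over a workspace checkout once the edits are done. It reports every azurerm provider block in any .tf file that still lacks use_oidc = true, and every remaining reference to the Vault-backed variable or to client_secret_file_path, so a half-converted workspace is caught before the test run in the next step. The fixture files it can write are constructed for illustration; var.hub_subscription_id in them is a made-up name.

```shell
#!/bin/sh
# Added example (not from the page): audit a workspace checkout after the Step 7 edits.
# Reports azurerm provider blocks in any *.tf file that still lack use_oidc = true, and
# any leftover reference to the Vault-backed variable or client_secret_file_path.
set -eu

# List azurerm provider blocks without use_oidc = true; returns 1 if any are found.
# Brace counting tracks where each provider block ends, so nested blocks such as
# features {} do not confuse the check.
providers_missing_oidc() {
  find "$1" -name '*.tf' -exec awk '
    /^[[:space:]]*provider[[:space:]]*"azurerm"/ { inprov = 1; depth = 0; has = 0; start = FNR }
    inprov {
      opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}"); depth += opens - closes
      if ($0 ~ /use_oidc[[:space:]]*=[[:space:]]*true/) has = 1
      if (depth == 0) {
        if (!has) { printf "%s:%d: azurerm provider block without use_oidc = true\n", FILENAME, start; bad = 1 }
        inprov = 0
      }
    }
    END { exit bad }' {} +
}

# List lines still referencing Vault-backed credentials; returns 1 if any remain.
# /dev/null is passed alongside the files so grep always prefixes the filename.
leftover_vault_refs() {
  hits=$(find "$1" -name '*.tf' -exec grep -n \
    -e 'tfc_vault_backed_azure_dynamic_credentials' -e 'client_secret_file_path' /dev/null {} + || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
}

# Run both checks and fail if either one does.
audit_workspace() {
  rc=0
  providers_missing_oidc "$1" || rc=1
  leftover_vault_refs "$1" || rc=1
  return "$rc"
}

# Constructed fixture: one converted file and one acn-main.tf still on the old arguments.
write_fixture() {
  mkdir -p "$1"
  cat > "$1/providers.tf" <<'EOF'
provider "azurerm" {
  features {}
  use_cli              = false
  use_oidc             = true
  client_id_file_path  = var.tfc_azure_dynamic_credentials.default.client_id_file_path
  oidc_token_file_path = var.tfc_azure_dynamic_credentials.default.oidc_token_file_path
  subscription_id      = var.subscription_id
  tenant_id            = var.tenant_id
}
EOF
  cat > "$1/acn-main.tf" <<'EOF'
provider "azurerm" {
  alias = "hub"
  features {}
  client_id_file_path     = var.tfc_vault_backed_azure_dynamic_credentials.default.client_id_file_path
  client_secret_file_path = var.tfc_vault_backed_azure_dynamic_credentials.default.client_secret_file_path
  subscription_id         = var.hub_subscription_id
}
EOF
}

# Usage: sh audit-oidc.sh /path/to/workspace-checkout
if [ "$#" -gt 0 ]; then audit_workspace "$1"; fi
```

A non-zero exit from audit_workspace means the workspace is not ready for Step 8; the printed file:line pairs point at the blocks that still need the edit.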
Step 8 - Test each workspace
Run Terraform in each workspace to confirm that it authenticates to Azure with the new OIDC credentials.