kubelogin arguments for Github actions OIDC

Required for configuring the kubernetes provider when running in a workflow where OIDC is enabled
DFE-Digital · Dec 19, 2024 · fcf2292 · fcf2292
1 parent 440927a
commit fcf2292
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/aks/cluster_data/outputs.tf b/aks/cluster_data/outputs.tf
@@ -31,7 +31,15 @@ output "ingress_domain" {
 }
 
 output "kubelogin_args" {
-  value = local.spn_authentication ? local.kubelogin_args_map["spn"] : local.kubelogin_args_map["azurecli"]
+  description = "Kubelogin arguments to use configure the kubernetes provider. Allows workload identity, service principal secret and azure cli"
+  # If running in github actions, use either spn secret authentication or workload identity. If not, use azure cli.
+  value = (local.running_in_github_actions ? (
+    local.spn_secret_authentication ?
+    local.kubelogin_args_map["spn"] :
+    local.kubelogin_args_map["workloadidentity"]
+    ) :
+    local.kubelogin_args_map["azurecli"]
+  )
 }
 output "azure_RBAC_enabled" {
   value = local.azure_RBAC_enabled

diff --git a/aks/cluster_data/tfdocs.md b/aks/cluster_data/tfdocs.md
@@ -36,7 +36,7 @@ No modules.
 | <a name="output_azure_RBAC_enabled"></a> [azure\_RBAC\_enabled](#output\_azure\_RBAC\_enabled) | n/a |
 | <a name="output_configuration_map"></a> [configuration\_map](#output\_configuration\_map) | n/a |
 | <a name="output_ingress_domain"></a> [ingress\_domain](#output\_ingress\_domain) | n/a |
-| <a name="output_kubelogin_args"></a> [kubelogin\_args](#output\_kubelogin\_args) | n/a |
+| <a name="output_kubelogin_args"></a> [kubelogin\_args](#output\_kubelogin\_args) | Kubelogin arguments to use configure the kubernetes provider. Allows workload identity, service principal secret and azure cli |
 | <a name="output_kubernetes_client_certificate"></a> [kubernetes\_client\_certificate](#output\_kubernetes\_client\_certificate) | n/a |
 | <a name="output_kubernetes_client_key"></a> [kubernetes\_client\_key](#output\_kubernetes\_client\_key) | n/a |
 | <a name="output_kubernetes_cluster_ca_certificate"></a> [kubernetes\_cluster\_ca\_certificate](#output\_kubernetes\_cluster\_ca\_certificate) | n/a |

diff --git a/aks/cluster_data/variables.tf b/aks/cluster_data/variables.tf
@@ -90,10 +90,18 @@ locals {
       "azurecli",
       "--server-id",
       "6dae42f8-4368-4678-94ff-3960e28e3630"
+    ],
+    workloadidentity = [
+      "get-token",
+      "--login",
+      "workloadidentity",
+      "--server-id",
+      "6dae42f8-4368-4678-94ff-3960e28e3630"
     ]
   }
 
   azure_RBAC_enabled = length(data.azurerm_kubernetes_cluster.main.azure_active_directory_role_based_access_control) > 0
 
-  spn_authentication = contains(keys(data.environment_variables.github_actions.items), "GITHUB_ACTIONS")
+  running_in_github_actions = contains(keys(data.environment_variables.github_actions.items), "GITHUB_ACTIONS")
+  spn_secret_authentication = contains(keys(data.environment_variables.github_actions.items), "AAD_SERVICE_PRINCIPAL_CLIENT_SECRET")
 }