Merge pull request #17 from IFRCGo/feature/aks-workload-id-and-key-va…

…ult-changes enable key vault provider and workload identities on aks cluster
IFRCGo · Oct 16, 2024 · 2cb2865 · 2cb2865
2 parents 9148253 + bdad0a0
commit 2cb2865
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/base-infrastructure/terraform/resources/aks.tf b/base-infrastructure/terraform/resources/aks.tf
@@ -1,7 +1,7 @@
 resource "azurerm_kubernetes_cluster" "ifrcgo" {
-  lifecycle {
-    ignore_changes = all
-  }
+#  lifecycle {
+#    ignore_changes = all
+#  }
 
   name                = "${local.prefix}-cluster"
   location            = data.azurerm_resource_group.ifrcgo.location
@@ -27,6 +27,14 @@ resource "azurerm_kubernetes_cluster" "ifrcgo" {
     Environment = var.environment
     ManagedBy   = "IFRCGo"
   }
+
+  key_vault_secrets_provider {
+    secret_rotation_enabled  = true
+    secret_rotation_interval = var.secret_rotation_interval
+  }
+
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
 }
 
 # add the role to the identity the kubernetes cluster was assigned

diff --git a/base-infrastructure/terraform/resources/variables.tf b/base-infrastructure/terraform/resources/variables.tf
@@ -21,6 +21,18 @@ variable "RESOURCES_DB_SERVER" {
   default = ""
 }
 
+variable "secret_rotation_interval" {
+  type        = string
+  description = "How frequently the cluster should check for secret changes in minutes, in the form of '2m', '3m', etc."
+  default     = "2m"
+
+  validation {
+    condition     = can(regex("^[1-9][0-9]*m$", var.secret_rotation_interval))
+    error_message = "The secret_rotation_interval value must be a string in the form of 'Xm' where X is a positive integer, e.g., '2m', '10m', etc."
+  }
+}
+
+
 # -----------------
 # Attach ACR
 # Defaults to common resources