From 0f8e3d7e722e5f64a5de02cbc89fe42946dbdf5e Mon Sep 17 00:00:00 2001
From: Alessio Cialini
Date: Mon, 30 Oct 2023 17:27:52 +0100
Subject: [PATCH] [PRDP-175] feat: migrating to federated identity
---
 .identity/00_data.tf | 5 +++++
 .identity/02_application_main.tf | 16 ++++++++++++++++
 .identity/02_application_main_auth.tf | 22 ++++++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 .identity/02_application_main.tf
 create mode 100644 .identity/02_application_main_auth.tf
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
index 52369b08..faf40662 100644
--- a/.identity/00_data.tf
+++ b/.identity/00_data.tf
@@ -2,6 +2,11 @@ data "azurerm_resource_group" "dashboards" {
 name = "dashboards"
 }
 
+data "azurerm_storage_account" "tfstate_app" {
+ name = "pagopainfraterraform${var.env}"
+ resource_group_name = "io-infra-rg"
+}
+
 data "azurerm_kubernetes_cluster" "aks" {
 name = local.aks_cluster.name
 resource_group_name = local.aks_cluster.resource_group_name
diff --git a/.identity/02_application_main.tf b/.identity/02_application_main.tf
new file mode 100644
index 00000000..01eb057b
--- /dev/null
+++ b/.identity/02_application_main.tf
@@ -0,0 +1,16 @@
+resource "azuread_application" "main" {
+ display_name = "${local.app_name}-main"
+}
+
+resource "azuread_service_principal" "main" {
+ application_id = azuread_application.main.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "main" {
+ application_object_id = azuread_application.main.object_id
+ display_name = "github-federated"
+ description = "github-federated"
+ audiences = ["api://AzureADTokenExchange"]
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:${local.github.org}/${local.github.repository}:environment:${var.env}"
+}
\ No newline at end of file
diff --git a/.identity/02_application_main_auth.tf b/.identity/02_application_main_auth.tf
new file mode 100644
index 00000000..ef810610
--- /dev/null
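Review bot: The new `azurerm_storage_account.tfstate_app` data source in `00_data.tf` has no comment saying what the account is, and its name is parameterised by `var.env` while the resource group `io-infra-rg` is fixed, so a reader cannot tell whether that pairing is expected to hold for every environment. Since the same account receives Contributor assignments in the commit's `02_application_main_auth.tf`, a one-line comment above the block would help: `# Terraform remote-state storage account for this env; the federated app is granted access to it in 02_application_main_auth.tf`. The surrounding `dashboards` and `aks` data blocks are context only.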
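Review bot: The `subject` claim in `02_application_main.tf` binds the federated credential to the GitHub environment named by `var.env`, but nothing records that this only limits who can obtain a token if that environment exists and carries protection rules (deployment branch policy, required reviewers) on the GitHub side; without them, any workflow with write access to the repository can reference the environment and exchange its OIDC token for this application. A comment above `subject` such as `# Trust is scoped to the GitHub environment matching var.env; that environment must exist with protection rules, or any workflow in the repo can assume this app` would make the assumption explicit, and the name should match the GitHub environment exactly. Separately, if the pinned azuread provider is 2.x or later, `application_id` on `azuread_service_principal` and `application_object_id` on the federated credential are deprecated in favour of `client_id` and `application_id` respectively, which is worth checking against the provider version in use. The file also ends without a trailing newline.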
+++ b/.identity/02_application_main_auth.tf
@@ -0,0 +1,22 @@
+resource "azurerm_role_assignment" "main_terraform_subscription" {
+ scope = data.azurerm_subscription.current.id
+ role_definition_name = "Reader"
+ principal_id = azuread_service_principal.main.object_id
+}
+
+resource "azurerm_role_assignment" "main_terraform_storage_account_tfstate_app" {
+ scope = data.azurerm_storage_account.tfstate_app.id
+ role_definition_name = "Contributor"
+ principal_id = azuread_service_principal.main.object_id
+}
+resource "azurerm_role_assignment" "main_terraform_storage_account_tfstate_app_github_aks" {
+ scope = data.azurerm_storage_account.tfstate_app.id
+ role_definition_name = "Contributor"
+ principal_id = module.github_runner_app.object_id
+}
+
+resource "azurerm_role_assignment" "main_terraform_resource_group_dashboards" {
+ scope = data.azurerm_resource_group.dashboards.id
+ role_definition_name = "Contributor"
+ principal_id = azuread_service_principal.main.object_id
+}
\ No newline at end of file
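Review bot: `Contributor` on the state storage account (second and third resources) is broader than a Terraform backend needs: the role includes `Microsoft.Storage/storageAccounts/listKeys/action`, so both principals can retrieve the account keys and obtain full data-plane access to every container, and can also change the account's network rules or delete it. If the backend can run with `use_azuread_auth = true`, `role_definition_name = "Storage Blob Data Contributor"` scoped to the state container is sufficient; if key-based backend auth has to stay, a comment stating that this is why Contributor is used would save the next reviewer the same question. `data.azurerm_subscription.current` and `module.github_runner_app` are not defined in this commit, so the first and third assignments presumably rely on definitions elsewhere in `.identity/`. Minor: the second and third resource blocks are not separated by a blank line, and the file lacks a trailing newline.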