diff --git a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
index c8e5a083..61ccbb7b 100644
--- a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
+++ b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
@@ -1,9 +1,12 @@
 # https://github.com/Azure/aad-pod-identity/blob/b3ee1d07209f26c47a96abf3ba20749932763de6/website/content/en/docs/Concepts/azureidentity.md
+#
+# Note, while the ${} values are not required for kustomize to work, they signify which values are
+# eligible for configuration.
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentity
 metadata:
-  name: podmi-caf-rover-platform-level0
+  name: ${azureidentity_name}
 spec:
   type: 0
   resourceID: ${resource_id}
@@ -12,8 +15,8 @@ spec:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-  name: podmi-gitlab-runner-binding
+  name: ${azureidentitybinding_name}
 spec:
-  azureIdentity: podmi-caf-rover-platform-level0
-  selector: podmi-caf-rover-platform-level0
+  azureIdentity: ${azureidentity_name}
+  selector: ${azureidentity_selector}
diff --git a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
index 800058f1..2b7d6385 100644
--- a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
+++ b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
@@ -27,6 +27,18 @@ data "kustomization_overlay" "aad_pod_identity" {
   namespace = var.aad_pod_identity.namespace
+  patches {
+    patch = <<-EOF
+    - op: replace
+      path: /metadata/name
+      value: ${each.value.name}
+    EOF
+
+    target = {
+      kind = "AzureIdentity"
+    }
+  }
+
   patches {
     patch = <<-EOF
     - op: replace
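Review bot: The new header comment says the `${}` values are not required, but `${azureidentity_name}` cannot reach the API server as written: `$`, `{` and `}` are not permitted characters in a Kubernetes metadata.name, so the base manifest is only deployable once the overlay patch replaces /metadata/name. I would reword the added comment to say so: `# The ${} placeholders are not valid Kubernetes names or label values on their own; the Terraform overlay patches replace them, and their names mark which fields are configurable.`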
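Review bot: The AzureIdentityBinding now carries `${azureidentitybinding_name}` and `azureIdentity: ${azureidentity_name}`, but the overlay visible in this diff only patches /metadata/name on kind AzureIdentity and /spec/selector; unless a patch outside this diff also replaces the binding's name and its azureIdentity reference, the literal placeholder is what gets applied and the binding would reference an AzureIdentity that does not exist. Because the selector is the value a pod's `aadpodidbinding` label must match before it is issued tokens for this managed identity, the selector line deserves a comment making that explicit, e.g. `# pods labelled aadpodidbinding=<this value> are assigned this identity; keep it unique per identity`.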
@@ -87,11 +99,13 @@ data "kustomization_overlay" "aad_pod_identity" {
     }
   }
+  # You can provide a managed_identities..aadpodidentity_selector to specify the value here,
+  # alternatively provide none to have the MSI name used as the selector.
   patches {
     patch = <<-EOF
     - op: replace
       path: /spec/selector
-      value: ${each.value.name}
+      value: ${each.value.selector}
     EOF
     target = {
@@ -112,6 +126,7 @@ locals {
       for msi_key in value.msi_keys : {
         key       = key
         msi_key   = msi_key
+        selector  = try(value.aadpodidentity_selector, local.remote.managed_identities[value.lz_key][msi_key].name)
         client_id = local.remote.managed_identities[value.lz_key][msi_key].client_id
         id        = local.remote.managed_identities[value.lz_key][msi_key].id
         name      = local.remote.managed_identities[value.lz_key][msi_key].name
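Review bot: The new comment refers to `managed_identities..aadpodidentity_selector`, which reads like a dropped path segment; the locals hunk further down shows the attribute lives on each managed_identities entry, so `managed_identities.<key>.aadpodidentity_selector` would be clearer. Separately, `${each.value.selector}` is now a user-supplied string interpolated unquoted into the YAML heredoc, so a value containing YAML-significant characters (a leading `*`, `&` or `#`, or an embedded `: `) would break or silently alter the JSON patch; writing it as `value: "${each.value.selector}"` keeps the patch document well-formed for any label value. The enclosing data block starts before this hunk.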
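Review bot: `try(value.aadpodidentity_selector, …)` only falls back when the attribute is absent; an entry that sets `aadpodidentity_selector = null` makes `try` return null, and the selector patch in this file then fails on `${each.value.selector}` (null is not allowed in a string template) instead of defaulting to the MSI name as the comment above promises. `selector  = coalesce(try(value.aadpodidentity_selector, null), local.remote.managed_identities[value.lz_key][msi_key].name)` covers both the missing and the null case. Nothing here checks that two entries resolve to different selectors; since a pod whose `aadpodidbinding` label matches can be assigned every identity whose binding carries that selector, a duplicate silently widens which identities a pod can assume, so a comment on this line stating that the selector must be unique per identity would be worth adding. The surrounding `locals` block and for-expression start and end outside this hunk.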