Merge pull request #208 from microsoft/remove-secret-from-cicd

Remove secret from cicd

.github/workflows/cicd.yml

@@ -5,6 +5,10 @@ on:
     branches: [main]
     tags: ["*"]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build_and_publish:
 
@@ -16,12 +20,11 @@ jobs:
       - name: Log in with Azure
         uses: azure/login@v1
         with:
-          creds: '${{ secrets.AZURE_CREDENTIALS }}'
+          client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
+          tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
+          subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
 
       - name: Authenticate
-        env:
-          CLIENT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
-          CLIENT_SECRET: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
         run: ./scripts/ciauthenticate
 
       - name: Run cibuild
@@ -54,6 +57,13 @@ jobs:
       - build_and_publish
     steps:
       - uses: actions/checkout@v3
+      
+      - name: Log in with Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
+          tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
+          subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
 
       - name: Get image tag
         id: get_image_tag
@@ -73,7 +83,7 @@ jobs:
         env:
           IMAGE_TAG: ${{needs.build_and_publish.outputs.image_tag}}
           ENVIRONMENT: staging
-          ARM_CLIENT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
-          ARM_CLIENT_SECRET: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
-          ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).subscriptionId }}
-          ARM_TENANT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
+          ARM_CLIENT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
+          ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
+          ARM_TENANT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
+          ARM_USE_OIDC: true

deployment/Dockerfile

@@ -16,9 +16,9 @@ RUN echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu
 
 RUN apt-get update && apt-get install -y azure-functions-core-tools-4
 
-# Install Terraform 0.14.4
+# Install Terraform 1.8.2
 
-RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.14.4/terraform_0.14.4_linux_amd64.zip
+RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/1.8.2/terraform_1.8.2_linux_amd64.zip
 RUN unzip terraform.zip
 RUN mv terraform /usr/local/bin
 

deployment/bin/deploy

@@ -61,8 +61,8 @@ fi
 require_env "IMAGE_TAG"
 require_env "GIT_COMMIT"
 require_env "ARM_CLIENT_ID"
-require_env "ARM_CLIENT_SECRET"
 require_env "ARM_TENANT_ID"
+require_env "ARM_USE_OIDC"
 
 # Directory for rendered values and templates
 CONF_DIR='/opt/conf'
@@ -84,7 +84,6 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
     # Add IP to KV firewall #
     #########################
 
-    bin/azlogin
     bin/kv_add_ip
 
     #####################

deployment/bin/lib

@@ -71,8 +71,6 @@ function azlogin() {
 function cluster_login() {
     echo "Logging into the cluster..."
 
-    azlogin;
-
     az aks get-credentials \
         --resource-group ${RESOURCE_GROUP} \
         --name ${CLUSTER_NAME} \
@@ -84,9 +82,7 @@ function cluster_login() {
     # So we export to a kubeconfig file
     echo "Converting kubeconfig..."
     kubelogin convert-kubeconfig \
-        --login spn \
-        --client-id ${ARM_CLIENT_ID} \
-        --client-secret ${ARM_CLIENT_SECRET} \
+        -l azurecli \
         --kubeconfig=kubeconfig
     export KUBECONFIG=kubeconfig
 }
@@ -128,8 +124,6 @@ function prepare_funcs() {
 function deploy_funcs() {
     require_env "FUNCTION_APP_NAME"
 
-    azlogin
-
     prepare_funcs
 
     pushd /opt/src/pcfuncs_deploy

deployment/docker-compose.yml

@@ -14,7 +14,12 @@ services:
       - ARM_SUBSCRIPTION_ID
       - ARM_TENANT_ID
       - ARM_CLIENT_ID
-      - ARM_CLIENT_SECRET
+      - ARM_USE_OIDC
+      - ARM_OIDC_TOKEN
+      - ACTIONS_ID_TOKEN_REQUEST_URL
+      - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+      - ARM_OIDC_REQUEST_TOKEN
+      - ARM_OIDC_REQUEST_URL
 
       # Used in the dev stack as an identifier
       - TF_VAR_username=${USER}
@@ -32,3 +37,4 @@ services:
       - ../deployment:/opt/src/deployment
       - ../pccommon:/opt/src/pccommon:ro
       - ../pcfuncs:/opt/src/pcfuncs:ro
+      - ~/.azure:/root/.azure

deployment/terraform/resources/providers.tf

@@ -1,5 +1,6 @@
 provider azurerm {
   features {}
+  use_oidc = true
 }
 
 terraform {
@@ -8,7 +9,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.77.0"
+      version = "3.97.1"
     }
   }
 }

deployment/terraform/staging/main.tf

@@ -32,6 +32,7 @@ terraform {
     storage_account_name = "pctesttfstate"
     container_name       = "pc-test-api"
     key                  = "pqe-apis.tfstate"
+    use_oidc = true
   }
 }
 

scripts/ciauthenticate

@@ -15,5 +15,4 @@ CI authentication for this project.
 
 # curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 # az login --service-principal --username ${CLIENT_ID} --tenant "microsoft.onmicrosoft.com" --password ${CLIENT_SECRET}
-az acr login --name pccomponentstest
-docker login pccomponentstest.azurecr.io --username ${CLIENT_ID} --password ${CLIENT_SECRET}
+az acr login --name pccomponentstest