23 changes: 11 additions & 12 deletions docs/guides/workload_identity_federation.md
Expand Up @@ -40,8 +40,7 @@ execute terraform on the main branch, we will configure the service account "Fed
Azure DevOps supports OIDC authentication using the public issuer "https://vstoken.azure.com" (for Azure DevOps Server you should check your issuer URL) and setting information like organization, project, and pipeline
as part of the OIDC token claims.

Using a hypothetical pipeline named `terraform-ado-oidc` inside the project 'https://myorg.azure.com/project-abc` as example and assuming that we want to
execute terraform on the main branch, we will configure the service account "Federated identity Provider" with the following configuration:
Using a hypothetical pipeline named `terraform-ado-oidc` inside the project 'https://myorg.azure.com/project-abc` as example, we will configure the service account "Federated identity Provider" with the following configuration:
- **Provider Name**: AzureDevOps # This is just an example, you can choose any name you want
- **Issuer URL**: https://vstoken.dev.azure.com/{ORGANIZATION_ID} # This is the public issuer for Azure DevOps OIDC tokens
- For most organizations, the URL uses `vstoken.dev.azure.com`, but some legacy organizations might use 'vstoken.azure.com'. To be 100% sure, you can inspect the `iss` claim in a decoded OIDC token from your pipeline.
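Review bot: the rewritten "Using a hypothetical pipeline ..." line keeps the mismatched quoting around the project URL (it opens with `'` and closes with a backtick), so the rendered markdown shows a stray apostrophe; since the line is being replaced anyway, write it as `` `https://myorg.azure.com/project-abc` ``. The unchanged context line at the top of the hunk also still introduces the issuer as `https://vstoken.azure.com`, while the **Issuer URL** bullet now gives `https://vstoken.dev.azure.com/{ORGANIZATION_ID}` and the sub-bullet describes `vstoken.azure.com` as a legacy form; update the intro to the same value so readers do not configure an issuer that the later bullets contradict.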
Expand All @@ -50,8 +49,7 @@ execute terraform on the main branch, we will configure the service account "Fed
- Via Pipeline: Add a script step echo $(System.CollectionId) to print it during a run.
- **Assertions**:
- **aud**->equals->api://AzureADTokenExchange # Mandatory value
- **sub**->equals->p://myorg/project-abc/terraform-ado-oidc # This is the pipeline where the process is running
- **rpo_ref**->equals->refs/heads/main # This is the branch where the pipeline will run
- **sub**->equals->sc://myorg/project-abc/stackit-service-connection # This is the service connection that is being used to authenticate with STACKIT.

> Note: This is just an example, you can use more or less fine-grained assertions.

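Review bot: replacing the pipeline-scoped subject (`p://myorg/project-abc/terraform-ado-oidc`) and the `refs/heads/main` branch assertion with `sub` = `sc://myorg/project-abc/stackit-service-connection` widens the trust boundary: any pipeline in the project that is allowed to use that service connection, on any branch, can now exchange its token for the service account's identity. The guide should say this explicitly and point out that limiting which pipelines and branches may use the connection now has to be enforced on the service connection itself in Azure DevOps (pipeline permissions, approvals and checks), rather than in the federated identity assertions. It should also state that the last path segment of the `sub` value is the service connection's name and must match the connection created in the project. The `> Note:` about more or less fine-grained assertions would be the natural place to list which other claims remain available to tighten the policy.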
Expand Down Expand Up @@ -150,6 +148,9 @@ jobs:

### Azure Pipeline

For Azure DevOps, use the STACKIT Azure DevOps extension and authenticate with the [`StackitAuthenticate`](https://marketplace.visualstudio.com/items?itemName=SchwarzDigits.stackit-service-connection) task.
Create a STACKIT Service Connection using Workload Identity Federation (WIF) in your project and reference it in the task input.

```yaml
trigger:
branches:
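Review bot: "reference it in the task input" should name the input, since the YAML below uses `serviceConnection:`, and the paragraph should state what `StackitAuthenticate` makes available to the following steps (which credentials or environment variables), because the `STACKIT_USE_OIDC` and `STACKIT_SERVICE_ACCOUNT_EMAIL` variables are removed from the pipeline further down and a reader cannot otherwise tell how the provider learns which service account to act as. The link text says `StackitAuthenticate` but the marketplace `itemName` is `SchwarzDigits.stackit-service-connection`; naming the extension and the task separately avoids the impression that they are the same identifier.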
Expand All @@ -160,15 +161,18 @@ pool:
vmImage: "ubuntu-latest"

variables:
STACKIT_USE_OIDC: "1"
STACKIT_SERVICE_ACCOUNT_EMAIL: "terraform-example@sa.stackit.cloud"

jobs:
- job: demo-job
displayName: "Workload Identity Federation with STACKIT"
steps:
- checkout: self

- task: StackitAuthenticate@1
inputs:
serviceConnection: "My STACKIT Connection (WIF)"
displayName: "Authenticate with STACKIT (WIF)"

- task: TerraformInstaller@1
inputs:
terraformVersion: "latest"
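Review bot: the connection name in `serviceConnection: "My STACKIT Connection (WIF)"` does not match `stackit-service-connection`, the name used in the `sub` assertion earlier in this guide (`sc://myorg/project-abc/stackit-service-connection`); because the token subject is derived from the connection name, the example as written would fail the assertion it configures, so use the same name in both places. With `STACKIT_SERVICE_ACCOUNT_EMAIL` removed from `variables:`, nothing in the visible pipeline identifies the target service account any more; either keep that variable or add a comment on the `StackitAuthenticate@1` step saying that the task supplies it.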
Expand All @@ -186,6 +190,7 @@ jobs:

provider "stackit" {
default_region = "eu01"
use_oidc = true
}

resource "stackit_service_account" "sa" {
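Review bot: `use_oidc = true` in the provider block replaces the removed `STACKIT_USE_OIDC: "1"` variable, but the guide does not say so, and a reader following an older copy of the pipeline may end up with both set; add a short HCL comment (for example `# replaces the STACKIT_USE_OIDC environment variable`) and state which setting wins when both the attribute and the environment variable are present.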
Expand All @@ -199,23 +204,17 @@ jobs:
terraform init
displayName: "Terraform Init"
env:
STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
SYSTEM_ACCESSTOKEN: $(System.AccessToken)

- script: |
terraform plan -out=tfplan
displayName: "Terraform Plan"
env:
STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
SYSTEM_ACCESSTOKEN: $(System.AccessToken)

- script: |
terraform apply -auto-approve tfplan
displayName: "Terraform Apply"
env:
STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```
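Review bot: after dropping `STACKIT_USE_OIDC` and `STACKIT_SERVICE_ACCOUNT_EMAIL` from all three `env:` blocks, each terraform step still maps `SYSTEM_ACCESSTOKEN: $(System.AccessToken)`; the guide should explain that this is what the provider reads as the OIDC request token (`oidc_request_token`, sourced from `SYSTEM_ACCESSTOKEN` in `provider.go`) and that it hands the terraform process the pipeline's own access token, which is a reason to run the job under a build identity with the minimum Azure DevOps permissions. Repeating the identical `env:` block three times also invites drift when one copy is edited and the others are not.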
1 change: 1 addition & 0 deletions docs/index.md
Expand Up @@ -207,6 +207,7 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de
- `service_account_key` (String) Service account key used for authentication. If set, the key flow will be used to authenticate all operations.
- `service_account_key_path` (String) Path for the service account key used for authentication. If set, the key flow will be used to authenticate all operations.
- `service_account_token` (String, Deprecated) Token used for authentication. If set, the token flow will be used to authenticate all operations.
- `service_connection_id` (String) The ID of the Azure DevOps pipeline service connection. For use when authenticating as a Service Account using OpenID Connect.
- `service_enablement_custom_endpoint` (String) Custom endpoint for the Service Enablement API
- `sfs_custom_endpoint` (String) Custom endpoint for the Stackit Filestorage API
- `ske_custom_endpoint` (String) Custom endpoint for the Kubernetes Engine (SKE) service
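Review bot: the new `service_connection_id` entry omits the `STACKIT_SERVICE_CONNECTION_ID` environment variable fallback that `provider.go` reads for it, although the neighbouring attributes that have an environment variable document it (`use_oidc` and `STACKIT_USE_OIDC`); it should also say that the value only takes effect together with `oidc_request_url` and `oidc_request_token`, because it restricts the Azure DevOps token exchange to one connection and does nothing on its own. This text is identical to the schema description in `stackit/provider.go`, so both copies need the same wording.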
8 changes: 7 additions & 1 deletion stackit/provider.go
Expand Up @@ -213,6 +213,7 @@ type providerModel struct {
TokenCustomEndpoint types.String `tfsdk:"token_custom_endpoint"`
VpnCustomEndpoint types.String `tfsdk:"vpn_custom_endpoint"`
OIDCTokenRequestURL types.String `tfsdk:"oidc_request_url"`
ServiceConnectionID types.String `tfsdk:"service_connection_id"`
OIDCTokenRequestToken types.String `tfsdk:"oidc_request_token"`

EnableBetaResources types.Bool `tfsdk:"enable_beta_resources"`
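Review bot: `ServiceConnectionID` is inserted between `OIDCTokenRequestURL` and `OIDCTokenRequestToken`, splitting the two fields that are always read together in `Configure`; placing it after `OIDCTokenRequestToken` keeps the request URL/token pair adjacent and makes it clearer that the connection ID is an optional refinement of that exchange.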
Expand All @@ -232,6 +233,7 @@ func (p *Provider) Schema(_ context.Context, _ provider.SchemaRequest, resp *pro
"service_account_federated_token_path": "Path for workload identity assertion. It can also be set using the environment variable STACKIT_FEDERATED_TOKEN_FILE.",
"service_account_federated_token": "The OIDC ID token for use when authenticating as a Service Account using OpenID Connect.",
"use_oidc": "Enables OIDC for Authentication. This can also be sourced from the `STACKIT_USE_OIDC` Environment Variable. Defaults to `false`.",
"service_connection_id": "The ID of the Azure DevOps pipeline service connection. For use when authenticating as a Service Account using OpenID Connect.",
"oidc_request_url": "The URL for the OIDC provider from which to request an ID token. For use when authenticating as a Service Account using OpenID Connect.",
"oidc_request_token": "The bearer token for the request to the OIDC provider. For use when authenticating as a Service Account using OpenID Connect.",
"region": "Region will be used as the default location for regional services. Not all services require a region, some are global",
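Review bot: the `service_connection_id` description does not mention the `STACKIT_SERVICE_CONNECTION_ID` environment variable that `Configure` falls back to, while the `use_oidc` description two lines above documents its `STACKIT_USE_OIDC` fallback; add the equivalent sentence so the generated documentation matches the code, and state that the attribute is only honoured when `oidc_request_url` and `oidc_request_token` are also set.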
Expand Down Expand Up @@ -322,6 +324,10 @@ func (p *Provider) Schema(_ context.Context, _ provider.SchemaRequest, resp *pro
Optional: true,
Description: descriptions["use_oidc"],
},
"service_connection_id": schema.StringAttribute{
Optional: true,
Description: descriptions["service_connection_id"],
},
"oidc_request_token": schema.StringAttribute{
Optional: true,
Description: descriptions["oidc_request_token"],
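Review bot: `service_connection_id` is `Optional` with no validator, and `Configure` only consumes it inside `if oidcReqURL != "" && oidcReqToken != ""`, so a value set without the other two attributes is silently ignored; that is a security-relevant surprise, because an operator who believes the token exchange is now pinned to one connection gets no restriction at all. Add a schema validator that requires `oidc_request_url` and `oidc_request_token` when this attribute is set, or emit a diagnostic in `Configure` when the ID is present but the request URL or token is empty.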
Expand Down Expand Up @@ -634,7 +640,7 @@ func (p *Provider) Configure(ctx context.Context, req provider.ConfigureRequest,
oidcReqToken = utils.GetEnvStringOrDefault(providerConfig.OIDCTokenRequestToken, "SYSTEM_ACCESSTOKEN", "")
// This can be set to the ID of the service connection to restrict the token exchange to that connection, not supported by default to avoid additional configuration
// for users that don't need it, can be added as an additional provider config parameter in the future if there is demand
serviceConnectionID := ""
serviceConnectionID := utils.GetEnvStringOrDefault(providerConfig.ServiceConnectionID, "STACKIT_SERVICE_CONNECTION_ID", "")
if oidcReqURL != "" && oidcReqToken != "" {
sdkConfig.ServiceAccountFederatedTokenFunc = oidcadapters.RequestAzureDevOpsOIDCToken(oidcReqURL, oidcReqToken, serviceConnectionID)
}
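Review bot: the two comment lines above `serviceConnectionID :=` are now stale: they say the restriction is "not supported by default" and "can be added as an additional provider config parameter in the future", but this hunk adds exactly that parameter. Rewrite them to describe the current behaviour, for example `// Optional: restrict the Azure DevOps token exchange to one service connection; sourced from service_connection_id or STACKIT_SERVICE_CONNECTION_ID`, and note that the empty-string default keeps the previous unrestricted behaviour, since `RequestAzureDevOpsOIDCToken` is still called with `serviceConnectionID` even when it is `""`.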
23 changes: 11 additions & 12 deletions templates/guides/workload_identity_federation.md.tmpl
Expand Up @@ -40,8 +40,7 @@ execute terraform on the main branch, we will configure the service account "Fed
Azure DevOps supports OIDC authentication using the public issuer "https://vstoken.azure.com" (for Azure DevOps Server you should check your issuer URL) and setting information like organization, project, and pipeline
as part of the OIDC token claims.

Using a hypothetical pipeline named `terraform-ado-oidc` inside the project 'https://myorg.azure.com/project-abc` as example and assuming that we want to
execute terraform on the main branch, we will configure the service account "Federated identity Provider" with the following configuration:
Using a hypothetical pipeline named `terraform-ado-oidc` inside the project 'https://myorg.azure.com/project-abc` as example, we will configure the service account "Federated identity Provider" with the following configuration:
- **Provider Name**: AzureDevOps # This is just an example, you can choose any name you want
- **Issuer URL**: https://vstoken.dev.azure.com/{ORGANIZATION_ID} # This is the public issuer for Azure DevOps OIDC tokens
- For most organizations, the URL uses `vstoken.dev.azure.com`, but some legacy organizations might use 'vstoken.azure.com'. To be 100% sure, you can inspect the `iss` claim in a decoded OIDC token from your pipeline.
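Review bot: the hunks in this template are identical to those in `docs/guides/workload_identity_federation.md`, so the comments raised there apply here as well: the mismatched `'`/backtick quoting of the project URL, the intro line still naming `https://vstoken.azure.com` as the issuer while the bullet below gives `https://vstoken.dev.azure.com/{ORGANIZATION_ID}`, the `sub` assertion widening from one pipeline and branch to the whole service connection, the `My STACKIT Connection (WIF)` versus `stackit-service-connection` name mismatch, and the unexplained `SYSTEM_ACCESSTOKEN` mapping that remains on every terraform step. Making the fixes in the template keeps the two files from drifting apart.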
Expand All @@ -50,8 +49,7 @@ execute terraform on the main branch, we will configure the service account "Fed
- Via Pipeline: Add a script step echo $(System.CollectionId) to print it during a run.
- **Assertions**:
- **aud**->equals->api://AzureADTokenExchange # Mandatory value
- **sub**->equals->p://myorg/project-abc/terraform-ado-oidc # This is the pipeline where the process is running
- **rpo_ref**->equals->refs/heads/main # This is the branch where the pipeline will run
- **sub**->equals->sc://myorg/project-abc/stackit-service-connection # This is the service connection that is being used to authenticate with STACKIT.

> Note: This is just an example, you can use more or less fine-grained assertions.

Expand Down Expand Up @@ -150,6 +148,9 @@ jobs:

### Azure Pipeline

For Azure DevOps, use the STACKIT Azure DevOps extension and authenticate with the [`StackitAuthenticate`](https://marketplace.visualstudio.com/items?itemName=SchwarzDigits.stackit-service-connection) task.
Create a STACKIT Service Connection using Workload Identity Federation (WIF) in your project and reference it in the task input.

```yaml
trigger:
branches:
Expand All @@ -160,15 +161,18 @@ pool:
vmImage: "ubuntu-latest"

variables:
STACKIT_USE_OIDC: "1"
STACKIT_SERVICE_ACCOUNT_EMAIL: "terraform-example@sa.stackit.cloud"

jobs:
- job: demo-job
displayName: "Workload Identity Federation with STACKIT"
steps:
- checkout: self

- task: StackitAuthenticate@1
inputs:
serviceConnection: "My STACKIT Connection (WIF)"
displayName: "Authenticate with STACKIT (WIF)"

- task: TerraformInstaller@1
inputs:
terraformVersion: "latest"
Expand All @@ -186,6 +190,7 @@ jobs:

provider "stackit" {
default_region = "eu01"
use_oidc = true
}

resource "stackit_service_account" "sa" {
Expand All @@ -199,23 +204,17 @@ jobs:
terraform init
displayName: "Terraform Init"
env:
STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
SYSTEM_ACCESSTOKEN: $(System.AccessToken)

- script: |
terraform plan -out=tfplan
displayName: "Terraform Plan"
env:
STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
SYSTEM_ACCESSTOKEN: $(System.AccessToken)

- script: |
terraform apply -auto-approve tfplan
displayName: "Terraform Apply"
env:
STACKIT_USE_OIDC: $(STACKIT_USE_OIDC)
STACKIT_SERVICE_ACCOUNT_EMAIL: $(STACKIT_SERVICE_ACCOUNT_EMAIL)
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```