
[Feature Request] BREAKING change: Discuss CI environment secrets naming #1565

Open
eriqua opened this issue Jun 21, 2022 · 5 comments
Labels: blocked (if an issue is blocked), [cat] needs further discussion, enhancement (New feature or request)

Comments

eriqua (Contributor) commented Jun 21, 2022

Description

This discussion needs to take place before issues #1450, #1465 and #1085.

  1. [Feature Request] BREAKING change: Authenticate to Azure from GH with OpenID Connect #1450. Leverage the same naming documented here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=openid%2CCLI#configure-the-github-secrets

     | GitHub/ADO Secret     | Active Directory Application |
     |-----------------------|------------------------------|
     | AZURE_CLIENT_ID       | Application (client) ID      |
     | AZURE_TENANT_ID       | Directory (tenant) ID        |
     | AZURE_SUBSCRIPTION_ID | Subscription ID              |

  2. [Feature Request] BREAKING change: Rename DEPLOYMENT_SP_ID to DEPLOYMENT_SPN_ENTAPP_OBJID #1465. Discuss a name consistent with the above.
  3. [Feature Request] BREAKING change: Add options to split validation and publication resources #1085. Discuss if we want the same SP to deploy to both subscriptions (requires ownership on both) or if we want to support 2 different SPs, each mapped to a different subscription. Depending on that decision:
     • 2 subs, 1 SP -> the subscription secret decided above needs to be duplicated, e.g. AZURE_SUBSCRIPTION_ID_VALIDATION, AZURE_SUBSCRIPTION_ID_PUBLISHING
     • 2 subs, 2 SPs -> AZURE_CLIENT_ID also needs to be duplicated, e.g. AZURE_CLIENT_ID_VALIDATION, AZURE_CLIENT_ID_PUBLISHING. The secret decided at point 2 doesn't need to be duplicated since it's only used for validation purposes.
@eriqua eriqua added enhancement New feature or request [prio] high importance of the issue: high priority [cat] needs further discussion labels Jun 21, 2022
@eriqua eriqua added this to the Release 0.7 milestone Jun 21, 2022
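How the OIDC secret set from item 1 would be consumed under the "2 subs, 2 SPs" option from item 3, shown as an added GitHub Actions example that is not part of this issue or the project's own workflows; the workflow name, the `validation`/`publishing` environment names, the template path and the registry name are assumptions.

```yaml
# Added example (not from the issue): "2 subs, 2 SPs" layout using the OIDC
# secret names from item 1. Environment names, job names, the bicep path and
# the registry name are assumptions.
name: module-ci

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # needed for OIDC federated login; no client secret is stored

jobs:
  validate:
    runs-on: ubuntu-latest
    environment: validation           # secrets below resolve from this environment
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID_VALIDATION }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_VALIDATION }}
      # validation SP only needs rights in the validation subscription
      - run: >
          az deployment sub validate
          --location westeurope
          --template-file modules/example/main.bicep

  publish:
    needs: validate
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: publishing           # separate SP, separate subscription
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID_PUBLISHING }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_PUBLISHING }}
      - run: >
          az bicep publish
          --file modules/example/main.bicep
          --target br:placeholderregistry.azurecr.io/bicep/modules/example:v1
```

Because GitHub resolves secrets per environment, the two jobs could instead reference the unsuffixed names (`AZURE_CLIENT_ID`, `AZURE_SUBSCRIPTION_ID`) with different values stored in each environment, which is the variant the later comment about keeping IDs in the validation environment points at.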
MariusStorhaug (Contributor) commented Jun 26, 2022

Also, #1465 could potentially be made obsolete by #1605

MariusStorhaug (Contributor) commented Jun 26, 2022

And I would suggest we add the possibility for consumers to use 2 subs, 2 SPs, and even 2 tenants, as you might need a validation tenant and/or MG to validate changes. Maybe the ARM_MGMTGROUP_ID should be in the validation environment or prefixed with VALIDATION_MG_ID?

@eriqua eriqua changed the title [Feature Request]: Discuss CI environment secrets naming [Feature Request] BREAKING change: Discuss CI environment secrets naming Jul 25, 2022
eriqua (Contributor, Author) commented Sep 1, 2022

Removing from upcoming release 0.7; it will be worked on in the next one.

@eriqua eriqua removed this from the Release 0.7 milestone Sep 1, 2022
@eriqua eriqua removed the [prio] high importance of the issue: high priority label Sep 2, 2022
AlexanderSehr (Contributor) commented

It was decided to hold on to the environment split until we figured out whether we can use OpenID Connect or not (#1450), even though it is only relevant for GitHub and not ADO.

@rahalan rahalan added the blocked if an issue is blocked label Nov 17, 2022
@rahalan rahalan added this to Backlog Dec 11, 2022
@rahalan rahalan moved this to Blocked in Backlog Dec 11, 2022
@AlexanderSehr AlexanderSehr added this to the Azure Verified Modules (AVM) - CI Issues milestone May 19, 2024
@AlexanderSehr AlexanderSehr removed this from the Azure Verified Modules (AVM) - CI Issues milestone Jul 1, 2024