
Azure Dynamic provider credentials support #817

Merged
merged 11 commits into from Apr 19, 2024

Conversation

alfespa17
Member

@alfespa17 alfespa17 commented Apr 19, 2024

This pull request adds support for managing Azure Dynamic Provider credentials, so Terrakube can automatically authenticate with Azure without storing any service principal secret.

Generate Public and Private Key.

To use Azure Dynamic Provider credentials we need to generate a public and private key that will be used to generate and validate the federated tokens; we can use the following commands:

openssl genrsa -out private_temp.pem 2048
openssl rsa -in private_temp.pem -outform PEM -pubout -out public.pem

You need to make sure the private key starts with "-----BEGIN PRIVATE KEY-----"; if it does not, the following command can be used to convert the private key to the correct format:

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_temp.pem -out private.pem

The public and private keys need to be mounted inside the container, and their paths should be specified in the following environment variables:

  • DynamicCredentialPublicKeyPath
  • DynamicCredentialPrivateKeyPath

Public Endpoints Requirements

To use Azure Dynamic Provider credentials, the following public endpoints were added; they need to be accessible so Azure Entra can validate the federated token.

GET https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/openid-configuration
{
  "issuer": "https://TERRAKUBE.MYSUPERDOMAIN.COM",
  "jwks_uri": "https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "claims_supported": [
    "sub",
    "aud",
    "exp",
    "iat",
    "iss",
    "jti",
    "terrakube_workspace_id",
    "terrakube_organization_id",
    "terrakube_job_id"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "public"
  ]
}
GET https://TERRAKUBE.MYSUPERDOMAIN.COM/.well-known/jwks
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "n": "ALEzGE4Rn2WhxOhIuXAzq7e-WvRLCJfoqrHMUXtpt6gefNmWGo9trbea84KyeKdvzE9wBwWxnz_U5d_utmLLztVA2FLdDfnndh7pF4Fp7hB-lhaT1hV2EsiFsc9oefCYmkzXmHylfNQOuqNlRA_2Xu5pHovrF79WW01hWSjhGTkpj6pxFG4t7Tl54SWnJ83CvGDAKuoO9c1M1iTKikB3ENMK8WfU-wZJ4oLTAfhSydqZxZuGRhiwPGsEQOpRynyHJ54XWZHmFdsWs_eGRsfs1iTPbiQSBZbaEwz36HF4QdqFzzLGd67sTtZku_YEsUbJW8cbK6nOFEdR0BSTtSV-lPk=",
      "e": "AQAB",
      "kid": "03446895-220d-47e1-9564-4eeaa3691b42",
      "alg": "RS256"
    }
  ]
}

Environment Variables:

The following environment variables were added:

  • DynamicCredentialId = This will be the kid in the JWKS endpoint (Default value: 03446895-220d-47e1-9564-4eeaa3691b42)
  • DynamicCredentialTtl = The TTL for the federated token generated internally in Terrakube (Default: 30)
  • DynamicCredentialPublicKeyPath = The path to the public key used to validate the federated tokens
  • DynamicCredentialPrivateKeyPath = The path to the private key used to generate the federated tokens

Register Application

We need to register a new application in Microsoft Entra like the following example:

image

Once we have the application we need to add a federated credential.

image

Select type "Other" and fill the following information:

image

You need to grant the application access to your Azure resources, for example the "Contributor" role or any other role.

image

Inside our workspace you will have to add the following environment variables:

  • ARM_TENANT_ID=YOUR AZURE TENANT ID
  • ARM_SUBSCRIPTION_ID=YOUR AZURE SUBSCRIPTION ID
  • ARM_CLIENT_ID=YOUR AZURE APPLICATION ID
  • ARM_USE_OIDC=true
  • ENABLE_DYNAMIC_CREDENTIALS_AZURE=true
  • WORKLOAD_IDENTITY_AUDIENCE_AZURE=api://AzureADTokenExchange

image

When running a job, Terrakube will correctly authenticate to Azure without any credentials inside the workspace.

image

Terraform example using the CLI driven workflow:

terraform {
  cloud {
    organization = "simple"
    hostname     = "8080-azbuilder-terrakube-tr6130m2jsz.ws-us110.gitpod.io"

    workspaces {
      name = "simple"
    }
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}
  use_cli = false
}

resource "azurerm_resource_group" "example" {
  name     = "example2"
  location = "East US 2"
}

Running example:

user@pop-os:~/git/dynamic_creds$ terraform apply

Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://8080-azbuilder-terrakube-tr6130m2jsz.ws-us110.gitpod.io/app/simple/simple/runs/2

Waiting for the plan to start...

***************************************
Running Terraform PLAN
***************************************

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "eastus2"
      + name     = "example2"
    }

Plan: 1 to add, 0 to change, 0 to destroy.


Do you want to perform these actions in workspace "simple"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_resource_group.example: Creating...
azurerm_resource_group.example: Creation complete after 2s [id=/subscriptions/583006a4-7a57-4a3d-899c-620faa582f6d/resourceGroups/example2]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
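The token exchange that the two well-known endpoints above support, as an added example in Go that is not part of this pull request or of Terrakube's code base: it generates a 2048-bit RSA key (the size the openssl commands above produce), publishes the public half shaped like a "keys" entry of the /.well-known/jwks document, signs an RS256 token carrying the claims listed under claims_supported, and then verifies that token the way a relying party such as Entra does (pinned algorithm, key selected by kid, signature, then iss, aud and exp). The host https://TERRAKUBE.MYSUPERDOMAIN.COM, the default kid and the api://AzureADTokenExchange audience are taken from the PR text; the function names, the sub/jti/workspace values and the 30-second TTL (the PR's DynamicCredentialTtl default) are assumptions for illustration, not Terrakube's implementation.

```go
package main

// Added example (not Terrakube's code): the federated-token flow the PR describes, done end
// to end with the Go standard library only. Function names and sample values are assumptions.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const (
	Issuer   = "https://TERRAKUBE.MYSUPERDOMAIN.COM"  // placeholder host used in the PR text
	Audience = "api://AzureADTokenExchange"           // WORKLOAD_IDENTITY_AUDIENCE_AZURE in the PR
	KeyID    = "03446895-220d-47e1-9564-4eeaa3691b42" // default DynamicCredentialId in the PR
)

var b64 = base64.RawURLEncoding // JWTs and JWKs use unpadded base64url

// Claims is the token body; keys follow claims_supported in the discovery document.
type Claims map[string]any

// BuildJWKS publishes only the public half, shaped like the "keys" entries of the PR's JWKS.
func BuildJWKS(pub *rsa.PublicKey, kid string) []map[string]string {
	e := big.NewInt(int64(pub.E)).Bytes()
	return []map[string]string{{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(e)}}
}

// SignToken issues the RS256 JWT Terrakube hands to the job; kid travels in the header.
func SignToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the relying party's side (Entra, in the PR): pin the algorithm, select the
// key by kid, check the signature, and only then trust the body for iss, aud and exp.
func VerifyToken(token string, jwks []map[string]string, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad base64url -> nil
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or alg is not RS256") // the verifier pins alg, not the token
	}
	var pub *rsa.PublicKey
	for _, k := range jwks {
		if k["kid"] == hdr.Kid && k["kty"] == "RSA" {
			// SetBytes also accepts the leading 0x00 sign byte visible in the PR's "n" value.
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k["n"])),
				E: int(new(big.Int).SetBytes(dec(k["e"])).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no RSA key with matching kid in JWKS")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if json.Unmarshal(dec(parts[1]), &c) != nil || c["iss"] != wantIss || c["aud"] != wantAud {
		return nil, fmt.Errorf("claims rejected: iss %v, aud %v", c["iss"], c["aud"])
	}
	exp, _ := c["exp"].(float64) // JSON numbers decode as float64
	if !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return c, nil
}

// SampleClaims uses constructed values and the PR's default 30-second TTL.
func SampleClaims(now time.Time) Claims {
	return Claims{"iss": Issuer, "aud": Audience, "iat": now.Unix(), "exp": now.Add(30 * time.Second).Unix(),
		"sub": "organization:simple:workspace:simple", "jti": "constructed-jti-0001",
		"terrakube_workspace_id": "ws-0001", "terrakube_organization_id": "org-0001", "terrakube_job_id": "job-0001"}
}

// RunExample issues one token with a fresh 2048-bit key (the PR's openssl key size) and verifies it.
func RunExample() (Claims, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tok, err := SignToken(key, KeyID, SampleClaims(now))
	if err != nil {
		return nil, err
	}
	return VerifyToken(tok, BuildJWKS(&key.PublicKey, KeyID), Issuer, Audience, now)
}

func main() { fmt.Println(RunExample()) }
```

Two points worth keeping in mind when wiring this up for real. On the key-format note above: Go reads a "-----BEGIN PRIVATE KEY-----" block with x509.ParsePKCS8PrivateKey and a "-----BEGIN RSA PRIVATE KEY-----" block with x509.ParsePKCS1PrivateKey; OpenSSL 3 writes the PKCS#8 form from openssl genrsa directly, while OpenSSL 1.1 wrote the PKCS#1 form, which is why the pkcs8 -topk8 conversion step matters on older toolchains. On the JWKS document: the "n" value in the PR starts with "AL", i.e. a leading 0x00 byte (what Java's BigInteger.toByteArray emits for a modulus with the top bit set); big.Int.SetBytes tolerates it, but RFC 7518 requires the minimum number of octets, so a strict JWK consumer may reject such a key, and the published modulus is worth checking against the PEM public key before pointing Entra at the endpoint.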


sonarcloud bot commented Apr 19, 2024

@alfespa17 alfespa17 changed the title Dynamic credentials support Azure Dynamic provider credentials support Apr 19, 2024
@alfespa17 alfespa17 merged commit 97a2ba1 into main Apr 19, 2024
4 checks passed
Successfully merging this pull request may close these issues.

Major cloud integration - AWS, GCP and AZURE Dynamic Provider Credentials