Merge pull request #279 from brk3/feature/custom-aadpodidentity-selector

Allow full kustomisation of aad-msi-binding.yaml
Azure · Dec 8, 2021 · 5f8f241 · 5f8f241
2 parents 4bd83a3 + e125497
commit 5f8f241
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 5 deletions.
diff --git a/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml b/caf_solution/add-ons/aad-pod-identity/aad-msi-binding.yaml
@@ -1,9 +1,12 @@
 # https://github.com/Azure/aad-pod-identity/blob/b3ee1d07209f26c47a96abf3ba20749932763de6/website/content/en/docs/Concepts/azureidentity.md
+#
+# Note, while the ${} values are not required for kustomize to work, they signify which values are
+# eligible for configuration.
 
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentity
 metadata:
-    name: podmi-caf-rover-platform-level0
+    name: ${azureidentity_name}
 spec:
     type: 0
     resourceID: ${resource_id}
@@ -12,8 +15,8 @@ spec:
 apiVersion: aadpodidentity.k8s.io/v1
 kind: AzureIdentityBinding
 metadata:
-    name: podmi-gitlab-runner-binding
+    name: ${azureidentitybinding_name}
 spec:
-    azureIdentity: podmi-caf-rover-platform-level0
-    selector: podmi-caf-rover-platform-level0
+    azureIdentity: ${azureidentity_name}
+    selector: ${azureidentity_selector}
 
diff --git a/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf b/caf_solution/add-ons/aad-pod-identity/aad_pod_identity.tf
@@ -27,6 +27,18 @@ data "kustomization_overlay" "aad_pod_identity" {
 
   namespace = var.aad_pod_identity.namespace
 
+  patches {
+    patch = <<-EOF
+      - op: replace
+        path: /metadata/name
+        value: ${each.value.name}
+    EOF
+
+    target = {
+      kind = "AzureIdentity"
+    }
+  }
+
   patches {
     patch = <<-EOF
       - op: replace
@@ -87,11 +99,13 @@ data "kustomization_overlay" "aad_pod_identity" {
     }
   }
 
+  # You can provide a managed_identities.<key>.aadpodidentity_selector to specify the value here,
+  # alternatively provide none to have the MSI name used as the selector.
   patches {
     patch = <<-EOF
       - op: replace
         path: /spec/selector
-        value: ${each.value.name}
+        value: ${each.value.selector}
     EOF
 
     target = {
@@ -112,6 +126,7 @@ locals {
           for msi_key in value.msi_keys : {
             key       = key
             msi_key   = msi_key
+            selector  = try(value.aadpodidentity_selector, local.remote.managed_identities[value.lz_key][msi_key].name)
             client_id = local.remote.managed_identities[value.lz_key][msi_key].client_id
             id        = local.remote.managed_identities[value.lz_key][msi_key].id
             name      = local.remote.managed_identities[value.lz_key][msi_key].name