Does tf-controller support workload identity for Azure? #561
Comments
It looks like a Terraform error. To me it seems like the backend isn't configured properly.
Thank you for the immediate answer. When I tried the method using this injected sidecar, I was able to set it to the backend.
In the above, since the authentication error has disappeared, it seems that the cause is not the backend setting, but that Azure workload identity is not supported. If you have a successful track record with Azure workload identity, I would be happy if you could let me know.
It does. I have tf-controller running on AKS with workload identity with no problem. Env variables that should be set on the runner pod:

```yaml
- name: ARM_USE_OIDC
  value: "true"
- name: ARM_OIDC_TOKEN_FILE_PATH
  value: "/var/run/secrets/azure/tokens/azure-identity-token"
```

Example yaml:

```yaml
apiVersion: infra.contrib.fluxcd.io/v1alpha1
kind: Terraform
metadata:
  name: terraformhello
  namespace: default
spec:
  tfstate:
    forceUnlock: auto
  backendConfig:
    customConfiguration: |
      backend "azurerm" {
        resource_group_name  = "l"
        storage_account_name = ""
        container_name       = "tfstate"
        key                  = "helloworld.tfstate"
        use_oidc             = true
      }
  interval: 1m
  serviceAccountName: service_account_registered_in_aad
  approvePlan: auto
  destroy: true
  path: ./tests/fixture
  sourceRef:
    kind: GitRepository
    name: terraformhello
    namespace: flux-system
  runnerPodTemplate:
    spec:
      image: azure_cli_runner.xxx
      env:
        - name: ARM_USE_OIDC
          value: "true"
        - name: ARM_SUBSCRIPTION_ID
          value: ""
        - name: ARM_TENANT_ID
          value: ""
        - name: ARM_CLIENT_ID
          value: ""
        - name: ARM_OIDC_TOKEN_FILE_PATH
          value: "/var/run/secrets/azure/tokens/azure-identity-token"
```
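A pre-flight check for the runner pod configuration above, added here as an example that is not part of this issue or of the tf-controller project: it validates the ARM_* environment variables and decodes (without verifying) the projected token at the path from the comment to confirm its audience, subject and expiry are what the azurerm provider will present to Entra ID. The default audience `api://AzureADTokenExchange` and the `system:serviceaccount:<ns>:<sa>` subject format are assumptions taken from Azure workload identity, not from this thread; the sample token is constructed and unsigned.

```python
import base64
import json
import time

TOKEN_PATH = "/var/run/secrets/azure/tokens/azure-identity-token"  # from the pod spec above
REQUIRED_ENV = ("ARM_USE_OIDC", "ARM_CLIENT_ID", "ARM_TENANT_ID",
                "ARM_SUBSCRIPTION_ID", "ARM_OIDC_TOKEN_FILE_PATH")
EXPECTED_AUD = "api://AzureADTokenExchange"  # assumed: default audience the webhook projects


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_runner(env, token, namespace, service_account, now=None):
    """Return findings explaining why azurerm OIDC auth would fail; [] means OK.
    env is the pod environment, token the contents of TOKEN_PATH (None if absent)."""
    findings = []
    for name in REQUIRED_ENV:
        if not env.get(name):
            findings.append(f"env {name} is missing or empty")
    if env.get("ARM_USE_OIDC", "").lower() != "true":
        findings.append('ARM_USE_OIDC must be "true"')
    if env.get("ARM_OIDC_TOKEN_FILE_PATH") != TOKEN_PATH:
        findings.append(f"ARM_OIDC_TOKEN_FILE_PATH should be {TOKEN_PATH}")
    if token is None:
        findings.append(f"{TOKEN_PATH} absent: webhook did not mutate the pod")
        return findings
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:  # covers bad base64 and bad JSON too
        return findings + [f"projected token is not a JWT: {exc}"]
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if EXPECTED_AUD not in aud:
        findings.append(f"token aud {aud} does not include {EXPECTED_AUD}")
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        findings.append(f"token sub {claims.get('sub')!r} != {expected_sub!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        findings.append("projected token has expired")
    return findings


def unsigned_sample_token(claims):
    """Build a constructed, unsigned JWT so the check can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

In a real runner pod, pass `dict(os.environ)` and the file contents read from `TOKEN_PATH`; the subject mismatch case is the one that shows up when `serviceAccountName` in the Terraform CR differs from the account federated in Entra ID.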
Hey, if I want to use it to import existing resources from Azure, and create/update/delete Azure resources and Tencent Cloud resources, is it workable for me? The doc is too simple to understand.
I do not see why not. Import existing resources to some tfstate stored on a storage account and that's it. I haven't been looking into the tf controller recently, and I am unsure how to integrate existing infra with tfstate stored in K8s as a secret.
I want to find a mature solution; however, there are so few docs for best practices, and there is no practice and multicloud management best practice.
Candidate for writing up in "How to tf-controller with Azure", or does it need more investigation @chanwit? |
@squaremo No further investigation needed. We can go straight to writing docs. |
Does Terraform Controller support workload identity for Azure? (see https://github.com/Azure/azure-workload-identity)
After deploying the Terraform controller to Azure with a HelmRelease, when I deploy the Terraform resource I get the following authentication error in the tf-runner pod.
Appropriate Azure Managed ID privileges are granted to the workload identity for the service account, so if Terraform Controller supports it, an authentication error should not occur. Is it not currently supported?