Open hundredacres opened 4 months ago
[!IMPORTANT] The "Needs: Triage :mag:" label must be removed once the triage process is complete!
[!TIP] For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.
[!NOTE] This label was added as per ITA06.
You can see a working example here: https://github.com/Azure/bicep-registry-modules/pull/2093
[!WARNING] Tagging the AVM Core Team (@Azure/avm-core-team-technical-bicep) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.
[!TIP]
- To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
- To avoid this rule being (re)triggered, the ""Needs: Triage :mag:" label must be removed as part of the triage process (when the issue is first responded to)!
[!NOTE] This message was posted as per ITA01BCP.
[!CAUTION] This issue requires the AVM Core Team's (@Azure/avm-core-team-technical-bicep) immediate attention as it hasn't been responded to within 6 business days.
[!TIP]
- To avoid this rule being (re)triggered, the "Needs: Triage :mag:" and "Status: Response Overdue :triangular_flag_on_post:" labels must be removed when the issue is first responded to!
- Remove the "Needs: Immediate Attention :bangbang:" label once the issue has been responded to.
Several options have been investigated and the resulting suggested approach is the one implemented in PR #2701: auth-type SERVICE_PRINCIPAL + Entity type Environment
The 2 main criteria leading to the above are:
Background:
SERVICE_PRINCIPAL
and IDENTITY
(managed identity). Authentication via msi has been discarded since only supported by self-hosted runners.GitHub Actions deploying Azure resources
Federated credential scenario, Azure supports 4 entity types
Tested options have been Branch and Environment.
Note: the implementation proposed in PR #2701 is backward compatible, meaning after being merged, contributors not yet setting up OIDC in their fork will continue to be supported by azure login via service principal secrets
Next steps:
Check for previous/existing GitHub issues
Description
Guidance is to not use secrets in Service Principal connections and the contribution docs have steps for setting up this connection with a secret. Are there plans to replace secrets with federated credentials?