Closed pmatthews05 closed 2 years ago
I see this has failed checks. Could someone advise what I need to do?
@pmatthews05 This is related to the security credentials the CI is using to test your PR (https://github.community/t/allow-secrets-to-be-shared-with-forks-from-trusted-actions/16525). I will merge it to an integration branch to fix this issue.
Hi @pmatthews05 as discussed in in #218, we are replacing with --impersonate-from-keyvault in order to simplify operations.
@arnaudlh thank you. Is there documentation on how to setup and use the --impersonate-from-keyvault?
@pmatthews05 I can document this if I remember :) In general its basically:
sp-client-id
, sp-client-secret
and sp-tenant-id
to the vaultrover --impersonate-sp-from-keyvault-url https://myvault.vault.azure.net
When first deploy LandingZones with level0 it is deployed with a user account. During the deployment of Level0 the following Service Principal is created - [prefix]-caf_launchpad_level0.
The clientID, Secret is stored within Level0 keyvault [prefix]-kv-level0 as the following 3 values: aadapp-caf-launchpad-level0-client-id aadapp-caf-launchpad-level0-client-secret aadapp-caf-launchpad-level0-tenant-id
launchpad-secret-prefix <- Currently missing from the scenerio 200.
With those 4 values above in the keyvault, it then allows the user to use the service principal going forward instead of a user account.
The code get's the ClientID and Secret, logs in as the service principal and apply terraform as that service principal.
The changes made in this pull request:
TF_VAR_logged_user_objectId
orTF_VAR_logged_aad_app_objectId
is correctly set instead of both as they are currently. This change is to help in fixing the issue https://github.com/aztfmod/terraform-azurerm-caf/issues/541. This pull request on it's own will not fix the issue. As I need to submit pull requests for: