The current azure bootstrap module implements a very simple deployment workflow by delegating all permissions to an cloudfoundation_tf_deploy SPN and setting that up as the authentication for collie's platform modules (via terragrunt).
This means controlling access to the terraform state (which contains the secret for the SPN) = controlling access to who can deploy cloud foundation. This is currently done via an azure ad group (platform_engineers group). Bootstrapping requires an "out of band" admin user.
Where this solution falls short is the following
we regularly need to perform bootstrap in order to rotate SPN credential
it's difficult to give "read only" access to an automation pipeline (in order to generate terraform plans, but not have a CI/CD system wield power to actually deploy changes see #102 )
On GCP we can use ServiceAccount impersonation for this as it lets us get rid of the credential, but Azure does not have this.
The current azure bootstrap module implements a very simple deployment workflow by delegating all permissions to an
cloudfoundation_tf_deploySPN and setting that up as the authentication for collie's platform modules (via terragrunt).This means controlling access to the terraform state (which contains the secret for the SPN) = controlling access to who can deploy cloud foundation. This is currently done via an azure ad group (
platform_engineersgroup). Bootstrapping requires an "out of band" admin user.Where this solution falls short is the following
On GCP we can use ServiceAccount impersonation for this as it lets us get rid of the credential, but Azure does not have this.