create MI and federated credential for each branch defined in gh_repos (

#1128)

terraform/subscriptions/s941/dev/federatedcredential/main.tf

@@ -1,9 +1,15 @@
+locals {
+  userassignedidentities      = local.external_outputs.userassignedidentity.data
+  gh_repo_branch_combinations = local.external_outputs.global.data.gh_repo_branch_combinations
+}
+
 module "federatedcredential" {
+  for_each            = local.userassignedidentities
   source              = "../../../modules/federatedcredential"
-  parent_id           = local.external_outputs.userassignedidentity.data.id
+  parent_id           = each.value.data.id
   audiences           = ["api://AzureADTokenExchange"]
-  name                = "radix-canary-master"
+  name                = each.key
   issuer              = "https://token.actions.githubusercontent.com"
-  subject             = "repo:equinor/radix-canary:ref:refs/heads/master"
+  subject             = "repo:equinor/${local.gh_repo_branch_combinations[each.key].repo}:ref:refs/heads/${local.gh_repo_branch_combinations[each.key].branch}"
   resource_group_name = local.external_outputs.common.data.resource_group
 }

terraform/subscriptions/s941/dev/federatedcredential/outputs.tf

@@ -1,3 +1,3 @@
 output "data" {
-  value = module.federatedcredential.data
+  value = module.federatedcredential
 }

terraform/subscriptions/s941/dev/userassignedidentity/main.tf

@@ -1,10 +1,20 @@
+locals {
+  aad_radix_group             = local.external_outputs.global.data.aad_radix_group
+  environment                 = local.external_outputs.clusters.data.enviroment
+  gh_repo_branch_combinations = local.external_outputs.global.data.gh_repo_branch_combinations
+  gh_repos                    = local.external_outputs.global.data.gh_repos
+  location                    = local.external_outputs.common.data.location
+  resource_group              = local.external_outputs.common.data.resource_group
+}
+
 data "azuread_group" "radix_group" {
-  display_name = local.external_outputs.global.data.aad_radix_group
+  display_name = local.aad_radix_group
 }
 
 module "userassignedidentity" {
+  for_each            = local.gh_repo_branch_combinations
   source              = "../../../modules/userassignedidentity"
-  name                = "id-radix-github-workflows-1-${local.external_outputs.clusters.data.enviroment}-test"
-  resource_group_name = "${local.external_outputs.common.data.resource_group}"
-  location            = "${local.external_outputs.common.data.location}"
+  name                = "id-radix-github-workflows-${each.value.name}"
+  resource_group_name = local.resource_group
+  location            = local.location
 }

terraform/subscriptions/s941/dev/userassignedidentity/outputs.tf

@@ -1,3 +1,3 @@
 output "data" {
-  value = module.userassignedidentity.data
+  value = module.userassignedidentity
 }

terraform/subscriptions/s941/globals/global.tf

@@ -1,12 +1,23 @@
 locals {
+  gh_repos = {
+    "radix-canary" : ["release", "master"]
+  }
+
   outputs = {
     tenant_id              = "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
     subscription_id        = "16ede44b-1f74-40a5-b428-46cca9a5741b"
     client_id              = "f1e6bc52-9aa4-4ca7-a9ac-b7a19d8f0f86"
     subscription_shortname = "s941"
     aad_radix_group        = "radix"
-    github_repos = {
-      "radix_canary" : ["release", "master"]
-    }
+    gh_repos               = local.gh_repos
+    gh_repo_branch_combinations = { for item in flatten([
+      for repo, branches in local.gh_repos : [
+        for branch in branches : {
+          name   = "${repo}-${branch}"
+          repo   = repo
+          branch = branch
+        }
+      ]
+    ]) : item.name => item }
   }
 }