Rework azure provider (#8)

1. Remove Application creation;
2. Re-use given application account;
3. Re-design to work with docker.

examples/azure/README.md

@@ -6,7 +6,7 @@ A very simple and basic example with fake data.
 
 1. Put the `KUBECONFIG` file in the same folder of the example with the name `config`.
 
-2. Ensure your environment has defined the following variable 
+2. Create a `terraform.tfvars` with the following variables: 
 
 ```bash
 ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
@@ -17,7 +17,9 @@ ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
 
 as [here explained](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret)
 
-3. Execute:
+> Your Service Principal must have permissions to both `Read and write all applications` and `Sign in and read user profile` within the Windows Azure Active Directory API.
+
+1. Execute:
 
 ```bash
 terraform init

examples/azure/main.tf

@@ -10,12 +10,18 @@ provider "helm" {
 }
 
 provider "azurerm" {
-  # Configuration options
   features {}
+
+  subscription_id = var.ARM_SUBSCRIPTION_ID
+  client_id       = var.ARM_CLIENT_ID
+  client_secret   = var.ARM_CLIENT_SECRET
+  tenant_id       = var.ARM_TENANT_ID
 }
 
 provider "azuread" {
-  # Configuration options
+  client_id     = var.ARM_CLIENT_ID
+  client_secret = var.ARM_CLIENT_SECRET
+  tenant_id     = var.ARM_TENANT_ID
 }
 
 module "azure_crossplane" {

examples/azure/variables.tf

@@ -10,3 +10,22 @@ variable "INSECURE_KUBECONFIG" {
   default     = false
 }
 
+variable "ARM_SUBSCRIPTION_ID" {
+  description = ""
+  type        = string
+}
+
+variable "ARM_CLIENT_ID" {
+  description = ""
+  type        = string
+}
+
+variable "ARM_CLIENT_SECRET" {
+  description = ""
+  type        = string
+}
+
+variable "ARM_TENANT_ID" {
+  description = ""
+  type        = string
+}

modules/azure-crossplane/files/azure-secret.json

@@ -0,0 +1,12 @@
+{
+    "clientId": "${client_id}",
+    "clientSecret": "${client_secret}",
+    "subscriptionId": "${subscription_id}",
+    "tenantId": "${tenant_id}",
+    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
+    "resourceManagerEndpointUrl": "https://management.azure.com/",
+    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
+    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
+    "galleryEndpointUrl": "https://gallery.azure.com/",
+    "managementEndpointUrl": "https://management.core.windows.net/"
+}

modules/azure-crossplane/main.tf

@@ -1,60 +1,10 @@
-# Import subscription data
-data "azurerm_subscription" "main" {
-}
-data "azurerm_client_config" "current" {
-}
-
-# Create Azure AD App random name
-
-resource "random_id" "main" {
-  byte_length = 8
-  prefix      = "kerberus-"
-}
-
-# Create Azure AD App
-resource "azuread_application" "main" {
-  display_name = random_id.main.hex
-  required_resource_access {
-    resource_app_id = var.azure_app_id
-
-    resource_access {
-      id   = "1cda74f2-2616-4834-b122-5cb1b07f8a59"
-      type = "Role"
-    }
-    resource_access {
-      id   = "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175"
-      type = "Role"
-    }
+data "azurerm_client_config" "current" {}
 
-  }
-
-}
-
-# Create Service Principal associated with the Azure AD App
-resource "azuread_service_principal" "main" {
-  application_id = azuread_application.main.application_id
+data "azuread_application" "current" {
+  application_id = data.azurerm_client_config.current.client_id
 }
 
-# Create Service Principal password
-resource "azuread_service_principal_password" "main" {
-  service_principal_id = azuread_service_principal.main.id
-  # value                = "${random_string.password.result}"
-  end_date_relative = "17520h"
-}
-
-# Create App password
 resource "azuread_application_password" "main" {
-  application_object_id = azuread_application.main.object_id
-  # value              = "${random_string.password.result}"
-  end_date_relative = "8760h"
-}
-
-# Create role assignment for service principal
-resource "azurerm_role_assignment" "main" {
-  scope                = data.azurerm_subscription.main.id
-  role_definition_name = "Owner"
-  principal_id         = azuread_service_principal.main.id
-  provisioner "local-exec" {
-    command = "az ad app permission admin-consent --id ${azuread_application.main.application_id}"
-  }
+  application_object_id = data.azuread_application.current.object_id
+  end_date_relative     = "8760h"
 }

modules/azure-crossplane/output.tf

@@ -6,8 +6,13 @@ output "provider" {
 }
 
 output "secret" {
-  description = "Azure secrets"
-  value       = join("\n", ["{ ", " \"clientId\": \"${azuread_application.main.application_id}\",", " \"clientSecret\": \"${azuread_application_password.main.value}\",", " \"subscriptionId\": \"${data.azurerm_subscription.main.subscription_id}\",", " \"tenantId\": \"${data.azurerm_client_config.current.tenant_id}\",", " \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com\",", " \"resourceManagerEndpointUrl\": \"https://management.azure.com/\",", " \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\",", " \"sqlManagementEndpointUrl\": \"https://management.core.windows.net:8443/\",", " \"galleryEndpointUrl\": \"https://gallery.azure.com/\",", " \"managementEndpointUrl\": \"https://management.core.windows.net/\"", "}"])
-  sensitive   = true
+  description = "Azure secret"
+  value = templatefile(join("/", [path.module, "./files/azure-secret.json"]), {
+    client_id : data.azurerm_client_config.current.client_id
+    client_secret : azuread_application_password.main.value
+    subscription_id : data.azurerm_client_config.current.subscription_id
+    tenant_id : data.azurerm_client_config.current.tenant_id
+  })
+  sensitive = true
 }
 

modules/azure-crossplane/variables.tf

@@ -1,7 +1,3 @@
-variable "azure_app_id" {
-  description = "Azure Resource to require access"
-  default     = "00000002-0000-0000-c000-000000000000"
-}
 variable "crossplane_registry" {
   description = "registry for the azure Crossplane package"
   type        = string