
feature: split service principal for plan and apply #27

Merged
merged 10 commits into from
Nov 2, 2023

Conversation

jaredfholgate
Member

@jaredfholgate jaredfholgate commented Oct 28, 2023

Overview/Summary

As per issue #24. This PR is to add an additional user assigned managed identity and isolate permissions for plan and apply. This PR is being done before some of the others as it is a significant refactor and makes sense to do it prior to layering other changes on top.

This change is driven by community asks for 'best practice' around security. This will be combined with a second issue for required templates to demonstrate how to secure a pipeline. We want this accelerator to be consumed by all customers, including those with tight security needs, so we are adding these features to enable that.

In the future it could also serve as a generic model for secure pipelines with Terraform if we extract it into module(s).

In summary, the initial implementation had:

  • 1 User Assigned Managed Identity
    • 2 Federated Credentials (plan and apply) on the same Managed Identity, mapped to the Environment (GitHub) or Service Connection (Azure DevOps)
  • 2 Service Connections for Azure DevOps (plan and apply)
  • 2 Environments (plan and apply)

This PR moves the model to:

  • 2 User Assigned Managed Identities (plan and apply)
    • Each has its own federated credential mapped to the Environment (GitHub) or Service Connection (Azure DevOps)
  • 2 Service Connections for Azure DevOps (plan and apply)
  • 2 Environments (plan and apply)

The .test template has been updated to include creating a management group and a resource group to prove the read and write permissions work as expected.

This PR fixes/adds/changes/removes

  1. Feature Request: Support Read Only Service Connection / Service Principal for Plan #24

Breaking Changes

There are no changes to the interface for users of the PowerShell module, all inputs remain the same. Just the deployed resources change.

Testing Evidence

E2E tests will be run as part of this PR.

Manual testing of:

  • CI / CD for Apply and Destroy with Management Groups and Resource Groups for:
    • GitHub
    • Azure DevOps WIF
    • Azure DevOps MSI

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation.
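The model described above, as an added Terraform example that is not part of this PR or the accelerator's own code: two user assigned managed identities, each trusting only the GitHub environment of the same name, with the plan identity limited to read-only roles. The org, repo, management group id, location and role names are assumptions to adjust for your tenant.

```hcl
locals {
  # Constructed sample values; replace with your own org, repo and management group.
  github_org = "example-org"
  github_repo = "example-alz"
  root_mg_id  = "/providers/Microsoft.Management/managementGroups/alz"
  # One identity per stage. Plan gets read-only roles; only apply gets write roles.
  # Role names are assumptions; use what your landing zone deployment actually needs.
  identities = {
    plan  = { roles = ["Reader"] }
    apply = { roles = ["Contributor"] }
  }
}

resource "azurerm_resource_group" "identity" {
  name     = "rg-alz-identity"
  location = "uksouth"
}

resource "azurerm_user_assigned_identity" "stage" {
  for_each            = local.identities
  name                = "id-alz-${each.key}"
  location            = azurerm_resource_group.identity.location
  resource_group_name = azurerm_resource_group.identity.name
}

# Each identity trusts only the GitHub environment of its own name ("plan" or "apply"),
# so a token issued to the plan environment cannot be exchanged for the apply identity.
resource "azurerm_federated_identity_credential" "github" {
  for_each            = local.identities
  name                = "fic-github-${each.key}"
  resource_group_name = azurerm_resource_group.identity.name
  parent_id           = azurerm_user_assigned_identity.stage[each.key].id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"
  subject             = "repo:${local.github_org}/${local.github_repo}:environment:${each.key}"
}

# Flatten (stage, role) pairs so each identity receives only the roles listed for its stage.
locals {
  role_assignments = {
    for pair in flatten([
      for stage, cfg in local.identities : [
        for role in cfg.roles : { key = "${stage}-${role}", stage = stage, role = role }
      ]
    ]) : pair.key => pair
  }
}

resource "azurerm_role_assignment" "stage" {
  for_each             = local.role_assignments
  scope                = local.root_mg_id
  role_definition_name = each.value.role
  principal_id         = azurerm_user_assigned_identity.stage[each.value.stage].principal_id
}
```

The matching GitHub workflow must run `terraform plan` in the `plan` environment and `terraform apply` in the `apply` environment, since the federated credential subject is what ties each job's OIDC token to one identity.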

@jaredfholgate jaredfholgate added the PR: Safe to test 🧪 Enables running of End to End Tests label Oct 28, 2023
@jaredfholgate jaredfholgate temporarily deployed to CSUTF October 28, 2023 11:16 — with GitHub Actions Inactive
@jaredfholgate jaredfholgate marked this pull request as ready for review October 28, 2023 11:18
@jaredfholgate
Member Author

I am merging this as it has been tested and is required as the basis for the next features.

@jaredfholgate jaredfholgate merged commit 42dbe0e into main Nov 2, 2023
21 checks passed
@jaredfholgate jaredfholgate deleted the feature-split-service-principal branch November 2, 2023 17:37