implement resources for azure

src/azure.tf

@@ -0,0 +1,52 @@
+data "azurerm_subscription" "this" {}
+
+data "azuread_client_config" "this" {}
+
+# Resource group to contain resources for Actions on GHES with OIDC
+resource "azurerm_resource_group" "this" {
+  name     = local.ghes_instance_name
+  location = "West Europe"
+}
+
+resource "random_string" "az_storage_account_name" {
+  length  = 24
+  lower   = true
+  numeric = true
+  special = false
+  upper   = false
+}
+
+# Storage Account for Actions data
+resource "azurerm_storage_account" "this" {
+  name                = random_string.az_storage_account_name.result
+  resource_group_name = azurerm_resource_group.this.name
+  location            = azurerm_resource_group.this.location
+  account_tier        = "Standard"
+  # Locally redundant storage (cheapest)
+  account_replication_type = "LRS"
+}
+
+# Azure Active Directory (AAD) application for OIDC
+resource "azuread_application" "this" {
+  display_name = local.ghes_instance_name
+}
+
+resource "azuread_application_federated_identity_credential" "this" {
+  application_id = azuread_application.this.id
+  display_name   = local.ghes_instance_name
+  description    = "OIDC for Actions on GHES"
+  audiences      = ["api://AzureADTokenExchange"]
+  issuer         = local.issuer_uri
+  subject        = local.ghes_url
+}
+
+# Grant the AAD Application access to the Storage Account
+resource "azuread_service_principal" "this" {
+  client_id = azuread_application.this.client_id
+}
+
+resource "azurerm_role_assignment" "this" {
+  scope                = data.azurerm_subscription.this.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = azuread_service_principal.this.id
+}

src/gcp.tf

@@ -1,9 +1,3 @@
-locals {
-  gcp_project_id = var.GCP_PROJECT_ID
-  ghes_hostname  = var.GHES_HOSTNAME
-  ghes_url       = var.GHES_URL
-}
-
 data "google_project" "this" {
   project_id = local.gcp_project_id
 }
@@ -22,31 +16,31 @@ resource "google_project_service" "iam_credentials" {
 resource "google_iam_workload_identity_pool" "this" {
   project                   = data.google_project.this.project_id
   workload_identity_pool_id = "wip-ghes"
-  description               = "Identity Pool for GHES instance ${local.ghes_hostname}."
+  description               = "Identity Pool for GHES instance ${local.ghes_instance_name}."
 }
 
 resource "google_iam_workload_identity_pool_provider" "this" {
   project                            = data.google_project.this.project_id
   workload_identity_pool_id          = google_iam_workload_identity_pool.this.workload_identity_pool_id
   workload_identity_pool_provider_id = "wipp-ghes-oidc"
-  description                        = "Identity Pool Provider for OIDC on GHES instance ${local.ghes_hostname}."
+  description                        = "Identity Pool Provider for OIDC on GHES instance ${local.ghes_instance_name}."
 
   attribute_condition = "google.subject == \"${local.ghes_url}\""
   attribute_mapping = {
     "google.subject" = "assertion.sub"
   }
 
   oidc {
-    issuer_uri = "https://${local.ghes_url}/_services/token"
+    issuer_uri = local.issuer_uri
   }
 }
 
 # Create service account and assign required permissions
 resource "google_service_account" "this" {
   project      = data.google_project.this.project_id
-  account_id   = "sa-${substr(local.ghes_hostname, 0, 20)}-oidc"
+  account_id   = "sa-${substr(local.ghes_instance_name, 0, 20)}-oidc"
   display_name = "Service Account for OIDC on GHES"
-  description  = "Service Account for OIDC on GHES instance ${local.ghes_hostname}."
+  description  = "Service Account for OIDC on GHES instance ${local.ghes_instance_name}."
 }
 
 resource "google_project_iam_binding" "sa_storage" {
@@ -71,7 +65,7 @@ resource "google_service_account_iam_binding" "sa_workload_identity" {
 # Storage bucket for Actions data
 resource "google_storage_bucket" "this" {
   project = data.google_project.this.project_id
-  name    = "sb-${local.ghes_hostname}"
+  name    = "sb-${local.ghes_instance_name}"
 
   location                    = "EUROPE-WEST4"
   storage_class               = "STANDARD"

src/main.tf

@@ -0,0 +1,10 @@
+locals {
+  ghes_instance_name = var.GHES_INSTANCE_NAME
+  ghes_url           = var.GHES_URL
+  issuer_uri         = "https://${local.ghes_url}/_services/token"
+
+  azure_blob_endpoint_suffix = "core.windows.net"
+
+  gcp_project_id  = var.GCP_PROJECT_ID
+  gcp_service_url = "storage.googleapis.com"
+}

src/outputs.tf

@@ -1,12 +1,22 @@
-locals {
-  gcp_service_url = "storage.googleapis.com"
-}
-
 # GitHub Enterprise Server URL
 output "ghes_settings_url" {
   value = "https://${local.ghes_url}:8443"
 }
 
+# Azure Configuration for OIDC
+output "azure_tenant_id" {
+  value = data.azuread_client_config.this.tenant_id
+}
+output "azure_client_id" {
+  value = azuread_application.this.client_id
+}
+output "azure_storage_account_name" {
+  value = azurerm_storage_account.this.name
+}
+output "azure_blob_endpoint_suffix" {
+  value = local.azure_blob_endpoint_suffix
+}
+
 # Google Cloud Configuration for OIDC
 output "gcp_service_url" {
   value = "https://${local.gcp_service_url}"

src/provider.tf

@@ -1,3 +1,6 @@
-provider "azurerm" {}
+provider "azurerm" {
+  features {}
+}
+provider "azuread" {}
 provider "aws" {}
 provider "google" {}

src/terraform.tfvars.example

@@ -1,3 +1,3 @@
-GHES_HOSTNAME  = ""
+GHES_INSTANCE_NAME  = ""
 GHES_URL       = ""
 GCP_PROJECT_ID = ""

src/variables.tf

@@ -1,5 +1,5 @@
 # The hostname of the GHES instance (e.g. my-ghes-instance)
-variable "GHES_HOSTNAME" {
+variable "GHES_INSTANCE_NAME" {
   type = string
 }
 

src/versions.tf

@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = "3.83.0"
     }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.46.0"
+    }
     aws = {
       source  = "hashicorp/aws"
       version = "5.29.0"