RELOPS-2209: replace puppet kitchen identity with ronin OIDC by jwmossmoz · Pull Request #283 · mozilla-platform-ops/relops_infra_as_code

jwmossmoz · 2026-02-19T14:45:57Z

Summary

replace legacy sp_puppet_test_kitchen.tf resources with a fresh kitchen-ronin-puppet.tf identity
create ronin-puppet-test-kitchen app registration and service principal owned by Relops group members
add GitHub Actions OIDC federated credentials for pull_request and refs/heads/*
grant subscription-level Contributor role assignment to the new service principal
migrate terraform/azure_ad provider constraint to hashicorp/azuread ~> 3
update AzureAD v3-incompatible ID usage (id -> object_id where UUIDs are required)
ignore and untrack terraform/azure_ad/.terraform.lock.hcl
related workflow PR: [RELOPS-2111] Add Windows 11 25H2 Test Kitchen integration testing ronin_puppet#1055

terraform fmt on changed files
unable to run full init/plan in this environment due expired AWS credentials (ExpiredToken from STS)

jwmossmoz added 3 commits February 19, 2026 09:45

RELOPS-2209: replace puppet kitchen identity with ronin OIDC

ffc3bdc

Ignore and untrack terraform lockfile in azure_ad

c4da16d

Migrate azure_ad module config to azuread provider v3

0aefd49

jwmossmoz requested review from aerickson, markcor and rcurranmoz February 19, 2026 15:08

rcurranmoz approved these changes Feb 19, 2026

View reviewed changes

jwmossmoz merged commit 805548b into master Feb 19, 2026
1 check passed

jwmossmoz mentioned this pull request Feb 19, 2026

RELOPS-2209: add Azure resource group for Kitchen Windows tests #285

Merged