From ffc3bdc30e072e763a45bbdc19c23e65bb0d7188 Mon Sep 17 00:00:00 2001
From: Jonathan Moss
Date: Thu, 19 Feb 2026 09:45:39 -0500
Subject: [PATCH 1/3] RELOPS-2209: replace puppet kitchen identity with ronin OIDC
---
 terraform/azure_ad/kitchen-ronin-puppet.tf | 48 ++++++++++++++++++++
 terraform/azure_ad/sp_puppet_test_kitchen.tf | 43 ------------------
 2 files changed, 48 insertions(+), 43 deletions(-)
 create mode 100644 terraform/azure_ad/kitchen-ronin-puppet.tf
 delete mode 100644 terraform/azure_ad/sp_puppet_test_kitchen.tf
diff --git a/terraform/azure_ad/kitchen-ronin-puppet.tf b/terraform/azure_ad/kitchen-ronin-puppet.tf
new file mode 100644
index 00000000..e544d1ee
--- /dev/null
+++ b/terraform/azure_ad/kitchen-ronin-puppet.tf
@@ -0,0 +1,48 @@
+data "azuread_group" "relops" {
+ display_name = "Relops"
+ security_enabled = true
+}
+
+resource "azuread_application" "ronin_puppet_test_kitchen" {
+ display_name = "ronin-puppet-test-kitchen"
+ owners = data.azuread_group.relops.members
+
+ web {
+ homepage_url = "https://github.com/mozilla-platform-ops/ronin_puppet"
+
+ implicit_grant {
+ access_token_issuance_enabled = false
+ id_token_issuance_enabled = true
+ }
+ }
+}
+
+resource "azuread_service_principal" "ronin_puppet_test_kitchen" {
+ client_id = azuread_application.ronin_puppet_test_kitchen.client_id
+ tags = concat(["name:ronin-puppet-test-kitchen"], local.sp_tags)
+ owners = data.azuread_group.relops.members
+}
+
+resource "azurerm_role_assignment" "ronin_puppet_test_kitchen_contributor" {
+ role_definition_name = "Contributor"
+ principal_id = azuread_service_principal.ronin_puppet_test_kitchen.object_id
+ scope = data.azurerm_subscription.currentSubscription.id
+}
+
+resource "azuread_application_federated_identity_credential" "ronin_puppet_test_kitchen_pr" {
+ application_id = azuread_application.ronin_puppet_test_kitchen.id
+ display_name = "github-actions-pr"
+ description = "GitHub Actions OIDC for pull_request workflows in mozilla-platform-ops/ronin_puppet"
+ audiences = ["api://AzureADTokenExchange"]
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:mozilla-platform-ops/ronin_puppet:pull_request"
+}
+
+resource "azuread_application_federated_identity_credential" "ronin_puppet_test_kitchen_branches" {
+ application_id = azuread_application.ronin_puppet_test_kitchen.id
+ display_name = "github-actions-branches"
+ description = "GitHub Actions OIDC for branch workflows in mozilla-platform-ops/ronin_puppet"
+ audiences = ["api://AzureADTokenExchange"]
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:mozilla-platform-ops/ronin_puppet:ref:refs/heads/*"
+}
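Review bot: `subject = "repo:mozilla-platform-ops/ronin_puppet:ref:refs/heads/*"` on `ronin_puppet_test_kitchen_branches` is compared by Entra as a literal string unless the credential uses the newer claims-matching-expression (flexible FIC) feature, so as written it probably never matches a branch run — and if it were turned into a real wildcard, any branch, plus any `pull_request` run via the sibling credential, could mint tokens for a principal that holds `Contributor` on the entire subscription. I'd pin the subjects to what kitchen actually needs, e.g. `subject = "repo:mozilla-platform-ops/ronin_puppet:ref:refs/heads/main"` or an environment-scoped `repo:mozilla-platform-ops/ronin_puppet:environment:test-kitchen`, and point `ronin_puppet_test_kitchen_contributor` at the resource group kitchen provisions into rather than `data.azurerm_subscription.currentSubscription.id`, or add a comment recording why subscription-wide Contributor is required for a CI test identity. The `implicit_grant { id_token_issuance_enabled = true }` block appears carried over from the deleted app; a workload-identity-only application with no redirect URIs does not need implicit id-token issuance, so the `web` block can go (or be set to `false`). A short header comment such as `# CI identity for ronin_puppet test-kitchen runs; authenticates via GitHub Actions OIDC, no client secret` would also help the next reader tell this apart from the other service principals in the module.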
diff --git a/terraform/azure_ad/sp_puppet_test_kitchen.tf b/terraform/azure_ad/sp_puppet_test_kitchen.tf
deleted file mode 100644
index 38ec20df..00000000
--- a/terraform/azure_ad/sp_puppet_test_kitchen.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-resource "azuread_application" "puppet_test_kitchen" {
- display_name = "Puppet-Test-Kitchen"
- owners = [data.azuread_user.mcornmesser.id]
- api {
- known_client_applications = []
- mapped_claims_enabled = false
- requested_access_token_version = 1
-
- oauth2_permission_scope {
- admin_consent_description = "Allow the application to access Puppet-Test-Kitchen on behalf of the signed-in user."
- admin_consent_display_name = "Access Puppet-Test-Kitchen"
- enabled = true
- id = "bc09b9e2-ca7c-4109-9644-c620b6a6599b"
- type = "User"
- user_consent_description = "Allow the application to access Puppet-Test-Kitchen on your behalf."
- user_consent_display_name = "Access Puppet-Test-Kitchen"
- value = "user_impersonation"
- }
- }
-
- web {
- redirect_uris = []
-
- implicit_grant {
- access_token_issuance_enabled = false
- id_token_issuance_enabled = true
- }
- }
-}
-
-resource "azuread_service_principal" "puppet_test_kitchen" {
- client_id = azuread_application.puppet_test_kitchen.client_id
- tags = concat(["name:Puppet-Test-Kitchen"], local.sp_tags)
- owners = [
- "4e48c4fe-303d-4d1d-bd6f-76f39f7b1c08"
- ]
-}
-
-resource "azurerm_role_assignment" "puppet_test_kitchen_contributor" {
- role_definition_name = "Contributor"
- principal_id = azuread_service_principal.puppet_test_kitchen.object_id
- scope = data.azurerm_subscription.currentSubscription.id
-}
\ No newline at end of file
From c4da16d07c70b93423816ad33ec022d11b3c59df Mon Sep 17 00:00:00 2001
From: Jonathan Moss
Date: Thu, 19 Feb 2026 09:58:10 -0500
Subject: [PATCH 2/3] Ignore and untrack terraform lockfile in azure_ad
---
 .gitignore | 2 +
 terraform/azure_ad/.terraform.lock.hcl | 64 --------------------
 2 files changed, 2 insertions(+), 64 deletions(-)
 delete mode 100644 terraform/azure_ad/.terraform.lock.hcl
diff --git a/.gitignore b/.gitignore
index 76fc613b..a319bdcc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,8 @@ override.tf.json
 # Ignore transient lock info files created by terraform apply
 .terraform.tfstate.lock.info
+*.terraform.lock*
+
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
diff --git a/terraform/azure_ad/.terraform.lock.hcl b/terraform/azure_ad/.terraform.lock.hcl
deleted file mode 100644
index e888833e..00000000
--- a/terraform/azure_ad/.terraform.lock.hcl
+++ /dev/null
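Review bot: Adding `*.terraform.lock*` to `.gitignore` (and deleting `terraform/azure_ad/.terraform.lock.hcl` in the next hunk) drops the provider hash pinning that HashiCorp recommends committing, so each `terraform init` will resolve `aws`/`azuread`/`azurerm` afresh within their `~>` constraints with no known-good checksum to verify the download against. If the motivation is cross-platform `h1:` hash mismatches, the usual fix is to keep the file tracked and extend it with `terraform providers lock -platform=linux_amd64 -platform=darwin_arm64` (whichever platforms CI and developers use) rather than to ignore it. If untracking is deliberate, the commit message should say why, and the pattern would be better narrowed to `.terraform.lock.hcl` so it cannot swallow unrelated files whose names happen to contain `.terraform.lock`.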
@@ -1,64 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "6.30.0" - hashes = [ - "h1:FNkicntiPhllPhKf8uBJTCQVY/cqN/sXa/LwE4Q0ML8=", - "zh:08fdcbb84b63739b758fd2f657303f495859ae15f2d6c3dbd642520cadb5f063", - "zh:1e69ff49906541cd511bdabcd4b2996a731b1642ba26b834cdac5432e8d5c557", - "zh:3aa23e3af1fb1dd0c025cb8fb73abdabd3f44b6a687a2a239947e7b0201b2f1f", - "zh:4b3b81e63eee913c874e8115d6a83d12bd9d7903446f91be15ba50c583c79549", - "zh:6e93a72d8770d73a4122dc82af33a020d58feeaca4e194a2685dce30dbcdce24", - "zh:74be722c9a64b95e06554cde0bef624084cc5a5ea7f3373f1975b7a4737d7074", - "zh:7d2acf6bc93be26504fd0e2965c77699a49549f74a767d0a81430d9e12d51358", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:aef629bc537b4cc0f64ece87bc2bfdb3e032a4d03a3f7f301f4c84ffdc2ac1ac", - "zh:b41dcc4a2c8e356d82d3f92629aab0e25849db106a43e7adf06d8c6bda7af4c9", - "zh:b4d7a9cf9ad5ac5dd07f4ea1e834b63f14e752f9aca9452cd99570fed16e0c12", - "zh:bcb20f64b9b4599fa746305bcff7eeee3da85029dc467f812f950cf45b519436", - "zh:e45a520b82a1d2d42360db1b93d8e96406a7548948ed528bac5018e1d731c5c6", - "zh:f743e4a0e10dc64669469e6a22e47012f07fb94587f5a1e8cf5431da4e878ae1", - "zh:fe1895af7dcc5815896f892b2593fe71b7f4f364b71d9487d6e8b10ef244c11c", - ] -} - -provider "registry.terraform.io/hashicorp/azuread" { - version = "2.53.1" - constraints = "~> 2.0" - hashes = [ - "h1:EZNO8sEtUABuRxujQrDrW1z1QsG0dq6iLbzWtnG7Om4=", - "zh:162916b037e5133f49298b0ffa3e7dcef7d76530a8ca738e7293373980f73c68", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:492931cea4f30887ab5bca36a8556dfcb897288eddd44619c0217fc5da2d57e7", - "zh:4c895e450e18335ad8714cc6d3488fc1a78816ad2851a91b06cb2ef775dd7c66", - "zh:60d92fdaf7235574201f2d8f68f733ee00a822993b3fc95e6952e09e6ec76999", - "zh:67a169119efa41c1fb867ef1a8e79bf03472a2324384c36eb55370c817dcce42", - 
"zh:9dd4d5ed9233cf9329262200bc5a1aa60942b80dbc611e2ef4b09f47531b39b1", - "zh:a3c160e35b9e40fc1497b83c2f37a8e24565b05a1783c7733609f3695735c2a9", - "zh:a4a221da42b1f46e7c436c7145e5beaadfd9d03f3be6fd526d132c03f18a5979", - "zh:af0d3476a9702d2287e168e3baa670e64daab9c9b01c01e17025a5248f3e28e9", - "zh:e3579bff7894f3d36066b74ec324be6d28f56a42a387a2b8a0eabf33cbff86df", - "zh:f1749ee8ad972ae6424665aa9d2c0ece8c40c51d41ec2f38b863148cb437e865", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "4.58.0" - constraints = "~> 4.0" - hashes = [ - "h1:k0a/JkkhIEGrJ/oR7MZWbTZsUXHQ18JIPcVWBdW+V58=", - "zh:041c2a778ab4dd5a9af174b1d6f75409e5aabfc359cb386dfea3fb09e3f32709", - "zh:0a302531a61e7383acf99a6202d7984b2ea559306f45021381665c827a830d46", - "zh:0c69f132c7609683d907e87b89210a298d84c5b0121b62278949931bc54ca952", - "zh:0cadf48e9d2d9daed43212a3c9d886d7faaf68787b6e955456cbe4f43e4a17ec", - "zh:35ef4293d7731f6ff1f8bcba2c4529f987b7fac243c1ac1c154bbc02c9703c25", - "zh:3cb2679e1d56865e0ee0cf4c5d1404dbad0db42d11425e7bf0580a026cc64287", - "zh:4e56411f5119042d4962acff5c6d64224a49a69154ba80e6df63fa57b1e6d284", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:ca4626411a111720c220f9849c7d2e1fcd5d380f56459e096d835a9dbf9e6e13", - "zh:d31c4e65dcb096974479b2d548fffb86fc9a5262aff1b01fe62ef442ce536c6b", - "zh:d9631602999c1853e53ee2c5aef7476e23c7787beddc3599c10dbaa4891ba166", - "zh:f31ba7c9341037ceb7d49467946c01b2b0930404ed1d5643c1451f734a613a03", - ] -} From 0aefd49d8e0fd34282c408e7bdcda1d95a1f7bef Mon Sep 17 00:00:00 2001 
From: Jonathan Moss
Date: Thu, 19 Feb 2026 09:58:15 -0500
Subject: [PATCH 3/3] Migrate azure_ad module config to azuread provider v3
---
 terraform/azure_ad/groups.tf | 2 +-
 terraform/azure_ad/sp_ms_store_apitoken_app.tf | 4 ++--
 terraform/azure_ad/sp_packer_through_cib.tf | 4 ++--
 terraform/azure_ad/sp_packer_worker_images.tf | 8 ++++----
 terraform/azure_ad/sp_splunk.tf | 2 +-
 terraform/azure_ad/{versions.tf => terraform.tf} | 3 +--
 6 files changed, 11 insertions(+), 12 deletions(-)
 rename terraform/azure_ad/{versions.tf => terraform.tf} (88%)
diff --git a/terraform/azure_ad/groups.tf b/terraform/azure_ad/groups.tf
index de70c15c..58c5dcfb 100644
--- a/terraform/azure_ad/groups.tf
+++ b/terraform/azure_ad/groups.tf
@@ -15,6 +15,6 @@ data "azuread_user" "zero_din_members" {
 # Add members to the 0DIN group
 resource "azuread_group_member" "zero_din_membership" {
 for_each = data.azuread_user.zero_din_members
- group_object_id = azuread_group.zero_din.id
+ group_object_id = azuread_group.zero_din.object_id
 member_object_id = each.value.object_id
 }
diff --git a/terraform/azure_ad/sp_ms_store_apitoken_app.tf b/terraform/azure_ad/sp_ms_store_apitoken_app.tf
index 66c2a9ee..8c5f711e 100644
--- a/terraform/azure_ad/sp_ms_store_apitoken_app.tf
+++ b/terraform/azure_ad/sp_ms_store_apitoken_app.tf
@@ -1,6 +1,6 @@
 resource "azuread_application" "ms_store_apitoken_app" {
 display_name = "MS Store API Token app"
- owners = [data.azuread_user.mcornmesser.id]
+ owners = [data.azuread_user.mcornmesser.object_id]
 api {
 known_client_applications = []
 mapped_claims_enabled = false
@@ -31,4 +31,4 @@ resource "azuread_application" "ms_store_apitoken_app" {
 resource "azuread_service_principal" "ms_store_apitoken_app" {
 client_id = azuread_application.ms_store_apitoken_app.client_id
 tags = concat(["name:ms_store_apitoken_app"], local.sp_tags)
-}
\ No newline at end of file
+}
diff --git a/terraform/azure_ad/sp_packer_through_cib.tf b/terraform/azure_ad/sp_packer_through_cib.tf
index c6c8065b..02dede27 100644
--- a/terraform/azure_ad/sp_packer_through_cib.tf
+++ b/terraform/azure_ad/sp_packer_through_cib.tf
@@ -6,7 +6,7 @@ data "azuread_user" "mcornmesser" {
 resource "azuread_application" "Packer_Through_CIB" {
 display_name = "Packer_Through_CIB" # Packer bits live in the CloudImageBuilder repo
- owners = [data.azuread_user.mcornmesser.id]
+ owners = [data.azuread_user.mcornmesser.object_id]
 required_resource_access { # azure management service api
 resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
@@ -105,4 +105,4 @@ resource "azurerm_role_assignment" "Packer_Through_CIB_subscription_contributor"
 role_definition_name = "Contributor"
 principal_id = azuread_service_principal.Packer_Through_CIB.object_id
 scope = data.azurerm_subscription.currentSubscription.id
-}
\ No newline at end of file
+}
diff --git a/terraform/azure_ad/sp_packer_worker_images.tf b/terraform/azure_ad/sp_packer_worker_images.tf
index 1f2fc48c..a9e2d877 100644
--- a/terraform/azure_ad/sp_packer_worker_images.tf
+++ b/terraform/azure_ad/sp_packer_worker_images.tf
@@ -5,7 +5,7 @@ data "azuread_user" "jmoss" {
 # application: worker_images_dev
 resource "azuread_application" "worker_images_dev" {
 display_name = "worker_images_dev"
- owners = [data.azuread_user.jmoss.id]
+ owners = [data.azuread_user.jmoss.object_id]
 web {
 homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
 implicit_grant {
@@ -43,7 +43,7 @@ resource "azurerm_role_assignment" "worker_images_dev" {
 resource "azuread_application" "worker_images_fxci" {
 display_name = "worker_images_fxci"
- owners = [data.azuread_user.jmoss.id]
+ owners = [data.azuread_user.jmoss.object_id]
 web {
 homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
 implicit_grant {
@@ -81,7 +81,7 @@ resource "azurerm_role_assignment" "worker_images_fxci" {
 resource "azuread_application" "worker_images_fxci_trusted" {
 display_name = "worker_images_fxci_trusted"
- owners = [data.azuread_user.jmoss.id]
+ owners = [data.azuread_user.jmoss.object_id]
 web {
 homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
 implicit_grant {
@@ -120,7 +120,7 @@ resource "azurerm_role_assignment" "worker_images_fxci_trusted" {
 # application: worker_manager_tceng
 resource "azuread_application" "worker_images_tceng" {
 display_name = "worker_images_tceng"
- owners = [data.azuread_user.mcornmesser.id]
+ owners = [data.azuread_user.mcornmesser.object_id]
 api {
 known_client_applications = []
 mapped_claims_enabled = false
diff --git a/terraform/azure_ad/sp_splunk.tf b/terraform/azure_ad/sp_splunk.tf
index f52c37c2..cd28105d 100644
--- a/terraform/azure_ad/sp_splunk.tf
+++ b/terraform/azure_ad/sp_splunk.tf
@@ -1,6 +1,6 @@
 resource "azuread_application" "splunkeventhub" {
 display_name = "sp-infosec-splunkeventhub"
- owners = [data.azuread_user.jmoss.id]
+ owners = [data.azuread_user.jmoss.object_id]
 web {
 redirect_uris = []
diff --git a/terraform/azure_ad/versions.tf b/terraform/azure_ad/terraform.tf
similarity index 88%
rename from terraform/azure_ad/versions.tf
rename to terraform/azure_ad/terraform.tf
index 64811e2f..c298525e 100644
--- a/terraform/azure_ad/versions.tf
+++ b/terraform/azure_ad/terraform.tf
@@ -1,5 +1,4 @@
 terraform {
- required_version = ">= 0.15"
 required_providers {
 aws = {
 source = "hashicorp/aws"
@@ -10,7 +9,7 @@ terraform {
 }
 azuread = {
 source = "hashicorp/azuread"
- version = "~> 2"
+ version = "~> 3"
 }
 }
 }
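Review bot: Removing `required_version = ">= 0.15"` from `terraform.tf` without a replacement leaves this module with no Terraform CLI floor, which together with the untracked lockfile in the previous patch means neither core nor provider builds are pinned anywhere in the repo; azuread 3.x very likely needs a newer core than 0.15 anyway, so I'd replace the line rather than delete it, e.g. `required_version = ">= 1.5"` (or whatever CI actually runs). `version = "~> 3"` admits every 3.x release, and since provider behaviour for federated identity credentials (claims-matching support, argument names) moves across minors, a `~> 3.<minor>` floor would make the credentials in `kitchen-ronin-puppet.tf` reproducible. The `.id` → `.object_id` swaps in the other hunks of this patch match the v3 breaking change where `id` became the full resource ID, so no concern there.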