2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -27,6 +27,8 @@ override.tf.json
# Ignore transient lock info files created by terraform apply
.terraform.tfstate.lock.info

*.terraform.lock*

# Include override files you do wish to add to version control using negated pattern
# !example_override.tf

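Review bot: The `*.terraform.lock*` pattern (which I read as one of this hunk's two added lines), together with the deletion of terraform/azure_ad/.terraform.lock.hcl elsewhere in this PR, removes the provider checksum pinning that `terraform init` records, so every fresh init will trust whichever provider build currently satisfies the `~> 3` azuread constraint in the versions hunk at the end of the page. HashiCorp's guidance is to commit the dependency lock file precisely so that provider hashes are reviewed in the PR, the same supply-chain control a package lockfile gives. If the file was dropped because it only carried hashes for one platform, `terraform providers lock -platform=...` can record hashes for every platform the team uses instead of ignoring the file. I would drop the `*.terraform.lock*` line and restore the lock file, or add a comment here stating why the providers are intentionally left unpinned.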
64 changes: 0 additions & 64 deletions terraform/azure_ad/.terraform.lock.hcl

This file was deleted.

2 changes: 1 addition & 1 deletion terraform/azure_ad/groups.tf
Expand Up @@ -15,6 +15,6 @@ data "azuread_user" "zero_din_members" {
# Add members to the 0DIN group
resource "azuread_group_member" "zero_din_membership" {
for_each = data.azuread_user.zero_din_members
group_object_id = azuread_group.zero_din.id
group_object_id = azuread_group.zero_din.object_id
member_object_id = each.value.object_id
}
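--- a/terraform/azure_ad/kitchen-ronin-puppet.tf
+++ b/terraform/azure_ad/kitchen-ronin-puppet.tf
@@ -0,0 +1,48 @@
+data "azuread_group" "relops" {
+display_name = "Relops"
+security_enabled = true
+}
+
+resource "azuread_application" "ronin_puppet_test_kitchen" {
+display_name = "ronin-puppet-test-kitchen"
+owners = data.azuread_group.relops.members
+
+web {
+homepage_url = "https://github.com/mozilla-platform-ops/ronin_puppet"
+
+implicit_grant {
+access_token_issuance_enabled = false
+id_token_issuance_enabled = true
+}
+}
+}
+
+resource "azuread_service_principal" "ronin_puppet_test_kitchen" {
+client_id = azuread_application.ronin_puppet_test_kitchen.client_id
+tags = concat(["name:ronin-puppet-test-kitchen"], local.sp_tags)
+owners = data.azuread_group.relops.members
+}
+
+resource "azurerm_role_assignment" "ronin_puppet_test_kitchen_contributor" {
+role_definition_name = "Contributor"
+principal_id = azuread_service_principal.ronin_puppet_test_kitchen.object_id
+scope = data.azurerm_subscription.currentSubscription.id
+}
+
+resource "azuread_application_federated_identity_credential" "ronin_puppet_test_kitchen_pr" {
+application_id = azuread_application.ronin_puppet_test_kitchen.id
+display_name = "github-actions-pr"
+description = "GitHub Actions OIDC for pull_request workflows in mozilla-platform-ops/ronin_puppet"
+audiences = ["api://AzureADTokenExchange"]
+issuer = "https://token.actions.githubusercontent.com"
+subject = "repo:mozilla-platform-ops/ronin_puppet:pull_request"
+}
+
+resource "azuread_application_federated_identity_credential" "ronin_puppet_test_kitchen_branches" {
+application_id = azuread_application.ronin_puppet_test_kitchen.id
+display_name = "github-actions-branches"
+description = "GitHub Actions OIDC for branch workflows in mozilla-platform-ops/ronin_puppet"
+audiences = ["api://AzureADTokenExchange"]
+issuer = "https://token.actions.githubusercontent.com"
+subject = "repo:mozilla-platform-ops/ronin_puppet:ref:refs/heads/*"
+}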
4 changes: 2 additions & 2 deletions terraform/azure_ad/sp_ms_store_apitoken_app.tf
@@ -1,6 +1,6 @@
resource "azuread_application" "ms_store_apitoken_app" {
display_name = "MS Store API Token app"
owners = [data.azuread_user.mcornmesser.id]
owners = [data.azuread_user.mcornmesser.object_id]
api {
known_client_applications = []
mapped_claims_enabled = false
Expand Down Expand Up @@ -31,4 +31,4 @@ resource "azuread_application" "ms_store_apitoken_app" {
resource "azuread_service_principal" "ms_store_apitoken_app" {
client_id = azuread_application.ms_store_apitoken_app.client_id
tags = concat(["name:ms_store_apitoken_app"], local.sp_tags)
}
}
4 changes: 2 additions & 2 deletions terraform/azure_ad/sp_packer_through_cib.tf
Expand Up @@ -6,7 +6,7 @@ data "azuread_user" "mcornmesser" {
resource "azuread_application" "Packer_Through_CIB" {
display_name = "Packer_Through_CIB"
# Packer bits live in the CloudImageBuilder repo
owners = [data.azuread_user.mcornmesser.id]
owners = [data.azuread_user.mcornmesser.object_id]
required_resource_access {
# azure management service api
resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
Expand Down Expand Up @@ -105,4 +105,4 @@ resource "azurerm_role_assignment" "Packer_Through_CIB_subscription_contributor"
role_definition_name = "Contributor"
principal_id = azuread_service_principal.Packer_Through_CIB.object_id
scope = data.azurerm_subscription.currentSubscription.id
}
}
8 changes: 4 additions & 4 deletions terraform/azure_ad/sp_packer_worker_images.tf
Expand Up @@ -5,7 +5,7 @@ data "azuread_user" "jmoss" {
# application: worker_images_dev
resource "azuread_application" "worker_images_dev" {
display_name = "worker_images_dev"
owners = [data.azuread_user.jmoss.id]
owners = [data.azuread_user.jmoss.object_id]
web {
homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
implicit_grant {
Expand Down Expand Up @@ -43,7 +43,7 @@ resource "azurerm_role_assignment" "worker_images_dev" {

resource "azuread_application" "worker_images_fxci" {
display_name = "worker_images_fxci"
owners = [data.azuread_user.jmoss.id]
owners = [data.azuread_user.jmoss.object_id]
web {
homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
implicit_grant {
Expand Down Expand Up @@ -81,7 +81,7 @@ resource "azurerm_role_assignment" "worker_images_fxci" {

resource "azuread_application" "worker_images_fxci_trusted" {
display_name = "worker_images_fxci_trusted"
owners = [data.azuread_user.jmoss.id]
owners = [data.azuread_user.jmoss.object_id]
web {
homepage_url = "https://github.com/mozilla-platform-ops/worker-images"
implicit_grant {
Expand Down Expand Up @@ -120,7 +120,7 @@ resource "azurerm_role_assignment" "worker_images_fxci_trusted" {
# application: worker_manager_tceng
resource "azuread_application" "worker_images_tceng" {
display_name = "worker_images_tceng"
owners = [data.azuread_user.mcornmesser.id]
owners = [data.azuread_user.mcornmesser.object_id]
api {
known_client_applications = []
mapped_claims_enabled = false
43 changes: 0 additions & 43 deletions terraform/azure_ad/sp_puppet_test_kitchen.tf

This file was deleted.

2 changes: 1 addition & 1 deletion terraform/azure_ad/sp_splunk.tf
@@ -1,6 +1,6 @@
resource "azuread_application" "splunkeventhub" {
display_name = "sp-infosec-splunkeventhub"
owners = [data.azuread_user.jmoss.id]
owners = [data.azuread_user.jmoss.object_id]
web {
redirect_uris = []

@@ -1,5 +1,4 @@
terraform {
required_version = ">= 0.15"
required_providers {
aws = {
source = "hashicorp/aws"
Expand All @@ -10,7 +9,7 @@ terraform {
}
azuread = {
source = "hashicorp/azuread"
version = "~> 2"
version = "~> 3"
}
}
}
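Review bot: The first hunk's single deletion, which I read as the `required_version = ">= 0.15"` line since the other four lines are structural, leaves the `terraform` block with no CLI version constraint at all, so an operator on an older Terraform will only learn of the mismatch from a provider-side error after the azuread `~> 3` bump rather than from a clear version check at init. If the intent was to raise the floor for the major provider bump, replacing the line with a higher lower bound keeps that guard; if the removal is deliberate, a comment such as `# no required_version: <reason>` would save the next reader the question. The `~> 2` to `~> 3` change is a major-version bump that the `.id` to `.object_id` migrations elsewhere in this PR depend on, which is worth stating in the PR description. This section's file header is not shown on the page, so I cannot confirm which file it belongs to.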