feat: Fix issuer azure-mi module: (#125)

modules/azure-mi/README.md

@@ -33,7 +33,7 @@ No modules.
 | tags | A mapping of tags to assign to the resource | `map(string)` | n/a | no |
 | tags_from_rg | If true, the tags from the resource group will be inherited exclusively | `bool` | `false` | no |
 | rbac | A list of role-based access control (RBAC) policies to apply to the Managed Identity | <pre>list(object({<br> name: string (required)<br> scope: string (required)<br> roles: list(string) (required)<br>}))</pre> | n/a | yes |
-| federated_credentials | A list of federated credentials to assign to the Managed Identity, posible types are:<br><br>**kubernetes**: `issuer`, `namespace` and `service_account_name`<br>- `issuer`: The cluster issuer<br>- `namespace`: The namespace of the service account<br>- `service_account_name`: The name of the service account<br><br>**github**: `issuer`, `organization`, `repository` and `entity`<br>- `issuer`: The github issuer<br>- `organization`: The github organization<br>- `repository`: The github repository<br>- `entity`: The github entity \|Optional value, if not provided, the entity will be the repository. For other scenarios, the entity should be provided:<br>&nbsp;&nbsp;- environment: `environment:foo_enviroment`<br>&nbsp;&nbsp;- tags: `ref:refs/tags/foo_tag`<br>&nbsp;&nbsp;- branch: `ref:refs/heads/foo_branch`<br>&nbsp;&nbsp;- commit: `ref:refs/commits/foo_commit`<br><br>**other**: `issuer` and `subject`<br>- `issuer`: The issuer<br>- `subject`: The subject | <pre>list(object({<br> name: string (required)<br> type: string (required) - **kubernetes** \|\| **github** \|\| **other**<br> issuer: string (required)<br> namespace: string (required only when the type is **kubernetes**)<br> service_account_name: string (required only when the type is **kubernetes**)<br> organization: string (required only when the type is **github**)<br> repository: string (required only when the type is **github**)<br> entity: string (required only when the type is **github** and the entity is not the repository)<br> subject: string (required only when the type is **other**)<br>}))</pre> | `[]` | no |
+| federated_credentials | A list of federated credentials to assign to the Managed Identity, posible types are:<br><br>**kubernetes**: `issuer`, `namespace` and `service_account_name`<br>- `issuer`: The cluster issuer<br>- `namespace`: The namespace of the service account<br>- `service_account_name`: The name of the service account<br><br>**github**: `issuer`, `organization`, `repository` and `entity`<br>- `issuer`: The github issuer<br>- `organization`: The github organization<br>- `repository`: The github repository<br>- `entity`: The github entity \|Optional value, if not provided, the entity will be the repository. For other scenarios, the entity should be provided:<br>&nbsp;&nbsp;- environment: `environment:foo_enviroment`<br>&nbsp;&nbsp;- tags: `ref:refs/tags/foo_tag`<br>&nbsp;&nbsp;- branch: `ref:refs/heads/foo_branch`<br>&nbsp;&nbsp;- commit: `ref:refs/commits/foo_commit`<br><br>**other**: `issuer` and `subject`<br>- `issuer`: The issuer<br>- `subject`: The subject | <pre>list(object({<br> name: string (required)<br> type: string (required) - **kubernetes** \|\| **github** \|\| **other**<br> issuer: string (required only when type is **kubernetes** or **other**, when type is **github** is optional because the default is `https://token.actions.githubusercontent.com`)<br> namespace: string (required only when the type is **kubernetes**)<br> service_account_name: string (required only when the type is **kubernetes**)<br> organization: string (required only when the type is **github**)<br> repository: string (required only when the type is **github**)<br> entity: string (required only when the type is **github** and the entity is not the repository)<br> subject: string (required only when the type is **other**)<br>}))</pre> | `[]` | no |
 | audience | The audience of the federated identity credential | `list(string)` | `["api://AzureADTokenExchange"]` | no |
 
 ## Outputs
@@ -71,29 +71,30 @@ rbac = [
     ]
   }
 ]
+
 federated_credentials = [
   {
-    name = "foo-kubernetes"
-    type = "kubernetes"
-    issuer = "xxx"
-    namespace = "xxx"
-    service_account_name = "xxx"
+    name = "foo-github"
+    type = "github"
+    organization = "foo"
+    repository = "bar"
+    entity = "baz"
   },
   {
-    name = "bar-github"
-    type = "github"
-    issuer = "xxx"
-    organization = "xxx"
-    repository = "xxx"
-    entity = "xxx"
+    name = "foo-kubernetes"
+    type = "kubernetes"
+    issuer = "https://kubernetes.default.svc.cluster.local"
+    namespace = "foo"
+    service_account_name = "bar"
   },
   {
     name = "other"
     type = "other"
-    issuer = "xxx"
-    subject = "xxx"
+    issuer = "https://example.com"
+    subject = "other"
   }
 ]
+
 ```
 
 ### Yaml
@@ -116,19 +117,18 @@ rbac: # 1-n
     - yyy
     - zzz
 federated_credentials: # {} | 0-20
+  - name: foo-github
+    type: github
+    organization: foo
+    repository: bar
+    entity: baz
   - name: foo-kubernetes
-    type: kubernetes # subject like: system:serviceaccount:<namespace>:<serviceaccount>
-    issuer: xxx
-    namespace: xxx
-    service_account_name: xxx
-  - name: bar-github
-    type: github # subject like: repo:{Organization}/{Repository}:{Entity}
-    issuer: xxx
-    organization: xxx
-    repository: xxx
-    entity: xxx
+    type: kubernetes
+    issuer: https://kubernetes.default.svc.cluster.local
+    namespace: foo
+    service_account_name: bar
   - name: other
-    type: other # custom subject
-    issuer: xxx
-    subject: xxx
+    type: other
+    issuer: https://example.com
+    subject: other
 ```

modules/azure-mi/main.tf

@@ -1,7 +1,7 @@
 # RESOURCES SECTION
 ## https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group.html
 data "azurerm_resource_group" "resource_group" {
-  name = var.resource_group_name
+  name = var.resource_group
 }
 
 ## LOCALS SECTION
@@ -24,7 +24,7 @@ locals {
 resource "azurerm_user_assigned_identity" "user_assigned_identity" {
   name                = var.name
   location            = var.location
-  resource_group_name = var.resource_group_name
+  resource_group_name = var.resource_group
   tags                = local.tags
 }
 
@@ -40,9 +40,9 @@ resource "azurerm_role_assignment" "role_assignment" {
 resource "azurerm_federated_identity_credential" "federated_identity_credential" {
   for_each            = { for federated_credential in var.federated_credentials : federated_credential.name => federated_credential }
   name                = each.key
-  resource_group_name = var.resource_group_name
+  resource_group_name = var.resource_group
   audience            = var.audience
-  issuer              = each.value.issuer
+  issuer              = each.value.type == "github" ? coalesce(each.value.issuer, "https://token.actions.githubusercontent.com") : each.value.issuer
   parent_id           = azurerm_user_assigned_identity.user_assigned_identity.id
   subject             = each.value.type == "github" ? "repo:${each.value.organization}/${each.value.repository}:${each.value.entity}" : each.value.type == "kubernetes" ? "system:serviceaccount:${each.value.namespace}:${each.value.service_account_name}" : each.value.subject
 }

modules/azure-mi/variables.tf

@@ -3,7 +3,7 @@ variable "name" {
   description = "The name of the User Assigned Identity."
 }
 
-variable "resource_group_name" {
+variable "resource_group" {
   type        = string
   description = "The name of the Resource Group."
 }
@@ -40,7 +40,7 @@ variable "federated_credentials" {
   type = list(object({
     name                 = string
     type                 = string
-    issuer               = string
+    issuer               = optional(string)
     namespace            = optional(string)
     service_account_name = optional(string)
     organization         = optional(string)