From eec5da32c14b2bf250dc27e999d1bced6ec74ea8 Mon Sep 17 00:00:00 2001
From: Torian Crane
Date: Wed, 11 Oct 2023 13:22:28 +0200
Subject: [PATCH 01/16] Create __main__.py
---
 .../__main__.py | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 azure-py-oidc-provider-pulumi-cloud/__main__.py
diff --git a/azure-py-oidc-provider-pulumi-cloud/__main__.py b/azure-py-oidc-provider-pulumi-cloud/__main__.py
new file mode 100644
index 000000000..3a1dddac3
--- /dev/null
+++ b/azure-py-oidc-provider-pulumi-cloud/__main__.py
@@ -0,0 +1,36 @@
+import pulumi
+from pulumi_azure_native import resources, aad, authorization, managedidentity
+
+# Create an Azure Resource Group (if necessary)
+resource_group = resources.ResourceGroup('resourceGroup')
+
+# Create an Azure AD Application
+application = aad.Application(
+ 'oidc-app-registration',
+ display_name='pulumi-environments-oidc-app',
+ sign_in_audience='AzureADMyOrg',
+)
+
+# Create an IAM role assignment at the subscription level
+role_assignment = authorization.RoleAssignment(
+ 'role-assignment',
+ scope=pulumi.Output.format('/subscriptions/{subscription_id}', subscription_id=resource_group.subscription_id),
+ role_definition_id=pulumi.Output.format('/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}',
+ subscription_id=resource_group.subscription_id,
+ role_definition_id='094191a3-9fe2-4e88-a4e4-7131a3bb0cd4'), # ID for "Key Vault Secrets User" role
+ principal_id=application.object_id,
+)
+
+# Creates Federated Credentials
+federated_identity_credential = managedidentity.FederatedIdentityCredential("federatedIdentityCredential",
+ audiences=["zephyr"],
+ federated_identity_credential_resource_name="pulumi-environments-oidc-fic",
+ issuer="https://api.pulumi.com/oidc",
+ resource_group_name=resource_group.name,
+ resource_name_="resourceName",
+ subject="pulumi:environments:org:zephyr:env:azure-provider")
+
+# Export the desired outputs
+pulumi.export('Application ID', application.application_id)
+pulumi.export('Directory (Tenant) ID', resource_group.tenant_id)
+pulumi.export('Subscription ID', resource_group.subscription_id)
From e52716fc359d33990d285014e7d8f677f809edff Mon Sep 17 00:00:00 2001
From: Torian Crane
Date: Wed, 11 Oct 2023 14:50:16 +0200
Subject: [PATCH 02/16] Update __main__.py
---
 .../__main__.py | 49 ++++++++++---------
 1 file changed, 27 insertions(+), 22 deletions(-)
diff --git a/azure-py-oidc-provider-pulumi-cloud/__main__.py b/azure-py-oidc-provider-pulumi-cloud/__main__.py
index 3a1dddac3..80f7cab94 100644
--- a/azure-py-oidc-provider-pulumi-cloud/__main__.py
+++ b/azure-py-oidc-provider-pulumi-cloud/__main__.py
@@ -1,36 +1,41 @@ import pulumi from pulumi_azure_native import resources, aad, authorization, managedidentity +import pulumi_azuread as azuread +from pulumi_azure import core + +issuer = "https://api.pulumi.com/oidc" + +# Retrieve local Pulumi configuration +pulumi_config = pulumi.Config() +audience = pulumi_config.require("pulumiOrg") +env_name = pulumi_config.require("environmentName") + +# Retrieve local Azure configuration +azure_config = authorization.get_client_config() +az_subscription = azure_config.subscription_id +tenant_id = azure_config.tenant_id # Create an Azure Resource Group (if necessary) resource_group = resources.ResourceGroup('resourceGroup') # Create an Azure AD Application -application = aad.Application( +application = azuread.Application( 'oidc-app-registration', display_name='pulumi-environments-oidc-app', sign_in_audience='AzureADMyOrg', ) -# Create an IAM role assignment at the subscription level -role_assignment = authorization.RoleAssignment( - 'role-assignment', - scope=pulumi.Output.format('/subscriptions/{subscription_id}', subscription_id=resource_group.subscription_id), - role_definition_id=pulumi.Output.format('/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}', - subscription_id=resource_group.subscription_id, - role_definition_id='094191a3-9fe2-4e88-a4e4-7131a3bb0cd4'), # ID for "Key Vault Secrets User" role - principal_id=application.object_id, -) - # Creates Federated Credentials -federated_identity_credential = managedidentity.FederatedIdentityCredential("federatedIdentityCredential", - audiences=["zephyr"], - federated_identity_credential_resource_name="pulumi-environments-oidc-fic", - issuer="https://api.pulumi.com/oidc", - resource_group_name=resource_group.name, - resource_name_="resourceName", - subject="pulumi:environments:org:zephyr:env:azure-provider") +federated_identity_credential = azuread.ApplicationFederatedIdentityCredential("federatedIdentityCredential", + 
application_object_id=application.object_id, + display_name="pulumi-environments-oidc-fic", + description="Federated credentials for Pulumi ESC", + audiences=[audience], + issuer=issuer, + subject=f"pulumi:environments:org:{audience}:env:{env_name}" +) -# Export the desired outputs -pulumi.export('Application ID', application.application_id) -pulumi.export('Directory (Tenant) ID', resource_group.tenant_id) -pulumi.export('Subscription ID', resource_group.subscription_id) +# Export Outputs required for Environment definition +pulumi.export('ApplicationId', application.application_id) +pulumi.export('DirectoryId', tenant_id) +pulumi.export('SubscriptionId', az_subscription) From 16403f14ec6ab3bc9e160ac352cc29001a94e505 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 15:10:37 +0200 Subject: [PATCH 03/16] Create README.md --- azure-py-oidc-provider-pulumi-cloud/README.md | 145 ++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 azure-py-oidc-provider-pulumi-cloud/README.md diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md new file mode 100644 index 000000000..ba0af8f8d --- /dev/null +++ b/azure-py-oidc-provider-pulumi-cloud/README.md 
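Review bot: The new code creates an `azuread.Application` and attaches a federated credential to it, but no `azuread.ServicePrincipal` is created here or anywhere later in the series; Entra generally only issues tokens to an application that has a service principal in the tenant, and the README's later `RoleAssignment` example would need that service principal's object id rather than `application.object_id`, so confirm that `pulumi env open` actually succeeds without something like `service_principal = azuread.ServicePrincipal('oidc-sp', application_id=application.application_id)`. `from pulumi_azure import core` is added but never used, and `aad` and `managedidentity` stay imported after the code that used them is removed in this same hunk; the unused `core` import is the only reason for the `pulumi-azure` line added to requirements.txt in PATCH 04/16, so both the import and that requirement can go. The trust itself is appropriately narrow: `audiences=[audience]` together with the `subject` f-string pins the credential to one Pulumi organization and one environment.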
@@ -0,0 +1,145 @@ +# Provisioning an OIDC Provider in AWS for Pulumi Cloud + +This example is an automation of the process detailed in the Azure socumentation for the following activities: + +- [Create a Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) +- [Create federated credentials](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#federated-identity-credential-for-an-azure-ad-application-1) + +This automation will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). + +## Prerequisites + +* [Install Pulumi](https://www.pulumi.com/docs/get-started/install/) +* [Configure Pulumi to Use Azure](https://www.pulumi.com/docs/clouds/azure/get-started/begin/) + +## Running the Example + +Clone [the examples repo](https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider) and navigate to the folder for this example. + +```bash +git clone https://github.com/pulumi/examples.git +cd examples/azure-py-oidc-provider-pulumi-cloud +``` + +Next, to deploy the application and its infrastructure, follow these steps: + +1. Create a new stack, which is an isolated deployment target for this example: + + ```bash + $ pulumi stack init dev + ``` + +1. Set your Pulumi organization name, Pulumi ESC environment name, and desired Azure region: + + ```bash + pulumi config set pulumiOrg # replace with your Pulumi organization name + pulumi config set environmentName # replace with your environment name + pulumi config set azure-native:location WestUS2 # any valid Azure region will work + ``` + +1. Install requirements. + + ```bash + pip3 install -r requirements.txt + ``` + +1. Run `pulumi up`. 
+ + ```bash + $ pulumi up -y + Updating (dev) + + Type Name Status + + pulumi:pulumi:Stack azure-oidc-dev created (27s) + + ├─ azuread:index:Application oidc-app-registration created (14s) + + ├─ azure-native:resources:ResourceGroup resourceGroup created (1s) + + └─ azuread:index:ApplicationFederatedIdentityCredential federatedIdentityCredential created (16s) + + Outputs: + ApplicationId : "3e5505f6-90b9-43ce...." + DirectoryId : "706143bc-e1d4-4593...." + SubscriptionId: "0282681f-7a9e-424b...." + + Resources: + + 4 created + + Duration: 46s + ``` +## Validating the OIDC Configuration + +This next section will walk you through validating your OIDC configuration using [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pulumi-cloud/esc/get-started/#create-an-environment). Then, add the following environment definition, replacing the placeholder text with the values from your stack outputs. + +```yaml +values: + azure: + login: + fn::open::azure-login: + clientId: + tenantId: + subscriptionId: /subscriptions/ + oidc: true +``` + +Save your environment file and run the `pulumi env open /` command in the CLI. You should see output similar to the following: + +```bash +{ + "azure": { + "login": { + "clientId": "3e5505f6-90b9-....", + "oidc": { + "token": "eyJhbGciOi...." + }, + "subscriptionId": "/subscriptions/0282681f-7a9e....", + "tenantId": "706143bc-e1d4...." + } + } +} +``` + +## Additional Considerations + +You can configure more granular access control by adding a `RoleAssignment` resource to your program. In the following example, the application is assigned a role with permissions to read secrets from Azure Keyvault. 
+ +```python +# Create an IAM role assignment at the subscription level +role_assignment = authorization.RoleAssignment( + 'role-assignment', + scope=pulumi.Output.format('/subscriptions/{subscription_id}', subscription_id=az_subscription), + role_definition_id=pulumi.Output.format('/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}', + subscription_id=az_subscription, + role_definition_id='4633458b-17de-408a-b874-0445c86b69e6'), # ID for "Key Vault Secrets User" role + principal_id=application.object_id, +) +``` + +For this example, you would need to update your environment file to retrieve a KeyVault secret: + +```yaml +values: + azure: + login: + fn::open::azure-login: + clientId: + tenantId: + subscriptionId: /subscriptions/ + oidc: true + secrets: + fn::open::azure-secrets: + login: ${azure.login} + vault: + get: + api-key: + name: api-key #an example of retrieving a secret named "api-key" and storing it in a parameter + environmentVariables: + API_KEY: ${azure.secrets.api-key} # an example of how you can reference your api-key value elsewhere in the file +``` + +## Clean-Up Resources + +Once you are done, you can destroy all of the resources as well as the stack: + +```bash +$ pulumi destroy +$ pulumi stack rm +``` From 0b3f0656fb8d52685fcec956d741e6d72258f108 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 15:10:51 +0200 Subject: [PATCH 04/16] Create requirements.txt --- azure-py-oidc-provider-pulumi-cloud/requirements.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 azure-py-oidc-provider-pulumi-cloud/requirements.txt diff --git a/azure-py-oidc-provider-pulumi-cloud/requirements.txt b/azure-py-oidc-provider-pulumi-cloud/requirements.txt new file mode 100644 index 000000000..9d1294d07 --- /dev/null +++ b/azure-py-oidc-provider-pulumi-cloud/requirements.txt 
@@ -0,0 +1,4 @@ +pulumi>=3.0.0,<4.0.0 +pulumi-azure-native>=2.0.0,<3.0.0 +pulumi-azuread>=5.0.0, <6.0.0 +pulumi-azure>=5.0.0, <6.0.0 From e60f9773febeab6e319fbe32f997aa1693e7cdc4 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 15:11:49 +0200 Subject: [PATCH 05/16] Update README.md --- azure-py-oidc-provider-pulumi-cloud/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index ba0af8f8d..df68fc77d 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md @@ -1,12 +1,12 @@ # Provisioning an OIDC Provider in AWS for Pulumi Cloud -This example is an automation of the process detailed in the Azure socumentation for the following activities: +This example will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). + +This example creates an automation of the process detailed in the Azure documentation for the following activities: - [Create a Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) - [Create federated credentials](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#federated-identity-credential-for-an-azure-ad-application-1) -This automation will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). - ## Prerequisites * [Install Pulumi](https://www.pulumi.com/docs/get-started/install/) From a4568931fa81d0023c27cccd1df30c2ff1002b03 Mon Sep 17 00:00:00 2001 
From: Torian Crane Date: Wed, 11 Oct 2023 15:12:36 +0200 Subject: [PATCH 06/16] Update README.md --- azure-py-oidc-provider-pulumi-cloud/README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index df68fc77d..c5c079031 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md @@ -1,8 +1,6 @@ # Provisioning an OIDC Provider in AWS for Pulumi Cloud -This example will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). - -This example creates an automation of the process detailed in the Azure documentation for the following activities: +This example will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the Azure documentation for the following activities: - [Create a Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) - [Create federated credentials](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#federated-identity-credential-for-an-azure-ad-application-1) From 62a127e07454c239cbb17f936329252032c1ada8 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 15:14:04 +0200 Subject: [PATCH 07/16] Update README.md --- azure-py-oidc-provider-pulumi-cloud/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index c5c079031..048e01537 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md 
@@ -81,6 +81,7 @@ values: Save your environment file and run the `pulumi env open /` command in the CLI. You should see output similar to the following: ```bash +$ pulumi env open myOrg/myEnvironment { "azure": { "login": { From 9adb18f576fdfa35cdc410df84d6856ab51a24ce Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 15:16:16 +0200 Subject: [PATCH 08/16] Create .gitignore --- azure-py-oidc-provider-pulumi-cloud/.gitignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 azure-py-oidc-provider-pulumi-cloud/.gitignore diff --git a/azure-py-oidc-provider-pulumi-cloud/.gitignore b/azure-py-oidc-provider-pulumi-cloud/.gitignore new file mode 100644 index 000000000..a3807e5bd --- /dev/null +++ b/azure-py-oidc-provider-pulumi-cloud/.gitignore @@ -0,0 +1,2 @@ +*.pyc +venv/ From efbf1b055eee40d2fe6e048df3e67499645cbfdf Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 16:57:59 +0200 Subject: [PATCH 09/16] Create Pulumi.yaml --- azure-py-oidc-provider-pulumi-cloud/Pulumi.yaml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 azure-py-oidc-provider-pulumi-cloud/Pulumi.yaml diff --git a/azure-py-oidc-provider-pulumi-cloud/Pulumi.yaml b/azure-py-oidc-provider-pulumi-cloud/Pulumi.yaml new file mode 100644 index 000000000..ad88ab068 --- /dev/null +++ b/azure-py-oidc-provider-pulumi-cloud/Pulumi.yaml @@ -0,0 +1,6 @@ +name: oidc-test +runtime: + name: python + options: + virtualenv: venv +description: A Python Pulumi program From 2065268a89ac33d22463300e175581e3c77feeb2 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 17:04:30 +0200 Subject: [PATCH 10/16] Update README.md --- azure-py-oidc-provider-pulumi-cloud/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index 048e01537..c0cd58849 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md 
+++ b/azure-py-oidc-provider-pulumi-cloud/README.md @@ -24,7 +24,7 @@ Next, to deploy the application and its infrastructure, follow these steps: 1. Create a new stack, which is an isolated deployment target for this example: ```bash - $ pulumi stack init dev + pulumi stack init dev ``` 1. Set your Pulumi organization name, Pulumi ESC environment name, and desired Azure region: @@ -38,7 +38,10 @@ Next, to deploy the application and its infrastructure, follow these steps: 1. Install requirements. ```bash + python -m venv venv + source venv/bin/activate pip3 install -r requirements.txt + deactivate ``` 1. Run `pulumi up`. From 5ee0088b9cad4d276063a6d9b36893bd2887b7b1 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Wed, 11 Oct 2023 17:09:58 +0200 Subject: [PATCH 11/16] Update README.md --- azure-py-oidc-provider-pulumi-cloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index c0cd58849..8f63d37a8 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md @@ -1,4 +1,4 @@ -# Provisioning an OIDC Provider in AWS for Pulumi Cloud +# Provisioning an OIDC Provider in Azure for Pulumi Cloud This example will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the Azure documentation for the following activities: From c1972f6343e467b8eebf8b7f20a598001bf07e3e Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Thu, 12 Oct 2023 08:55:30 +0000 Subject: [PATCH 12/16] output environment template file --- azure-py-oidc-provider-pulumi-cloud/README.md | 1 - .../__main__.py | 34 ++++++++++++++++--- .../requirements.txt | 1 + 3 files changed, 30 insertions(+), 6 deletions(-) 
diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index 8f63d37a8..0daa3fa8a 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md @@ -30,7 +30,6 @@ Next, to deploy the application and its infrastructure, follow these steps: 1. Set your Pulumi organization name, Pulumi ESC environment name, and desired Azure region: ```bash - pulumi config set pulumiOrg # replace with your Pulumi organization name pulumi config set environmentName # replace with your environment name pulumi config set azure-native:location WestUS2 # any valid Azure region will work ``` diff --git a/azure-py-oidc-provider-pulumi-cloud/__main__.py b/azure-py-oidc-provider-pulumi-cloud/__main__.py index 80f7cab94..23c6e9b57 100644 --- a/azure-py-oidc-provider-pulumi-cloud/__main__.py +++ b/azure-py-oidc-provider-pulumi-cloud/__main__.py @@ -2,12 +2,13 @@ from pulumi_azure_native import resources, aad, authorization, managedidentity import pulumi_azuread as azuread from pulumi_azure import core +import yaml issuer = "https://api.pulumi.com/oidc" # Retrieve local Pulumi configuration pulumi_config = pulumi.Config() -audience = pulumi_config.require("pulumiOrg") +audience = pulumi.get_organization() env_name = pulumi_config.require("environmentName") # Retrieve local Azure configuration 
@@ -35,7 +36,30 @@ subject=f"pulumi:environments:org:{audience}:env:{env_name}" ) -# Export Outputs required for Environment definition -pulumi.export('ApplicationId', application.application_id) -pulumi.export('DirectoryId', tenant_id) -pulumi.export('SubscriptionId', az_subscription) +print("OIDC configuration complete!") +print("Copy and paste the following template into your Pulumi ESC environment:") +print("--------") + +def create_yaml_structure(args): + application_id, tenant_id, subscription_id = args + return { + 'values': { + 'azure': { + 'login': { + 'fn::open::azure-login': { + 'clientId': application_id, + 'tenantId': tenant_id, + 'subscriptionId': f"/subscriptions/{subscription_id}", + 'oidc': True + } + } + } + } + } + +def print_yaml(args): + yaml_structure = create_yaml_structure(args) + yaml_string = yaml.dump(yaml_structure, sort_keys=False) + print(yaml_string) + +pulumi.Output.all(application.application_id, tenant_id, az_subscription).apply(print_yaml) \ No newline at end of file diff --git a/azure-py-oidc-provider-pulumi-cloud/requirements.txt b/azure-py-oidc-provider-pulumi-cloud/requirements.txt index 9d1294d07..20d3d20c2 100644 --- a/azure-py-oidc-provider-pulumi-cloud/requirements.txt +++ b/azure-py-oidc-provider-pulumi-cloud/requirements.txt @@ -2,3 +2,4 @@ pulumi>=3.0.0,<4.0.0 pulumi-azure-native>=2.0.0,<3.0.0 pulumi-azuread>=5.0.0, <6.0.0 pulumi-azure>=5.0.0, <6.0.0 +PyYAML From 230ef6c639fd944bdb80c595d8c9f448f1d4fc66 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Thu, 12 Oct 2023 13:13:20 +0000 Subject: [PATCH 13/16] updated readme with yaml template info --- azure-py-oidc-provider-pulumi-cloud/README.md | 41 +++---------------- 1 file changed, 5 insertions(+), 36 deletions(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index 0daa3fa8a..59470e282 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md 
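Review bot: Dropping the three `pulumi.export` calls means the application id, tenant id and subscription id are only ever visible in the `print_yaml` output of the run that created them; `pulumi stack output` no longer returns anything, so a user who closes the terminal has to look the values up in the portal. The `print` inside `Output.all(...).apply(print_yaml)` also runs only once the values are resolved, so on a first `pulumi preview` the two header lines at the top of the hunk are presumably printed without the template that follows — worth checking. Keep the exports alongside the template: `pulumi.export('ApplicationId', application.application_id)`, `pulumi.export('DirectoryId', tenant_id)`, `pulumi.export('SubscriptionId', az_subscription)`. `create_yaml_structure` and `print_yaml` also have no docstrings; a one-liner on each, e.g. `"""Build the ESC azure-login block from (application_id, tenant_id, subscription_id)."""`, would help a reader of __main__.py.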
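Review bot: `PyYAML` is added to requirements.txt with no version constraint while every other line in the file carries a `>=`/`<` range, so a future major release of PyYAML can change what `yaml.dump` emits or fail to install with no change to this repository. Pin it the same way as its neighbours, e.g. `PyYAML>=6.0,<7.0` (a constructed range matching the style of the other lines; use the version actually tested).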
@@ -12,7 +12,7 @@ This example will create OIDC configuration between Pulumi Cloud and Azure, spec ## Running the Example -Clone [the examples repo](https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider) and navigate to the folder for this example. +Clone [the examples repo](https://github.com/pulumi/examples/tree/master/azure-py-oidc-provider) and navigate to the folder for this example. ```bash git clone https://github.com/pulumi/examples.git @@ -27,7 +27,7 @@ Next, to deploy the application and its infrastructure, follow these steps: pulumi stack init dev ``` -1. Set your Pulumi organization name, Pulumi ESC environment name, and desired Azure region: +1. Set your Pulumi ESC environment name and desired Azure region: ```bash pulumi config set environmentName # replace with your environment name 
@@ -43,44 +43,13 @@ Next, to deploy the application and its infrastructure, follow these steps: deactivate ``` -1. Run `pulumi up`. +1. Run `pulumi up -y`. Once the program completes, it will output a YAML template for you to use in the next step. - ```bash - $ pulumi up -y - Updating (dev) - - Type Name Status - + pulumi:pulumi:Stack azure-oidc-dev created (27s) - + ├─ azuread:index:Application oidc-app-registration created (14s) - + ├─ azure-native:resources:ResourceGroup resourceGroup created (1s) - + └─ azuread:index:ApplicationFederatedIdentityCredential federatedIdentityCredential created (16s) - - Outputs: - ApplicationId : "3e5505f6-90b9-43ce...." - DirectoryId : "706143bc-e1d4-4593...." - SubscriptionId: "0282681f-7a9e-424b...." - - Resources: - + 4 created - - Duration: 46s - ``` ## Validating the OIDC Configuration -This next section will walk you through validating your OIDC configuration using [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pulumi-cloud/esc/get-started/#create-an-environment). Then, add the following environment definition, replacing the placeholder text with the values from your stack outputs. - -```yaml -values: - azure: - login: - fn::open::azure-login: - clientId: - tenantId: - subscriptionId: /subscriptions/ - oidc: true -``` +This next section will walk you through validating your OIDC configuration using [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). -Save your environment file and run the `pulumi env open /` command in the CLI. You should see output similar to the following: +Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pulumi-cloud/esc/get-started/#create-an-environment). Then, copy the template definition from the output in the CLI and paste it into your environment. Save your environment file and run the `pulumi env open /` command in the CLI. 
You should see output similar to the following: ```bash $ pulumi env open myOrg/myEnvironment From 177ab93cd7e5a593f8949b2c9d016a280ed1a42d Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Tue, 17 Oct 2023 11:02:07 +0200 Subject: [PATCH 14/16] fixed to python3 --- azure-py-oidc-provider-pulumi-cloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index 59470e282..4338f7eea 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md @@ -37,7 +37,7 @@ Next, to deploy the application and its infrastructure, follow these steps: 1. Install requirements. ```bash - python -m venv venv + python3 -m venv venv source venv/bin/activate pip3 install -r requirements.txt deactivate From 6ce8c100b6792db1cc1ea9aa6c1685514c466b34 Mon Sep 17 00:00:00 2001 From: Torian Crane Date: Tue, 17 Oct 2023 14:06:00 +0200 Subject: [PATCH 15/16] simplified venv commands --- azure-py-oidc-provider-pulumi-cloud/README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/README.md b/azure-py-oidc-provider-pulumi-cloud/README.md index 4338f7eea..b321c8507 100644 --- a/azure-py-oidc-provider-pulumi-cloud/README.md +++ b/azure-py-oidc-provider-pulumi-cloud/README.md @@ -38,9 +38,7 @@ Next, to deploy the application and its infrastructure, follow these steps: ```bash python3 -m venv venv - source venv/bin/activate - pip3 install -r requirements.txt - deactivate + venv/bin/pip install -r requirements.txt ``` 1. Run `pulumi up -y`. Once the program completes, it will output a YAML template for you to use in the next step. From cac6a77e1c3d1810557845fe39d5c065359c84af Mon Sep 17 00:00:00 2001 
From: Torian Crane Date: Wed, 18 Oct 2023 10:27:05 +0200 Subject: [PATCH 16/16] Update __main__.py --- azure-py-oidc-provider-pulumi-cloud/__main__.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/azure-py-oidc-provider-pulumi-cloud/__main__.py b/azure-py-oidc-provider-pulumi-cloud/__main__.py index 23c6e9b57..b6b4030e9 100644 --- a/azure-py-oidc-provider-pulumi-cloud/__main__.py +++ b/azure-py-oidc-provider-pulumi-cloud/__main__.py @@ -3,6 +3,9 @@ import pulumi_azuread as azuread from pulumi_azure import core import yaml +import random + +number = random.randint(1000,9999) issuer = "https://api.pulumi.com/oidc" @@ -17,11 +20,11 @@ tenant_id = azure_config.tenant_id # Create an Azure Resource Group (if necessary) -resource_group = resources.ResourceGroup('resourceGroup') +resource_group = resources.ResourceGroup(f'resourceGroup-{number}') # Create an Azure AD Application application = azuread.Application( - 'oidc-app-registration', + f'pulumi-oidc-app-reg-{number}', display_name='pulumi-environments-oidc-app', sign_in_audience='AzureADMyOrg', ) @@ -29,7 +32,7 @@ # Creates Federated Credentials federated_identity_credential = azuread.ApplicationFederatedIdentityCredential("federatedIdentityCredential", application_object_id=application.object_id, - display_name="pulumi-environments-oidc-fic", + display_name=f"pulumi-env-oidc-fic-{number}", description="Federated credentials for Pulumi ESC", audiences=[audience], issuer=issuer, @@ -62,4 +65,4 @@ def print_yaml(args): yaml_string = yaml.dump(yaml_structure, sort_keys=False) print(yaml_string) -pulumi.Output.all(application.application_id, tenant_id, az_subscription).apply(print_yaml) \ No newline at end of file +pulumi.Output.all(application.application_id, tenant_id, az_subscription).apply(print_yaml)
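Review bot: `number = random.randint(1000,9999)` is re-evaluated on every run of the program, so the logical names `f'resourceGroup-{number}'` and `f'pulumi-oidc-app-reg-{number}'` and the credential `display_name` change on each `pulumi up`; Pulumi keys its state by that name, so every update will create new resources and delete the old ones, giving the app registration a new `application_id` and invalidating any ESC template pasted from the previous run (this applies to the first three hunks of the patch; the last hunk only adds the missing trailing newline). Pulumi's auto-naming already appends a random suffix to the physical resource group name, and `azuread.Application` takes its Azure-side name from `display_name` rather than the logical name, so the suffix buys nothing. Drop the `random` import and `number`, and keep the stable names from the previous revision: `resources.ResourceGroup('resourceGroup')`, `'oidc-app-registration'`, and `display_name="pulumi-environments-oidc-fic"`.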