improved sp redirect uris configuration

Azure · Apr 10, 2024 · 8ddc512 · 8ddc512
1 parent 6d2aba5
commit 8ddc512
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 50 deletions.
diff --git a/infra/main.tf b/infra/main.tf
@@ -156,6 +156,7 @@ module "ca_chat" {
   resource_group_id              = azurerm_resource_group.rg.id
   ca_name                        = local.ca_chat_name
   cae_id                         = module.cae.cae_id
+  cae_default_domain             = module.cae.default_domain
   managed_identity_id            = module.mi.mi_id
   chat_gpt_deployment            = module.openai.gpt_deployment_name
   chat_gpt_model                 = module.openai.gpt_deployment_model_name
@@ -196,6 +197,7 @@ module "ca_aihub" {
   resource_group_id           = azurerm_resource_group.rg.id
   ca_name                     = local.ca_aihub_name
   cae_id                      = module.cae.cae_id
+  cae_default_domain          = module.cae.default_domain
   managed_identity_id         = module.mi.mi_id
   chat_gpt_deployment         = module.openai.gpt_deployment_name
   chat_gpt_model              = module.openai.gpt_deployment_model_name

diff --git a/infra/modules/ca-aihub/auth_config.tf b/infra/modules/ca-aihub/auth_config.tf
@@ -1,11 +1,10 @@
-locals {
-  redirect_fqdn = jsondecode(azapi_resource.ca_back.output).properties.configuration.ingress.fqdn
-}
-
 module "sp" {
   count   = var.enable_entra_id_authentication ? 1 : 0
   source  = "../sp"
   sp_name = var.ca_name
+  redirect_uris = [
+    "https://${var.ca_name}.${var.cae_default_domain}/.auth/login/aad/callback"
+  ]
 }
 
 resource "azapi_resource" "current" {
@@ -45,23 +44,3 @@ resource "azapi_resource" "current" {
     }
   })
 }
-
-locals {
-  fqdn                         = jsondecode(azapi_resource.ca_back.output).properties.configuration.ingress.fqdn
-  update_redirect_uris_command = var.enable_entra_id_authentication ? "az ad app update --id ${module.sp[0].client_id} --web-redirect-uris https://${local.fqdn}/.auth/login/aad/callback" : ""
-}
-
-resource "null_resource" "update_redirect_uris" {
-  count = var.enable_entra_id_authentication ? 1 : 0
-  provisioner "local-exec" {
-    command = local.update_redirect_uris_command
-  }
-  depends_on = [
-    module.sp,
-    azapi_resource.ca_back,
-    azapi_resource.current
-  ]
-  triggers = {
-    always_run = timestamp()
-  }
-}
diff --git a/infra/modules/ca-aihub/variables.tf b/infra/modules/ca-aihub/variables.tf
@@ -2,6 +2,7 @@ variable "resource_group_id" {}
 variable "location" {}
 variable "ca_name" {}
 variable "cae_id" {}
+variable "cae_default_domain" {}
 variable "managed_identity_id" {}
 variable "managed_identity_client_id" {}
 variable "tenant_id" {}

diff --git a/infra/modules/ca-chat/auth_config.tf b/infra/modules/ca-chat/auth_config.tf
@@ -1,11 +1,10 @@
-locals {
-  redirect_fqdn = jsondecode(azapi_resource.ca_back.output).properties.configuration.ingress.fqdn
-}
-
 module "sp" {
   count   = var.enable_entra_id_authentication ? 1 : 0
   source  = "../sp"
   sp_name = var.ca_name
+  redirect_uris = [
+    "https://${var.ca_name}.${var.cae_default_domain}/.auth/login/aad/callback"
+  ]
 }
 
 resource "azapi_resource" "current" {
@@ -45,23 +44,3 @@ resource "azapi_resource" "current" {
     }
   })
 }
-
-locals {
-  fqdn                         = jsondecode(azapi_resource.ca_back.output).properties.configuration.ingress.fqdn
-  update_redirect_uris_command = var.enable_entra_id_authentication ? "az ad app update --id ${module.sp[0].client_id} --web-redirect-uris https://${local.fqdn}/.auth/login/aad/callback" : ""
-}
-
-resource "null_resource" "update_redirect_uris" {
-  count = var.enable_entra_id_authentication ? 1 : 0
-  provisioner "local-exec" {
-    command = local.update_redirect_uris_command
-  }
-  depends_on = [
-    module.sp,
-    azapi_resource.ca_back,
-    azapi_resource.current
-  ]
-  triggers = {
-    always_run = timestamp()
-  }
-}
diff --git a/infra/modules/ca-chat/variables.tf b/infra/modules/ca-chat/variables.tf
@@ -2,6 +2,7 @@ variable "resource_group_id" {}
 variable "location" {}
 variable "ca_name" {}
 variable "cae_id" {}
+variable "cae_default_domain" {}
 variable "managed_identity_id" {}
 variable "managed_identity_client_id" {}
 variable "tenant_id" {}

diff --git a/infra/modules/sp/main.tf b/infra/modules/sp/main.tf
@@ -14,7 +14,7 @@ resource "azuread_application" "sp" {
     implicit_grant {
       id_token_issuance_enabled = true
     }
-    redirect_uris = []
+    redirect_uris = var.redirect_uris
   }
 
   api {

diff --git a/infra/modules/sp/variables.tf b/infra/modules/sp/variables.tf
@@ -1 +1,5 @@
-variable "sp_name" {}
+variable "sp_name" {}
+variable "redirect_uris" {
+  type = list(string)
+  default = []
+}