Use AzureAD auth for terraform backend

Move away from using shared key credentials for the backend auth in both CI and local dev.
microsoft · Jun 24, 2024 · bbfbf8e · bbfbf8e
1 parent 9beb59b
commit bbfbf8e
Show file tree

Hide file tree

Showing 7 changed files with 65 additions and 33 deletions.
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -2,7 +2,7 @@ name: Planetary Computer APIs CI/CD
 
 on:
   push:
-    branches: [main]
+    branches: [main, user/mjm/storage-access-fixes]
     tags: ["*"]
 
 permissions:
@@ -86,4 +86,4 @@ jobs:
           ARM_CLIENT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
           ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
           ARM_TENANT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
-          ARM_USE_OIDC: true
+          ARM_USE_OIDC: true
diff --git a/deployment/bin/deploy b/deployment/bin/deploy
@@ -49,30 +49,20 @@ while [[ "$#" -gt 0 ]]; do case $1 in
         ;;
     esac done
 
-disable_shared_access_keys() {
-    echo "Disabling shared access key on storage account..."
-    az storage account update \
-        --name ${SAK_STORAGE_ACCOUNT} \
-        --resource-group ${SAK_RESOURCE_GROUP} \
-        --allow-shared-key-access false \
-        --output none
-
-    if [ $? -ne 0 ]; then
-        echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-        echo "WARNING: Failed to turn off shared key access on the storage account."
-        echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-        exit 2
-    fi
-}
-
 # Always disable shared access keys on script exit
 trap disable_shared_access_keys EXIT
 
 ###################################
 # Check and configure environment #
 ###################################
-SAK_STORAGE_ACCOUNT=pctapisstagingsa
-SAK_RESOURCE_GROUP=pct-apis-westeurope-staging_rg
+
+# Enable shared access keys on storage accounts that must have properties read
+# [storage_account]=resource_group
+declare -A SAK_STORAGE_ACCOUNTS
+SAK_STORAGE_ACCOUNTS=(
+  ["pctapisstagingsa"]="pct-apis-westeurope-staging_rg"
+  ["pcfilestest"]="pc-test-manual-resources"
+)
 
 if [[ -z ${TERRAFORM_DIR} ]]; then
     echo "Must pass in TERRAFORM_DIR with -t"
@@ -113,16 +103,7 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
     if [[ "${SKIP_TF}" != 1 ]]; then
         echo "Deploying infrastructure with Terraform..."
 
-        echo "Enabling shared key access for storage account..."
-        # Terraform isn't able to read all resources from a storage account if shared key access is disabled
-        # so while we're deploying, we need to enable it. Since we haven't run TF yet, we don't have the name of the account
-        # so they are hardcoded here. This is a temporary workaround until this is resolved
-        # https://github.com/hashicorp/terraform-provider-azurerm/issues/25218
-        az storage account update \
-            --name ${SAK_STORAGE_ACCOUNT} \
-            --resource-group ${SAK_RESOURCE_GROUP} \
-            --allow-shared-key-access true \
-            --output none
+        enable_shared_access_keys
 
         terraform init --upgrade
 

diff --git a/deployment/bin/lib b/deployment/bin/lib
@@ -131,3 +131,43 @@ function get_cidr_range() {
     IFS='.' read -r -a ip_parts <<< "$runnerIpAddress"
     echo "${ip_parts[0]}.${ip_parts[1]}.0.0/16"
 }
+
+function disable_shared_access_keys() {
+    echo "Disabling shared access key on storage account..."
+
+    for SAK_STORAGE_ACCOUNT in "${!SAK_STORAGE_ACCOUNTS[@]}"; do
+        SAK_RESOURCE_GROUP=${SAK_STORAGE_ACCOUNTS[$SAK_STORAGE_ACCOUNT]}
+
+        az storage account update \
+            --name ${SAK_STORAGE_ACCOUNT} \
+            --resource-group ${SAK_RESOURCE_GROUP} \
+            --allow-shared-key-access false \
+            --output none
+
+        if [ $? -ne 0 ]; then
+            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+            echo "WARNING: Failed to turn off shared key access on the storage account."
+            echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+            exit 2
+        fi
+    done
+}
+
+function enable_shared_access_keys() {
+    echo "Enabling shared key access for storage account..."
+    # Terraform isn't able to read all resources from a storage account if shared key access is disabled
+    # so while we're deploying, we need to enable it. Since we haven't run TF yet, we don't have the name of the account
+    # so they are hardcoded here. This is a temporary workaround until this is resolved
+    # https://github.com/hashicorp/terraform-provider-azurerm/issues/25218
+
+    for SAK_STORAGE_ACCOUNT in "${!SAK_STORAGE_ACCOUNTS[@]}"; do
+        SAK_RESOURCE_GROUP=${SAK_STORAGE_ACCOUNTS[$SAK_STORAGE_ACCOUNT]}
+
+        echo "   - enabling ${SAK_STORAGE_ACCOUNT} / ${SAK_RESOURCE_GROUP}"
+        az storage account update \
+            --name ${SAK_STORAGE_ACCOUNT} \
+            --resource-group ${SAK_RESOURCE_GROUP} \
+            --allow-shared-key-access true \
+            --output none
+    done
+}
diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml
@@ -8,12 +8,12 @@ services:
     environment:
       - ACR_STAC_REPO=${ACR_STAC_REPO:-pccomponentstest.azurecr.io/planetary-computer-apis/stac}
       - ACR_TILER_REPO=${ACR_TILER_REPO:-pccomponentstest.azurecr.io/planetary-computer-apis/tiler}
-      - IMAGE_TAG
+      - IMAGE_TAG=${IMAGE_TAG:-latest}
       - GIT_COMMIT
 
       - ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID:-a84a690d-585b-4c7c-80d9-851a48af5a50}
-      - ARM_TENANT_ID
-      - ARM_CLIENT_ID
+      - ARM_TENANT_ID=${ARM_TENANT_ID:-72f988bf-86f1-41af-91ab-2d7cd011db47}
+      - ARM_CLIENT_ID[email protected]
       - ARM_USE_OIDC
       - ARM_OIDC_TOKEN
       - ACTIONS_ID_TOKEN_REQUEST_URL

diff --git a/deployment/terraform/resources/providers.tf b/deployment/terraform/resources/providers.tf
@@ -1,6 +1,11 @@
 provider "azurerm" {
   features {}
   use_oidc = true
+
+  # This could be used instead of temporarily enabling shared key access once
+  # this issue is resolved.
+  # https://github.com/hashicorp/terraform-provider-azurerm/issues/23142
+  # storage_use_azuread = true
 }
 
 terraform {

diff --git a/deployment/terraform/resources/storage_account.tf b/deployment/terraform/resources/storage_account.tf
@@ -37,3 +37,8 @@ resource "azurerm_storage_table" "ipexceptionlist" {
   name                 = "ipexceptionlist"
   storage_account_name = azurerm_storage_account.pc.name
 }
+
+resource "azurerm_storage_table" "blobstoragebannedip" {
+  name                 = "blobstoragebannedip"
+  storage_account_name = azurerm_storage_account.pc.name
+}
diff --git a/deployment/terraform/staging/main.tf b/deployment/terraform/staging/main.tf
@@ -31,6 +31,7 @@ terraform {
     container_name       = "pc-test-api"
     key                  = "pqe-apis.tfstate"
     use_oidc             = true
+    use_azuread_auth     = true
   }
 }