Getting --impersonate working correctly, for logged_in_user in configuration

[pmatthews05]

When first deploy LandingZones with level0 it is deployed with a user account. During the deployment of Level0 the following Service Principal is created - [prefix]-caf_launchpad_level0.

rover -lz /tf/caf/landingzones/caf_launchpad \
  -var-folder /tf/caf/configuration/${ENVIRONMENT}/level0/launchpad \
  -parallelism 30 \
  -level level0 \
  -launchpad \
  -env ${ENVIRONMENT} \
  -a apply

The clientID, Secret is stored within Level0 keyvault [prefix]-kv-level0 as the following 3 values:
aadapp-caf-launchpad-level0-client-id
aadapp-caf-launchpad-level0-client-secret
aadapp-caf-launchpad-level0-tenant-id

launchpad-secret-prefix <- Currently missing from the scenerio 200.

With those 4 values above in the keyvault, it then allows the user to use the service principal going forward instead of a user account.

rover -lz /tf/caf/landingzones/caf_launchpad \
  -var-folder /tf/caf/configuration/${ENVIRONMENT}/level0/launchpad \
  -parallelism 30 \
  -level level0 \
  -env ${ENVIRONMENT} \
  -a apply \
 --impersonate

The code get's the ClientID and Secret, logs in as the service principal and apply terraform as that service principal.

The changes made in this pull request:

• Ensures that the subscription is set correctly for running under Service Principal.
• Ensures that either TF_VAR_logged_user_objectId or TF_VAR_logged_aad_app_objectId is correctly set instead of both as they are currently. This change is to help in fixing the issue logged_in_user for keyvault still gets applied when using MSI / Service Principal  terraform-azurerm-caf#541. This pull request on it's own will not fix the issue. As I need to submit pull requests for:
  • https://github.com/aztfmod/terraform-azurerm-caf - To only apply logged_in_user when using user account.
  • https://github.com/Azure/caf-terraform-landingzones - To update scenerio200 configuration/readme so this will work from start to finish.

[pmatthews05]

I see this has failed checks. Could someone advise what I need to do?

[LaurentLesle]

@pmatthews05 This is related to the security credentials the CI is using to test your PR (https://github.community/t/allow-secrets-to-be-shared-with-forks-from-trusted-actions/16525). I will merge it to an integration branch to fix this issue.

[arnaudlh]

Hi @pmatthews05 as discussed in in #218, we are replacing with --impersonate-from-keyvault in order to simplify operations.

[pmatthews05]

@arnaudlh thank you. Is there documentation on how to setup and use the --impersonate-from-keyvault?

[brk3]

@pmatthews05 I can document this if I remember :) In general its basically:

• Create a keyvault and service principal
• Add the sp-client-id, sp-client-secret and sp-tenant-id to the vault
• Then run:

rover --impersonate-sp-from-keyvault-url https://myvault.vault.azure.net