onboarding with workload identity authentication (#126)

* onboarding with workload identity authentication

* tests

* run tests in PR

* fix mock data in tests

---------

Co-authored-by: Furkhat Kasymov Genii Uulu <furkhat@cast.ai>
Co-authored-by: Valentyna Bukhalova <valentyna@cast.ai>

Author: 3 people

.github/workflows/test.yaml

@@ -0,0 +1,34 @@
+name: Run Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+jobs:
+  tofu_test:
+    strategy:
+      matrix:
+        version: ["1.10", latest]
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up OpenTofu
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: ${{ matrix.version }}
+
+      - name: Print tofu version
+        run: tofu version
+
+      - name: OpenTofu init
+        run: tofu init || tofu init -upgrade
+
+      - name: Run OpenTofu tests
+        run: tofu test -verbose

iam.tf

@@ -1,6 +1,13 @@
 locals {
-  role_name = "CastAKSRole-${var.aks_cluster_name}-tf"
-  app_name  = substr("CAST AI ${var.aks_cluster_name}-${var.resource_group}", 0, 64)
+  role_name               = "CastAKSRole-${var.aks_cluster_name}-tf"
+  app_name                = substr("CAST AI ${var.aks_cluster_name}-${var.resource_group}", 0, 64)
+  federated_identity_name = substr("castai-${var.aks_cluster_name}-${var.resource_group}", 0, 64)
+}
+
+data "azurerm_kubernetes_cluster" "castai" {
+  count               = var.authentication_method == "workload_identity" ? 1 : 0
+  name                = var.aks_cluster_name
+  resource_group_name = var.resource_group
 }
 
 // Azure RM
@@ -60,22 +67,22 @@ resource "azurerm_role_definition" "castai" {
 }
 
 resource "azurerm_role_assignment" "castai_resource_group" {
-  principal_id       = azuread_service_principal.castai.object_id
+  principal_id       = var.authentication_method == "client_secret" ? azuread_service_principal.castai[0].object_id : azurerm_user_assigned_identity.this[0].principal_id
   role_definition_id = azurerm_role_definition.castai.role_definition_resource_id
   description        = "castai role assignment for resource group ${var.resource_group}"
   scope              = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group}"
 }
 
 resource "azurerm_role_assignment" "castai_node_resource_group" {
-  principal_id       = azuread_service_principal.castai.object_id
+  principal_id       = var.authentication_method == "client_secret" ? azuread_service_principal.castai[0].object_id : azurerm_user_assigned_identity.this[0].principal_id
   role_definition_id = azurerm_role_definition.castai.role_definition_resource_id
   description        = "castai role assignment for resource group ${var.aks_cluster_name}"
   scope              = "/subscriptions/${var.subscription_id}/resourceGroups/${var.node_resource_group}"
 }
 
 resource "azurerm_role_assignment" "castai_additional_resource_groups" {
   for_each           = toset(var.additional_resource_groups)
-  principal_id       = azuread_service_principal.castai.object_id
+  principal_id       = var.authentication_method == "client_secret" ? azuread_service_principal.castai[0].object_id : azurerm_user_assigned_identity.this[0].principal_id
   description        = "castai role assignment for resource group ${each.key}"
   role_definition_id = azurerm_role_definition.castai.role_definition_resource_id
   scope              = each.key
@@ -86,16 +93,58 @@ resource "azurerm_role_assignment" "castai_additional_resource_groups" {
 data "azuread_client_config" "current" {}
 
 resource "azuread_application" "castai" {
+  count        = var.authentication_method == "client_secret" ? 1 : 0
   display_name = local.app_name
   owners       = (var.azuread_owners == null ? [data.azuread_client_config.current.object_id] : var.azuread_owners)
 }
 
 resource "azuread_application_password" "castai" {
-  application_id = azuread_application.castai.id
+  count          = var.authentication_method == "client_secret" ? 1 : 0
+  application_id = azuread_application.castai[0].id
 }
 
 resource "azuread_service_principal" "castai" {
-  client_id                    = azuread_application.castai.client_id
+  count                        = var.authentication_method == "client_secret" ? 1 : 0
+  client_id                    = azuread_application.castai[0].client_id
   app_role_assignment_required = false
   owners                       = (var.azuread_owners == null ? [data.azuread_client_config.current.object_id] : var.azuread_owners)
 }
+
+# State migration for existing users upgrading to authentication_method variable
+moved {
+  from = azuread_application.castai
+  to   = azuread_application.castai[0]
+}
+
+moved {
+  from = azuread_application_password.castai
+  to   = azuread_application_password.castai[0]
+}
+
+moved {
+  from = azuread_service_principal.castai
+  to   = azuread_service_principal.castai[0]
+}
+
+// Workload Identity
+
+data "castai_impersonation_service_account" "this" {
+  count = var.authentication_method == "workload_identity" ? 1 : 0
+}
+
+resource "azurerm_user_assigned_identity" "this" {
+  count               = var.authentication_method == "workload_identity" ? 1 : 0
+  name                = "${var.aks_cluster_name}-castai-identity"
+  resource_group_name = var.resource_group
+  location            = data.azurerm_kubernetes_cluster.castai[0].location
+}
+
+resource "azurerm_federated_identity_credential" "this" {
+  count               = var.authentication_method == "workload_identity" ? 1 : 0
+  name                = local.federated_identity_name
+  resource_group_name = var.resource_group
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = "https://accounts.google.com"
+  parent_id           = azurerm_user_assigned_identity.this[0].id
+  subject             = data.castai_impersonation_service_account.this[0].id
+}

main.tf

@@ -9,8 +9,9 @@ resource "castai_aks_cluster" "castai_cluster" {
   region          = var.aks_cluster_region
   subscription_id = var.subscription_id
   tenant_id       = var.tenant_id
-  client_id       = azuread_application.castai.client_id
-  client_secret   = azuread_application_password.castai.value
+  client_id       = var.authentication_method == "client_secret" ? azuread_application.castai[0].client_id : azurerm_user_assigned_identity.this[0].client_id
+  client_secret   = var.authentication_method == "client_secret" ? azuread_application_password.castai[0].value : null
+  federation_id   = var.authentication_method == "workload_identity" ? azurerm_user_assigned_identity.this[0].principal_id : null
 
   node_resource_group        = var.node_resource_group
   delete_nodes_on_disconnect = var.delete_nodes_on_disconnect
@@ -35,7 +36,9 @@ resource "castai_aks_cluster" "castai_cluster" {
     azurerm_role_assignment.castai_additional_resource_groups,
     azuread_application.castai,
     azuread_application_password.castai,
-    azuread_service_principal.castai
+    azuread_service_principal.castai,
+    azurerm_user_assigned_identity.this,
+    azurerm_federated_identity_credential.this
   ]
 }
 

tests/authentication_client_secret.tftest.hcl

@@ -0,0 +1,148 @@
+mock_provider "azurerm" {
+  mock_data "azurerm_kubernetes_cluster" {
+    defaults = {
+      location = "eastus"
+      fqdn     = "test-cluster.eastus.azmk8s.io"
+      network_profile = [{
+        pod_cidr           = "10.244.0.0/16"
+        service_cidr       = "10.0.0.0/16"
+        dns_service_ip     = "10.0.0.10"
+        docker_bridge_cidr = "172.17.0.1/16"
+        load_balancer_sku  = "standard"
+        network_plugin     = "azure"
+        network_policy     = "azure"
+      }]
+    }
+  }
+}
+
+mock_provider "azuread" {
+  mock_data "azuread_client_config" {
+    defaults = {
+      object_id = "00000000-0000-0000-0000-000000000000"
+    }
+  }
+
+  mock_resource "azuread_application" {
+    defaults = {
+      client_id = "22222222-2222-2222-2222-222222222222"
+      id        = "/applications/22222222-2222-2222-2222-222222222222"
+      object_id = "33333333-3333-3333-3333-333333333333"
+    }
+  }
+
+  mock_resource "azuread_application_password" {
+    defaults = {
+      id    = "/applications/22222222-2222-2222-2222-222222222222/passwords/44444444-4444-4444-4444-444444444444"
+      value = "mock-password-value"
+    }
+  }
+
+  mock_resource "azuread_service_principal" {
+    defaults = {
+      id        = "/servicePrincipals/55555555-5555-5555-5555-555555555555"
+      object_id = "55555555-5555-5555-5555-555555555555"
+    }
+  }
+}
+
+mock_provider "castai" {
+  mock_resource "castai_aks_cluster" {
+    defaults = {
+      id = "88888888-8888-8888-8888-888888888888"
+    }
+  }
+
+  mock_resource "castai_node_configuration" {
+    defaults = {
+      id = "99999999-9999-9999-9999-999999999999"
+    }
+  }
+
+  mock_data "castai_impersonation_service_account" {
+    defaults = {
+      id = "system:serviceaccount:castai-agent:castai-agent"
+    }
+  }
+}
+
+mock_provider "helm" {}
+mock_provider "null" {}
+
+variables {
+  aks_cluster_name    = "test-cluster"
+  aks_cluster_region  = "eastus"
+  subscription_id     = "00000000-0000-0000-0000-000000000000"
+  tenant_id           = "11111111-1111-1111-1111-111111111111"
+  resource_group      = "test-rg"
+  node_resource_group = "test-node-rg"
+  castai_api_token    = "test-token-12345"
+  default_node_configuration = "default"
+  node_configurations = {
+    default = {
+      name    = "default"
+      subnets = ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test-subnet"]
+    }
+  }
+}
+
+run "verify_default_authentication_method" {
+  command = plan
+
+  assert {
+    condition     = var.authentication_method == "client_secret"
+    error_message = "Default authentication_method should be 'client_secret'"
+  }
+}
+
+run "verify_client_secret_resources_created" {
+  command = plan
+
+  assert {
+    condition     = length([for r in azuread_application.castai : r]) == 1
+    error_message = "Azure AD application should be created for client_secret auth"
+  }
+
+  assert {
+    condition     = length([for r in azuread_application_password.castai : r]) == 1
+    error_message = "Azure AD application password should be created for client_secret auth"
+  }
+
+  assert {
+    condition     = length([for r in azuread_service_principal.castai : r]) == 1
+    error_message = "Azure AD service principal should be created for client_secret auth"
+  }
+}
+
+run "verify_workload_identity_resources_not_created" {
+  command = plan
+
+  assert {
+    condition     = length([for r in azurerm_user_assigned_identity.this : r]) == 0
+    error_message = "Managed identity should NOT be created for client_secret auth"
+  }
+
+  assert {
+    condition     = length([for r in azurerm_federated_identity_credential.this : r]) == 0
+    error_message = "Federated identity credential should NOT be created for client_secret auth"
+  }
+
+  assert {
+    condition     = length([for r in data.azurerm_kubernetes_cluster.castai : r]) == 0
+    error_message = "AKS cluster data source should NOT be queried for client_secret auth"
+  }
+
+  assert {
+    condition     = length([for r in data.castai_impersonation_service_account.this : r]) == 0
+    error_message = "CAST AI impersonation service account should NOT be queried for client_secret auth"
+  }
+}
+
+run "verify_cluster_configuration_client_secret" {
+  command = plan
+
+  assert {
+    condition     = castai_aks_cluster.castai_cluster.federation_id == null
+    error_message = "federation_id should be null for client_secret auth"
+  }
+}