Terraform can be used to deploy any resource from a GitLab pipeline to Azure without storing any secrets in the pipeline.
OpenID Connect (OIDC) authentication is demonstrated in the GitLab project gitlab-azure-oidc-opentofu, which creates a resource group in one of the Azure subscriptions.
OIDC works well with Terraform; the demonstration runs OpenTofu through the OpenTofu CI/CD component that GitLab supports.
Every job that requires authentication sets the environment variable TF_VAR_oidc_token to the GitLab-issued ID token, which is how the OIDC token required by the Terraform code reaches it.
Global pipeline variables supply tenant_id, subscription_id, and client_id.
$AZURE_CLIENT_ID, $AZURE_TENANT_ID, and $AZURE_SUBSCRIPTION_ID are the GitLab CI/CD variables required for authentication.
$AZURE_CLIENT_ID is the identifier of the Service Principal created to authenticate the pipeline.
Federated Credentials must be created on the Service Principal so that the pipeline can authenticate as it without a shared secret.
The Federated Identity Credential is configured with Issuer: https://gitlab.com, Subject identifier: project_path:/:ref_type:branch:ref:, and Audience: https://gitlab.com; Azure accepts a token only when its iss, sub and aud claims match these values, so the subject identifier is what limits the Service Principal to one project and branch.
GitLab's official documentation on Azure AD Federated Identity Credentials and the GitLab OpenTofu component are useful resources for this implementation.
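The token handoff described above, as an added example (not the gitlab-azure-oidc-opentofu project's own code): a minimal Terraform configuration that reads the ID token and the three Azure identifiers from TF_VAR_ variables and authenticates the azurerm provider with use_oidc instead of a client secret. The variable names oidc_token, client_id, tenant_id and subscription_id, the resource group name and the location are assumptions; the pipeline side is assumed to request the ID token with GitLab's id_tokens keyword (aud: https://gitlab.com) and export it as TF_VAR_oidc_token.

```hcl
# Added example, not the project's code. Variable names are assumptions;
# the pipeline maps them through Terraform's TF_VAR_ prefix:
#   TF_VAR_oidc_token      <- GitLab ID token (id_tokens:, aud: https://gitlab.com)
#   TF_VAR_client_id       <- $AZURE_CLIENT_ID
#   TF_VAR_tenant_id       <- $AZURE_TENANT_ID
#   TF_VAR_subscription_id <- $AZURE_SUBSCRIPTION_ID

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.7" # OIDC (use_oidc / oidc_token) support starts here
    }
  }
}

variable "oidc_token" {
  description = "Short-lived GitLab ID token exchanged for Azure access; never a stored CI secret"
  type        = string
  sensitive   = true # keeps the token out of plan output and logs
}

variable "client_id" { type = string }       # Service Principal (application) ID
variable "tenant_id" { type = string }
variable "subscription_id" { type = string }

provider "azurerm" {
  features {}

  # Token exchange instead of a client secret: Azure validates the token's
  # iss/sub/aud claims against the Federated Identity Credential on the
  # Service Principal before issuing an access token.
  use_oidc        = true
  oidc_token      = var.oidc_token
  client_id       = var.client_id
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}

# The single resource the demonstration creates; name and region are constructed.
resource "azurerm_resource_group" "demo" {
  name     = "rg-gitlab-oidc-demo"
  location = "westeurope"
}
```

If the token's subject does not match the Federated Identity Credential (for example a job on a different branch), the provider fails at plan time with an Azure AD token-exchange error rather than reaching any resource.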