Merge pull request #1295 from robgil-dds/testing-k8s-iam

k8s IAM changes for keyvault access

terraform/README.md

@@ -24,6 +24,7 @@ Requirements:
 - Python pip
 - Python virtualenv # FIXME: Switch to `pipenv`
 - [azure cli](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
+- [powershell](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-6) See below
 
 # tfenv
 `tfenv` will allow you to install TF versions. For example.
@@ -39,6 +40,17 @@ To select a version to use
 tfenv use 0.12.18
 ```
 
+# Powershell
+Some things you need to use powershell. Specifically getting client profiles for the VPN.
+
+## Install powershell on Linux
+Powershell on recent versions of Ubuntu is available through snap.
+
+For Ubuntu 19.10
+```
+snap install powershell --classic
+```
+
 # Running Terraform
 First, you'll need to log in to Azure. With the Azure CLI installed, you can run the following.
 
@@ -82,3 +94,23 @@ terraform plan -target=module.vpc
 ```
 
 In the above example, this will only run a plan (plan/apply/destroy) on the specific module. This can be a module, or resource. You can get a list of module and resources by running `terraform show`.
+
+# VPN Setup
+[Configure OpenVPN clients for Azure VPN Gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients#before-you-begin)
+[About P2S VPN client profiles](https://docs.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download)
+[Configure a VPN client for P2S OpenVPN protocol connections: Azure AD authentication (Preview)](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client)
+[Create an Azure Active Directory tenant for P2S OpenVPN protocol connections](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant)
+
+The docs above should help with client configuration. The last doc (Create an Azure Active Directory..) is necessary to run the command to add the VPN app for AD.
+
+Copied here for convenience. Just enter this in your browser.
+```
+# For Public Azure - Government has a different URL, see doc above
+https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
+```
+
+## Adding a client
+TODO
+
+## Downloading a client profile
+TODO

terraform/modules/keyvault/main.tf

@@ -23,7 +23,7 @@ resource "azurerm_key_vault_access_policy" "keyvault" {
   key_vault_id = azurerm_key_vault.keyvault.id
 
   tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
-  object_id = "2ca63d41-d058-4e06-aef6-eb517a53b631"
+  object_id = "ca8cfc48-9995-4973-a8cc-6c7f755e84de"
 
   key_permissions = [
     "get",

terraform/modules/managed_identity/main.tf

@@ -9,3 +9,12 @@ resource "azurerm_user_assigned_identity" "identity" {
 
   name = "${var.name}-${var.environment}-${var.identity}"
 }
+
+data "azurerm_subscription" "primary" {}
+
+resource "azurerm_role_assignment" "roles" {
+  count                = length(var.roles)
+  scope                = data.azurerm_subscription.primary.id
+  role_definition_name = var.roles[count.index]
+  principal_id         = azurerm_user_assigned_identity.identity.principal_id
+}

terraform/modules/managed_identity/outputs.tf

@@ -0,0 +1,11 @@
+output "id" {
+  value = azurerm_user_assigned_identity.identity.id
+}
+
+output "principal_id" {
+  value = azurerm_user_assigned_identity.identity.principal_id
+}
+
+output "client_id" {
+  value = azurerm_user_assigned_identity.identity.client_id
+}

terraform/modules/managed_identity/variables.tf

@@ -22,3 +22,8 @@ variable "identity" {
   type        = string
   description = "Name of the managed identity to create"
 }
+
+variable "roles" {
+  type        = list
+  description = "List of roles by name"
+}

terraform/providers/dev/identities.tf

@@ -5,4 +5,6 @@ module "keyvault_reader_identity" {
   environment = var.environment
   region      = var.region
   identity    = "${var.name}-${var.environment}-vault-reader"
+  roles       = ["Reader", "Managed Identity Operator"]
+
 }