Refactor RabbitMQ app registration to be reusable (generic App Regist…

…raion) Signed-off-by: Jakub Adamus <jakub.adamus@vivantis.cz>
kedacore · Jun 15, 2023 · 4fee06d · 4fee06d
1 parent e8da2f7
commit 4fee06d
Show file tree

Hide file tree

Showing 7 changed files with 120 additions and 110 deletions.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -203,10 +203,19 @@ module "azure_storage_account" {
 }
 
 module "azure_rabbitmq_app_registration" {
-  source              = "./modules/azure/rabbitmq-app-registration"
+  source              = "./modules/azure/app-registration"
   unique_project_name = var.unique_project_name
+  application_purpose = "rabbitmq-oauth"
+  # list of roles to create in application - see https://www.rabbitmq.com/oauth2.html#scope-and-tags
+  app_roles = {
+    management = "rabbitmq.tag:management"
+    administrator = "rabbitmq.tag:administrator"
+    read_all = "rabbitmq.read:*/*/*"
+    write_all = "rabbitmq.write:*/*/*"
+    configure_all = "rabbitmq.configure:*/*/*"
+  }
 
-  rabbitmq_access_identities = [
+  access_identities = [
     module.azuread_applications.identity_1,
     module.azuread_applications.identity_2
   ]
@@ -325,10 +334,6 @@ module "github_secrets" {
     {
       name = "TF_AZURE_RABBIT_API_APPLICATION_ID"
       value = module.azure_rabbitmq_app_registration.application_id
-    },
-    {
-      name = "TF_AZURE_RABBIT_API_APPLICATION_SCOPE_NAME"
-      value = module.azure_rabbitmq_app_registration.application_scope_name
-    },
+    }
   ]
 }
diff --git a/terraform/modules/azure/app-registration/main.tf b/terraform/modules/azure/app-registration/main.tf
@@ -0,0 +1,78 @@
+terraform {
+  required_providers {
+    azuread = {
+      source = "hashicorp/azuread"
+    }
+  }
+}
+
+locals {
+  application_name        = "${var.unique_project_name}-${var.application_purpose}"
+  application_identifier = "api://${local.application_name}"
+}
+
+resource "random_uuid" "app_roles" {
+  for_each = var.app_roles
+}
+
+resource "random_uuid" "app_scope" {}
+
+resource "azuread_application" "oauth2_api" {
+
+  display_name = "${local.application_name} OAuth2 API tokens app ${var.application_purpose}"
+
+  api {
+    mapped_claims_enabled          = true
+    requested_access_token_version = 2
+
+    oauth2_permission_scope {
+      id                         = random_uuid.app_scope.id
+      admin_consent_description  = "Dummy text for dummy application"
+      admin_consent_display_name = "Dummy text for dummy application"
+      enabled                    = true
+      type                       = "User"
+      user_consent_description   = "Dummy text for dummy application"
+      user_consent_display_name  = "Dummy text for dummy application"
+      value                      = "access"
+    }
+  }
+
+  identifier_uris = [local.application_identifier]
+
+  dynamic "app_role" {
+    for_each = var.app_roles
+    content {
+      id                   = random_uuid.app_roles[app_role.key].id
+      allowed_member_types = ["User", "Application"]
+      value                = app_role.value
+      display_name         = app_role.key
+      description          = app_role.key
+      enabled              = true
+    }
+  }
+}
+
+resource "azuread_service_principal" "oauth2_api" {
+  application_id = azuread_application.oauth2_api.application_id
+  use_existing = true
+}
+
+locals {
+  # assign each role to each identity requested
+  roles_to_principals = flatten([
+    for role,_ in var.app_roles : [
+      for identity in var.access_identities : {
+        role_uuid_key = random_uuid.app_roles[role].id
+        principal_id = identity.principal_id
+      }
+    ]
+  ])
+}
+
+resource "azuread_app_role_assignment" "oauth2_api_access" {
+  count = length(local.roles_to_principals)
+
+  app_role_id         = local.roles_to_principals[count.index].role_uuid_key
+  principal_object_id = local.roles_to_principals[count.index].principal_id
+  resource_object_id  = azuread_service_principal.oauth2_api.object_id
+}
diff --git a/terraform/modules/azure/app-registration/outputs.tf b/terraform/modules/azure/app-registration/outputs.tf
@@ -0,0 +1,11 @@
+output "application_id" {
+  value = azuread_application.oauth2_api.application_id
+}
+
+output "application_scope_id" {
+  value = random_uuid.app_scope.id
+}
+
+output "application_identifier_uri" {
+  value = local.application_identifier
+}
diff --git a/terraform/modules/azure/app-registration/vars.tf b/terraform/modules/azure/app-registration/vars.tf
@@ -0,0 +1,19 @@
+variable "unique_project_name" {
+  type        = string
+  description = "Value to make unique every resource name generated"
+}
+
+variable "application_purpose" {
+  type        = string
+  description = "Value to create app name / app identifier from"
+}
+
+variable "app_roles" {
+  type        = map(string)
+  description = "Role names of application"
+}
+
+variable "access_identities" {
+  type        = list(any)
+  description = "Identities with access to this application (all roles)"
+}
diff --git a/terraform/modules/azure/rabbitmq-app-registration/main.tf b/terraform/modules/azure/rabbitmq-app-registration/main.tf
diff --git a/terraform/modules/azure/rabbitmq-app-registration/outputs.tf b/terraform/modules/azure/rabbitmq-app-registration/outputs.tf
diff --git a/terraform/modules/azure/rabbitmq-app-registration/vars.tf b/terraform/modules/azure/rabbitmq-app-registration/vars.tf