Removing ACR credentials from variables #45

allantargino · 2020-09-04T14:58:27Z

PR #33 introduced Azure Key Vault and Service Connections as a way to remove secrets from group variables in AzDO. This heavily increases security - but the setup also becomes more complicated, given the additional infrastructure requirements that Key Vault introduces. The service connection already all the information we needed to store the service principal credentials, while we were mainly using Key Vault to store ACR credentials.

Main changes:

This PR removes the dependency of keeping ACR credentials by leveraging data.azurerm_container_registry provider to get credentials at runtime - allowing us to remove Key Vault.
It has a new step to setup Terraform credentials, extracting all necessary values from the service connection.

Breaking/variables changes:

Renaming TF_VAR_JMETER_IMAGE_REGISTRY_NAME to TF_VAR_JMETER_ACR_NAME
Renaming TF_VAR_SERVICE_CONNECTION_NAME to AZURE_SERVICE_CONNECTION_NAME
Introducing AZURE_SUBSCRIPTION_ID
Introducing TF_VAR_JMETER_ACR_RESOURCE_GROUP_NAME
Removing TF_VAR_JMETER_IMAGE_REGISTRY_USERNAME
Removing TF_VAR_JMETER_IMAGE_REGISTRY_PASSWORD

TF_VAR_* variables are directly used by the terraform template, while AZURE_* are used only by the pipelines.

Other changes:

Downloading and installing terraform binary during the pipeline. The current version (v.0.13.1) on AzDO managed agents has a bug that affects us (panic: not a collection type (regression between 13.1 and 13.0) hashicorp/terraform#26011)
Upgrading azurerm provider (fix Upgrade azurerm provider version to 2.26.0 #44)
Documentation setup improvements. Everything is automated and doesn't require any copy and paste steps.

allantargino · 2020-09-04T14:59:53Z

cc/ @hepsi204
Please let me know if you have comments or suggestions 👍

fedeoliv · 2020-09-04T16:04:24Z

@allantargino this approach is great! Getting the credentials at runtime reduces a lot the complexity of managing and configuring Key Vault. LGTM 👍

hepsi204 · 2020-09-04T16:36:30Z

I have to say, this approach is really great and much cleaner than maintaining a key vault. Nice work. 🙂

allantargino · 2020-09-04T16:51:59Z

Thanks @fernandoBRS!
Also thanks @hepsi204, this is just building on top of your great work :)

allantargino added 7 commits September 3, 2020 14:14

updating README.md

50ce7bb

removing keyvault references

d9434fe

updating docs

81e70b5

authorizing service connection

ff352d5

updates on wording

5f2e65b

installing custom terraform version

9fd6d08

installing custom terraform version

d3d707a

allantargino requested a review from fedeoliv September 4, 2020 14:58

allantargino mentioned this pull request Sep 4, 2020

Updated Azure CLI commands #36

Closed

updating docs

02122bb

fedeoliv mentioned this pull request Sep 4, 2020

Updating Docker pipeline to trigger from main branch #41

Merged

fedeoliv previously approved these changes Sep 4, 2020

View reviewed changes

merging with main

a8ab938

allantargino dismissed fedeoliv’s stale review via a8ab938 September 4, 2020 16:54

allantargino requested a review from fedeoliv September 4, 2020 16:55

fedeoliv approved these changes Sep 4, 2020

View reviewed changes

allantargino merged commit 27ccfde into main Sep 4, 2020

allantargino deleted the allantargino/acr-data branch January 6, 2021 15:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Removing ACR credentials from variables #45

Removing ACR credentials from variables #45

allantargino commented Sep 4, 2020

allantargino commented Sep 4, 2020

fedeoliv commented Sep 4, 2020

hepsi204 commented Sep 4, 2020

allantargino commented Sep 4, 2020

Removing ACR credentials from variables #45

Removing ACR credentials from variables #45

Conversation

allantargino commented Sep 4, 2020

allantargino commented Sep 4, 2020

fedeoliv commented Sep 4, 2020

hepsi204 commented Sep 4, 2020

allantargino commented Sep 4, 2020