diff --git a/cli/src/providers/azure/APIProxy.py b/cli/src/providers/azure/APIProxy.py
index f8fc3f0768..7d71c98e8b 100644
--- a/cli/src/providers/azure/APIProxy.py
+++ b/cli/src/providers/azure/APIProxy.py
@@ -71,8 +71,8 @@ def get_ips_for_feature(self, component_key):
         return result
 
     def login(self, env=None):
-        # From the 4 methods terraform provides to login to
-        # Azure we support (https://www.terraform.io/docs/providers/azurerm/auth/azure_cli.html):
+        # https://learn.microsoft.com/en-us/azure/developer/terraform/authenticate-to-azure
+        # We support:
         # - Authenticating to Azure using the Azure CLI
         # - Authenticating to Azure using a Service Principal and a Client Secret
         if not self.cluster_model.specification.cloud.use_service_principal:
@@ -83,10 +83,13 @@ def login(self, env=None):
         # Service principal
         sp_file = os.path.join(get_terraform_path(self.cluster_model.specification.name), SP_FILE_NAME)
         if os.path.exists(sp_file):
-            self.logger.info('Using service principal from file')
+            self.logger.info('Using service principal from sp.yml file')
             sp = load_yaml_file(sp_file)
+        elif hasattr(self.cluster_model.specification.cloud, 'service_principal'):
+            self.logger.info('Using service principal from cloud section in the cluster configuration file')
+            sp = self.cluster_model.specification.cloud.service_principal
         else:
-            raise Exception(f'No service principal defined: "{sp_file}"')
+            raise Exception(f'No service principal defined in the cloud section of the cluster configuration file or in an sp.yml file.')
 
         # Login as SP and get the default subscription.
         subscription = self.login_sp(sp)
diff --git a/docs/home/howto/CLUSTER.md b/docs/home/howto/CLUSTER.md
index 7623606256..150420b8d4 100644
--- a/docs/home/howto/CLUSTER.md
+++ b/docs/home/howto/CLUSTER.md
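Review bot: The new `elif hasattr(self.cluster_model.specification.cloud, 'service_principal')` branch fires on mere presence of the key, while the same commit adds a `service_principal` block filled with `xxxx` placeholder values to the Azure defaults; if those defaults are merged into the cluster model (not visible in this hunk), the `else: raise` branch can no longer be reached and the placeholder `password` is handed to `login_sp`, turning a clear configuration error into an opaque Azure authentication failure. Consider testing the section's contents rather than its existence, e.g. `sp = getattr(self.cluster_model.specification.cloud, 'service_principal', None)` and then branching only when `tenant`, `appId` and `password` are set and differ from the template placeholders (attribute access assumed, as for the parent `cloud` object), or drop the block from the defaults so that absence keeps its meaning. The `f` prefix on the new `raise Exception(f'No service principal defined ...')` is unnecessary now that the string has no placeholders. `login` continues past the end of this hunk.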
@@ -410,13 +410,22 @@ To set up the cluster do the following steps from the provisioning machine: region: West Europe subscription_name: Subscribtion_name use_service_principal: false + service_principal: + appId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx" + displayName: "app-name" + name: "http://app-name" + password: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx" + tenant: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx" + subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx" use_public_ips: false default_os_image: default ``` The [region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) lets you chose the most optimal place to deploy your cluster. The `subscription_name` is the Azure subscription under which you want to deploy the cluster. - Terraform will ask you to sign in to your Microsoft Azure subscription when it prepares to build/modify/destroy the infrastructure on `azure`. In case you need to share cluster management with other people you can set the `use_service_principal` tag to true. Then before you run `epicli apply -f yourcluster.yml` create the following folder structure from the path you are running Epicli: + Terraform will ask you to sign in to your Microsoft Azure subscription when it prepares to build/modify/destroy the infrastructure on `azure`. In case you need to share cluster management with other people you can use a service principal with he proper premissions created before hand. To use a service principal set the `use_service_principal` tag to true and fill the service principal details in the `service_principal` section of the `cloud` configuration. + + Alternatively you can specicify a `sp.yml` file before you run `epicli apply -f yourcluster.yml`. To use this method create the following folder structure from the path you are running Epicli: ```shell /path/to/build_dir/clustername/terraform 
diff --git a/schema/azure/defaults/epiphany-cluster.yml b/schema/azure/defaults/epiphany-cluster.yml
index c066f29f0a..a5740930c1 100644
--- a/schema/azure/defaults/epiphany-cluster.yml
+++ b/schema/azure/defaults/epiphany-cluster.yml
@@ -15,6 +15,13 @@ specification:
     vnet_address_pool: 10.1.0.0/20
     use_public_ips: False # When not using public IPs you have to provide connectivity via private IPs (VPN)
     use_service_principal: False
+    service_principal: # todo change it to get service principal credentials from vault
+      appId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
+      displayName: "app-name"
+      name: "http://app-name"
+      password: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
+      tenant: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
+      subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
     region: West Europe
     network:
       use_network_security_groups: True
diff --git a/schema/common/validation/epiphany-cluster.yml b/schema/common/validation/epiphany-cluster.yml
index 793bf8c76e..1a5467e90c 100644
--- a/schema/common/validation/epiphany-cluster.yml
+++ b/schema/common/validation/epiphany-cluster.yml
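Review bot: Shipping a fully populated `service_principal` block with `xxxx` placeholders in the defaults means every Azure cluster definition inherits a `password` key that looks like a credential, and code that only checks for the section's presence cannot tell the template apart from real settings. Leaving the block out of the defaults (it is already documented as an example in CLUSTER.md in this commit) or commenting it out keeps absence meaningful, and the validation schema's `required` list would then only apply when a user actually supplies the section. The `# todo change it to get service principal credentials from vault` note should carry an owner or issue reference, since until then the client secret lives in plaintext in the cluster definition and whatever copies of it end up in the build directory.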
@@ -63,10 +63,49 @@ properties:
           use_service_principal:
             "$id": "#/properties/specification/properties/cloud/properties/use_service_principal"
             type: boolean
-            title: The Use_service_principal Schema
+            title: The use_service_principal Schema
             default: false
             examples:
               - false
+          service_principal:
+            "$id": "#/properties/specification/properties/cloud/properties/service_principal"
+            type: object
+            title: The Azure service principal Schema
+            required:
+              - tenant
+              - appId
+              - password
+            properties:
+              appId:
+                "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/appId"
+                type: string
+                title: The Azure service principal application ID
+                pattern: "^[^\\s]*$"
+              displayName:
+                "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/displayName"
+                type: string
+                title: The Azure service principal display name
+                pattern: "^[^\\s]*$"
+              name:
+                "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/name"
+                type: string
+                title: The Azure service principal name
+                pattern: "^[^\\s]*$"
+              password:
+                "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/password"
+                type: string
+                title: The Azure service principal password
+                pattern: "^[^\\s]*$"
+              tenant:
+                "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/tenant"
+                type: string
+                title: The Azure service principal tenant
+                pattern: "^[^\\s]*$"
+              subscriptionId:
+                "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/subscriptionId"
+                type: string
+                title: The Azure service principal subscription Id
+                pattern: "^[^\\s]*$"
           region:
             "$id": "#/properties/specification/properties/cloud/properties/region"
             type: string
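Review bot: The `$id` values of the six new `service_principal` properties point at `.../cloud/properties/credentials/properties/<name>`, the path of the AWS `credentials` object, rather than `.../cloud/properties/service_principal/properties/<name>`; for example `appId` should read `"$id": "#/properties/specification/properties/cloud/properties/service_principal/properties/appId"`. This looks like a copy of the credentials block; it may not break validation with the current validator, but it makes `$ref` resolution and validation error paths misleading. Separately, `pattern: "^[^\\s]*$"` accepts the empty string, so a `required` field set to `""` still passes; adding `minLength: 1` to `tenant`, `appId` and `password` would at least reject empty values, and would do nothing against the `xxxx` defaults, which need to be handled on the loading side.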
@@ -78,7 +117,7 @@ properties:
           credentials:
             "$id": "#/properties/specification/properties/cloud/properties/credentials"
             type: object
-            title: The Credentials Schema
+            title: The AWS Credentials Schema
             required:
               - access_key_id
               - secret_access_key
@@ -86,17 +125,17 @@ properties:
               access_key_id:
                 "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/access_key_id"
                 type: string
-                title: The Key Id Schema
+                title: The AWS Key Id Schema
                 pattern: "^(.*)$"
               secret_access_key:
                 "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/secret_access_key"
                 type: string
-                title: The Secret Schema
+                title: The AWS Secret Schema
                 pattern: "^(.*)$"
               session_token:
                 "$id": "#/properties/specification/properties/cloud/properties/credentials/properties/session_token"
                 type: string
-                title: The session token
+                title: The AWS session token
                 description: "Session token cannot contain whitespaces"
                 pattern: "^[^\\s]*$"
           network: