camptocamp · lentidas · Apr 17, 2024 · Apr 12, 2024 · Apr 17, 2024
@@ -42,12 +42,12 @@ The following providers are used by this module:
 
 - [[provider_null]] <<provider_null,null>> (>= 3)
 
+- [[provider_argocd]] <<provider_argocd,argocd>> (>= 5)
+
 - [[provider_kubernetes]] <<provider_kubernetes,kubernetes>> (>= 2)
 
 - [[provider_utils]] <<provider_utils,utils>> (>= 1)
 
-- [[provider_argocd]] <<provider_argocd,argocd>> (>= 5)
-
 === Resources
 
 The following resources are used by this module:
@@ -120,7 +120,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v10.0.0"`
+Default: `"v10.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -425,7 +425,7 @@ Description: The admin password for Grafana.
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v10.0.0"`
+|`"v10.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>

@@ -17,6 +17,8 @@ The following requirements are needed by this module:
 
 The following providers are used by this module:
 
+- [[provider_null]] <<provider_null,null>> (>= 3)
+
 - [[provider_azurerm]] <<provider_azurerm,azurerm>>
 
 === Modules
@@ -33,9 +35,11 @@ Version:
 
 The following resources are used by this module:
 
-- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment[azurerm_role_assignment.contributor] (resource)
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential[azurerm_federated_identity_credential.prometheus] (resource)
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment[azurerm_role_assignment.storage_contributor] (resource)
 - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity[azurerm_user_assigned_identity.prometheus] (resource)
-- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node] (data source)
+- https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] (resource)
+- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node_resource_group] (data source)
 - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_container[azurerm_storage_container.container] (data source)
 
 === Required Inputs
@@ -66,10 +70,11 @@ Type:
 [source,hcl]
 ----
 object({
-    container                     = string
-    storage_account               = string
-    managed_identity_node_rg_name = optional(string, null)
-    storage_account_key           = optional(string, null)
+    container                        = string
+    storage_account                  = string
+    managed_identity_node_rg_name    = optional(string, null)
+    managed_identity_oidc_issuer_url = optional(string, null)
+    storage_account_key              = optional(string, null)
   })
 ----
 
@@ -113,7 +118,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v10.0.0"`
+Default: `"v10.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -345,6 +350,7 @@ Description: The admin password for Grafana.
 [cols="a,a",options="header,autowidth"]
 |===
 |Name |Version
+|[[provider_null]] <<provider_null,null>> |>= 3
 |[[provider_azurerm]] <<provider_azurerm,azurerm>> |n/a
 |===
 
@@ -361,9 +367,11 @@ Description: The admin password for Grafana.
 [cols="a,a",options="header,autowidth"]
 |===
 |Name |Type
-|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment[azurerm_role_assignment.contributor] |resource
+|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential[azurerm_federated_identity_credential.prometheus] |resource
+|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment[azurerm_role_assignment.storage_contributor] |resource
 |https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity[azurerm_user_assigned_identity.prometheus] |resource
-|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node] |data source
+|https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] |resource
+|https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group[azurerm_resource_group.node_resource_group] |data source
 |https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_container[azurerm_storage_container.container] |data source
 |===
 
@@ -379,10 +387,11 @@ Description: The admin password for Grafana.
 [source]
 ----
 object({
-    container                     = string
-    storage_account               = string
-    managed_identity_node_rg_name = optional(string, null)
-    storage_account_key           = optional(string, null)
+    container                        = string
+    storage_account                  = string
+    managed_identity_node_rg_name    = optional(string, null)
+    managed_identity_oidc_issuer_url = optional(string, null)
+    storage_account_key              = optional(string, null)
   })
 ----
 
@@ -428,7 +437,7 @@ object({
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v10.0.0"`
+|`"v10.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>

@@ -1,15 +1,21 @@
 variable "metrics_storage" {
   description = "Azure Blob Storage configuration for metric archival."
   type = object({
-    container                     = string
-    storage_account               = string
-    managed_identity_node_rg_name = optional(string, null)
-    storage_account_key           = optional(string, null)
+    container                        = string
+    storage_account                  = string
+    managed_identity_node_rg_name    = optional(string, null)
+    managed_identity_oidc_issuer_url = optional(string, null)
+    storage_account_key              = optional(string, null)
   })
 
   validation {
-    condition     = try((var.metrics_storage.managed_identity_node_rg_name == null) != (var.metrics_storage.storage_account_key == null), true)
-    error_message = "You must set one (and only one) of these attributes: managed_identity_node_rg_name, storage_account_key."
+    condition     = try((var.metrics_storage.managed_identity_node_rg_name == null && var.metrics_storage.managed_identity_oidc_issuer_url == null) != (var.metrics_storage.storage_account_key == null), true)
+    error_message = "You can either set the variables for the managed identity or use storage account key, not both at the same time."
+  }
+
+  validation {
+    condition     = try((var.metrics_storage.managed_identity_node_rg_name == null) == (var.metrics_storage.managed_identity_oidc_issuer_url == null), true)
+    error_message = "When using the managed identity, both `managed_identity_node_rg_name` and `managed_identity_oidc_issuer_url` are required."
   }
 
   default = null

@@ -4,34 +4,32 @@ locals {
   metrics_storage = var.metrics_storage == null ? null : {
     storage_config = {
       type = "AZURE"
-      config = merge(
-        {
-          container       = var.metrics_storage.container
-          storage_account = var.metrics_storage.storage_account
-        },
-        local.use_managed_identity ? null : {
-          storage_account_key = var.metrics_storage.storage_account_key
+      config = merge({
+        container       = var.metrics_storage.container
+        storage_account = var.metrics_storage.storage_account
+        }, local.use_managed_identity ? null : {
+        storage_account_key = var.metrics_storage.storage_account_key
         }
       )
     }
   }
 
   helm_values = [{
     kube-prometheus-stack = {
-      prometheus = {
-        prometheusSpec = merge(local.use_managed_identity ? {
+      prometheus = local.use_managed_identity ? {
+        serviceAccount = {
+          annotations = {
+            "azure.workload.identity/client-id" = resource.azurerm_user_assigned_identity.prometheus[0].client_id
+          }
+        }
+        prometheusSpec = {
           podMetadata = {
             labels = {
-              aadpodidbinding = "prometheus"
+              "azure.workload.identity/use" = "true"
             }
           }
-        } : null, {})
-      }
-    }
-    }, local.use_managed_identity ? {
-    azureIdentity = {
-      resourceID = azurerm_user_assigned_identity.prometheus[0].id
-      clientID   = azurerm_user_assigned_identity.prometheus[0].client_id
+        }
+      } : null
     }
-  } : null]
+  }]
 }
@@ -1,32 +1,57 @@
-data "azurerm_resource_group" "node" {
+# This null_resource is required otherwise Terraform would try to read the resource group data and/or the storage 
+# account even if they were not created yet. 
+resource "null_resource" "dependencies" {
+  triggers = var.dependency_ids
+}
+
+data "azurerm_resource_group" "node_resource_group" {
   count = local.use_managed_identity ? 1 : 0
 
   name = var.metrics_storage.managed_identity_node_rg_name
+
+  depends_on = [
+    resource.null_resource.dependencies
+  ]
 }
 
 data "azurerm_storage_container" "container" {
   count = local.use_managed_identity ? 1 : 0
 
   name                 = var.metrics_storage.container
   storage_account_name = var.metrics_storage.storage_account
+
+  depends_on = [
+    resource.null_resource.dependencies
+  ]
 }
 
 resource "azurerm_user_assigned_identity" "prometheus" {
   count = local.use_managed_identity ? 1 : 0
 
-  resource_group_name = data.azurerm_resource_group.node[0].name
-  location            = data.azurerm_resource_group.node[0].location
   name                = "prometheus"
+  resource_group_name = data.azurerm_resource_group.node_resource_group[0].name
+  location            = data.azurerm_resource_group.node_resource_group[0].location
 }
 
-resource "azurerm_role_assignment" "contributor" {
+resource "azurerm_role_assignment" "storage_contributor" {
   count = local.use_managed_identity ? 1 : 0
 
   scope                = data.azurerm_storage_container.container[0].resource_manager_id
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = azurerm_user_assigned_identity.prometheus[0].principal_id
 }
 
+resource "azurerm_federated_identity_credential" "prometheus" {
+  count = local.use_managed_identity ? 1 : 0
+
+  name                = "prometheus"
+  resource_group_name = data.azurerm_resource_group.node_resource_group[0].name
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = var.metrics_storage.managed_identity_oidc_issuer_url
+  parent_id           = azurerm_user_assigned_identity.prometheus[0].id
+  subject             = "system:serviceaccount:kube-prometheus-stack:kube-prometheus-stack-prometheus"
+}
+
 module "kube-prometheus-stack" {
   source = "../"
 

@@ -97,7 +97,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v10.0.0"`
+Default: `"v10.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -392,7 +392,7 @@ object({
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v10.0.0"`
+|`"v10.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>

@@ -99,7 +99,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v10.0.0"`
+Default: `"v10.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -396,7 +396,7 @@ object({
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v10.0.0"`
+|`"v10.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>

@@ -240,7 +240,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v10.0.0"`
+Default: `"v10.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -542,7 +542,7 @@ object({
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v10.0.0"`
+|`"v10.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>