Added azure to test CI

Author: RobinDuhan

.github/workflows/test.yml

@@ -5,7 +5,7 @@ on:
       JFROG_CREDENTIAL_PLUGIN_BINARY_URL:
         description: 'BINARY_URL (CI adds arch suffix automatically)'
         required: true
-        default: "https://releases.jfrog.io/artifactory/run/jfrog-credentials-provider/0.1.0-beta.1/jfrog-credential-provider-aws-linux"
+        default: "https://partnership.jfrog.io/artifactory/credential-provider-test/jfrog-credential-provider"
         type: string
       DISABLE_TERRAFORM_DESTROY:
         description: 'DISABLE_TERRAFORM_DESTROY'
@@ -42,6 +42,13 @@ jobs:
         run: |
           aws sts get-caller-identity
 
+      - name: Login to Azure with Federated Credentials
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_APP_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_APP_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_APP_SUBSCRIPTION_ID }}
+
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
@@ -50,9 +57,13 @@ jobs:
 
       - name: Initialise Terraform
         id: init
+        env:
+          AZURE_APP_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SUBSCRIPTION_ID }}
         run: |
           echo "" >> build/terraform.tfvars.aws
           echo "jfrog_credential_provider_binary_url=\"$JFROG_CREDENTIAL_PLUGIN_BINARY_URL\"" >> build/terraform.tfvars.aws
+          # for azure, it is not possible to avoid azure authentication check, even when azure is disabled
+          echo "azure_subscription_id=\"$AZURE_APP_SUBSCRIPTION_ID\"" >> build/terraform.tfvars.aws
           cp build/terraform.tfvars.aws terraform-ci/terraform.tfvars
           cd terraform-ci
           terraform init
@@ -78,7 +89,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: terraform-context-for-manual-cleanup
+          name: terraform-context-for-manual-cleanup-aws
           path: |
             terraform-ci/**/*.tf
             terraform-ci/jfrog/* 
@@ -97,8 +108,11 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+
+      - name: Install Azure CLI
+        uses: pietrobolcato/install-azure-cli-action@main
 
-      - name: 'Login to Azure with Federated Credentials'
+      - name: Login to Azure with Federated Credentials
         uses: azure/login@v1
         with:
           client-id: ${{ secrets.AZURE_APP_CLIENT_ID }}
@@ -113,17 +127,22 @@ jobs:
 
       - name: Initialise Terraform
         id: init
+        env:
+          AZURE_APP_SUBSCRIPTION_ID: ${{ secrets.AZURE_APP_SUBSCRIPTION_ID }}
         run: |
           echo "" >> build/terraform.tfvars.azure
           echo "jfrog_credential_provider_binary_url=\"$JFROG_CREDENTIAL_PLUGIN_BINARY_URL\"" >> build/terraform.tfvars.azure
+          echo "azure_subscription_id=\"$AZURE_APP_SUBSCRIPTION_ID\"" >> build/terraform.tfvars.azure
           cp build/terraform.tfvars.azure terraform-ci/terraform.tfvars
           cd terraform-ci
           terraform init
 
       - name: Run Azure Terraform CI
         id: apply
         run: |
+          # to avoid credentials check for aws
           cd terraform-ci
+          cat terraform.tfvars
           terraform apply -input=false -auto-approve
           terraform output -json > terraform_output.json
           echo "Terraform output: $(cat terraform_output.json)"
@@ -141,7 +160,7 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: terraform-context-for-manual-cleanup
+          name: terraform-context-for-manual-cleanup-azure
           path: |
             terraform-ci/**/*.tf
             terraform-ci/jfrog/* 

build/terraform.tfvars.azure

@@ -22,23 +22,21 @@ self_managed_eks_cluster = {
 
 jfrog_namespace = "jfrog"
 
-region = "ap-northeast-3"
-
 enable_aws = false
 
 enable_azure = true
 
-azure_subscription_id = "6a2a0854-0ddb-4c9d-ac3e-5348c205002c"
-
 azure_resource_group_name = "infra-robin-test"
 
 azure_location = "eastus"
 
 create_aks_cluster = true
 
-aks_cluster_name = "infra-robin-test-aks"
+aks_cluster_name = "jfrog-test-aks"
 
 azure_node_count = 3
 azure_node_vm_size = "Standard_D2pds_v5"
 azure_admin_username = "jfrog"
-azure_cluster_public_access_cidrs = ["52.9.243.19/32", "52.215.237.185/32", "13.127.185.21/32"]
+
+# time to live is very short for testing
+azure_cluster_public_access_cidrs = ["0.0.0.0/0"]

terraform-ci/azure_identity.tf

@@ -46,7 +46,5 @@ resource "azuread_application_federated_identity_credential" "federated_identity
   issuer         = "https://login.microsoftonline.com/${data.azuread_client_config.current[0].tenant_id}/v2.0"
   subject        = data.azurerm_kubernetes_cluster.k8s[0].kubelet_identity[0].object_id
 
-  lifecycle {
-    create_before_destroy = true
-  }
+  depends_on = [ azurerm_kubernetes_cluster.k8s, local.azure_app_id, data.azurerm_kubernetes_cluster.k8s[0] ]
 }

terraform-ci/eks_nodegroup.tf

@@ -29,7 +29,7 @@ module "eks" {
     addons = {
         aws-ebs-csi-driver = {
             most_recent = true
-            service_account_role_arn = module.ebs_csi_irsa_role[0].iam_role_arn
+            service_account_role_arn = module.ebs_csi_irsa_role[0].arn
         }
         vpc-cni = {
             most_recent = true
@@ -111,9 +111,9 @@ module "daemonset_test_ng" {
 
 module "ebs_csi_irsa_role" {
     count = var.enable_aws && var.create_eks_cluster ? 1 : 0
-    source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+    source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
 
-    role_name             = "ebs-csi-role-${local.cluster_name}-${var.region}"
+    name             = "ebs-csi-role-${local.cluster_name}-${var.region}"
     attach_ebs_csi_policy = true
 
     oidc_providers = {

terraform-ci/providers.tf

@@ -29,6 +29,15 @@ terraform {
 
 provider "aws" {
   region = var.region
+  skip_credentials_validation = true
+  skip_metadata_api_check = true
+  skip_region_validation = true
+  skip_requesting_account_id = true
+
+  # create a dynamic block to set the access_key, secret_key, and token if they are not null
+  access_key = var.enable_aws ? null : "foo"
+  secret_key = var.enable_aws ? null : "bar"
+  
 }
 
 provider "azurerm" {
@@ -42,4 +51,5 @@ provider "azurerm" {
   }
   subscription_id = var.azure_subscription_id
   resource_provider_registrations = "none"
+  
 }

terraform-module/providers.tf

@@ -17,4 +17,12 @@ terraform {
 provider "aws" {
   region = var.region
   skip_credentials_validation = true
+  skip_metadata_api_check = true
+  skip_region_validation = true
+  skip_requesting_account_id = true
+
+  # create a dynamic block to set the access_key, secret_key, and token if they are not null
+  access_key = var.enable_aws ? null : "foo"
+  secret_key = var.enable_aws ? null : "bar"
+  
 }