ResourceModules
[Feature Request]: Add Microsoft.RedHatOpenShift module
Description
Add ARO module.
This appears relatively straightforward (needs VNET with 2 subnets, RG, etc.) with one exception - it needs a service principal & secret. I guess for that we could use the GitHub/ADO deployment principal? This may however be tricky regarding the secret.
Alternatively, we could have a deploymentScript create a service principal - but would then not only need custom logic to delete, but also the principal (managed identity) would need the permissions to create AAD objects in the first place.
@eriqua, any thoughts on this?
Just throwing some comments around:
Option 1 could become trickier once we move to OpenID Connect authentication (ref #1450) since at that point we'd remove the SP clientID from the secret list.
An additional alternative to option 2, maybe a mid-step until a better solution, could also be to still require some long-living dependencies for specific modules needing them (ARO module being the first one so far). In that case, a dedicated SP and a KV in which to store its clientID and secret, to be referenced by the module tests.
@AlexanderSehr @eriqua - Thoughts on this:
- Bicep PG has been talking about the ability for AAD Extensibility (this should provide us with a way of generating Service Principals and Permissions natively). Maybe this is something that could help us here.
- Although it is optional, many customers are using it with a pull secret. This is a particular secret tied to Red Hat container registries; we would need a way to create, validate and then remove the registry.
@AlexanderSehr @ChrisSidebotham @matebarabas what about porting this to AVM? If so, I'd avoid just moving it as is. This should rather be incorporated into the module proposal template.
In either case, I'd vouch for not losing this issue.