Updated Actions Workflow

nullchimp · nullchimp · commit 8ea55f0b4610 · 2025-05-18T20:05:06.000+02:00
diff --git a/.github/workflows/deploy-azure.yml b/.github/workflows/deploy-azure.yml
@@ -42,7 +42,9 @@ jobs:
           terraform plan -var="environment=${{ env.ENVIRONMENT }}" \
             -var="memgraph_username=${{ secrets.MEMGRAPH_USERNAME }}" \
             -var="memgraph_password=${{ secrets.MEMGRAPH_PASSWORD }}" \
-            -var="subscription_id=${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+            -var="subscription_id=${{ secrets.AZURE_SUBSCRIPTION_ID }}" \
+            -var="tenant_id=${{ secrets.AZURE_TENANT_ID }}" \
+            -var="object_id=${{ secrets.AZURE_SP_OBJECT_ID }}"
       
       - name: Terraform Apply
         run: |
@@ -51,7 +53,9 @@ jobs:
             -var="environment=${{ env.ENVIRONMENT }}" \
             -var="memgraph_username=${{ secrets.MEMGRAPH_USERNAME }}" \
             -var="memgraph_password=${{ secrets.MEMGRAPH_PASSWORD }}" \
-            -var="subscription_id=${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+            -var="subscription_id=${{ secrets.AZURE_SUBSCRIPTION_ID }}" \
+            -var="tenant_id=${{ secrets.AZURE_TENANT_ID }}" \
+            -var="object_id=${{ secrets.AZURE_SP_OBJECT_ID }}"
       
       - name: Get AKS Credentials
         run: |
diff --git a/infra/azure/main.tf b/infra/azure/main.tf
@@ -17,6 +17,17 @@ resource "azurerm_key_vault" "ai_agent" {
   sku_name            = "standard"
   
   purge_protection_enabled = true
+
+  access_policy {
+    tenant_id = var.tenant_id
+    object_id = var.object_id
+
+    secret_permissions = [
+      "get",
+      "list",
+      "set",
+    ]
+  }
 }
 
 # Add secrets to Key Vault
diff --git a/infra/azure/variables.tf b/infra/azure/variables.tf
@@ -19,4 +19,14 @@ variable "memgraph_password" {
 variable "subscription_id" {
   description = "The Azure subscription ID"
   type        = string
+}
+
+variable "tenant_id" {
+  description = "The Azure tenant ID"
+  type        = string
+}
+
+variable "object_id" {
+  description = "The object ID of the service principal"
+  type        = string
 }
diff --git a/scripts/get_service_principal_objectid.sh b/scripts/get_service_principal_objectid.sh
@@ -0,0 +1,37 @@
+#!/bin/zsh
+
+# This script gets the object ID of a service principal by its display name or app ID
+# Usage: ./get_service_principal_objectid.sh <service-principal-name-or-id>
+
+# Check if required parameter is provided
+if [ $# -lt 1 ]; then
+    echo "Error: Missing required parameter."
+    echo "Usage: $0 <service-principal-name-or-id>"
+    echo ""
+    echo "Provide either the display name or app ID of your service principal."
+    echo "You can list all service principals with: az ad sp list --all --query \"[].{name:displayName, appId:appId}\" -o table"
+    exit 1
+fi
+
+SP_IDENTIFIER="ai-agent-github"
+
+# First try finding by display name
+echo "Searching for service principal with display name '$SP_IDENTIFIER'..."
+OBJECT_ID=$(az ad sp list --display-name "$SP_IDENTIFIER" --query "[0].id" -o tsv)
+
+# If not found by display name, try as an app ID
+if [ -z "$OBJECT_ID" ]; then
+    echo "Not found by display name, trying as app ID..."
+    OBJECT_ID=$(az ad sp show --id "$SP_IDENTIFIER" --query "id" -o tsv 2>/dev/null)
+fi
+
+if [ -z "$OBJECT_ID" ]; then
+    echo "No service principal found with the provided identifier."
+    echo "List all service principals with: az ad sp list --all --query \"[].{name:displayName, appId:appId}\" -o table"
+    exit 1
+else
+    echo "Service Principal Object ID: $OBJECT_ID"
+    echo ""
+    echo "You can use this Object ID in your Terraform variables or Azure Key Vault access policies."
+    echo "For Terraform, add it to your variables file as: object_id = \"$OBJECT_ID\""
+fi
