chore: upgrade azuread, move keyvault secret names outside of module

main.tf

@@ -6,7 +6,7 @@ terraform {
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "2.47.0"
+      version = "3.0.2"
     }
     dns = {
       source  = "hashicorp/dns"
@@ -48,11 +48,42 @@ locals {
 }
 
 module "keyvault" {
-  source   = "./modules/keyvault"
-  env_name = "prod"
-
+  source                  = "./modules/keyvault"
+  env_name                = "prod"
   resource_group_name     = module.common.resource_group_name
   resource_group_location = local.resource_group_location
+  keyvault_secrets = [
+    "digitransit-subscription-key",
+    "ilmo-auth-jwt-secret",
+    "ilmo-edit-token-secret",
+    "ilmo-mailgun-api-key",
+    "ilmo-mailgun-domain",
+    "invoice-mailgun-api-key",
+    "tikjob-ghost-mail-username",
+    "tikjob-ghost-mail-password",
+    "tenttiarkisto-django-secret-key",
+    "github-app-key",
+    "google-oauth-client-id",
+    "google-oauth-client-secret",
+    "muistinnollaus-smtp-email",
+    "muistinnollaus-smtp-password",
+    "muistinnollaus-strapi-token",
+    "muistinnollaus-paytrail-merchant-id",
+    "muistinnollaus-paytrail-secret-key",
+    "mongodb-atlas-public-key",
+    "mongodb-atlas-private-key",
+    "github-challenge-value",
+    "mailgun-sender",
+    "mailgun-receiver",
+    "mailgun-api-key",
+    "mailgun-domain",
+    "mailgun-url",
+    "tikjob-tg-bot-token",
+    "tikjob-tg-ghost-hook-secret",
+    "vaultwarden-api-key",
+    "vaultwarden-smtp-username",
+    "vaultwarden-smtp-password",
+  ]
 }
 
 module "dns_prod" {
@@ -372,3 +403,10 @@ module "vaultwarden" {
 #   muistinnollaus_paytrail_merchant_id = module.keyvault.muistinnollaus_paytrail_merchant_id
 #   muistinnollaus_paytrail_secret_key  = module.keyvault.muistinnollaus_paytrail_secret_key
 # }
+module "github-ci-roles" {
+  source = "./modules/github-ci"
+  repo_app_service_map = {
+    "tietokilta/web" : [module.web.web_app_id, module.web.cms_app_id]
+    "tietokilta/laskugeneraattori" : [module.invoicing.invoicing_app_id]
+  }
+}

modules/invoicing/output.tf

@@ -1,3 +1,6 @@
 output "fqdn" {
   value = local.fqdn
 }
+output "invoicing_app_id" {
+  value = azurerm_linux_web_app.invoice_generator.id
+}

modules/keyvault/main.tf

@@ -21,7 +21,7 @@ data "azuread_service_principal" "CI_service_principal" {
 resource "azurerm_key_vault_access_policy" "CI" {
   key_vault_id = azurerm_key_vault.keyvault.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
-  object_id    = data.azuread_service_principal.CI_service_principal.id
+  object_id    = data.azuread_service_principal.CI_service_principal.object_id
 
   key_permissions = [
     "Get",
@@ -48,7 +48,7 @@ resource "azuread_group" "admin" {
 resource "azurerm_key_vault_access_policy" "admin" {
   key_vault_id = azurerm_key_vault.keyvault.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
-  object_id    = azuread_group.admin.id
+  object_id    = azuread_group.admin.object_id
 
   key_permissions = [
     "List",
@@ -66,43 +66,11 @@ resource "azurerm_key_vault_access_policy" "admin" {
 }
 
 locals {
-  keyvault_secrets = [
-    "digitransit-subscription-key",
-    "ilmo-auth-jwt-secret",
-    "ilmo-edit-token-secret",
-    "ilmo-mailgun-api-key",
-    "ilmo-mailgun-domain",
-    "invoice-mailgun-api-key",
-    "tikjob-ghost-mail-username",
-    "tikjob-ghost-mail-password",
-    "tenttiarkisto-django-secret-key",
-    "github-app-key",
-    "google-oauth-client-id",
-    "google-oauth-client-secret",
-    "muistinnollaus-smtp-email",
-    "muistinnollaus-smtp-password",
-    "muistinnollaus-strapi-token",
-    "muistinnollaus-paytrail-merchant-id",
-    "muistinnollaus-paytrail-secret-key",
-    "mongodb-atlas-public-key",
-    "mongodb-atlas-private-key",
-    "github-challenge-value",
-    "mailgun-sender",
-    "mailgun-receiver",
-    "mailgun-api-key",
-    "mailgun-domain",
-    "mailgun-url",
-    "tikjob-tg-bot-token",
-    "tikjob-tg-ghost-hook-secret",
-    "vaultwarden-api-key",
-    "vaultwarden-smtp-username",
-    "vaultwarden-smtp-password",
-  ]
 }
 
 
 data "azurerm_key_vault_secret" "secret" {
-  for_each     = toset(local.keyvault_secrets)
+  for_each     = toset(var.keyvault_secrets)
   name         = each.value
   key_vault_id = azurerm_key_vault.keyvault.id
 }

modules/keyvault/output.tf

@@ -4,7 +4,7 @@ output "keyvault_id" {
 
 output "secrets" {
   value = {
-    for s in local.keyvault_secrets : s => data.azurerm_key_vault_secret.secret[s].value
+    for s in var.keyvault_secrets : s => data.azurerm_key_vault_secret.secret[s].value
   }
   sensitive = true
 }

modules/keyvault/variables.tf

@@ -9,3 +9,7 @@ variable "resource_group_name" {
 variable "resource_group_location" {
   type = string
 }
+variable "keyvault_secrets" {
+  type        = list(string)
+  description = "list of secrets that are expected to be present in the keyvault."
+}

modules/web/outputs.tf

@@ -4,4 +4,10 @@ output "fqdn" {
 output "payload_password" {
   value     = random_password.payload_password.result
   sensitive = true
-}
+}
+output "web_app_id" {
+  value = azurerm_linux_web_app.web.id
+}
+output "cms_app_id" {
+  value = azurerm_linux_web_app.cms.id
+}