# Setup Federation for Azure

This module provisions the identity resources in Azure that Kosmos needs to authenticate via OIDC and create AKS clusters. It includes:

- A Service Principal and an extra application for Kosmos to use in AKS cluster creation.
- Roles and Role Assignments granting the service principal the permissions necessary for AKS cluster creation.
- An OIDC Provider Entry for Kosmos authentication.
## Variables

### Required Variables

| Variable | Description |
|---|---|
| `resource_group_name` | Name of the Azure resource group where the AKS cluster will be created. |
| `fleet_name` | Name of the Kosmos fleet where the AKS cluster will be registered. |
| `subscription_id` | Azure subscription ID where the AKS cluster will be deployed. Must match the specified resource group. |
| `oidc_provider_uri` | OIDC issuer URI from Kosmos (e.g., `https://console.kosmos.spcplatform.com/kosmos-oidc`). |
| `managed_identity_location` | Location where the managed identity will be created, e.g. `Korea Central`. |
## Outputs

| Output Variable | Description |
|---|---|
| `client_id` | Client ID of the Managed Identity created, used by Kosmos to authenticate against Azure for role assumption. |
## Example Usage

### Create a New OIDC Provider Entry

```hcl
module "kosmos-identity-oidc-azure" {
  source                    = "../kosmos-azure-credentials-module"
  resource_group_name       = "<Resource-Group-Name>"
  fleet_name                = "<Sample-Fleet-Name>"
  subscription_id           = "<Subscription-ID-Containing-Above-Resource-Group>"
  oidc_provider_uri         = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  managed_identity_location = "Korea Central"
}
```
### Use HTTPS to Load Module from S3 (for Existing OIDC Provider Entry)

- Since the bucket is publicly accessible only from the specific Office Network, you can fetch the module over HTTPS without providing any credentials.
- If you want to use S3 directly, the bucket name is `srin-s3-terraform-modules` in the `ap-southeast-1` region, and the module is uploaded as a `.tar.gz` archive; please check here for more info.
- It should look like this:

```hcl
source = "s3::https://s3.ap-southeast-1.amazonaws.com/srin-s3-terraform-modules/kosmos-azure-identity-v1.0.0.tar.gz"
```

Please ensure that you have access to the S3 bucket contents and authenticate to AWS if using S3 as the module source (the same way you authenticate to the AWS CLI, via environment variables or the `.aws/` directory contents).
```hcl
module "kosmos-identity-oidc-azure" {
  source                    = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/kosmos-azure-identity-v1.0.0.tar.gz"
  resource_group_name       = "<resource group name>"
  fleet_name                = "sample-fleet-name"
  subscription_id           = "<subscription id containing above resource group>"
  oidc_provider_uri         = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  managed_identity_location = "Korea Central"
}
```
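A pre-apply sanity check for the module call shown above, added here as an example and not part of the module itself. It assumes the federated credential Azure creates from `oidc_provider_uri` must match the `iss` claim in Kosmos tokens exactly (a trailing slash or `http` scheme breaks the trust), so it compares the configured URI against a constructed sample of the issuer's discovery document and validates the other required variables.

```python
import json
import re
import uuid

REQUIRED_VARS = ("resource_group_name", "fleet_name", "subscription_id",
                 "oidc_provider_uri", "managed_identity_location")

# Constructed sample: the README's module call with concrete placeholder values.
SAMPLE_MODULE_CALL = """
module "kosmos-identity-oidc-azure" {
  source                    = "../kosmos-azure-credentials-module"
  resource_group_name       = "rg-kosmos-demo"
  fleet_name                = "sample-fleet-name"
  subscription_id           = "11111111-2222-3333-4444-555555555555"
  oidc_provider_uri         = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  managed_identity_location = "Korea Central"
}
"""

# Constructed sample of what the issuer would serve at
# <oidc_provider_uri>/.well-known/openid-configuration (assumed shape).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://console.kosmos.spcplatform.com/kosmos-oidc",
    "jwks_uri": "https://console.kosmos.spcplatform.com/kosmos-oidc/keys",
})


def parse_module_args(hcl: str) -> dict:
    """Collect `key = "value"` string arguments from one module block (simple regex, not a full HCL parser)."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', hcl, re.M))


def check_federation_config(hcl: str, discovery_json: str) -> list:
    """Return a list of problems; an empty list means the module call is consistent."""
    args = parse_module_args(hcl)
    problems = [f"missing required variable: {name}" for name in REQUIRED_VARS if not args.get(name)]
    try:
        uuid.UUID(args.get("subscription_id", ""))
    except ValueError:
        problems.append("subscription_id is not a valid GUID")
    issuer = args.get("oidc_provider_uri", "")
    if not issuer.startswith("https://"):
        problems.append("oidc_provider_uri must use https")
    # Azure compares the federated credential's issuer with the token's `iss` claim as an
    # exact string, so the advertised issuer must equal oidc_provider_uri character for character.
    if json.loads(discovery_json).get("issuer") != issuer:
        problems.append("oidc_provider_uri does not match the issuer in the discovery document")
    return problems
```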
## Download Resources

For complete examples and the latest updates, refer to:

## Setup Federation Using CLI

For instructions on setting up federation using the CLI, please refer to the AKS Create and Import documentation.