From 1c096442f4c7c19604d9a7285d97a032668c08ac Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Tue, 12 Nov 2024 16:22:08 +0100
Subject: [PATCH] fixup! wip: basic test for peerpods don't create app
---
 infra/azure-peerpods/main.tf | 35 +++++------------------------------
 1 file changed, 5 insertions(+), 30 deletions(-)
diff --git a/infra/azure-peerpods/main.tf b/infra/azure-peerpods/main.tf
index 2256e0711e..e9dab20242 100644
--- a/infra/azure-peerpods/main.tf
+++ b/infra/azure-peerpods/main.tf
@@ -40,45 +40,20 @@ data "azurerm_resource_group" "rg" {
 name = "${var.resource_group}"
 }
 
-resource "azuread_application" "app" {
- display_name = local.name
- owners = [data.azuread_client_config.current.object_id]
-}
-
-resource "azuread_service_principal" "sp" {
- client_id = azuread_application.app.client_id
- app_role_assignment_required = false
- owners = [data.azuread_client_config.current.object_id]
-}
-
-resource "azurerm_role_assignment" "ra_vm_contributor" {
- scope = data.azurerm_resource_group.rg.id
- role_definition_name = "Virtual Machine Contributor"
- principal_id = azuread_service_principal.sp.object_id
-}
-
-resource "azurerm_role_assignment" "ra_reader" {
- scope = data.azurerm_resource_group.rg.id
- role_definition_name = "Reader"
- principal_id = azuread_service_principal.sp.object_id
-}
-
-resource "azurerm_role_assignment" "ra_network_contributor" {
- scope = data.azurerm_resource_group.rg.id
- role_definition_name = "Network Contributor"
- principal_id = azuread_service_principal.sp.object_id
+data "azuread_application" "app" {
+ display_name = "contrast-peerpod-ci"
 }
 
 resource "azuread_application_federated_identity_credential" "federated_credentials" {
 display_name = local.name
- application_id = azuread_application.app.id
+ application_id = data.azuread_application.app.id
 issuer = azurerm_kubernetes_cluster.cluster.oidc_issuer_url
 subject = "system:serviceaccount:confidential-containers-system:cloud-api-adaptor"
 audiences = ["api://AzureADTokenExchange"]
 }
 
 resource "azuread_application_password" "cred" {
- application_id = azuread_application.app.id
+ application_id = data.azuread_application.app.id
 }
 
 resource "azurerm_virtual_network" "main" {
@@ -149,7 +124,7 @@ metadata:
 name: cloud-api-adaptor
 namespace: confidential-containers-system
 annotations:
- azure.workload.identity/client-id: ${azuread_application.app.client_id}
+ azure.workload.identity/client-id: ${data.azuread_application.app.client_id}
 EOF
 }
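Review bot: The new `data "azuread_application" "app"` block resolves the pre-existing CI application by `display_name = "contrast-peerpod-ci"`, but display names are not unique in Entra ID, so the lookup is only as trustworthy as the tenant's control over who may register applications: a second app with that name makes the read fail, and a substituted one could end up receiving the federated credential and the client secret minted further down in the hunk. Pin the lookup to the application's immutable identity instead, e.g. `client_id = var.peerpod_ci_app_client_id` (or `object_id`), and keep the display name out of the lookup. The remaining `azuread_application_password.cred` now mints a client secret against a shared, externally managed app; with the workload-identity federated credential in place it is worth confirming that secret is still needed, since the provider appears to keep its value in Terraform state. The role assignments dropped here (Virtual Machine Contributor, Network Contributor, Reader) are now managed outside this module, so a comment on the data block such as `# Pre-provisioned CI app; its role assignments are managed outside this module.` would tell the next reader where those permissions live.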