ci: fix env var interpolation

Signed-off-by: peterdeme <[email protected]>

.github/workflows/build_gcp_azure_manual.yml

@@ -23,8 +23,6 @@ jobs:
       PKR_VAR_client_id: "976e4a6e-c619-417e-9add-50e2d674e2db"
       PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
       PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
-      PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
       PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
       PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
       PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope

.github/workflows/ci.yml

@@ -30,8 +30,6 @@ jobs:
       PKR_VAR_client_id: "433d3ca3-1866-4dfa-b9bf-65d6c4391ec7"
       PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
       PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
-      PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
       PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
       PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
       PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope
@@ -44,6 +42,11 @@ jobs:
       - name: Check out the source code
         uses: actions/checkout@main
 
+      - name: Configure AWS credentials
+        run: |
+          echo $PKR_VAR_oidc_request_url
+          echo $PKR_VAR_oidc_request_token
+
       - name: Create account file for GCP
         if: matrix.cloud == 'gcp'
         run: |

azure.pkr.hcl

@@ -12,16 +12,6 @@ variable "client_id" {
   default = ""
 }
 
-variable "oidc_request_url" {
-  type    = string
-  default = ""
-}
-
-variable "oidc_request_token" {
-  type    = string
-  default = ""
-}
-
 variable "subscription_id" {
   type = string
 }
@@ -105,8 +95,10 @@ source "azure-arm" "spacelift" {
   client_id          = var.client_id
   subscription_id    = var.subscription_id
   tenant_id          = var.tenant_id
-  oidc_request_url   = var.oidc_request_url
-  oidc_request_token = var.oidc_request_token
+  // We use OIDC to authenticate with Azure.
+  // GitHub Actions sets the "ACTIONS_ID_TOKEN_REQUEST_URL" and "ACTIONS_ID_TOKEN_REQUEST_TOKEN" environment variables automatically
+  // for all runs. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
+  // Packer under the hood can use those env variables without manually injecting them, so they know where to get the token from.
 
   managed_image_name                = var.image_name
   managed_image_resource_group_name = var.image_resource_group