From 7dcf6c21285a990a5169ab931640790c7c6f9d4a Mon Sep 17 00:00:00 2001
From: peterdeme
Date: Fri, 13 Sep 2024 18:01:44 +0200
Subject: [PATCH] ci: fix env var interpolation
Signed-off-by: peterdeme
---
 .github/workflows/build_gcp_azure_manual.yml | 2 --
 .github/workflows/ci.yml | 7 +++++--
 azure.pkr.hcl | 16 ++++------------
 3 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build_gcp_azure_manual.yml b/.github/workflows/build_gcp_azure_manual.yml
index 6d9eee0..8746b90 100644
--- a/.github/workflows/build_gcp_azure_manual.yml
+++ b/.github/workflows/build_gcp_azure_manual.yml
@@ -23,8 +23,6 @@ jobs:
 PKR_VAR_client_id: "976e4a6e-c619-417e-9add-50e2d674e2db"
 PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
- PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
 PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
 PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
 PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4a3f584..29ab6c9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,8 +30,6 @@ jobs:
 PKR_VAR_client_id: "433d3ca3-1866-4dfa-b9bf-65d6c4391ec7"
 PKR_VAR_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- PKR_VAR_oidc_request_url: "${ACTIONS_ID_TOKEN_REQUEST_URL}"
- PKR_VAR_oidc_request_token: "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
 PKR_VAR_image_resource_group: rg-worker_images-public-westeurope
 PKR_VAR_packer_work_group: rg-worker_images_packer-public-westeurope
 PKR_VAR_gallery_resource_group: rg-worker_images-public-westeurope
@@ -44,6 +42,11 @@ jobs:
 - name: Check out the source code
 uses: actions/checkout@main
+ - name: Configure AWS credentials
+ run: |
+ echo $PKR_VAR_oidc_request_url
+ echo $PKR_VAR_oidc_request_token
+
 - name: Create account file for GCP
 if: matrix.cloud == 'gcp'
 run: |
diff --git a/azure.pkr.hcl b/azure.pkr.hcl
index 5e6d3e5..4d5e57d 100644
--- a/azure.pkr.hcl
+++ b/azure.pkr.hcl
@@ -12,16 +12,6 @@ variable "client_id" {
 default = ""
 }
-variable "oidc_request_url" {
- type = string
- default = ""
-}
-
-variable "oidc_request_token" {
- type = string
- default = ""
-}
-
 variable "subscription_id" {
 type = string
 }
@@ -105,8 +95,10 @@ source "azure-arm" "spacelift" {
 client_id = var.client_id
 subscription_id = var.subscription_id
 tenant_id = var.tenant_id
- oidc_request_url = var.oidc_request_url
- oidc_request_token = var.oidc_request_token
+ // We use OIDC to authenticate with Azure.
+ // GitHub Actions sets the "ACTIONS_ID_TOKEN_REQUEST_URL" and "ACTIONS_ID_TOKEN_REQUEST_TOKEN" environment variables automatically
+ // for all runs. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
+ // Packer under the hood can use those env variables without manually injecting them, so they know where to get the token from.
 managed_image_name = var.image_name
 managed_image_resource_group_name = var.image_resource_group
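Review bot: The new "Configure AWS credentials" step in ci.yml echoes `$PKR_VAR_oidc_request_url` and `$PKR_VAR_oidc_request_token`, but the same commit removes both variables from the job env in the preceding ci.yml hunk, so the step now prints two empty lines and reads as leftover debugging; its name also does not match what it does, since it touches no AWS credentials. The larger concern is that if either variable is ever set again, this step writes the Actions ID-token request token into the build log, and that value is a bearer credential for minting OIDC tokens that I would not rely on the runner to mask. I would drop the step entirely, or, if a diagnostic is wanted, print only whether the variable is present, e.g. `echo "oidc request url set: $([ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ] && echo yes || echo no)"`. Note that the comment added in azure.pkr.hcl now relies on the runner exporting ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN, which I believe only happens when the job has `id-token: write` permission; the permissions block is not in this diff, so please confirm it is set for both workflows.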