tiiuae · alextserepov · Oct 23, 2024 · Sep 25, 2024 · Sep 25, 2024 · Sep 25, 2024
diff --git a/terraform/jenkins-controller.tf b/terraform/jenkins-controller.tf
@@ -161,6 +161,26 @@ resource "azurerm_key_vault_access_policy" "ssh_remote_build_jenkins_controller"
   ]
 }
 
+# Grant the Jenkins Controller VM's system-assigned managed identity access to the Key Vault
+resource "azurerm_key_vault_access_policy" "jenkins_controller_kv_access" {
+  key_vault_id = data.azurerm_key_vault.ghaf_devenv_ca.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.jenkins_controller_vm.virtual_machine_identity_principal_id
+
+  key_permissions = [
+    "Get",
+    "List",
+    "Sign",
+    "Verify",
+  ]
+
+  certificate_permissions = [
+    "Get",
+    "List",
+  ]
+}
+
+
 # Allow the VM to *write* to (and read from) the binary cache bucket
 resource "azurerm_role_assignment" "jenkins_controller_access_storage" {
   scope                = data.azurerm_storage_container.binary_cache_1.resource_manager_id

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -305,6 +305,12 @@ data "azurerm_key_vault_secret" "binary_cache_signing_key" {
   provider     = azurerm
 }
 
+# Reference the existing Key Vault
+data "azurerm_key_vault" "ghaf_devenv_ca" {
+  name                = "ghaf-devenv-ca"
+  resource_group_name = "ghaf-devenev-pki"
+}
+
 # Data sources to access 'workspace-specific persistent' data
 # see: ./persistent/workspace-specific