feat(odic): fix issues and disable azure for now

jshiwamV · jshiwamV · commit ae87474c6951 · 2025-11-03T22:25:59.000+05:30
diff --git a/.github/setup/azure/main.tf b/.github/setup/azure/main.tf
@@ -3,6 +3,19 @@
 #
 # Note: Token lifetime is controlled by Azure AD's default policy (60 minutes).
 # To extend token lifetime, you would need to create a TokenLifetimePolicy using accessTokenLifeTime.sh script after applying this terraform configuration
+
+# TODO: Fix Azure federated identity credential for merge queue authentication
+#       - Add environment-based credential or specific merge queue subject pattern
+#       - Subject pattern needed: repo:MaterializeInc/materialize-terraform-self-managed:environment:production
+#       - Or alternative: repo:MaterializeInc/materialize-terraform-self-managed:merge_group(verify if this works, if it does then prefer this)
+
+# TODO: After permissions issue is fixed:
+#       1. Test terraform configuration and apply federated identity credential changes
+#       2. Update Azure workflow to use environment-based authentication (add environment: production to job)
+#       3. Re-enable merge_group trigger in .github/workflows/test-azure.yml
+#       4. Validate merge queue authentication works with new federated identity credential
+
+# TODO: Investigate and resolve Azure permissions issues preventing terraform apply
 resource "azuread_application" "github_actions" {
   display_name = "mz-self-managed-github-actions"
   description  = "Application for GitHub Actions CI/CD with OIDC authentication"
diff --git a/.github/setup/gcp/backend.tf b/.github/setup/gcp/backend.tf
@@ -4,6 +4,7 @@ terraform {
     key     = "github-setup/oidc/gcp/terraform.tfstate"
     region  = "us-east-1"
     encrypt = true
+    profile = "materialize-admin"
     # profile = "" # Add your profile name here since backend block doesn't accept variables
   }
 }
diff --git a/.github/setup/gcp/main.tf b/.github/setup/gcp/main.tf
@@ -30,12 +30,13 @@ resource "google_iam_workload_identity_pool_provider" "github_actions" {
 
   # Attribute mapping from GitHub OIDC token to GCP attributes
   attribute_mapping = {
-    "google.subject"             = "assertion.sub"
+    "google.subject"             = "assertion.repository + \":\" + assertion.run_id"
     "attribute.actor"            = "assertion.actor"
     "attribute.repository"       = "assertion.repository"
     "attribute.repository_owner" = "assertion.repository_owner"
     "attribute.ref"              = "assertion.ref"
     "attribute.workflow"         = "assertion.workflow"
+    "attribute.run_id"           = "assertion.run_id"
   }
 
   # Security: Only allow tokens from MaterializeInc organization
diff --git a/.github/workflows/test-azure.yml b/.github/workflows/test-azure.yml
@@ -1,31 +1,30 @@
 name: Azure Tests
 
 on:
-  # Primary trigger: GitHub merge queue with smart path filtering
-  merge_group:
-    paths-ignore:
-      - "**" # Ignore all paths - effectively disables this workflow remove this to enabled the workflow once perms issue is fixed
-      # Exclude other cloud providers
-      - "aws/**"
-      - "gcp/**"
-      - "test/aws/**"
-      - "test/gcp/**"
-      # Exclude setup files from other cloud providers
-      - ".github/setup/aws/**"
-      - ".github/setup/gcp/**"
-      # Exclude examples
-      - "azure/examples/**"
-      # Exclude documentation and config
-      - "**.md"
-      - "**.env"
-      - ".gitignore"
-      - "LICENSE"
-      # Exclude AWS/GCP specific workflows
-      - ".github/workflows/test-aws*.yml"
-      - ".github/workflows/test-gcp*.yml"
-      - ".github/scripts/**"
+  # DISABLED: Primary trigger commented out until Azure permissions and federated identity issues are resolved
+  # merge_group:
+  #   paths-ignore:
+  #     # Exclude other cloud providers
+  #     - "aws/**"
+  #     - "gcp/**"
+  #     - "test/aws/**"
+  #     - "test/gcp/**"
+  #     # Exclude setup files from other cloud providers
+  #     - ".github/setup/aws/**"
+  #     - ".github/setup/gcp/**"
+  #     # Exclude examples
+  #     - "azure/examples/**"
+  #     # Exclude documentation and config
+  #     - "**.md"
+  #     - "**.env"
+  #     - ".gitignore"
+  #     - "LICENSE"
+  #     # Exclude AWS/GCP specific workflows
+  #     - ".github/workflows/test-aws*.yml"
+  #     - ".github/workflows/test-gcp*.yml"
+  #     - ".github/scripts/**"
 
-  # Manual trigger: For testing and debugging purposes
+  # Manual trigger: For testing and debugging purposes (ONLY trigger until issues are resolved)
   workflow_dispatch:
     inputs:
       test_stage:

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ terraform {`
`4`	`4`	`key = "github-setup/oidc/gcp/terraform.tfstate"`
`5`	`5`	`region = "us-east-1"`
`6`	`6`	`encrypt = true`
	`7`	`+ profile = "materialize-admin"`
`7`	`8`	`# profile = "" # Add your profile name here since backend block doesn't accept variables`
`8`	`9`	`}`
`9`	`10`	`}`