Azure DevOps entra federated identity & CKV_AZURE_249: "Ensure Azure GitHub Actions OIDC trust policy is configured securely" #7021
Labels
checks
Check additions or changes
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the issue
I'm creating an entra azuread_application_federated_identity_credential via Terraform for use by Azure DevOps and showing up as an issue.
I don't thing I'm doing anything wrong so it feels like a bug, particularly as I'm setting up for ADO usage not GitHub.
Examples
resource "azuread_application_federated_identity_credential" "azuredevops" {
display_name = "deployments_via_azuredevops"
application_id = azuread_application.entra_sp_azuredevops.id
audiences = ["api://AzureADTokenExchange"]
issuer = azuredevops_serviceendpoint_azurerm.workload_identity_federation.workload_identity_federation_issuer
subject = azuredevops_serviceendpoint_azurerm.workload_identity_federation.workload_identity_federation_subject
}
Version (please complete the following information):
Additional context
Check: CKV_AZURE_249: "Ensure Azure GitHub Actions OIDC trust policy is configured securely"
FAILED for resource: azuread_application_federated_identity_credential.azuredevops
File: \entra_id.tf:32-40
32 | resource "azuread_application_federated_identity_credential" "azuredevops" {
33 | display_name = "deployments_via_azuredevops"
34 | application_id = azuread_application.entra_sp_azuredevops.id
35 | audiences = ["api://AzureADTokenExchange"]
36 | issuer = azuredevops_serviceendpoint_azurerm.workload_identity_federation.workload_identity_federation_issuer
37 | subject = azuredevops_serviceendpoint_azurerm.workload_identity_federation.workload_identity_federation_subject
48 | }
The text was updated successfully, but these errors were encountered: