Adding support to dogfood for FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY (#30709)

- Adding `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` to dogfood - Adding creation of secret and secret version for `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY` value
2026-05-17 22:18:39 +00:00 · 2025-07-10 00:59:06 -04:00 · 2025-07-10 00:59:06 -04:00 · bc9c2b48ad
commit bc9c2b48ad
parent 005b90e832
3 changed files with 16 additions and 3 deletions
--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@ -37,6 +37,7 @@ env:
  TF_VAR_android_service_credentials: ${{ secrets.FLEET_DEV_ANDROID_SERVICE_CREDENTIALS }}
  TF_VAR_cloudfront_public_key: ${{ secrets.CLOUDFRONT_SIGNING_PUBLIC_KEY }}
  TF_VAR_cloudfront_private_key: ${{ secrets.CLOUDFRONT_SIGNING_PRIVATE_KEY }}
+  TF_VAR_entra_api_key: ${{ secrets.DOGFOOD_FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY }}

 permissions:
  id-token: write
--- a/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
@ -0,0 +1,10 @@
+variable "entra_api_key" {}
+
+resource "aws_secretsmanager_secret" "entra_conditional_access" {
+  name = "dogfood-entra-conditional-access"
+}
+
+resource "aws_secretsmanager_secret_version" "entra_api_key" {
+  secret_id     = aws_secretsmanager_secret.entra_conditional_access.id
+  secret_string = base64encode(var.entra_api_key)
+}
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@ -74,6 +74,8 @@ locals {
    FLEET_WEBHOOK_STATUS_URL        = var.webhook_url
    FLEET_WEBHOOK_RESULT_URL        = var.webhook_url
    FLEET_OSQUERY_RESULT_LOG_PLUGIN = var.webhook_url != "" ? "webhook" : ""
+    # Entra Conditional Access Proxy API Key
+    # FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY = aws_secretsmanager_secret.entra_conditional_access.arn
  }
  sentry_secrets = {
    FLEET_SENTRY_DSN = "${aws_secretsmanager_secret.sentry.arn}:FLEET_SENTRY_DSN::"
@ -165,9 +167,9 @@ module "main" {
    #   container_port   = 8080
    # }]
    software_installers = {
-      bucket_prefix  = "${local.customer}-software-installers-"
-      create_kms_key = true
-      kms_alias      = "${local.customer}-software-installers"
+      bucket_prefix                      = "${local.customer}-software-installers-"
+      create_kms_key                     = true
+      kms_alias                          = "${local.customer}-software-installers"
      enable_bucket_versioning           = true
      expire_noncurrent_versions         = true
      noncurrent_version_expiration_days = 30