Skip to content

issues Search Results · language:Edge language:Python language:JavaScript language:Java language:JavaScript

Filter by

55.5M results  (714 ms)

55.5M results

dsl2022/enterprise-onboarding-project
CI Entra identity needs Application.ReadWrite.All (OwnedBy -> 403 creating SP/FIC)

Phase 3 apply 403 d: OwnedBy can create app registrations but not service principals/federated creds. Bumped to Application.ReadWrite.All (ADR-0011). Refs: #5
area:entra
bug
phase-3
  • dsl2022
  • Opened 
    31 minutes ago
  • #31

dsl2022/enterprise-onboarding-project
Admin consent (Global Admin) for Group.Read.All; verify SP holds the role

App-only Graph permission needs tenant admin consent; verified the SP appRoleAssignment before declaring Flow 2 ready (RUNBOOK §4). Refs: #4
area:entra
chore
phase-3
  • dsl2022
  • Opened 
    31 minutes ago
  • #30

dsl2022/enterprise-onboarding-project
modules/entra: app registration + service principal + federated credential + Graph Group.Read.All

issuer/subject/audience = issuer_url / eop-dev-workload / api://AzureADTokenExchange. azuread provider via GitHub OIDC (ARM_USE_OIDC). Refs: #4
area:entra
phase-3
story
  • dsl2022
  • Opened 
    31 minutes ago
  • #29

dsl2022/enterprise-onboarding-project
Phase 3 — Entra app registration + federated identity credential

The cross-cloud trust: the Entra app + federated credential pointing at the Phase-2 issuer. Refs #4, #5. Refs: #4
area:entra
epic
phase-3
  • dsl2022
  • Opened 
    31 minutes ago
  • #28

dsl2022/enterprise-onboarding-project
App signer: IssuerKeyService (RSA in Secrets Manager) + IssuerPublisher (jwks.json)

Generate-on-first-boot RSA key stored only in Secrets Manager; kid = RFC-7638 thumbprint; publishes public JWKS. Gated by wif.enabled (ADR-0010). Refs: #3
area:app
phase-2
story
  • dsl2022
  • Opened 
    31 minutes ago
  • #27

dsl2022/enterprise-onboarding-project
modules/issuer: private S3 + CloudFront (OAC) + discovery doc + signing secret + task IAM policy

issuer field == the CloudFront domain exactly; CachingDisabled; empty CMK-encrypted Secrets Manager secret (ADR-0007). Refs: #3
area:terraform
phase-2
story
  • dsl2022
  • Opened 
    31 minutes ago
  • #26

dsl2022/enterprise-onboarding-project
Phase 2 — Workload OIDC issuer (S3 + CloudFront)

Self-hosted OIDC issuer so the AWS workload can prove identity to Entra with no stored credential. Ref #3. Refs: #3
area:terraform
epic
phase-2
  • dsl2022
  • Opened 
    31 minutes ago
  • #25

dsl2022/enterprise-onboarding-project
app-deploy OIDC sub must match the deploy role -> drop environment

Declaring environment changed the OIDC sub to environment: env , breaking AssumeRoleWithWebIdentity against the ref:refs/heads/main-scoped deploy role. Refs: #2
area:ci-cd
bug
phase-1
  • dsl2022
  • Opened 
    31 minutes ago
  • #24

dsl2022/enterprise-onboarding-project
gh token missing 'workflow' scope; no SSH key in sandbox -> push via HTTPS

Pushing .github/workflows/* required the workflow scope; no SSH key so switched origin to HTTPS via gh credential helper. Refs: #1
area:ci-cd
bug
phase-1
  • dsl2022
  • Opened 
    31 minutes ago
  • #23

dsl2022/enterprise-onboarding-project
Terraform platform module (KMS CMK, ECR, CloudWatch log group)

First real resources so the pipeline has something to plan/apply and app-deploy has an ECR target. Refs: #1
area:terraform
phase-1
story
  • dsl2022
  • Opened 
    31 minutes ago
  • #22
Issue origami icon

Learn how you can use GitHub Issues to plan and track your work.

Save views for sprints, backlogs, teams, or releases. Rank, sort, and filter issues to suit the occasion. The possibilities are endless.Learn more about GitHub Issues
ProTip! Restrict your search to the title by using the in:title qualifier.
Issue origami icon

Learn how you can use GitHub Issues to plan and track your work.

Save views for sprints, backlogs, teams, or releases. Rank, sort, and filter issues to suit the occasion. The possibilities are endless.Learn more about GitHub Issues
ProTip! Restrict your search to the title by using the in:title qualifier.