#!/bin/bash
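set -e
# Without pipefail a failing `terraform output` is masked by a succeeding `jq`
# and the script would carry on with empty values.
set -o pipefail

# Demo: mint a short-lived JWT from the outputs of the `prereqs` Terraform
# configuration, then hand it to the `terraform-entra` configuration as
# ARM_OIDC_TOKEN.
#
# Usage: demo.sh [skip-prereqs] [token-only]
#   $1 = skip-prereqs  do not run `terraform init/apply` in prereqs
#   $2 = token-only    print the token and JWKS URL, then stop
# The arguments are positional: token-only is only recognised as $2.

#######################################
# Print one value from the Terraform outputs of the current directory.
# Arguments: $1 - jq filter selecting the value
# Outputs:   the raw value on stdout
# Returns:   non-zero when terraform or jq fails, or when the filter yields
#            null/false (jq -e), so a missing output is not used as "null"
#######################################
tf_output() {
  terraform output --json | jq -er "$1"
}

# Prerequisites
pushd prereqs &> /dev/null
if [ "$1" != "skip-prereqs" ]; then
  terraform init
  terraform apply
fi

# https://github.com/mike-engel/jwt-cli/issues/56#issuecomment-2599710394
# The signing key is copied out of the Terraform outputs into a transient file.
# The path is absolute because the EXIT trap runs after the later popd, and the
# trap is registered before the key is written so a failure in between cannot
# leave the key on disk.
sec="$PWD/private.pem"
trap '{ rm -f "$sec"; }' EXIT
# Remove any stale file first: `>` keeps the mode of an existing file, so the
# umask below only takes effect when the file is created fresh.
rm -f -- "$sec"
(
  # owner-only permissions for the private key; subshell keeps the umask local
  umask 077
  tf_output .token_arguments.value.sec > "$sec"
)

alg="$(tf_output .token_arguments.value.alg)"
kid="$(tf_output .token_arguments.value.kid)"
iss="$(tf_output .token_arguments.value.iss)"
sub="$(tf_output .token_arguments.value.sub)"
aud="$(tf_output .token_arguments.value.aud)"
# Informational only (printed in token-only mode), so a missing value is
# tolerated here and shows up as "null", as before.
jwks_url="$(terraform output --json | jq -r .debug.value.jwks_url)"

# set token expiry to one hour from now
exp=$(($(date +%s) + 3600))

# Build the claims with jq so that quotes or backslashes in iss/sub/aud are
# escaped instead of breaking (or altering) the JSON payload.
payload="$(jq -cn --arg iss "$iss" --arg sub "$sub" --arg aud "$aud" \
  '{hello: "world", iss: $iss, sub: $sub, aud: $aud}')"

jwt="$(jwt encode \
  --alg "$alg" \
  --kid "$kid" \
  --exp="$exp" \
  --secret @"$sec" \
  "$payload")"
popd &> /dev/null

if [ "$2" == "token-only" ]; then
  # The token is a usable credential until its exp claim; it is written to
  # stdout only in this explicitly requested mode.
  printf 'jwt=%s\n' "$jwt"
  printf 'jwks_url=%s\n' "$jwks_url"
  exit
fi

# Entra work
pushd terraform-entra &> /dev/null
terraform init
# The token is set in the environment of this one command only; it is neither
# exported to later commands nor placed on the command line.
ARM_OIDC_TOKEN="$jwt" terraform apply
popd &> /dev/null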