docs(golden-paths): document per-repo OIDC federated credential bootstrap for IaC

paulanunes85 · paulanunes85 · commit ec162237296b · 2026-03-03T16:25:09.000-03:00
diff --git a/golden-paths/h2-enhancement/todo-app-e2e/skeleton/README.md b/golden-paths/h2-enhancement/todo-app-e2e/skeleton/README.md
@@ -45,7 +45,19 @@ Azure secrets are inherited from the `3horizons` organization:
 - `AZURE_TENANT_ID` — Microsoft Entra tenant
 - `AZURE_SUBSCRIPTION_ID` — Target Azure subscription
 
-No manual secret configuration is needed. The OIDC federated credential is configured for all repos in the org using environment `dev`.
+No manual secret configuration is needed for these three secrets.
+
+For OIDC login to Azure, each new repository needs a one-time federated credential in app `three-horizons-github-oidc` with subject:
+
+`repo:${{ values.repoOwner }}/${{ values.repoName }}:environment:dev`
+
+Example (run by tenant/app admin):
+
+```bash
+az ad app federated-credential create \
+	--id <APP_OBJECT_ID> \
+	--parameters "{\"name\":\"github-${{ values.repoName }}-dev\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${{ values.repoOwner }}/${{ values.repoName }}:environment:dev\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+```
 
 Optional variable:
 
diff --git a/golden-paths/h2-enhancement/todo-app-e2e/template.yaml b/golden-paths/h2-enhancement/todo-app-e2e/template.yaml
@@ -169,11 +169,16 @@ spec:
           **Azure region:** ${{ parameters.azureRegion }}
 
           **Azure IaC is ready to use:**
-           - Azure OIDC pre-configured (App Registration: `three-horizons-github-oidc`)
            - Organization secrets `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID` inherited automatically
            - Environment `dev` created in the repository
            - Run workflow `iac-dev.yml` with `apply=true` to provision Azure resources
 
+          **One-time OIDC bootstrap (required per new repo):**
+          create a federated credential with subject `repo:<owner>/<repo>:environment:dev` in app `three-horizons-github-oidc`.
+
+          Example:
+          `az ad app federated-credential create --id <APP_OBJECT_ID> --parameters '{"name":"github-${{ parameters.repoUrl | parseRepoUrl | pick('repo') }}-dev","issuer":"https://token.actions.githubusercontent.com","subject":"repo:${{ parameters.repoUrl | parseRepoUrl | pick('owner') }}/${{ parameters.repoUrl | parseRepoUrl | pick('repo') }}:environment:dev","audiences":["api://AzureADTokenExchange"]}'`
+
            **Identity note:** ensure the selected owner (`User` or `Group`) exists in the Software Catalog.
 
           **Codespaces:** use the "Open in Codespaces" link above to launch the dev environment for the created repository.
