From 9af15a9dcb4e64c40f1f5710a1508940ece57327 Mon Sep 17 00:00:00 2001
From: Are Almaas
Date: Tue, 6 Aug 2024 12:59:02 +0200
Subject: [PATCH] fix le virtual machine
---
 .azure/infrastructure/main.bicep | 11 ++++------
 .azure/infrastructure/production.bicepparam | 2 +-
 .azure/infrastructure/soak.bicepparam | 2 +-
 .azure/infrastructure/staging.bicepparam | 2 +-
 .azure/infrastructure/test.bicepparam | 2 +-
 .azure/modules/ssh-jumper/main.bicep | 20 +++----------------
 .azure/modules/virtualMachine/main.bicep | 7 +++----
 .github/workflows/action-deploy-infra.yml | 6 +++---
 .github/workflows/ci-cd-main.yml | 2 +-
 .../ci-cd-pull-request-release-please.yml | 2 +-
 .github/workflows/ci-cd-pull-request.yml | 2 +-
 .github/workflows/ci-cd-staging.yml | 2 +-
 .github/workflows/dispatch-infrastructure.yml | 2 +-
 13 files changed, 22 insertions(+), 40 deletions(-)
diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
index 200aee44e..bc24bfe3b 100644
--- a/.azure/infrastructure/main.bicep
+++ b/.azure/infrastructure/main.bicep
@@ -31,10 +31,10 @@ param sourceKeyVaultResourceGroup string
 @minLength(3)
 param sourceKeyVaultName string
-@description('SSH secret key for the ssh jumper')
+@description('Admin password for the ssh jumper')
 @secure()
 @minLength(3)
-param sourceKeyVaultSshJumperSshSecretKey string
+param sourceKeyVaultSshJumperSshPublicKey string
 import { Sku as KeyVaultSku } from '../modules/keyvault/create.bicep'
 param keyVaultSku KeyVaultSku
@@ -64,7 +64,7 @@ var secrets = {
 sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
 sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
 sourceKeyVaultName: sourceKeyVaultName
- sourceKeyVaultSshSecretKey: sourceKeyVaultSshJumperSshSecretKey
+ sourceKeyVaultSshJumperSshPublicKey: sourceKeyVaultSshJumperSshPublicKey
 }
 var namePrefix = 'dp-be-${environment}'
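Review bot: The new `@description('Admin password for the ssh jumper')` in the first main.bicep hunk contradicts the parameter it annotates, `sourceKeyVaultSshJumperSshPublicKey`, which the second hunk stores in the `secrets` object under that name and which the ssh-jumper module forwards as the VM's `authorized_keys` entry. A label that calls a public key a password invites the next operator to supply a password or a private key through that environment variable, and because the parameter is `@secure()` the wrong value would not show up in deployment output where it could be caught. Suggest `@description('SSH public key (authorized_keys entry) for the ssh jumper admin user')`. The `sourceKeyVault` prefix is also stale now that the value is the key itself rather than a Key Vault secret name, but that rename can wait.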
@@ -164,10 +164,7 @@ module sshJumper '../modules/ssh-jumper/main.bicep' = {
 location: location
 subnetId: vnet.outputs.defaultSubnetId
 tags: tags
- srcKeyVaultName: secrets.sourceKeyVaultName
- srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
- srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
- srcKeyVaultSshSecretKey: secrets.sourceKeyVaultSshSecretKey
+ sshPublicKey: secrets.sourceKeyVaultSshJumperSshPublicKey
 }
 }
diff --git a/.azure/infrastructure/production.bicepparam b/.azure/infrastructure/production.bicepparam
index 2203c46f1..224692f6d 100644
--- a/.azure/infrastructure/production.bicepparam
+++ b/.azure/infrastructure/production.bicepparam
@@ -11,7 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
-param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
+param sshJumperAdminPassword = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/infrastructure/soak.bicepparam b/.azure/infrastructure/soak.bicepparam
index 86745af63..e2157568f 100644
--- a/.azure/infrastructure/soak.bicepparam
+++ b/.azure/infrastructure/soak.bicepparam
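Review bot: The production.bicepparam hunk assigns `sshJumperAdminPassword`, a parameter that main.bicep does not declare — this same patch declares `sourceKeyVaultSshJumperSshPublicKey` and reads it by that name into the `secrets` object — so the deployment is rejected for an unknown parameter and the required secure parameter is never supplied. The soak.bicepparam and staging.bicepparam hunks on the next line carry the same mismatch; only test.bicepparam uses the declared name. Change the line in all three to `param sourceKeyVaultSshJumperSshPublicKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')`. Since the pull-request pipelines in this patch deploy only test and staging, production in particular deserves a validation or what-if deployment before this merges.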
@@ -11,7 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
-param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
+param sshJumperAdminPassword = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/infrastructure/staging.bicepparam b/.azure/infrastructure/staging.bicepparam
index 170d3d400..5620a3811 100644
--- a/.azure/infrastructure/staging.bicepparam
+++ b/.azure/infrastructure/staging.bicepparam
@@ -11,7 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
-param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
+param sshJumperAdminPassword = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/infrastructure/test.bicepparam b/.azure/infrastructure/test.bicepparam
index a823b7823..9122ac2c9 100644
--- a/.azure/infrastructure/test.bicepparam
+++ b/.azure/infrastructure/test.bicepparam
@@ -11,7 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
-param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
+param sourceKeyVaultSshJumperSshPublicKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/modules/ssh-jumper/main.bicep b/.azure/modules/ssh-jumper/main.bicep
index 0362a60d2..8f6ee8233 100644
--- a/.azure/modules/ssh-jumper/main.bicep
+++ b/.azure/modules/ssh-jumper/main.bicep
@@ -10,26 +10,12 @@ param subnetId string
 @description('Tags to be applied to the resource')
 param tags object
-@description('The name of the source Key Vault')
-param srcKeyVaultName string
-
-@description('The subscription ID of the source Key Vault')
-param srcKeyVaultSubId string
-
-@description('The resource group name of the source Key Vault')
-param srcKeyVaultRGNName string
-
-@description('The SSH secret key to be used to get the ssh key for the virtual machine')
+@description('The SSH public key to be used for the virtual machine')
 @secure()
-param srcKeyVaultSshSecretKey string
+param sshPublicKey string
 var name = '${namePrefix}-ssh-jumper'
-resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
- name: srcKeyVaultName
- scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName)
-}
-
 resource publicIp 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
 name: '${name}-ip'
 location: location
@@ -90,7 +76,7 @@ module virtualMachine '../../modules/virtualMachine/main.bicep' = {
 name: name
 params: {
 name: name
- sshKeyData: srcKeyVaultResource.getSecret(srcKeyVaultSshSecretKey)
+ sshPublicKey: sshPublicKey
 location: location
 tags: tags
 hardwareProfile: {
diff --git a/.azure/modules/virtualMachine/main.bicep b/.azure/modules/virtualMachine/main.bicep
index b09261c29..8e46aba9b 100644
--- a/.azure/modules/virtualMachine/main.bicep
+++ b/.azure/modules/virtualMachine/main.bicep
@@ -68,9 +68,9 @@ type StorageProfile = {
 @description('Specifies the storage profile for the virtual machine')
 param storageProfile StorageProfile
-@description('Specifies the SSH key data for the virtual machine')
+@description('Specifies the SSH public key for the virtual machine')
 @secure()
-param sshKeyData string
+param sshPublicKey string
 resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = {
 name: name
@@ -91,7 +91,7 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = {
 publicKeys: [
 {
 path: '/home/${name}/.ssh/authorized_keys'
- keyData: sshKeyData
+ keyData: sshPublicKey
 }
 ]
 }
@@ -107,7 +107,6 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = {
 }
 secrets: []
 allowExtensionOperations: true
- requireGuestProvisionSignal: true
 }
 securityProfile: securityProfile
 networkProfile: networkProfile
diff --git a/.github/workflows/action-deploy-infra.yml b/.github/workflows/action-deploy-infra.yml
index 0e61969f7..75253ca5d 100644
--- a/.github/workflows/action-deploy-infra.yml
+++ b/.github/workflows/action-deploy-infra.yml
@@ -18,7 +18,7 @@ on:
 required: true
 AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP:
 required: true
- AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY:
+ SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY:
 required: true
 inputs:
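Review bot: Nothing in the third virtualMachine/main.bicep hunk or in the commit message records why `requireGuestProvisionSignal: true` is dropped from `osProfile`, and the title "fix le virtual machine" does not say which failure it fixes. Without that context the next reader is likely to reinstate the property as a hardening default, so a one-line comment at the spot it was removed, such as `// requireGuestProvisionSignal intentionally omitted: <PLACEHOLDER: reason / failure it caused>`, would preserve the decision. The `osProfile` object that encloses this line starts outside the hunk.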
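Review bot: The action-deploy-infra.yml hunk declares the reusable workflow's secret as `SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY:` without the `AZURE_` prefix, yet the two hunks of the same file on the next line read `secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY`, and every caller in this patch (ci-cd-main, ci-cd-pull-request, ci-cd-pull-request-release-please, ci-cd-staging, dispatch-infrastructure) passes `AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY`. A `workflow_call` secret is only available to the called workflow under the name it declares, so as written the declared (required) secret is supplied by no caller and the value the deploy steps read would be empty. Keep the prefix the rest of the declaration block uses: `AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY:` followed by the unchanged `required: true`. The `on:` block that encloses this declaration starts outside the hunk.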
@@ -100,7 +100,7 @@ jobs:
 SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
 SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
 SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
- SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
+ SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
 with:
 scope: subscription
 template: ./.azure/infrastructure/main.bicep
@@ -124,7 +124,7 @@ jobs:
 SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
 SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
 SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
- SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
+ SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
 with:
 scope: subscription
 template: ./.azure/infrastructure/main.bicep
diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml
index a5405c5d8..4dfe71827 100644
--- a/.github/workflows/ci-cd-main.yml
+++ b/.github/workflows/ci-cd-main.yml
@@ -74,7 +74,7 @@ jobs:
 AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
 AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
 AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
- AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
+ AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
 with:
 environment: test
 region: norwayeast
diff --git a/.github/workflows/ci-cd-pull-request-release-please.yml b/.github/workflows/ci-cd-pull-request-release-please.yml
index 569690a35..77fd3e3e7 100644
--- a/.github/workflows/ci-cd-pull-request-release-please.yml
+++ b/.github/workflows/ci-cd-pull-request-release-please.yml
@@ -37,7 +37,7 @@ jobs:
 AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
 AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
 AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
- AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
+ AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
 with:
 environment: staging
 region: norwayeast
diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml
index ad0c5d3e4..8cd87374c 100644
--- a/.github/workflows/ci-cd-pull-request.yml
+++ b/.github/workflows/ci-cd-pull-request.yml
@@ -54,7 +54,7 @@ jobs:
 AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
 AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
 AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
- AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
+ AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
 with:
 environment: test
 region: norwayeast
diff --git a/.github/workflows/ci-cd-staging.yml b/.github/workflows/ci-cd-staging.yml
index 792e95205..990f2717e 100644
--- a/.github/workflows/ci-cd-staging.yml
+++ b/.github/workflows/ci-cd-staging.yml
@@ -42,7 +42,7 @@ jobs:
 AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
 AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
 AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
- AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
+ AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
 with:
 environment: staging
 region: norwayeast
diff --git a/.github/workflows/dispatch-infrastructure.yml b/.github/workflows/dispatch-infrastructure.yml
index 5043b1ee8..d428f772e 100644
--- a/.github/workflows/dispatch-infrastructure.yml
+++ b/.github/workflows/dispatch-infrastructure.yml
@@ -36,7 +36,7 @@ jobs:
 AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
 AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
 AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
- AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
+ AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
 with:
 environment: ${{ inputs.environment }}
 region: norwayeast