use le key

Altinn · Aug 5, 2024 · a184d02 · a184d02
1 parent 6bb39d0
commit a184d02
Show file tree

Hide file tree

Showing 11 changed files with 23 additions and 2 deletions.
diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
@@ -31,6 +31,11 @@ param sourceKeyVaultResourceGroup string
 @minLength(3)
 param sourceKeyVaultName string
 
+@description('SSH secret key for the ssh jumper')
+@secure()
+@minLength(3)
+param sourceKeyVaultSshJumperSshSecretKey string
+
 import { Sku as KeyVaultSku } from '../modules/keyvault/create.bicep'
 param keyVaultSku KeyVaultSku
 
@@ -59,6 +64,7 @@ var secrets = {
   sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
   sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
   sourceKeyVaultName: sourceKeyVaultName
+  sourceKeyVaultSshSecretKey: sourceKeyVaultSshJumperSshSecretKey
 }
 
 var namePrefix = 'dp-be-${environment}'
@@ -161,6 +167,7 @@ module sshJumper '../modules/ssh-jumper/main.bicep' = {
     srcKeyVaultName: secrets.sourceKeyVaultName
     srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
     srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
+    srcKeyVaultSshSecretKey: secrets.sourceKeyVaultSshSecretKey
   }
 }
 

diff --git a/.azure/infrastructure/production.bicepparam b/.azure/infrastructure/production.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {

diff --git a/.azure/infrastructure/soak.bicepparam b/.azure/infrastructure/soak.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {

diff --git a/.azure/infrastructure/staging.bicepparam b/.azure/infrastructure/staging.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {

diff --git a/.azure/infrastructure/test.bicepparam b/.azure/infrastructure/test.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {

diff --git a/.azure/modules/ssh-jumper/main.bicep b/.azure/modules/ssh-jumper/main.bicep
@@ -19,6 +19,10 @@ param srcKeyVaultSubId string
 @description('The resource group name of the source Key Vault')
 param srcKeyVaultRGNName string
 
+@description('The SSH secret key to be used to get the ssh key for the virtual machine')
+@secure()
+param srcKeyVaultSshSecretKey string
+
 var name = '${namePrefix}-jumper'
 
 resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
@@ -86,8 +90,7 @@ module virtualMachine '../../modules/virtualMachine/main.bicep' = {
   name: name
   params: {
     name: name
-    // todo: remove hardcoded environment, use naming convention here. 
-    sshKeyData: srcKeyVaultResource.getSecret('dialogportenJumperTestSSH')
+    sshKeyData: srcKeyVaultResource.getSecret(srcKeyVaultSshSecretKey)
     location: location
     tags: tags
     hardwareProfile: {

diff --git a/.github/workflows/action-deploy-infra.yml b/.github/workflows/action-deploy-infra.yml
@@ -18,6 +18,8 @@ on:
         required: true
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP:
         required: true
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY:
+        required: true
 
     inputs:
       region:
@@ -98,6 +100,7 @@ jobs:
           SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
           SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
           SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
+          SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
         with:
           scope: subscription
           template: ./.azure/infrastructure/main.bicep

diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml
@@ -74,6 +74,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml
@@ -54,6 +54,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-staging.yml b/.github/workflows/ci-cd-staging.yml
@@ -42,6 +42,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: staging
       region: norwayeast

diff --git a/.github/workflows/dispatch-infrastructure.yml b/.github/workflows/dispatch-infrastructure.yml
@@ -36,6 +36,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: ${{ inputs.environment }}
       region: norwayeast