From a184d02d3593c00870e4a65af7443fe3197bfb59 Mon Sep 17 00:00:00 2001
From: Are Almaas
Date: Mon, 5 Aug 2024 09:56:01 +0200
Subject: [PATCH] use le key

---
 .azure/infrastructure/main.bicep | 7 +++++++
 .azure/infrastructure/production.bicepparam | 1 +
 .azure/infrastructure/soak.bicepparam | 1 +
 .azure/infrastructure/staging.bicepparam | 1 +
 .azure/infrastructure/test.bicepparam | 1 +
 .azure/modules/ssh-jumper/main.bicep | 7 +++++--
 .github/workflows/action-deploy-infra.yml | 3 +++
 .github/workflows/ci-cd-main.yml | 1 +
 .github/workflows/ci-cd-pull-request.yml | 1 +
 .github/workflows/ci-cd-staging.yml | 1 +
 .github/workflows/dispatch-infrastructure.yml | 1 +
 11 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
index f35887561..200aee44e 100644
--- a/.azure/infrastructure/main.bicep
+++ b/.azure/infrastructure/main.bicep
@@ -31,6 +31,11 @@ param sourceKeyVaultResourceGroup string
 @minLength(3)
 param sourceKeyVaultName string
 
+@description('SSH secret key for the ssh jumper')
+@secure()
+@minLength(3)
+param sourceKeyVaultSshJumperSshSecretKey string
+
 import { Sku as KeyVaultSku } from '../modules/keyvault/create.bicep'
 param keyVaultSku KeyVaultSku
 
@@ -59,6 +64,7 @@ var secrets = {
   sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
   sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
   sourceKeyVaultName: sourceKeyVaultName
+  sourceKeyVaultSshSecretKey: sourceKeyVaultSshJumperSshSecretKey
 }
 
 var namePrefix = 'dp-be-${environment}'
@@ -161,6 +167,7 @@ module sshJumper '../modules/ssh-jumper/main.bicep' = {
     srcKeyVaultName: secrets.sourceKeyVaultName
     srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
     srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
+    srcKeyVaultSshSecretKey: secrets.sourceKeyVaultSshSecretKey
   }
 }
 
diff --git a/.azure/infrastructure/production.bicepparam b/.azure/infrastructure/production.bicepparam
index 35479f9a9..2203c46f1 100644
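Review bot: The `@description('SSH secret key for the ssh jumper')` on the new parameter in the first hunk reads as if the value were the SSH key itself, but the value is only the name of a Key Vault secret — it is passed through `secrets` into the ssh-jumper module, which hands it to `getSecret(...)` — so the description should say so, e.g. `@description('Name of the secret in the source Key Vault that holds the SSH key for the ssh jumper VM')`. The same value then travels under three spellings (`sourceKeyVaultSshJumperSshSecretKey`, `secrets.sourceKeyVaultSshSecretKey`, `srcKeyVaultSshSecretKey`), which makes it harder to trace; one spelling, ideally ending in `SecretName`, would help. Marking a secret name `@secure()` is defensible since it keeps it out of deployment history, but the same redaction presumably applies to any deployment error that would otherwise quote it, so a misnamed secret may be harder to diagnose.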
--- a/.azure/infrastructure/production.bicepparam
+++ b/.azure/infrastructure/production.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/infrastructure/soak.bicepparam b/.azure/infrastructure/soak.bicepparam
index 76a7beae2..86745af63 100644
--- a/.azure/infrastructure/soak.bicepparam
+++ b/.azure/infrastructure/soak.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/infrastructure/staging.bicepparam b/.azure/infrastructure/staging.bicepparam
index f00cf24a2..170d3d400 100644
--- a/.azure/infrastructure/staging.bicepparam
+++ b/.azure/infrastructure/staging.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/infrastructure/test.bicepparam b/.azure/infrastructure/test.bicepparam
index b1c5de6b3..a823b7823 100644
--- a/.azure/infrastructure/test.bicepparam
+++ b/.azure/infrastructure/test.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshSecretKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY')
 
 // SKUs
 param keyVaultSku = {
diff --git a/.azure/modules/ssh-jumper/main.bicep b/.azure/modules/ssh-jumper/main.bicep
index b3bac269e..3e7ae805d 100644
--- a/.azure/modules/ssh-jumper/main.bicep
+++ b/.azure/modules/ssh-jumper/main.bicep
@@ -19,6 +19,10 @@ param srcKeyVaultSubId string
 @description('The resource group name of the source Key Vault')
 param srcKeyVaultRGNName string
 
+@description('The SSH secret key to be used to get the ssh key for the virtual machine')
+@secure()
+param srcKeyVaultSshSecretKey string
+
 var name = '${namePrefix}-jumper'
 
 resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
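Review bot: The new `srcKeyVaultSshSecretKey` parameter in the ssh-jumper module carries no `@minLength` even though the value it receives from `.azure/infrastructure/main.bicep` is constrained to `@minLength(3)` there; an empty string passes this module's own contract and only fails later at the `getSecret(...)` call further down the file. Adding `@minLength(1)` (or `@minLength(3)` to match the caller) gives the module a guard that does not depend on who calls it. The description `'The SSH secret key to be used to get the ssh key for the virtual machine'` is also circular; `'Name of the secret in the source Key Vault that holds the SSH key for the jumper VM'` states what the value actually is.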
@@ -86,8 +90,7 @@ module virtualMachine '../../modules/virtualMachine/main.bicep' = {
   name: name
   params: {
     name: name
-    // todo: remove hardcoded environment, use naming convention here.
-    sshKeyData: srcKeyVaultResource.getSecret('dialogportenJumperTestSSH')
+    sshKeyData: srcKeyVaultResource.getSecret(srcKeyVaultSshSecretKey)
     location: location
     tags: tags
     hardwareProfile: {
diff --git a/.github/workflows/action-deploy-infra.yml b/.github/workflows/action-deploy-infra.yml
index a0e42e4ed..5a609c2dd 100644
--- a/.github/workflows/action-deploy-infra.yml
+++ b/.github/workflows/action-deploy-infra.yml
@@ -18,6 +18,8 @@ on:
       required: true
     AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP:
       required: true
+    AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY:
+      required: true
 
   inputs:
     region:
@@ -98,6 +100,7 @@ jobs:
           SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
           SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
           SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
+          SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
         with:
           scope: subscription
           template: ./.azure/infrastructure/main.bicep
diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml
index e9fc9c283..a5405c5d8 100644
--- a/.github/workflows/ci-cd-main.yml
+++ b/.github/workflows/ci-cd-main.yml
@@ -74,6 +74,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: test
       region: norwayeast
diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml
index 70a40973f..ad0c5d3e4 100644
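Review bot: Replacing `getSecret('dialogportenJumperTestSSH')` with `getSecret(srcKeyVaultSshSecretKey)` changes the key data handed to the `virtualMachine` module, but for a jumper VM that already exists an ARM redeploy does not necessarily replace the key: Azure rejects updates to most `osProfile` properties on a created VM, so the old test-environment key could remain authorized on the staging and production jumpers after this ships. It is worth checking on each environment that the jumper's authorized_keys now matches the per-environment secret and that the `dialogportenJumperTestSSH` key no longer grants access; if not, the VM has to be recreated or the key rotated in-guest. The `virtualMachine` module that consumes `sshKeyData` is outside this hunk, so whether it applies the key via `osProfile` or some other path cannot be confirmed from here.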
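Review bot: `AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY` is declared as a required `workflow_call` secret, but what it carries is the name of a Key Vault secret (it feeds `readEnvironmentVariable(...)` in the bicepparam files and from there `getSecret(...)`), not key material; the `_SSH_SECRET_KEY` suffix invites whoever configures the repository to paste a private key into it. A comment on the declaration such as `# Name of the secret in the source Key Vault that holds the jumper SSH key; NOT the key itself` would prevent that, or a `_SECRET_NAME` suffix if renaming across the calling workflows is acceptable. Since GitHub masks every secret value in job logs, storing a plain identifier as a secret also means that string is redacted wherever it appears in deployment output, consistent with how the vault name is already handled but worth knowing when reading a failed run.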
--- a/.github/workflows/ci-cd-pull-request.yml
+++ b/.github/workflows/ci-cd-pull-request.yml
@@ -54,6 +54,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: test
       region: norwayeast
diff --git a/.github/workflows/ci-cd-staging.yml b/.github/workflows/ci-cd-staging.yml
index e5dc106e2..792e95205 100644
--- a/.github/workflows/ci-cd-staging.yml
+++ b/.github/workflows/ci-cd-staging.yml
@@ -42,6 +42,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: staging
       region: norwayeast
diff --git a/.github/workflows/dispatch-infrastructure.yml b/.github/workflows/dispatch-infrastructure.yml
index b8d558c09..5043b1ee8 100644
--- a/.github/workflows/dispatch-infrastructure.yml
+++ b/.github/workflows/dispatch-infrastructure.yml
@@ -36,6 +36,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_SECRET_KEY }}
     with:
       environment: ${{ inputs.environment }}
       region: norwayeast