

Go back to using authentication token (#31)
Going back to auth token
fmeheust authored Mar 14, 2024
1 parent c56b451 commit c5377fb
Showing 6 changed files with 59 additions and 86 deletions.
67 changes: 4 additions & 63 deletions config-repo.tf
Expand Up @@ -8,7 +8,6 @@

# creates the git repo called "config-repo"
resource "oci_devops_repository" "config_repo" {
depends_on = [ oci_identity_api_key.user_api_key ]
name = local.config_repo_name
project_id = local.project_id
repository_type = "HOSTED"
Expand All @@ -17,32 +16,6 @@ resource "oci_devops_repository" "config_repo" {
count = (local.use-image ? 0 : 1)
}

resource "tls_private_key" "rsa_api_key" {
algorithm = "RSA"
rsa_bits = 4096
count = (local.use-image && !var.use_existing_api_key ? 0 : 1)
}

resource "oci_identity_api_key" "user_api_key" {
#Required
key_value = tls_private_key.rsa_api_key[0].public_key_pem
user_id = var.current_user_ocid
count = (local.use-image || var.use_existing_api_key ? 0 : 1)
}

resource "local_file" "api_private_key" {
depends_on = [ tls_private_key.rsa_api_key ]
filename = "${path.module}/api-private-key.pem"
content = (var.use_existing_api_key ? base64decode(var.api_key) : tls_private_key.rsa_api_key[0].private_key_pem)
count = (local.use-image ? 0 : 1)
}

resource "local_file" "ssh_config" {
filename = "${path.module}/ssh_config"
content = data.template_file.ssh_config.rendered
}


# creates necessary files to configure Docker image
# creates the Dockerfile
resource "local_file" "dockerfile" {
Expand Down Expand Up @@ -98,45 +71,13 @@ resource "null_resource" "create_config_repo" {
local_file.wallet,
local_file.self_signed_certificate,
local_file.oci_build_config,
local_file.ssh_config,
local_file.api_private_key,
oci_identity_auth_token.auth_token,
random_password.wallet_password
]

# create .ssh directory
provisioner "local-exec" {
command = "mkdir ~/.ssh"
on_failure = fail
working_dir = "${path.module}"
}

# copy ssh-config
provisioner "local-exec" {
command = "cp ssh_config ~/.ssh/config"
on_failure = fail
working_dir = "${path.module}"
}
provisioner "local-exec" {
command = "chmod 600 ~/.ssh/config"
on_failure = fail
working_dir = "${path.module}"
}

# copy private key
provisioner "local-exec" {
command = "cp api-private-key.pem ~/.ssh/api-private-key.pem"
on_failure = fail
working_dir = "${path.module}"
}
provisioner "local-exec" {
command = "chmod 400 ~/.ssh/api-private-key.pem"
on_failure = fail
working_dir = "${path.module}"
}

# clone new repository
provisioner "local-exec" {
command = "git -c core.sshCommand='ssh -o StrictHostKeyChecking=no' clone ${oci_devops_repository.config_repo[0].ssh_url}"
command = "git clone ${local.config_repo_url}"
on_failure = fail
working_dir = "${path.module}"
}
Expand All @@ -148,13 +89,13 @@ resource "null_resource" "create_config_repo" {
working_dir = "${path.module}"
}

# clone new repository
# clone new repository
provisioner "local-exec" {
command = "git config --global user.name \"${local.service-username}\""
on_failure = fail
working_dir = "${path.module}"
}

# copy config to app directory
provisioner "local-exec" {
command = "cp build_spec.yaml ./${local.config_repo_name}/build_spec.yaml"
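Review bot: The clone in the `@@ -98,45 +71,13 @@` hunk now runs `git clone ${local.config_repo_url}`, and that URL carries `login:token@` (built in variables.tf), so the authentication token is written into the cloned repository's `.git/config` as the `origin` URL, appears in the shell's process arguments, and is echoed in the `local-exec` "Executing:" line unless Terraform's sensitivity tracking suppresses it. A safer shape is to clone the plain `http_url` and hand the token to git out of band, for example through the provisioner's `environment` argument feeding a `GIT_ASKPASS` script or a credential helper, so nothing secret is persisted on disk or logged. If the URL form is kept, the cloned working tree should be treated as containing a credential and cleaned up accordingly. `null_resource.create_config_repo` begins and ends outside the hunk.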
7 changes: 0 additions & 7 deletions datasources.tf
Expand Up @@ -84,13 +84,6 @@ data "template_file" "deploy_script" {
count = var.nb_copies
}

data "template_file" "ssh_config" {
template = "${file("${path.module}/ssh_config.template")}"
vars = {
"user" = local.ssh_login
}
}

data "oci_identity_api_keys" "dbconnection_api_key" {
user_id = var.current_user_ocid
}
15 changes: 13 additions & 2 deletions interface.yaml
Expand Up @@ -31,8 +31,8 @@ variableGroups:
###APPLICATION_GROUP###
- title: "Stack authentication"
variables:
- use_existing_api_key
- api_key
- use_existing_token
- current_user_token
- use_existing_vault
- new_vault_display_name
- vault_compartment_id
Expand Down Expand Up @@ -260,6 +260,17 @@ variables:
visible:
and:
- use_existing_vault
use_existing_token:
type: boolean
required: true
title: Use existing authentication token
description: This token will be used by the stack to authenticate the user when connecting to the code repository or container registry.
default: true
current_user_token:
type: password
required: true
title: User's authentication token
visible: use_existing_token
###APP_CONFIG###
# FQDN
create_fqdn:
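Review bot: `use_existing_token` is given `default: true` in the `@@ -260,6 +260,17 @@` hunk while `variable "use_existing_token"` in variables.tf has `default = false`; the two should agree so a CLI run and a stack-form run take the same branch. With the schema default, `current_user_token` is the only source of the token, yet its Terraform default is the empty string, so a blank form value would quietly produce a `config_repo_url` with an empty password rather than failing early. Consider `default: false` here (or `default = true` in variables.tf) and a non-empty constraint on `current_user_token` in the schema, if the form supports one.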
3 changes: 0 additions & 3 deletions ssh_config.template

This file was deleted.

25 changes: 14 additions & 11 deletions variables.tf
Expand Up @@ -410,14 +410,16 @@ variable "reserved_ip_address" {
default = ""
}

variable "use_existing_api_key" {
variable "use_existing_token" {
type = bool
description = "Create authentication token for current user"
default = false
}

variable "api_key" {
variable "current_user_token" {
type = string
default = "none"
default = ""
sensitive = true
}

locals {
Expand All @@ -431,8 +433,10 @@ locals {
service-username = data.oci_identity_user.current_user.name
# login, tenancy + username (DevOps)
login = "${data.oci_identity_tenancy.tenancy.name}/${local.service-username}"
# ssh login
ssh_login = "${local.service-username}@${data.oci_identity_tenancy.tenancy.name}"
# authentication token
app_auth_token = var.use_existing_token ? var.current_user_token : oci_identity_auth_token.auth_token[0].token
# Authentication token secret
auth_token_secret = oci_vault_secret.auth_token_secret.id
# login, namespace + username (Container Registry)
login_container = "${local.namespace}/${local.service-username}"
# Container registry url
Expand Down Expand Up @@ -467,13 +471,12 @@ locals {
: var.image_path)
# bucket name
bucket_name = "${local.application_name}-bucket"

# dbconnection_api_key_pem = (
# length(data.oci_identity_api_keys.dbconnection_api_key.api_keys) == 0
# ? oci_identity_api_key.dbconnection_api_key[0].key_value
# : data.oci_identity_api_keys.dbconnection_api_key.api_keys[0].key_value
# )
# name of the config repository
config_repo_name = "${local.application_name}-config"
# url of the config repository
config_repo_url = (local.use-image
? ""
: replace(oci_devops_repository.config_repo[0].http_url, "https://", "https://${urlencode(local.login)}:${urlencode(local.app_auth_token)}@"))
# database OCID
database_ocid = (var.use_existing_database ? var.autonomous_database : oci_database_autonomous_database.database[0].id)
# database username
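Review bot: The `description` on `use_existing_token` in the `@@ -410,14 +410,16 @@` hunk reads "Create authentication token for current user", which is the opposite of what the flag does: when it is true the stack reuses `var.current_user_token` and creates nothing. Suggest `description = "Use an existing authentication token for the current user instead of creating a new one"`. Separately, `config_repo_url` in the `@@ -467,13 +471,12 @@` hunk bakes `local.app_auth_token` into the URL; it should be redacted in plan output as long as both token sources are sensitive, and wrapping the expression in `sensitive(...)` makes that explicit regardless of which branch supplies the token, but the value still lands in state and everywhere the URL is used (see config-repo.tf).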
28 changes: 28 additions & 0 deletions vault.tf
Expand Up @@ -19,6 +19,34 @@ resource "oci_kms_key" "app_key" {
count = var.use_existing_vault ? 0 : 1
}

# Create an authentication token for user to connect to repositories
resource "oci_identity_auth_token" "auth_token" {
# provider = oci.home-provider
description = "Authentication token for ${local.application_name}"
user_id = var.current_user_ocid
count = (var.use_existing_token ? 0 : 1)
}

# Secret containing the authentication token
resource "oci_vault_secret" "auth_token_secret" {
depends_on = [
oci_kms_vault.app_vault,
oci_kms_key.app_key
]
#Required
compartment_id = var.use_existing_vault ? var.vault_compartment_id : var.compartment_id
secret_content {
#Required
content_type = "BASE64"

#Optional
content = base64encode(local.app_auth_token)
name = "auth_token_content_${formatdate("MMDDhhmm", timestamp())}"
}
secret_name ="auth_token_secret_${formatdate("MMDDhhmm", timestamp())}"
vault_id = var.use_existing_vault ? var.vault_id : oci_kms_vault.app_vault[0].id
key_id = var.use_existing_vault ? var.key_id : oci_kms_key.app_key[0].id
}

# Secret containing the db user's password
resource "oci_vault_secret" "db_user_password" {
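Review bot: `secret_name` and `secret_content.name` on `oci_vault_secret.auth_token_secret` embed `formatdate("MMDDhhmm", timestamp())`; `timestamp()` is re-evaluated on every plan, so each apply renames the secret (which likely forces replacement) and creates a new version even when the token is unchanged, invalidating whatever holds `local.auth_token_secret` by OCID, and `hh` is the 12-hour field so names can also collide between morning and evening runs. A stable name such as `secret_name = "auth_token_secret_${local.application_name}"` lets Terraform touch the secret only when `local.app_auth_token` actually changes. `# provider = oci.home-provider` is left commented out on `oci_identity_auth_token.auth_token`; IAM resources are created against the tenancy home region, so this only works if the default provider already targets it, which is worth confirming. The token value is also held in plain text in Terraform state via both the token resource and the secret content, so the state backend has to be treated as secret storage.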
