Refactor Nexus bundle to use KeyVault VM Extension (#3453)

* update firewall

* use keyvault vm extension to get nexus ssl

* changelog

* version

CHANGELOG.md

@@ -10,6 +10,7 @@ ENHANCEMENTS:
 
 BUG FIXES:
 * AML workspace service fails to install and puts firewall into failed state ([#3448](https://github.com/microsoft/AzureTRE/issues/3448))
+* Nexus fails to install due to `az login` and firewall rules ([#3453](https://github.com/microsoft/AzureTRE/issues/3453))
 
 COMPONENTS:
 

templates/shared_services/firewall/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-firewall
-version: 1.1.0
+version: 1.1.1
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -57,7 +57,7 @@ parameters:
 
 mixins:
   - terraform:
-      clientVersion: 1.3.6
+      clientVersion: 1.4.5
 
 install:
   - terraform:

templates/shared_services/firewall/template_schema.json

@@ -17,7 +17,6 @@
 				"type": "object",
 				"required": [
 					"name",
-					"action",
 					"rules"
 				],
 				"properties": {

templates/shared_services/firewall/terraform/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.40.0"
+      version = "=3.53.0"
     }
   }
 

templates/shared_services/sonatype-nexus-vm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 2.4.0
+version: 2.5.0
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -58,17 +58,15 @@ outputs:
     applyTo:
       - install
       - upgrade
-  - name: shared_address_prefixes
+  - name: private_ip_addresses
     applyTo:
       - install
       - upgrade
 
 mixins:
   - exec
   - terraform:
-      clientVersion: 1.3.6
-  - az:
-      clientVersion: 2.37.0
+      clientVersion: 1.4.5
 
 install:
   - terraform:
@@ -85,7 +83,7 @@ install:
       outputs:
         - name: workspace_vm_allowed_fqdns_list
         - name: nexus_allowed_fqdns_list
-        - name: shared_address_prefixes
+        - name: private_ip_addresses
 
 upgrade:
   - terraform:
@@ -102,7 +100,7 @@ upgrade:
       outputs:
         - name: workspace_vm_allowed_fqdns_list
         - name: nexus_allowed_fqdns_list
-        - name: shared_address_prefixes
+        - name: private_ip_addresses
 uninstall:
   - terraform:
       description: "Tear down shared service"

templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh

@@ -7,33 +7,41 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
-# Prepare ssl certificate
-az login --identity -u "${MSI_ID}" --allow-no-subscriptions
-# -- get cert from kv as secret so it contains private key
-echo 'Getting cert and cert password from Keyvault...'
-az keyvault secret download --vault-name "${VAULT_NAME}" --name "${SSL_CERT_NAME}" --file temp.pfx --encoding base64
-cert_password=$(az keyvault secret show --vault-name "${VAULT_NAME}" \
-  --name "${SSL_CERT_PASSWORD_NAME}" -o tsv --query value)
-# -- az cli strips out password from cert so we re-add by converting to PEM then PFX with pwd
-openssl pkcs12 -in temp.pfx -out temp.pem -nodes -password pass:
-openssl pkcs12 -export -out nexus-ssl.pfx -in temp.pem -password "pass:$cert_password"
+echo "Setting up Nexus SSL..."
 
 # Import ssl cert to keystore within Nexus volume
-keystore_timeout=300
+keystore_timeout=60
 echo 'Checking for nexus-data/keystores directory...'
 while [ ! -d /etc/nexus-data/keystores ]; do
   # Wait for /keystore dir to be created by container first
   if [ $keystore_timeout == 0 ]; then
     echo 'ERROR - Timeout while waiting for Nexus to create nexus-data/keystores'
     exit 1
   fi
-  sleep 1
+  sleep 5
   ((keystore_timeout--))
 done
-echo 'Directory found. Importing ssl cert into nexus-data/keystores/keystore.jks...'
-keytool -v -importkeystore -noprompt -srckeystore nexus-ssl.pfx -srcstoretype PKCS12 \
-  -destkeystore /etc/nexus-data/keystores/keystore.jks \
-  -deststoretype JKS -srcstorepass "$cert_password" -deststorepass "$cert_password"
+
+downloaded_cert_path="/var/lib/waagent/Microsoft.Azure.KeyVault.Store/${VAULT_NAME}.${SSL_CERT_NAME}"
+cert_timeout=60
+echo 'Waiting for cert to be downloaded from KV...'
+while [ ! -f "$downloaded_cert_path" ]; do
+  if [ $cert_timeout == 0 ]; then
+    echo 'ERROR - Timeout while waiting!'
+    exit 1
+  fi
+  sleep 5
+  ((cert_timeout--))
+done
+
+keystore_file_name=ssl.keystore
+cert_password=$(openssl rand -base64 32)
+rm -f temp.p12
+openssl pkcs12 -export -inkey "$downloaded_cert_path" -in "$downloaded_cert_path" -out temp.p12 -password "pass:$cert_password"
+rm -f /etc/nexus-data/keystores/"$keystore_file_name"
+keytool -v -importkeystore -noprompt -srckeystore temp.p12 -srcstoretype PKCS12 -srcstorepass "$cert_password" \
+  -destkeystore /etc/nexus-data/keystores/"$keystore_file_name" -deststoretype PKCS12 -deststorepass "$cert_password"
+rm -f temp.p12
 
 # Configure Jetty instance within Nexus to consume ssl cert
 echo 'Modifying Nexus Jetty configuration to enable ssl...'
@@ -53,10 +61,10 @@ xmlstarlet ed -P --inplace \
 # -- then update the location of our keystore
 xmlstarlet ed -P --inplace \
   -u "/Configure[@id='Server']/New[@id='sslContextFactory']/Set[@name='KeyStorePath']" \
-  -v /nexus-data/keystores/keystore.jks /etc/nexus-data/etc/jetty/jetty-https.xml
+  -v /nexus-data/keystores/"$keystore_file_name" /etc/nexus-data/etc/jetty/jetty-https.xml
 xmlstarlet ed -P --inplace \
   -u "/Configure[@id='Server']/New[@id='sslContextFactory']/Set[@name='TrustStorePath']" \
-  -v /nexus-data/keystores/keystore.jks /etc/nexus-data/etc/jetty/jetty-https.xml
+  -v /nexus-data/keystores/"$keystore_file_name" /etc/nexus-data/etc/jetty/jetty-https.xml
 
 # Add jetty configuration and ssl port to Nexus properties
 cat >> /etc/nexus-data/etc/nexus.properties <<'EOF'

templates/shared_services/sonatype-nexus-vm/template_schema.json

@@ -33,8 +33,7 @@
             "arraySubstitutionAction": "replace",
             "arrayMatchField": "name",
             "value": {
-              "name": "shared_subnet_sonatype_nexus",
-              "action": "Allow",
+              "name": "arc_nexus",
               "rules": [
                 {
                   "name": "vm-crl",
@@ -50,7 +49,9 @@
                     }
                   ],
                   "target_fqdns": "{{ resource.properties.workspace_vm_allowed_fqdns_list }}",
-                  "source_addresses": ["*"]
+                  "source_addresses": [
+                    "*"
+                  ]
                 },
                 {
                   "name": "nexus-package-sources",
@@ -66,7 +67,7 @@
                     }
                   ],
                   "target_fqdns": "{{ resource.properties.nexus_allowed_fqdns_list }}",
-                  "source_addresses": "{{ resource.properties.shared_address_prefixes }}"
+                  "source_addresses": "{{ resource.properties.private_ip_addresses }}"
                 }
               ]
             }
@@ -91,7 +92,7 @@
             "arraySubstitutionAction": "replace",
             "arrayMatchField": "name",
             "value": {
-              "name": "shared_subnet_sonatype_nexus",
+              "name": "arc_nexus",
               "action": "Allow",
               "rules": [
                 {
@@ -108,7 +109,9 @@
                     }
                   ],
                   "target_fqdns": "{{ resource.properties.workspace_vm_allowed_fqdns_list }}",
-                  "source_addresses": ["*"]
+                  "source_addresses": [
+                    "*"
+                  ]
                 },
                 {
                   "name": "nexus-package-sources",
@@ -124,7 +127,7 @@
                     }
                   ],
                   "target_fqdns": "{{ resource.properties.nexus_allowed_fqdns_list }}",
-                  "source_addresses": "{{ resource.properties.shared_address_prefixes }}"
+                  "source_addresses": "{{ resource.properties.private_ip_addresses }}"
                 }
               ]
             }
@@ -146,7 +149,7 @@
             "arraySubstitutionAction": "remove",
             "arrayMatchField": "name",
             "value": {
-              "name": "shared_subnet_sonatype_nexus"
+              "name": "arc_nexus"
             }
           }
         ]

templates/shared_services/sonatype-nexus-vm/terraform/data.tf

@@ -19,11 +19,6 @@ data "azurerm_key_vault_certificate" "nexus_cert" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
-data "azurerm_key_vault_secret" "nexus_cert_password" {
-  name         = "${data.azurerm_key_vault_certificate.nexus_cert.name}-password"
-  key_vault_id = data.azurerm_key_vault.kv.id
-}
-
 data "azurerm_storage_account" "nexus" {
   name                = local.storage_account_name
   resource_group_name = local.core_resource_group_name

templates/shared_services/sonatype-nexus-vm/terraform/main.tf

@@ -3,11 +3,11 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.4.0"
+      version = "=3.53.0"
     }
     random = {
       source  = "hashicorp/random"
-      version = "=3.4.2"
+      version = "=3.5.1"
     }
     template = {
       source  = "hashicorp/template"

templates/shared_services/sonatype-nexus-vm/terraform/outputs.tf

@@ -1,16 +1,11 @@
-output "nexus_fqdn" {
-  value = azurerm_private_dns_a_record.nexus_vm.fqdn
-}
-
 output "nexus_allowed_fqdns_list" {
   value = jsonencode(local.nexus_allowed_fqdns_list)
 }
 
-output "shared_address_prefixes" {
-  value = jsonencode(data.azurerm_subnet.shared.address_prefixes)
-}
-
 output "workspace_vm_allowed_fqdns_list" {
   value = jsonencode(local.workspace_vm_allowed_fqdns_list)
 }
 
+output "private_ip_addresses" {
+  value = jsonencode(azurerm_network_interface.nexus.private_ip_addresses)
+}