From 9141d4eecd2e58a103e177df33c54d98adaae497 Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Sun, 23 Apr 2023 07:33:49 +0000 Subject: [PATCH 1/5] update firewall --- .../shared_services/firewall/porter.yaml | 4 +-- .../firewall/template_schema.json | 1 - .../firewall/terraform/.terraform.lock.hcl | 28 +++++++++---------- .../firewall/terraform/providers.tf | 2 +- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/templates/shared_services/firewall/porter.yaml b/templates/shared_services/firewall/porter.yaml index 5b7a1e986d..c39c5b1297 100644 --- a/templates/shared_services/firewall/porter.yaml +++ b/templates/shared_services/firewall/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-firewall -version: 1.1.0 +version: 1.1.1 description: "An Azure TRE Firewall shared service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -57,7 +57,7 @@ parameters: mixins: - terraform: - clientVersion: 1.3.6 + clientVersion: 1.4.5 install: - terraform: diff --git a/templates/shared_services/firewall/template_schema.json b/templates/shared_services/firewall/template_schema.json index 5bd8660a8e..cd3aab13b3 100644 --- a/templates/shared_services/firewall/template_schema.json +++ b/templates/shared_services/firewall/template_schema.json @@ -17,7 +17,6 @@ "type": "object", "required": [ "name", - "action", "rules" ], "properties": { diff --git a/templates/shared_services/firewall/terraform/.terraform.lock.hcl b/templates/shared_services/firewall/terraform/.terraform.lock.hcl index cd2351d9ff..617d685d57 100644 --- a/templates/shared_services/firewall/terraform/.terraform.lock.hcl +++ b/templates/shared_services/firewall/terraform/.terraform.lock.hcl 
@@ -2,21 +2,21 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.40.0" - constraints = "3.40.0" + version = "3.53.0" + constraints = "3.53.0" hashes = [ - "h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=", - "zh:00fa6dc05bf2643c6a3c741edb7d88263698086835a8a613f1d7bd76d1b918fd", - "zh:0da9b788e773272a7aa9d59bd9e3d5842edd4acc8c3895bea469e66dc14205a0", - "zh:25a8c39d1f042fc7c83ba9dd745c3569ea9e577fadb57563a575fb115ac2b9f1", - "zh:4423666dbeae8bc22c6e8898ffbb88745681dc27668ca9104b665dd7f3d7292c", - "zh:78c07308e7407b558d15737a98fb5eaf15529d297fc3798de6a7d61e0466e2e3", - "zh:894aca7e6f4f331ee8eb51957a180dc03d399d2b1727e0d7842e9b3f022a8c6a", - "zh:bb0e620c2161b4c4892a6f50b1c4c69ed70f66bb5e92543a03d79d0e4b1d9441", - "zh:c7d8e6a791159ca63b30908c9efe72ab65f60d64b30f0c1eb5a64972f4994844", - "zh:d04c11bfd346c1ac34d16bbdca70b23b006e822f6beb236b85375e8343888eb4", - "zh:f4edea9660327c7c70a823d786fd1b1c1b186c8759770447f63da72f23e1a73c", + "h1:bK70LV1NldhodSm58cUpawKwdUL1A5AKKglAV2wZ/QY=", + "zh:078ece8318ad7d6c1cd2e5f2044188e74af63921b93223c7f8d477539fa91888", + "zh:1bdc98ff8c2d3f3e81a746762e03d39794b2f5c90dc478cdb23dcc3d3f9947b6", + "zh:20b51cfc0ffc4ff368e6eb2eaece0b6bb99ade09e4b91b3444b50e94fc54c119", + "zh:233eed91279a9473825ba02d66487388d66dfc719b7249112d085dece0c2b594", + "zh:397ac8194ecc2f8d34d42600d6bf9e20399b222170dc1443b5800db3135ebc99", + "zh:3af3a2d8485d6c1ffcd26848af9ab087dfcb6cb045cc624e51f4db5144b53a9c", + "zh:5d0b9a346b57cccc369e2076556274225ec7f1c9044a2503dcfd8c117cdc2f79", + "zh:6e762dcef4ba14985f93af5f3fd195c9ee7d27de8de3bebdeefe761e53e79bb9", + "zh:73f9be719aa867985b1744c1f4fab834d01eb2069ec7a78b3a1bfa87c8256a40", + "zh:756deed30c20ffc9b4756c239e1675d3693f7175851e5ef946948a8bfb0b7935", + "zh:c279f99902a45a5b88d25d609a73709d101af3ce71222efbab9d4706c8a538b4", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - 
"zh:f986e268949cf445ff53a66af48a87c6f6dba5964e8a5b1dc0ea02afabdd71f7", ] } diff --git a/templates/shared_services/firewall/terraform/providers.tf b/templates/shared_services/firewall/terraform/providers.tf index 9d4d7d7060..a9a55fbbf7 100644 --- a/templates/shared_services/firewall/terraform/providers.tf +++ b/templates/shared_services/firewall/terraform/providers.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=3.40.0" + version = "=3.53.0" } } From 4cbece568d3b55e69f11b6bb9a1a389abc4c017c Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Sun, 23 Apr 2023 07:34:43 +0000 Subject: [PATCH 2/5] use keyvault vm extension to get nexus ssl --- .../sonatype-nexus-vm/porter.yaml | 12 ++-- .../scripts/configure_nexus_ssl.sh | 40 ++++++++----- .../sonatype-nexus-vm/template_schema.json | 19 +++--- .../terraform/.terraform.lock.hcl | 59 ++++++++++--------- .../sonatype-nexus-vm/terraform/data.tf | 5 -- .../sonatype-nexus-vm/terraform/main.tf | 4 +- .../sonatype-nexus-vm/terraform/outputs.tf | 11 +--- .../sonatype-nexus-vm/terraform/vm.tf | 21 ++++++- 8 files changed, 95 insertions(+), 76 deletions(-) diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml index 68a5ae8c48..82cc8e071a 100644 --- a/templates/shared_services/sonatype-nexus-vm/porter.yaml +++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-sonatype-nexus -version: 2.4.0 +version: 2.4.30 description: "A Sonatype Nexus shared service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -58,7 +58,7 @@ outputs: applyTo: - install - upgrade - - name: shared_address_prefixes + - name: private_ip_addresses applyTo: - install - upgrade 
@@ -66,9 +66,7 @@ outputs: mixins: - exec - terraform: - clientVersion: 1.3.6 - - az: - clientVersion: 2.37.0 + clientVersion: 1.4.5 install: - terraform: @@ -85,7 +83,7 @@ install: outputs: - name: workspace_vm_allowed_fqdns_list - name: nexus_allowed_fqdns_list - - name: shared_address_prefixes + - name: private_ip_addresses upgrade: - terraform: @@ -102,7 +100,7 @@ upgrade: outputs: - name: workspace_vm_allowed_fqdns_list - name: nexus_allowed_fqdns_list - - name: shared_address_prefixes + - name: private_ip_addresses uninstall: - terraform: description: "Tear down shared service" diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh index 9c57e86323..eb0e80fed4 100644 --- a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh +++ b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh @@ -7,16 +7,7 @@ set -o pipefail set -o nounset # set -o xtrace -# Prepare ssl certificate -az login --identity -u "${MSI_ID}" --allow-no-subscriptions -# -- get cert from kv as secret so it contains private key -echo 'Getting cert and cert password from Keyvault...' -az keyvault secret download --vault-name "${VAULT_NAME}" --name "${SSL_CERT_NAME}" --file temp.pfx --encoding base64 -cert_password=$(az keyvault secret show --vault-name "${VAULT_NAME}" \ - --name "${SSL_CERT_PASSWORD_NAME}" -o tsv --query value) -# -- az cli strips out password from cert so we re-add by converting to PEM then PFX with pwd -openssl pkcs12 -in temp.pfx -out temp.pem -nodes -password pass: -openssl pkcs12 -export -out nexus-ssl.pfx -in temp.pem -password "pass:$cert_password" +echo "Setting up Nexus SSL..." # Import ssl cert to keystore within Nexus volume keystore_timeout=300 
@@ -30,10 +21,27 @@ while [ ! -d /etc/nexus-data/keystores ]; do sleep 1 ((keystore_timeout--)) done -echo 'Directory found. Importing ssl cert into nexus-data/keystores/keystore.jks...' -keytool -v -importkeystore -noprompt -srckeystore nexus-ssl.pfx -srcstoretype PKCS12 \ - -destkeystore /etc/nexus-data/keystores/keystore.jks \ - -deststoretype JKS -srcstorepass "$cert_password" -deststorepass "$cert_password" + +downloaded_cert_path="/var/lib/waagent/Microsoft.Azure.KeyVault.Store/${VAULT_NAME}.${SSL_CERT_NAME}" +cert_timeout=300 +echo 'Waiting for cert to be downloaded from KV...' +while [ ! -f "$downloaded_cert_path" ]; do + if [ $cert_timeout == 0 ]; then + echo 'ERROR - Timeout while waiting!' + exit 1 + fi + sleep 5 + ((cert_timeout--)) +done + +keystore_file_name=ssl.keystore +cert_password=$(openssl rand -base64 32) +rm -f temp.p12 +openssl pkcs12 -export -inkey "$downloaded_cert_path" -in "$downloaded_cert_path" -out temp.p12 -password "pass:$cert_password" +rm -f /etc/nexus-data/keystores/"$keystore_file_name" +keytool -v -importkeystore -noprompt -srckeystore temp.p12 -srcstoretype PKCS12 -srcstorepass "$cert_password" \ + -destkeystore /etc/nexus-data/keystores/"$keystore_file_name" -deststoretype PKCS12 -deststorepass "$cert_password" +rm -f temp.p12 # Configure Jetty instance within Nexus to consume ssl cert echo 'Modifying Nexus Jetty configuration to enable ssl...' 
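Review bot: `temp.p12` holds the private key but is written into the current directory with the caller's default umask and is only deleted on the success path; with `set -o errexit` in force, a failing `keytool` leaves it behind. Adding `umask 077` before the `openssl pkcs12 -export` line and `trap 'rm -f temp.p12' EXIT` near the top of the script closes both gaps. The random keystore password is also passed as `pass:$cert_password` and `-srcstorepass "$cert_password"` on the command line, where it is visible in the process list for the duration of each call; `export cert_password` with `-password env:cert_password` and `-srcstorepass:env cert_password` / `-deststorepass:env cert_password` would avoid that, though the exposure is small since the password is ephemeral and local. The keystore wait loop this hunk modifies starts before the hunk.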
@@ -53,10 +61,10 @@ xmlstarlet ed -P --inplace \ # -- then update the location of our keystore xmlstarlet ed -P --inplace \ -u "/Configure[@id='Server']/New[@id='sslContextFactory']/Set[@name='KeyStorePath']" \ - -v /nexus-data/keystores/keystore.jks /etc/nexus-data/etc/jetty/jetty-https.xml + -v /nexus-data/keystores/"$keystore_file_name" /etc/nexus-data/etc/jetty/jetty-https.xml xmlstarlet ed -P --inplace \ -u "/Configure[@id='Server']/New[@id='sslContextFactory']/Set[@name='TrustStorePath']" \ - -v /nexus-data/keystores/keystore.jks /etc/nexus-data/etc/jetty/jetty-https.xml + -v /nexus-data/keystores/"$keystore_file_name" /etc/nexus-data/etc/jetty/jetty-https.xml # Add jetty configuration and ssl port to Nexus properties cat >> /etc/nexus-data/etc/nexus.properties <<'EOF' diff --git a/templates/shared_services/sonatype-nexus-vm/template_schema.json b/templates/shared_services/sonatype-nexus-vm/template_schema.json index 2ff717660c..f05dc0a39a 100644 --- a/templates/shared_services/sonatype-nexus-vm/template_schema.json +++ b/templates/shared_services/sonatype-nexus-vm/template_schema.json @@ -33,8 +33,7 @@ "arraySubstitutionAction": "replace", "arrayMatchField": "name", "value": { - "name": "shared_subnet_sonatype_nexus", - "action": "Allow", + "name": "arc_nexus", "rules": [ { "name": "vm-crl", @@ -50,7 +49,9 @@ } ], "target_fqdns": "{{ resource.properties.workspace_vm_allowed_fqdns_list }}", - "source_addresses": ["*"] + "source_addresses": [ + "*" + ] }, { "name": "nexus-package-sources", @@ -66,7 +67,7 @@ } ], "target_fqdns": "{{ resource.properties.nexus_allowed_fqdns_list }}", - "source_addresses": "{{ resource.properties.shared_address_prefixes }}" + "source_addresses": "{{ resource.properties.private_ip_addresses }}" } ] } @@ -91,7 +92,7 @@ "arraySubstitutionAction": "replace", "arrayMatchField": "name", "value": { - "name": "shared_subnet_sonatype_nexus", + "name": "arc_nexus", "action": "Allow", "rules": [ { 
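Review bot: The first rule-collection value in this file (hunk `@@ -33,8 +33,7 @@`) drops `"action": "Allow"`, while the second (hunk `@@ -91,7 +92,7 @@`) keeps it, so the two pipelines now describe the same `arc_nexus` collection differently. PATCH 1 removes `action` from the firewall schema's required list, so omitting it is presumably accepted, but whether the firewall template defaults a missing action to Allow is not visible here; if it does not, the rules in the first value would not take effect. Either drop the key from both values or restore `"action": "Allow",` after `"name": "arc_nexus",` in the first one so they stay in step.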
@@ -108,7 +109,9 @@ } ], "target_fqdns": "{{ resource.properties.workspace_vm_allowed_fqdns_list }}", - "source_addresses": ["*"] + "source_addresses": [ + "*" + ] }, { "name": "nexus-package-sources", @@ -124,7 +127,7 @@ } ], "target_fqdns": "{{ resource.properties.nexus_allowed_fqdns_list }}", - "source_addresses": "{{ resource.properties.shared_address_prefixes }}" + "source_addresses": "{{ resource.properties.private_ip_addresses }}" } ] } @@ -146,7 +149,7 @@ "arraySubstitutionAction": "remove", "arrayMatchField": "name", "value": { - "name": "shared_subnet_sonatype_nexus" + "name": "arc_nexus" } } ] diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl b/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl index e5aace684d..721b3646a3 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl +++ b/templates/shared_services/sonatype-nexus-vm/terraform/.terraform.lock.hcl 
@@ -2,47 +2,48 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.4.0" - constraints = "3.4.0" + version = "3.53.0" + constraints = "3.53.0" hashes = [ - "h1:h78yKGgOFrU/N5ntockxN7XF/ufv47j77+oauO2GKqk=", - "zh:4e9913fc3378436d19150c334e5906eafb83a4af3a270423cb7cdda94b27371f", - "zh:5b3d0cec2a600dc1f6633baa8fc36368c5c330fd7654861edcfa76f760a8f6a9", - "zh:5e0e1f899027bc182f31d996c9611e5ba27a034c848d7b0519b39e559fc4f38d", - "zh:66e3a1383ed6a0370989f6fd6abcfa63ccf6918ae535108595af57b9c20a9257", - "zh:688493baf6a116a399b737d74c11080051aca1ab087e5cddd14cc683b7e45c76", - "zh:9e471d85d52343e3ba778f3a94626d820fbec97bb589a3ac7a6a0939b9387770", - "zh:be1e85635daca1768f26962a4cbbadbf7fd13d9da8f9f188e938beca542c2ad5", - "zh:c00e14b6aa566eb9995cb0e1611a18fb8650d9f35c7636a7643a1b6e22660226", - "zh:c40711e5021838fd879da4c9e6b8f7e72104ada2adf0f3ba22e1cc32c3c54086", - "zh:cc62f8541de8d79577e57664e4f03c1fca893d455e5fb238d20668389c0f09ee", - "zh:cd9cbb5c6e5ceb5fcc7c4d0cab516ff209667d1b539b8c7436bd5e452c6aba8f", + "h1:bK70LV1NldhodSm58cUpawKwdUL1A5AKKglAV2wZ/QY=", + "zh:078ece8318ad7d6c1cd2e5f2044188e74af63921b93223c7f8d477539fa91888", + "zh:1bdc98ff8c2d3f3e81a746762e03d39794b2f5c90dc478cdb23dcc3d3f9947b6", + "zh:20b51cfc0ffc4ff368e6eb2eaece0b6bb99ade09e4b91b3444b50e94fc54c119", + "zh:233eed91279a9473825ba02d66487388d66dfc719b7249112d085dece0c2b594", + "zh:397ac8194ecc2f8d34d42600d6bf9e20399b222170dc1443b5800db3135ebc99", + "zh:3af3a2d8485d6c1ffcd26848af9ab087dfcb6cb045cc624e51f4db5144b53a9c", + "zh:5d0b9a346b57cccc369e2076556274225ec7f1c9044a2503dcfd8c117cdc2f79", + "zh:6e762dcef4ba14985f93af5f3fd195c9ee7d27de8de3bebdeefe761e53e79bb9", + "zh:73f9be719aa867985b1744c1f4fab834d01eb2069ec7a78b3a1bfa87c8256a40", + "zh:756deed30c20ffc9b4756c239e1675d3693f7175851e5ef946948a8bfb0b7935", + "zh:c279f99902a45a5b88d25d609a73709d101af3ce71222efbab9d4706c8a538b4", 
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.4.2" - constraints = "3.4.2" + version = "3.5.1" + constraints = "3.5.1" hashes = [ - "h1:PIIfeOjmPoQRHfMM7MDr7qY3mQqD4F+38Dmq8pjvUUs=", - "zh:1e61d226778aefd01c0e139c0ad709b61e9ae4b33d72301b922bd3d000b76eee", - "zh:3c3295c3d2e9c3f9d60d557ee8faf2a30bd15f59f2c38ed13f50a3220dd027d0", - "zh:6661b4953b875857c3ac99fb1006daf314acebf2d1748045d208ebc8cbc647cd", - "zh:6e1823a349ceea5e4e0c684561473f57c46f73d7c197c39904d031ce6654bfb8", + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8f8e6fd15e5228f1935c63d79bf3074f645ddba1350756acfc968b2a05bf85ee", - "zh:939a78da13a7932bd5429f0c77debe907bf9d6c6a26af50fd4d9f32ee16ea5a6", - "zh:995a592acbcde12f0d34ff5c3b74ec7054743315684b72b927bdc0d33e0e7c4d", - "zh:a9f8b88fe365ed9996d3386b415cabb445cf9d6e4b0e0b73f58af3aa31f1fa3d", - "zh:dda7c698cf92170665ca3ac1ccdc2177c0bec4807e69075422ae9d5c5308adbd", - "zh:eff42af6313499db0b3177a82851e0f2d2706e81cab11372d7d3673c41b15b9c", - "zh:fcd6826d4398147314620401a5908dd35c6f2ebac7e7d3a7d77078dbc7c5a0e6", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + 
"zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", ] } provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" + version = "2.2.0" + constraints = "2.2.0" hashes = [ "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/data.tf b/templates/shared_services/sonatype-nexus-vm/terraform/data.tf index 9931fbd982..ad0ed71585 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/data.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/data.tf @@ -19,11 +19,6 @@ data "azurerm_key_vault_certificate" "nexus_cert" { key_vault_id = data.azurerm_key_vault.kv.id } -data "azurerm_key_vault_secret" "nexus_cert_password" { - name = "${data.azurerm_key_vault_certificate.nexus_cert.name}-password" - key_vault_id = data.azurerm_key_vault.kv.id -} - data "azurerm_storage_account" "nexus" { name = local.storage_account_name resource_group_name = local.core_resource_group_name diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/main.tf b/templates/shared_services/sonatype-nexus-vm/terraform/main.tf index 50af810fe5..a7de42460d 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/main.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/main.tf @@ -3,11 +3,11 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=3.4.0" + version = "=3.53.0" } random = { source = "hashicorp/random" - version = "=3.4.2" + version = "=3.5.1" } template = { source = "hashicorp/template" diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/outputs.tf b/templates/shared_services/sonatype-nexus-vm/terraform/outputs.tf index 0f766c75af..788e1d2e76 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/outputs.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/outputs.tf 
@@ -1,16 +1,11 @@ -output "nexus_fqdn" { - value = azurerm_private_dns_a_record.nexus_vm.fqdn -} - output "nexus_allowed_fqdns_list" { value = jsonencode(local.nexus_allowed_fqdns_list) } -output "shared_address_prefixes" { - value = jsonencode(data.azurerm_subnet.shared.address_prefixes) -} - output "workspace_vm_allowed_fqdns_list" { value = jsonencode(local.workspace_vm_allowed_fqdns_list) } +output "private_ip_addresses" { + value = jsonencode(azurerm_network_interface.nexus.private_ip_addresses) +} diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf index 0495c9199c..d35ecf7015 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf @@ -197,6 +197,25 @@ data "template_file" "configure_nexus_ssl" { MSI_ID = azurerm_user_assigned_identity.nexus_msi.id VAULT_NAME = data.azurerm_key_vault.kv.name SSL_CERT_NAME = data.azurerm_key_vault_certificate.nexus_cert.name - SSL_CERT_PASSWORD_NAME = data.azurerm_key_vault_secret.nexus_cert_password.name } } + +resource "azurerm_virtual_machine_extension" "keyvault" { + virtual_machine_id = azurerm_linux_virtual_machine.nexus.id + name = "${azurerm_linux_virtual_machine.nexus.name}-KeyVault" + publisher = "Microsoft.Azure.KeyVault" + type = "KeyVaultForLinux" + type_handler_version = "2.0" + auto_upgrade_minor_version = true + tags = local.tre_shared_service_tags + + settings = jsonencode({ + "secretsManagementSettings" : { + "pollingIntervalInS" : "3600", + "requireInitialSync": true, + "observedCertificates" : [ + data.azurerm_key_vault_certificate.nexus_cert.versionless_secret_id + ] + } + }) +} From 19bf177d0fd3fe02d4561493030541d97dff837d Mon Sep 17 00:00:00 2001 
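Review bot: The new `azurerm_virtual_machine_extension` block has no `authenticationSettings`, so the Key Vault extension will authenticate with the VM's system-assigned identity, while the template vars show the VM being given a user-assigned identity (`azurerm_user_assigned_identity.nexus_msi`). If the VM does not also carry a system-assigned identity with secret-get access to the vault, the initial sync that the script waits on will never produce the certificate file; the VM's identity block is outside this hunk, so please confirm. If only the user-assigned identity exists, point the extension at it as below. `MSI_ID` is also still passed to `template_file.configure_nexus_ssl` although the script no longer runs `az login` (PATCH 2, configure_nexus_ssl.sh), so that var can be dropped.
```hcl
  settings = jsonencode({
    "secretsManagementSettings" : {
      # … unchanged: pollingIntervalInS, requireInitialSync, observedCertificates …
    },
    "authenticationSettings" : {
      "msiEndpoint" : "http://169.254.169.254/metadata/identity",
      "msiClientId" : azurerm_user_assigned_identity.nexus_msi.client_id
    }
  })
```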
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Sun, 23 Apr 2023 07:43:43 +0000 Subject: [PATCH 3/5] changelog --- CHANGELOG.md | 1 + .../shared_services/sonatype-nexus-vm/terraform/vm.tf | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b124adac3e..8248b3e935 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ ENHANCEMENTS: BUG FIXES: * AML workspace service fails to install and puts firewall into failed state ([#3448](https://github.com/microsoft/AzureTRE/issues/3448)) +* Nexus fails to install due to `az login` and firewall rules ([#3453](https://github.com/microsoft/AzureTRE/issues/3453)) COMPONENTS: diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf index d35ecf7015..139bab06cd 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf @@ -194,9 +194,9 @@ data "template_file" "nexus_bootstrapping" { data "template_file" "configure_nexus_ssl" { template = file("${path.module}/../scripts/configure_nexus_ssl.sh") vars = { - MSI_ID = azurerm_user_assigned_identity.nexus_msi.id - VAULT_NAME = data.azurerm_key_vault.kv.name - SSL_CERT_NAME = data.azurerm_key_vault_certificate.nexus_cert.name + MSI_ID = azurerm_user_assigned_identity.nexus_msi.id + VAULT_NAME = data.azurerm_key_vault.kv.name + SSL_CERT_NAME = data.azurerm_key_vault_certificate.nexus_cert.name } } @@ -212,7 +212,7 @@ resource "azurerm_virtual_machine_extension" "keyvault" { settings = jsonencode({ "secretsManagementSettings" : { "pollingIntervalInS" : "3600", - "requireInitialSync": true, + "requireInitialSync" : true, "observedCertificates" : [ data.azurerm_key_vault_certificate.nexus_cert.versionless_secret_id ] From cae37028c0f96c15313f6a631d7c3d85f8bf7a7b Mon Sep 17 00:00:00 2001 
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Sun, 23 Apr 2023 07:52:33 +0000 Subject: [PATCH 4/5] version --- templates/shared_services/sonatype-nexus-vm/porter.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml index 82cc8e071a..7649abf2a1 100644 --- a/templates/shared_services/sonatype-nexus-vm/porter.yaml +++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-sonatype-nexus -version: 2.4.30 +version: 2.5.0 description: "A Sonatype Nexus shared service" dockerfile: Dockerfile.tmpl registry: azuretre From ff1f26ec131c71fde74505433308d153d177d582 Mon Sep 17 00:00:00 2001 From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com> Date: Sun, 23 Apr 2023 11:08:33 +0000 Subject: [PATCH 5/5] change timeouts --- .../sonatype-nexus-vm/scripts/configure_nexus_ssl.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh index eb0e80fed4..6dd4ddba14 100644 --- a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh +++ b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_ssl.sh @@ -10,7 +10,7 @@ set -o nounset echo "Setting up Nexus SSL..." # Import ssl cert to keystore within Nexus volume -keystore_timeout=300 +keystore_timeout=60 echo 'Checking for nexus-data/keystores directory...' while [ ! -d /etc/nexus-data/keystores ]; do # Wait for /keystore dir to be created by container first 
@@ -18,12 +18,12 @@ while [ ! -d /etc/nexus-data/keystores ]; do echo 'ERROR - Timeout while waiting for Nexus to create nexus-data/keystores' exit 1 fi - sleep 1 + sleep 5 ((keystore_timeout--)) done downloaded_cert_path="/var/lib/waagent/Microsoft.Azure.KeyVault.Store/${VAULT_NAME}.${SSL_CERT_NAME}" -cert_timeout=300 +cert_timeout=60 echo 'Waiting for cert to be downloaded from KV...' while [ ! -f "$downloaded_cert_path" ]; do if [ $cert_timeout == 0 ]; then
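Review bot: `keystore_timeout` and `cert_timeout` are iteration counts, not seconds; after this change both loops wait up to 60 × 5 s = 300 s, which keeps the keystore wait where it was but cuts the certificate wait from 1500 s to 300 s. The names read as seconds, so a comment such as `# 60 iterations x 5 s sleep = 5 min max wait` above each assignment would make the budget explicit, or rename them to `keystore_retries` / `cert_retries`. Whether 300 s is enough for the extension's initial sync cannot be judged from here.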