From e0753da5cd70322ed83d36d7b1f647dfb1a0e97d Mon Sep 17 00:00:00 2001 From: jonnyry Date: Tue, 7 Jan 2025 14:10:12 +0000 Subject: [PATCH 01/17] Core key vault firewall should not be set to "Allow public access from all networks" #4250 --- CHANGELOG.md | 1 + core/terraform/.terraform.lock.hcl | 19 ++++ core/terraform/deploy.sh | 6 ++ core/terraform/destroy.sh | 6 ++ core/terraform/keyvault.tf | 40 ++++++- core/terraform/locals.tf | 10 ++ core/terraform/scripts/letsencrypt.sh | 7 ++ .../add_deployment_network_exceptions.sh | 100 ++++++++++++++++++ devops/scripts/destroy_env_no_terraform.sh | 8 ++ devops/scripts/key_vault_list.sh | 8 ++ .../remove_deployment_network_exceptions.sh | 75 +++++++++++++ devops/scripts/set_contributor_sp_secrets.sh | 10 ++ 12 files changed, 287 insertions(+), 3 deletions(-) create mode 100644 devops/scripts/add_deployment_network_exceptions.sh create mode 100644 devops/scripts/remove_deployment_network_exceptions.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d19e990a0..04a0801b20 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,7 @@ ENHANCEMENTS: * Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949) * Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)]) * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)]) +* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250)) BUG FIXES: * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112)) diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl index 1c20359910..7c6b650d30 100644 --- a/core/terraform/.terraform.lock.hcl +++ b/core/terraform/.terraform.lock.hcl 
@@ -82,6 +82,25 @@ provider "registry.terraform.io/hashicorp/local" { ] } +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + hashes = [ + "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + provider "registry.terraform.io/hashicorp/random" { version = "3.6.3" constraints = ">= 3.0.0, ~> 3.6" diff --git a/core/terraform/deploy.sh b/core/terraform/deploy.sh index e71fb14ae1..e60128e2cb 100755 --- a/core/terraform/deploy.sh +++ b/core/terraform/deploy.sh @@ -5,6 +5,12 @@ set -o pipefail set -o nounset # set -o xtrace +# add trap to remove deployment network exceptions +trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT + +# now add deployment network exceptions +source "../../devops/scripts/add_deployment_network_exceptions.sh" + # This is where we can migrate any Terraform before we plan and apply # For instance deprecated Terraform resources # shellcheck disable=SC1091 diff --git a/core/terraform/destroy.sh b/core/terraform/destroy.sh index 92b6b75c4c..804a2088d1 100755 --- a/core/terraform/destroy.sh +++ b/core/terraform/destroy.sh 
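Review bot: The EXIT trap resolves `../../devops/scripts/remove_deployment_network_exceptions.sh` relative to whatever the working directory is when the trap fires, not when it is registered, so if anything later in deploy.sh changes directory (the rest of the script is outside this hunk) the cleanup fails and the Key Vault firewall exception for the deployment IP is left in place. Anchoring on the script's own location, as `core/terraform/scripts/letsencrypt.sh` does, removes that dependency: add `script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")` above the trap and use `trap 'source "$script_dir/../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT` (and the same form for the `source` line). A short comment noting that both sourced scripts turn on `errexit`/`pipefail` inside `main`, which persists in this shell because they are sourced rather than executed, would also help the next reader; it is harmless here only because the same options are already set on the lines above.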
@@ -5,6 +5,12 @@ set -o pipefail set -o nounset # set -o xtrace +# add trap to remove deployment network exceptions on script exit +trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT + +# now add deployment network exceptions +source "$script_dir/add_deployment_network_exceptions.sh" + # These variables are loaded in for us # shellcheck disable=SC2154 ../../devops/scripts/terraform_wrapper.sh -g "${TF_VAR_mgmt_resource_group_name}" \ diff --git a/core/terraform/keyvault.tf b/core/terraform/keyvault.tf index 5d75ae9176..5df7ddd057 100644 --- a/core/terraform/keyvault.tf +++ b/core/terraform/keyvault.tf 
@@ -1,14 +1,48 @@ resource "azurerm_key_vault" "kv" { - name = "kv-${var.tre_id}" + name = local.kv_name tenant_id = data.azurerm_client_config.current.tenant_id location = azurerm_resource_group.core.location resource_group_name = azurerm_resource_group.core.name sku_name = "standard" enable_rbac_authorization = true purge_protection_enabled = var.kv_purge_protection_enabled - tags = local.tre_core_tags + tags = merge(local.tre_core_tags, { "${local.tre_deployment_network_exception_tag}" = "true" }) - lifecycle { ignore_changes = [access_policy, tags] } + public_network_access_enabled = local.kv_public_network_access_enabled + + network_acls { + default_action = local.kv_network_default_action + bypass = local.kv_network_bypass + ip_rules = [ local.myip ] # exception for deployment IP, this is removed in remove_deployment_network_exceptions.sh + } + + lifecycle { + ignore_changes = [access_policy, tags] + } + + # create provisioner required due to https://github.com/hashicorp/terraform-provider-azurerm/issues/18970 + # + provisioner "local-exec" { + when = create + command = <&1); then + echo " Keyvault $KV_NAME is now accessible" + break + fi + + if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then + echo -e "Could not add deployment network exception for $KV_NAME" + echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n" + echo -e "$KV_OUTPUT\n" + + exit 1 + fi + + echo " Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect." + sleep 5 + ((ATTEMPT++)) + + done + +} + +main "$@" diff --git a/devops/scripts/destroy_env_no_terraform.sh b/devops/scripts/destroy_env_no_terraform.sh index e327f313c6..a8a975aacf 100755 --- a/devops/scripts/destroy_env_no_terraform.sh +++ b/devops/scripts/destroy_env_no_terraform.sh 
@@ -66,6 +66,14 @@ then no_wait_option="--no-wait" fi +script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") + +# add trap to remove deployment network exceptions on script exit +trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT + +# now add deployment network exceptions +source "$script_dir/add_deployment_network_exceptions.sh" + group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?) if [[ "$group_show_result" != "0" ]]; then echo "Resource group ${core_tre_rg} not found - skipping destroy" diff --git a/devops/scripts/key_vault_list.sh b/devops/scripts/key_vault_list.sh index faa1aa9384..4d21867561 100755 --- a/devops/scripts/key_vault_list.sh +++ b/devops/scripts/key_vault_list.sh @@ -7,6 +7,14 @@ fi echo "DEBUG: Check keyvault and secrets exist" +script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") + +# add trap to remove deployment network exceptions on script exit +trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT + +# now add deployment network exceptions +source "$script_dir/add_deployment_network_exceptions.sh" + echo "az keyvault show" az keyvault show --name kv-${TRE_ID} diff --git a/devops/scripts/remove_deployment_network_exceptions.sh b/devops/scripts/remove_deployment_network_exceptions.sh new file mode 100644 index 0000000000..5cffb79f81 --- /dev/null +++ b/devops/scripts/remove_deployment_network_exceptions.sh 
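Review bot: The cleanup registered here fires after the resource-group delete that follows the hunk, and the context line `no_wait_option="--no-wait"` indicates that delete can be asynchronous, so when the trap runs `az group list` may still report the group and `az keyvault network-rule remove` is issued against a vault that is mid-deletion. The sourced remove script enables `set -o errexit` inside `main`, so a CLI failure at that point turns an otherwise successful destroy into a failing exit, even though the leftover rule is moot once the group is gone. I would make the cleanup explicitly best-effort in this caller, `trap 'source "$script_dir/remove_deployment_network_exceptions.sh" || echo "WARNING: could not remove key vault network exception" >&2' EXIT`, and say so in the comment above it. This is inferred from the `--no-wait` context rather than from lines in the hunk, so check the ordering in the rest of the script.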
@@ -0,0 +1,75 @@ +#!/bin/bash + +TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG="tre_deployment_network_exception" + +function main() { + + set -o errexit + set -o pipefail + + + # parse params/set up inputs + # + if [[ -z "$TRE_ID" ]]; then + echo -e "Could not close deployment network exceptions: TRE_ID is not set\nExiting...\n" + exit 1 + fi + + local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}" + + if [[ -z "$MY_IP" ]]; then + MY_IP=$(curl -s "ipecho.net/plain"; echo) + fi + + local TRE_CORE_RG="rg-${TRE_ID}" + + + # find resources that require network exceptions + # + echo -e "\nQuerying resources that require network exceptions removing for deployment..." + + if [[ -z "$(az group list --query "[?name=='$TRE_CORE_RG']" --output tsv)" ]]; then + echo -e " Core resource group $TRE_CORE_RG not found\n" + return 0 + fi + + local AZ_IDS + AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG}=='true'].id" --output tsv) + + if [ -z "$AZ_IDS" ]; then + echo -e " No resources found\n" + return 0 + fi + + + # remove network exceptions + # + local AZ_ID + for AZ_ID in $AZ_IDS; do + + local RESOURCE_TYPE + RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv) + + if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then + remove_keyvault_network_exception "$AZ_ID" "$MY_IP" + fi + + done + + echo "" + +} + +function remove_keyvault_network_exception() { + local AZ_ID="$1" + local MY_IP="$2" + + local KV_NAME + KV_NAME=$(basename "$AZ_ID") + + echo " Removing keyvault deployment network exception for $KV_NAME" + + az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none +} + +main "$@" diff --git a/devops/scripts/set_contributor_sp_secrets.sh b/devops/scripts/set_contributor_sp_secrets.sh index 95a07da877..ecc09d2a38 100755 --- a/devops/scripts/set_contributor_sp_secrets.sh +++ b/devops/scripts/set_contributor_sp_secrets.sh 
@@ -16,6 +16,16 @@ set -e # echo -e "\n\e[34m»»» 🤖 \e[96mCreating (or updating) service principal ID and secret to Key Vault\e[0m..." + +script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") + +# add trap to remove deployment network exceptions on script exit +trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT + +# now add deployment network exceptions +source "$script_dir/add_deployment_network_exceptions.sh" + + key_vault_name="kv-$TRE_ID" az account set --subscription $ARM_SUBSCRIPTION_ID az keyvault secret set --name deployment-processor-azure-client-id --vault-name $key_vault_name --value $RESOURCE_PROCESSOR_CLIENT_ID From e33f235feb2864edaae4b4819b888f947316a23d Mon Sep 17 00:00:00 2001 From: jonnyry Date: Tue, 7 Jan 2025 21:51:53 +0000 Subject: [PATCH 02/17] Linting --- core/terraform/keyvault.tf | 4 ++-- core/terraform/locals.tf | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/core/terraform/keyvault.tf b/core/terraform/keyvault.tf index 5df7ddd057..a76c225bc9 100644 --- a/core/terraform/keyvault.tf +++ b/core/terraform/keyvault.tf @@ -13,7 +13,7 @@ resource "azurerm_key_vault" "kv" { network_acls { default_action = local.kv_network_default_action bypass = local.kv_network_bypass - ip_rules = [ local.myip ] # exception for deployment IP, this is removed in remove_deployment_network_exceptions.sh + ip_rules = [local.myip] # exception for deployment IP, this is removed in remove_deployment_network_exceptions.sh } lifecycle { @@ -23,7 +23,7 @@ resource "azurerm_key_vault" "kv" { # create provisioner required due to https://github.com/hashicorp/terraform-provider-azurerm/issues/18970 # provisioner "local-exec" { - when = create + when = create command = < Date: Tue, 7 Jan 2025 21:56:07 +0000 Subject: [PATCH 03/17] Update core version --- core/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/version.txt b/core/version.txt index 1e6e806534..d0f18418d1 100644 --- a/core/version.txt 
+++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.16" +__version__ = "0.11.17" From 9f1ef68db743a3aac24cdb2b69cd294536da6460 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Tue, 7 Jan 2025 22:16:17 +0000 Subject: [PATCH 04/17] Linting --- core/terraform/deploy.sh | 2 ++ core/terraform/destroy.sh | 8 +++++--- core/terraform/keyvault.tf | 2 +- core/terraform/main.tf | 4 ++++ core/terraform/scripts/letsencrypt.sh | 2 ++ devops/scripts/destroy_env_no_terraform.sh | 2 ++ devops/scripts/key_vault_list.sh | 8 +++++--- devops/scripts/set_contributor_sp_secrets.sh | 8 +++++--- 8 files changed, 26 insertions(+), 10 deletions(-) diff --git a/core/terraform/deploy.sh b/core/terraform/deploy.sh index e60128e2cb..b6ea570796 100755 --- a/core/terraform/deploy.sh +++ b/core/terraform/deploy.sh @@ -6,9 +6,11 @@ set -o nounset # set -o xtrace # add trap to remove deployment network exceptions +# shellcheck disable=SC1091 trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT # now add deployment network exceptions +# shellcheck disable=SC1091 source "../../devops/scripts/add_deployment_network_exceptions.sh" # This is where we can migrate any Terraform before we plan and apply diff --git a/core/terraform/destroy.sh b/core/terraform/destroy.sh index 804a2088d1..08dae443cf 100755 --- a/core/terraform/destroy.sh +++ b/core/terraform/destroy.sh 
@@ -5,11 +5,13 @@ set -o pipefail set -o nounset # set -o xtrace -# add trap to remove deployment network exceptions on script exit -trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT +# add trap to remove deployment network exceptions +# shellcheck disable=SC1091 +trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT # now add deployment network exceptions -source "$script_dir/add_deployment_network_exceptions.sh" +# shellcheck disable=SC1091 +source "../../devops/scripts/add_deployment_network_exceptions.sh" # These variables are loaded in for us # shellcheck disable=SC2154 diff --git a/core/terraform/keyvault.tf b/core/terraform/keyvault.tf index a76c225bc9..34128e119e 100644 --- a/core/terraform/keyvault.tf +++ b/core/terraform/keyvault.tf @@ -6,7 +6,7 @@ resource "azurerm_key_vault" "kv" { sku_name = "standard" enable_rbac_authorization = true purge_protection_enabled = var.kv_purge_protection_enabled - tags = merge(local.tre_core_tags, { "${local.tre_deployment_network_exception_tag}" = "true" }) + tags = merge(local.tre_core_tags, { (local.tre_deployment_network_exception_tag) = "true" }) public_network_access_enabled = local.kv_public_network_access_enabled diff --git a/core/terraform/main.tf b/core/terraform/main.tf index 49693884c1..f9e74e5cf0 100644 --- a/core/terraform/main.tf +++ b/core/terraform/main.tf @@ -21,6 +21,10 @@ terraform { source = "Azure/azapi" version = "~> 1.15.0" } + null = { + source = "hashicorp/null" + version = "3.2.3" + } } backend "azurerm" {} diff --git a/core/terraform/scripts/letsencrypt.sh b/core/terraform/scripts/letsencrypt.sh index a45a48f00b..fed8f1b8f1 100755 --- a/core/terraform/scripts/letsencrypt.sh +++ b/core/terraform/scripts/letsencrypt.sh 
@@ -4,9 +4,11 @@ set -e script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") # add trap to remove deployment network exceptions on script exit +# shellcheck disable=SC1091 trap 'source "$script_dir/../../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT # now add deployment network exceptions +# shellcheck disable=SC1091 source "$script_dir/../../../devops/scripts/add_deployment_network_exceptions.sh" diff --git a/devops/scripts/destroy_env_no_terraform.sh b/devops/scripts/destroy_env_no_terraform.sh index a8a975aacf..6763381e15 100755 --- a/devops/scripts/destroy_env_no_terraform.sh +++ b/devops/scripts/destroy_env_no_terraform.sh @@ -69,9 +69,11 @@ fi script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") # add trap to remove deployment network exceptions on script exit +# shellcheck disable=SC1091 trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT # now add deployment network exceptions +# shellcheck disable=SC1091 source "$script_dir/add_deployment_network_exceptions.sh" group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?) diff --git a/devops/scripts/key_vault_list.sh b/devops/scripts/key_vault_list.sh index 4d21867561..963a42118e 100755 --- a/devops/scripts/key_vault_list.sh +++ b/devops/scripts/key_vault_list.sh 
@@ -10,16 +10,18 @@ echo "DEBUG: Check keyvault and secrets exist" script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") # add trap to remove deployment network exceptions on script exit +# shellcheck disable=SC1091 trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT # now add deployment network exceptions +# shellcheck disable=SC1091 source "$script_dir/add_deployment_network_exceptions.sh" echo "az keyvault show" -az keyvault show --name kv-${TRE_ID} +az keyvault show --name "kv-${TRE_ID}" echo "az keyvault secret list" -az keyvault secret list --vault-name kv-${TRE_ID} +az keyvault secret list --vault-name "kv-${TRE_ID}" echo "az keyvault secret list-deleted" -az keyvault secret list-deleted --vault-name kv-${TRE_ID} +az keyvault secret list-deleted --vault-name "kv-${TRE_ID}" diff --git a/devops/scripts/set_contributor_sp_secrets.sh b/devops/scripts/set_contributor_sp_secrets.sh index ecc09d2a38..9b11edc010 100755 --- a/devops/scripts/set_contributor_sp_secrets.sh +++ b/devops/scripts/set_contributor_sp_secrets.sh 
@@ -20,13 +20,15 @@ echo -e "\n\e[34m»»» 🤖 \e[96mCreating (or updating) service principal ID a script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") # add trap to remove deployment network exceptions on script exit +# shellcheck disable=SC1091 trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT # now add deployment network exceptions +# shellcheck disable=SC1091 source "$script_dir/add_deployment_network_exceptions.sh" key_vault_name="kv-$TRE_ID" -az account set --subscription $ARM_SUBSCRIPTION_ID -az keyvault secret set --name deployment-processor-azure-client-id --vault-name $key_vault_name --value $RESOURCE_PROCESSOR_CLIENT_ID -az keyvault secret set --name deployment-processor-azure-client-secret --vault-name $key_vault_name --value $RESOURCE_PROCESSOR_CLIENT_SECRET > /dev/null +az account set --subscription "$ARM_SUBSCRIPTION_ID" +az keyvault secret set --name deployment-processor-azure-client-id --vault-name "$key_vault_name" --value "$RESOURCE_PROCESSOR_CLIENT_ID" +az keyvault secret set --name deployment-processor-azure-client-secret --vault-name "$key_vault_name" --value "$RESOURCE_PROCESSOR_CLIENT_SECRET" > /dev/null From 1fefc9fdd110b7e803791d695203a8e91d858c09 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Tue, 7 Jan 2025 22:17:09 +0000 Subject: [PATCH 05/17] Linting --- devops/scripts/add_deployment_network_exceptions.sh | 0 devops/scripts/remove_deployment_network_exceptions.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 devops/scripts/add_deployment_network_exceptions.sh mode change 100644 => 100755 devops/scripts/remove_deployment_network_exceptions.sh diff --git a/devops/scripts/add_deployment_network_exceptions.sh b/devops/scripts/add_deployment_network_exceptions.sh old mode 100644 new mode 100755 diff --git a/devops/scripts/remove_deployment_network_exceptions.sh b/devops/scripts/remove_deployment_network_exceptions.sh old mode 100644 new mode 100755 
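Review bot: The client secret is still passed on the command line, `--value "$RESOURCE_PROCESSOR_CLIENT_SECRET"`, so for the duration of the call it is readable by any other process on the host via the process table and would be printed verbatim by an `-x` trace; quoting it, which this hunk does, does not change that. `az keyvault secret set` also takes `--file`, so the value can be delivered over a file descriptor instead: `az keyvault secret set --name deployment-processor-azure-client-secret --vault-name "$key_vault_name" --file <(printf '%s' "$RESOURCE_PROCESSOR_CLIENT_SECRET") > /dev/null`. I have not confirmed that `--file` accepts a process substitution on every platform this script runs on, so verify before switching. The client-id line has the same shape but the id is not a secret, so it can stay as is.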
From 8af920d852d54e29f5f9697567f41f62827b2bf2 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Tue, 7 Jan 2025 22:19:51 +0000 Subject: [PATCH 06/17] Linting --- core/terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/terraform/main.tf b/core/terraform/main.tf index f9e74e5cf0..ff0d6efbca 100644 --- a/core/terraform/main.tf +++ b/core/terraform/main.tf @@ -22,7 +22,7 @@ terraform { version = "~> 1.15.0" } null = { - source = "hashicorp/null" + source = "hashicorp/null" version = "3.2.3" } } From 8c24844a3f3722341a719d7be44795235b4cf286 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Wed, 8 Jan 2025 10:41:47 +0000 Subject: [PATCH 07/17] Simplified: Remove use of azure tags, make specific to key vault --- core/terraform/deploy.sh | 8 +- core/terraform/destroy.sh | 8 +- core/terraform/keyvault.tf | 20 +--- core/terraform/locals.tf | 4 - core/terraform/scripts/letsencrypt.sh | 8 +- .../add_deployment_network_exceptions.sh | 100 ------------------ devops/scripts/destroy_env_no_terraform.sh | 8 +- devops/scripts/key_vault_list.sh | 8 +- devops/scripts/kv_add_network_exception.sh | 66 ++++++++++++ devops/scripts/kv_remove_network_exception.sh | 43 ++++++++ .../remove_deployment_network_exceptions.sh | 75 ------------- devops/scripts/set_contributor_sp_secrets.sh | 8 +- 12 files changed, 136 insertions(+), 220 deletions(-) delete mode 100755 devops/scripts/add_deployment_network_exceptions.sh create mode 100644 devops/scripts/kv_add_network_exception.sh create mode 100644 devops/scripts/kv_remove_network_exception.sh delete mode 100755 devops/scripts/remove_deployment_network_exceptions.sh diff --git a/core/terraform/deploy.sh b/core/terraform/deploy.sh index b6ea570796..960041c7d7 100755 --- a/core/terraform/deploy.sh +++ b/core/terraform/deploy.sh 
@@ -5,13 +5,13 @@ set -o pipefail set -o nounset # set -o xtrace -# add trap to remove deployment network exceptions +# add trap to remove kv network exception # shellcheck disable=SC1091 -trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT +trap 'source "../../devops/scripts/kv_remove_network_exception.sh"' EXIT -# now add deployment network exceptions +# now add kv network exception # shellcheck disable=SC1091 -source "../../devops/scripts/add_deployment_network_exceptions.sh" +source "../../devops/scripts/kv_add_network_exception.sh" # This is where we can migrate any Terraform before we plan and apply # For instance deprecated Terraform resources diff --git a/core/terraform/destroy.sh b/core/terraform/destroy.sh index 08dae443cf..e3782c391e 100755 --- a/core/terraform/destroy.sh +++ b/core/terraform/destroy.sh @@ -5,13 +5,13 @@ set -o pipefail set -o nounset # set -o xtrace -# add trap to remove deployment network exceptions +# add trap to remove kv network exception # shellcheck disable=SC1091 -trap 'source "../../devops/scripts/remove_deployment_network_exceptions.sh"' EXIT +trap 'source "../../devops/scripts/kv_remove_network_exception.sh"' EXIT -# now add deployment network exceptions +# now add kv network exception # shellcheck disable=SC1091 -source "../../devops/scripts/add_deployment_network_exceptions.sh" +source "../../devops/scripts/kv_add_network_exception.sh" # These variables are loaded in for us # shellcheck disable=SC2154 diff --git a/core/terraform/keyvault.tf b/core/terraform/keyvault.tf index 34128e119e..c491a09517 100644 --- a/core/terraform/keyvault.tf +++ b/core/terraform/keyvault.tf 
@@ -6,14 +6,14 @@ resource "azurerm_key_vault" "kv" { sku_name = "standard" enable_rbac_authorization = true purge_protection_enabled = var.kv_purge_protection_enabled - tags = merge(local.tre_core_tags, { (local.tre_deployment_network_exception_tag) = "true" }) + tags = local.tre_core_tags public_network_access_enabled = local.kv_public_network_access_enabled network_acls { default_action = local.kv_network_default_action bypass = local.kv_network_bypass - ip_rules = [local.myip] # exception for deployment IP, this is removed in remove_deployment_network_exceptions.sh + ip_rules = [local.myip] # exception for deployment IP, this is removed in kv_remove_network_exception.sh } lifecycle { @@ -25,26 +25,12 @@ resource "azurerm_key_vault" "kv" { provisioner "local-exec" { when = create command = <&1); then - echo " Keyvault $KV_NAME is now accessible" - break - fi - - if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then - echo -e "Could not add deployment network exception for $KV_NAME" - echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n" - echo -e "$KV_OUTPUT\n" - - exit 1 - fi - - echo " Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect." - sleep 5 - ((ATTEMPT++)) - - done - -} - -main "$@" diff --git a/devops/scripts/destroy_env_no_terraform.sh b/devops/scripts/destroy_env_no_terraform.sh index 6763381e15..bd470d333d 100755 --- a/devops/scripts/destroy_env_no_terraform.sh +++ b/devops/scripts/destroy_env_no_terraform.sh 
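Review bot: `ip_rules = [local.myip]` stays in the resource definition while the same rule is removed out-of-band by `kv_remove_network_exception.sh`, and the `ignore_changes` list that starts at the end of this hunk covers only `access_policy` and `tags`, so every later plan sees `network_acls` drifted (rule missing, or a different egress address) and re-applies it; in effect Terraform re-opens the firewall for the deployer on every apply independently of the add script, and if `local.myip` ever differs from the address the scripts resolve, the Terraform-added rule is never removed at all. If the scripts are meant to own the exception after creation, add the rule list to the lifecycle block, `ignore_changes = [access_policy, tags, network_acls[0].ip_rules]`, so the create-time rule is set once and subsequent runs leave the ACL alone. The locals `kv_network_default_action`, `kv_network_bypass` and `myip` are defined outside this hunk, so I cannot confirm how the deployer IP is resolved on the Terraform side or that it matches what the scripts compute. The enclosing `azurerm_key_vault` resource begins before and continues past the hunk.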
@@ -68,13 +68,13 @@ fi script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") -# add trap to remove deployment network exceptions on script exit +# add trap to remove kv network exception # shellcheck disable=SC1091 -trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT +trap 'source "$script_dir/kv_remove_network_exception.sh"' EXIT -# now add deployment network exceptions +# now add kv network exception # shellcheck disable=SC1091 -source "$script_dir/add_deployment_network_exceptions.sh" +source "$script_dir/kv_add_network_exception.sh" group_show_result=$(az group show --name "${core_tre_rg}" > /dev/null 2>&1; echo $?) if [[ "$group_show_result" != "0" ]]; then diff --git a/devops/scripts/key_vault_list.sh b/devops/scripts/key_vault_list.sh index 963a42118e..ab65ede789 100755 --- a/devops/scripts/key_vault_list.sh +++ b/devops/scripts/key_vault_list.sh @@ -9,13 +9,13 @@ echo "DEBUG: Check keyvault and secrets exist" script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") -# add trap to remove deployment network exceptions on script exit +# add trap to remove kv network exception # shellcheck disable=SC1091 -trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT +trap 'source "$script_dir/kv_remove_network_exception.sh"' EXIT -# now add deployment network exceptions +# now add kv network exception # shellcheck disable=SC1091 -source "$script_dir/add_deployment_network_exceptions.sh" +source "$script_dir/kv_add_network_exception.sh" echo "az keyvault show" az keyvault show --name "kv-${TRE_ID}" diff --git a/devops/scripts/kv_add_network_exception.sh b/devops/scripts/kv_add_network_exception.sh new file mode 100644 index 0000000000..41bbe9753c --- /dev/null +++ b/devops/scripts/kv_add_network_exception.sh 
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+function main() {
+
+ set -o errexit
+ set -o pipefail
+
+ # parse params/set up inputs
+ #
+ if [[ -z "$TRE_ID" ]]; then
+ echo -e "Could not add keyvault deployment network exception: TRE_ID is not set\nExiting...\n"
+ exit 1
+ fi
+
+ local RG_NAME="rg-${TRE_ID}"
+ local KV_NAME="kv-${TRE_ID}"
+ local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
+
+ if [[ -z "$MY_IP" ]]; then
+ MY_IP=$(curl -s "ipecho.net/plain"; echo)
+ fi
+
+
+ # add keyvault network exception
+ #
+ echo -e "\nAdding deployment network exception to key vault $KV_NAME..."
+
+ if [[ -z "$(az group list --query "[?name=='$RG_NAME']" --output tsv)" ]]; then
+ echo -e " Core resource group $RG_NAME not found\n"
+ return 0
+ fi
+
+ if [[ -z "$(az keyvault list --resource-group "$RG_NAME" --query "[?name=='$KV_NAME'].id" --output tsv)" ]]; then
+ echo -e " Core key vault $KV_NAME not found\n"
+ return 0
+ fi
+
+ az keyvault network-rule add --resource-group "$RG_NAME" --name "$KV_NAME" --ip-address "$MY_IP" --output none
+
+ local ATTEMPT=1
+ local MAX_ATTEMPTS=10
+
+ while true; do
+
+ if KV_OUTPUT=$(az keyvault secret list --vault-name "$KV_NAME" --query '[].name' --output tsv 2>&1); then
+ echo -e " Keyvault $KV_NAME is now accessible\n"
+ break
+ fi
+
+ if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+ echo -e "Could not add deployment network exception for $KV_NAME"
+ echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n"
+ echo -e "$KV_OUTPUT\n"
+
+ exit 1
+ fi
+
+ echo " Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect."
+ sleep 5
+ ((ATTEMPT++))
+
+ done
+
+}
+
+main "$@"
diff --git a/devops/scripts/kv_remove_network_exception.sh b/devops/scripts/kv_remove_network_exception.sh
new file mode 100644
index 0000000000..bf048f3581
--- /dev/null
+++ b/devops/scripts/kv_remove_network_exception.sh
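Review bot: The address that gets whitelisted on the vault firewall comes from `curl -s "ipecho.net/plain"`, a plain-HTTP request (no scheme, so curl defaults to http) to a third-party service with no `--fail`, so a failed or tampered response yields an empty or arbitrary string that is passed straight to `az keyvault network-rule add --ip-address`; the rule then opens the vault to whatever the lookup returned, or the add fails with an opaque CLI error. Fetch over https with `--fail` and refuse to proceed unless the result looks like a single IPv4 address, which is what the script intends even though the CLI also accepts CIDRs. Separately, the retry loop cannot distinguish a firewall-propagation 403 from an RBAC 403, so an identity lacking `secrets/list` on the vault burns all ten attempts and reports "Unable to access keyvault"; a comment on the `az keyvault secret list` probe saying it doubles as a permission check would save someone a confusing debugging session.
```shell
  if [[ -z "$MY_IP" ]]; then
    MY_IP=$(curl -fsS "https://ipecho.net/plain") || MY_IP=""
  fi

  # refuse to open the firewall for anything that is not a single IPv4 address
  if [[ ! "$MY_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo -e "Could not determine a valid public deployment IP (got: '$MY_IP').\nSet PUBLIC_DEPLOYMENT_IP_ADDRESS explicitly.\nExiting...\n"
    exit 1
  fi
  # … unchanged: resource group / key vault existence checks, network-rule add, retry loop …
```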
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+function main() {
+
+ set -o errexit
+ set -o pipefail
+
+ # parse params/set up inputs
+ #
+ if [[ -z "$TRE_ID" ]]; then
+ echo -e "Could not remove keyvault deployment network exception: TRE_ID is not set\nExiting...\n"
+ exit 1
+ fi
+
+ local RG_NAME="rg-${TRE_ID}"
+ local KV_NAME="kv-${TRE_ID}"
+ local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
+
+ if [[ -z "$MY_IP" ]]; then
+ MY_IP=$(curl -s "ipecho.net/plain"; echo)
+ fi
+
+
+ # remove keyvault network exception
+ #
+ echo -e "\nRemoving deployment network exception to key vault $KV_NAME..."
+
+ if [[ -z "$(az group list --query "[?name=='$RG_NAME']" --output tsv)" ]]; then
+ echo -e " Core resource group $RG_NAME not found\n"
+ return 0
+ fi
+
+ if [[ -z "$(az keyvault list --resource-group "$RG_NAME" --query "[?name=='$KV_NAME'].id" --output tsv)" ]]; then
+ echo -e " Core key vault $KV_NAME not found\n"
+ return 0
+ fi
+
+ az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none
+ echo -e " Deployment network exception removed\n"
+
+}
+
+main "$@"
diff --git a/devops/scripts/remove_deployment_network_exceptions.sh b/devops/scripts/remove_deployment_network_exceptions.sh
deleted file mode 100755
index 5cffb79f81..0000000000
--- a/devops/scripts/remove_deployment_network_exceptions.sh
+++ /dev/null
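Review bot: The removal recomputes the address with a second, independent `curl -s "ipecho.net/plain"` call instead of reusing the one the add script actually whitelisted; if the egress address changed in between, the lookup fails, or it returns something different, `az keyvault network-rule remove --ip-address "$MY_IP"` either errors or removes nothing and the firewall exception outlives the deployment. Every caller in this series sources the add script into the same shell, so it can publish the value it resolved, `export PUBLIC_DEPLOYMENT_IP_ADDRESS="$MY_IP"` right after its lookup, and this script already prefers that variable on the `local MY_IP=` line. This script should also refuse to call the CLI with an empty address and make the leftover rule visible rather than silent: `[[ -n "$MY_IP" ]] || { echo "Could not determine deployment IP; network exception may still be present on $KV_NAME" >&2; exit 1; }` before the `az keyvault network-rule remove` line.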
@@ -1,75 +0,0 @@ -#!/bin/bash - -TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG="tre_deployment_network_exception" - -function main() { - - set -o errexit - set -o pipefail - - - # parse params/set up inputs - # - if [[ -z "$TRE_ID" ]]; then - echo -e "Could not close deployment network exceptions: TRE_ID is not set\nExiting...\n" - exit 1 - fi - - local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}" - - if [[ -z "$MY_IP" ]]; then - MY_IP=$(curl -s "ipecho.net/plain"; echo) - fi - - local TRE_CORE_RG="rg-${TRE_ID}" - - - # find resources that require network exceptions - # - echo -e "\nQuerying resources that require network exceptions removing for deployment..." - - if [[ -z "$(az group list --query "[?name=='$TRE_CORE_RG']" --output tsv)" ]]; then - echo -e " Core resource group $TRE_CORE_RG not found\n" - return 0 - fi - - local AZ_IDS - AZ_IDS=$(az resource list --resource-group "$TRE_CORE_RG" --query "[?tags.${TRE_DEPLOYMENT_NETWORK_EXCEPTION_TAG}=='true'].id" --output tsv) - - if [ -z "$AZ_IDS" ]; then - echo -e " No resources found\n" - return 0 - fi - - - # remove network exceptions - # - local AZ_ID - for AZ_ID in $AZ_IDS; do - - local RESOURCE_TYPE - RESOURCE_TYPE=$(az resource show --ids "${AZ_ID}" --query 'type' --output tsv) - - if [ "$RESOURCE_TYPE" == "Microsoft.KeyVault/vaults" ]; then - remove_keyvault_network_exception "$AZ_ID" "$MY_IP" - fi - - done - - echo "" - -} - -function remove_keyvault_network_exception() { - local AZ_ID="$1" - local MY_IP="$2" - - local KV_NAME - KV_NAME=$(basename "$AZ_ID") - - echo " Removing keyvault deployment network exception for $KV_NAME" - - az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none -} - -main "$@" diff --git a/devops/scripts/set_contributor_sp_secrets.sh b/devops/scripts/set_contributor_sp_secrets.sh index 9b11edc010..838263c3e0 100755 --- a/devops/scripts/set_contributor_sp_secrets.sh +++ b/devops/scripts/set_contributor_sp_secrets.sh 
@@ -19,13 +19,13 @@ echo -e "\n\e[34m»»» 🤖 \e[96mCreating (or updating) service principal ID a script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") -# add trap to remove deployment network exceptions on script exit +# add trap to remove kv network exception # shellcheck disable=SC1091 -trap 'source "$script_dir/remove_deployment_network_exceptions.sh"' EXIT +trap 'source "$script_dir/kv_remove_network_exception.sh"' EXIT -# now add deployment network exceptions +# now add kv network exception # shellcheck disable=SC1091 -source "$script_dir/add_deployment_network_exceptions.sh" +source "$script_dir/kv_add_network_exception.sh" key_vault_name="kv-$TRE_ID" From f6ed85a907edfc8a1e28dcc44bec370871366b9c Mon Sep 17 00:00:00 2001 From: jonnyry Date: Wed, 8 Jan 2025 10:50:05 +0000 Subject: [PATCH 08/17] Update core version --- core/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/version.txt b/core/version.txt index d0f18418d1..b663def5a3 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.17" +__version__ = "0.11.18" From dcb0b8f5ff693d229e82371b3e1c946f07880124 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Wed, 8 Jan 2025 10:55:06 +0000 Subject: [PATCH 09/17] Linting --- core/terraform/main.tf | 4 ---- devops/scripts/kv_add_network_exception.sh | 0 devops/scripts/kv_remove_network_exception.sh | 0 3 files changed, 4 deletions(-) mode change 100644 => 100755 devops/scripts/kv_add_network_exception.sh mode change 100644 => 100755 devops/scripts/kv_remove_network_exception.sh diff --git a/core/terraform/main.tf b/core/terraform/main.tf index ff0d6efbca..49693884c1 100644 --- a/core/terraform/main.tf +++ b/core/terraform/main.tf @@ -21,10 +21,6 @@ terraform { source = "Azure/azapi" version = "~> 1.15.0" } - null = { - source = "hashicorp/null" - version = "3.2.3" - } } backend "azurerm" {} 
diff --git a/devops/scripts/kv_add_network_exception.sh b/devops/scripts/kv_add_network_exception.sh
old mode 100644
new mode 100755
diff --git a/devops/scripts/kv_remove_network_exception.sh b/devops/scripts/kv_remove_network_exception.sh
old mode 100644
new mode 100755
From 135be76a0c68c290f4fe3fe257f46990468d1180 Mon Sep 17 00:00:00 2001
From: jonnyry
Date: Wed, 8 Jan 2025 15:23:26 +0000
Subject: [PATCH 10/17] Update to deal with scenario where TRE_ID is not available
---
devops/scripts/kv_add_network_exception.sh | 18 ++++++++++++++----
devops/scripts/kv_remove_network_exception.sh | 18 ++++++++++++++----
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/devops/scripts/kv_add_network_exception.sh b/devops/scripts/kv_add_network_exception.sh
index 41bbe9753c..90786ab2f3 100755
--- a/devops/scripts/kv_add_network_exception.sh
+++ b/devops/scripts/kv_add_network_exception.sh
@@ -5,15 +5,25 @@ function main() {
 set -o errexit
 set -o pipefail
- # parse params/set up inputs
+ # attempt to determine our tre id
 #
- if [[ -z "$TRE_ID" ]]; then
+ local TRE_ID_LOCAL="${TRE_ID:-}"
+
+ if [[ -z "$TRE_ID_LOCAL" ]]; then
+ if [[ "${core_tre_rg:-}" == rg-* ]]; then # TRE_ID may not be available when called from destroy_env_no_terraform.sh
+ TRE_ID_LOCAL="${core_tre_rg#rg-}"
+ fi
+ fi
+
+ if [[ -z "$TRE_ID_LOCAL" ]]; then
 echo -e "Could not add keyvault deployment network exception: TRE_ID is not set\nExiting...\n"
 exit 1
 fi
- local RG_NAME="rg-${TRE_ID}"
- local KV_NAME="kv-${TRE_ID}"
+ # set up variables
+ #
+ local RG_NAME="rg-${TRE_ID_LOCAL}"
+ local KV_NAME="kv-${TRE_ID_LOCAL}"
 local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
 if [[ -z "$MY_IP" ]]; then
diff --git a/devops/scripts/kv_remove_network_exception.sh b/devops/scripts/kv_remove_network_exception.sh
index bf048f3581..d46e6e1fd6 100755
--- a/devops/scripts/kv_remove_network_exception.sh
+++ b/devops/scripts/kv_remove_network_exception.sh
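Review bot: The two nested guards `if [[ -z "$TRE_ID_LOCAL" ]]; then` / `if [[ "${core_tre_rg:-}" == rg-* ]]; then` can be a single condition, `if [[ -z "$TRE_ID_LOCAL" && "${core_tre_rg:-}" == rg-* ]]; then`, which reads more directly and drops one `fi`; the kv_remove_network_exception.sh hunk that follows has the same shape. With this change the id may now come from `core_tre_rg` rather than the operator-supplied `TRE_ID`, yet it is interpolated unchecked into the resource-group and vault names and, further down the file outside this hunk, into the `[?name=='...']` JMESPath queries; a shape check such as `[[ "$TRE_ID_LOCAL" =~ ^[A-Za-z0-9-]+$ ]] || exit 1` before use, tightened to whatever the project's TRE_ID rules actually are, would reject anything malformed early. main's body continues past the end of the hunk.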
@@ -5,15 +5,25 @@ function main() {
 set -o errexit
 set -o pipefail
- # parse params/set up inputs
+ # attempt to determine our tre id
 #
- if [[ -z "$TRE_ID" ]]; then
+ local TRE_ID_LOCAL="${TRE_ID:-}"
+
+ if [[ -z "$TRE_ID_LOCAL" ]]; then
+ if [[ "${core_tre_rg:-}" == rg-* ]]; then # TRE_ID may not be available when called from destroy_env_no_terraform.sh
+ TRE_ID_LOCAL="${core_tre_rg#rg-}"
+ fi
+ fi
+
+ if [[ -z "$TRE_ID_LOCAL" ]]; then
 echo -e "Could not remove keyvault deployment network exception: TRE_ID is not set\nExiting...\n"
 exit 1
 fi
- local RG_NAME="rg-${TRE_ID}"
- local KV_NAME="kv-${TRE_ID}"
+ # set up variables
+ #
+ local RG_NAME="rg-${TRE_ID_LOCAL}"
+ local KV_NAME="kv-${TRE_ID_LOCAL}"
 local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}"
 if [[ -z "$MY_IP" ]]; then
From 4a1b8b8c709ae80c9c1de0ed256601904905ec5a Mon Sep 17 00:00:00 2001
From: jonnyry
Date: Wed, 8 Jan 2025 16:30:38 +0000
Subject: [PATCH 11/17] Remove unused null provisioner from .terraform.lock.hcl
---
core/terraform/.terraform.lock.hcl | 19 -------------------
1 file changed, 19 deletions(-)
diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl
index 7c6b650d30..1c20359910 100644
--- a/core/terraform/.terraform.lock.hcl
+++ b/core/terraform/.terraform.lock.hcl
@@ -82,25 +82,6 @@ provider "registry.terraform.io/hashicorp/local" { ] } -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" - hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", - ] -} - provider "registry.terraform.io/hashicorp/random" { version = "3.6.3" constraints = ">= 3.0.0, ~> 3.6" From 6251320f4d436e736ce1860ba439a183151b2a98 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Thu, 6 Feb 2025 11:00:19 +0000 Subject: [PATCH 12/17] Remove unused scripts: key_vault_list.sh & set_contributor_sp_secrets.sh --- devops/scripts/key_vault_list.sh | 27 ---------------- devops/scripts/set_contributor_sp_secrets.sh | 34 -------------------- 2 files changed, 61 deletions(-) delete mode 100755 devops/scripts/key_vault_list.sh delete mode 100755 devops/scripts/set_contributor_sp_secrets.sh diff --git a/devops/scripts/key_vault_list.sh b/devops/scripts/key_vault_list.sh deleted file mode 100755 index ab65ede789..0000000000 --- a/devops/scripts/key_vault_list.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/bin/bash - -if [[ -z ${TRE_ID:-} ]]; then - echo "TRE_ID environment variable must be set." - exit 1 -fi - -echo "DEBUG: Check keyvault and secrets exist" - -script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") - -# add trap to remove kv network exception -# shellcheck disable=SC1091 -trap 'source "$script_dir/kv_remove_network_exception.sh"' EXIT - -# now add kv network exception -# shellcheck disable=SC1091 -source "$script_dir/kv_add_network_exception.sh" - -echo "az keyvault show" -az keyvault show --name "kv-${TRE_ID}" - -echo "az keyvault secret list" -az keyvault secret list --vault-name "kv-${TRE_ID}" - -echo "az keyvault secret list-deleted" -az keyvault secret list-deleted --vault-name "kv-${TRE_ID}" diff --git a/devops/scripts/set_contributor_sp_secrets.sh b/devops/scripts/set_contributor_sp_secrets.sh deleted file mode 100755 index 838263c3e0..0000000000 --- a/devops/scripts/set_contributor_sp_secrets.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/bin/bash -set -e - -# This script adds the client (app) ID and the client secret (app password) of the service principal used for deploying -# resources (workspaces and workspace services) to Key Vault. -# -# Running the script requires that Azure CLI login has been done with the credentials that have privileges to access -# the Key Vault. -# -# Required environment variables: -# -# - TRE_ID - The TRE ID, used to deduce the Key Vault name -# - ARM_SUBSCRIPTION_ID - The Azure subscription ID -# - RESOURCE_PROCESSOR_CLIENT_ID - The client ID of the service principal -# - RESOURCE_PROCESSOR_CLIENT_SECRET - The client secret of the service principal -# - -echo -e "\n\e[34m»»» 🤖 \e[96mCreating (or updating) service principal ID and secret to Key Vault\e[0m..." - -script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") - -# add trap to remove kv network exception -# shellcheck disable=SC1091 -trap 'source "$script_dir/kv_remove_network_exception.sh"' EXIT - -# now add kv network exception -# shellcheck disable=SC1091 -source "$script_dir/kv_add_network_exception.sh" - - -key_vault_name="kv-$TRE_ID" -az account set --subscription "$ARM_SUBSCRIPTION_ID" -az keyvault secret set --name deployment-processor-azure-client-id --vault-name "$key_vault_name" --value "$RESOURCE_PROCESSOR_CLIENT_ID" -az keyvault secret set --name deployment-processor-azure-client-secret --vault-name "$key_vault_name" --value "$RESOURCE_PROCESSOR_CLIENT_SECRET" > /dev/null From de9718380d3ed35fbaaba139f3d5eca6d2bac406 Mon Sep 17 00:00:00 2001 
From: jonnyry Date: Thu, 6 Feb 2025 11:39:54 +0000 Subject: [PATCH 13/17] Refactor as per @marrobi --- core/terraform/deploy.sh | 5 - core/terraform/destroy.sh | 5 - core/terraform/scripts/letsencrypt.sh | 5 - devops/scripts/destroy_env_no_terraform.sh | 5 - devops/scripts/kv_add_network_exception.sh | 162 ++++++++++++------ devops/scripts/kv_remove_network_exception.sh | 53 ------ 6 files changed, 112 insertions(+), 123 deletions(-) delete mode 100755 devops/scripts/kv_remove_network_exception.sh diff --git a/core/terraform/deploy.sh b/core/terraform/deploy.sh index a622576b5c..ef547a8aa7 100755 --- a/core/terraform/deploy.sh +++ b/core/terraform/deploy.sh @@ -5,11 +5,6 @@ set -o pipefail set -o nounset # set -o xtrace -# add trap to remove kv network exception -# shellcheck disable=SC1091 -trap 'source "../../devops/scripts/kv_remove_network_exception.sh"' EXIT - -# now add kv network exception # shellcheck disable=SC1091 source "../../devops/scripts/kv_add_network_exception.sh" diff --git a/core/terraform/destroy.sh b/core/terraform/destroy.sh index e3782c391e..7c8506beef 100755 --- a/core/terraform/destroy.sh +++ b/core/terraform/destroy.sh @@ -5,11 +5,6 @@ set -o pipefail set -o nounset # set -o xtrace -# add trap to remove kv network exception -# shellcheck disable=SC1091 -trap 'source "../../devops/scripts/kv_remove_network_exception.sh"' EXIT - -# now add kv network exception # shellcheck disable=SC1091 source "../../devops/scripts/kv_add_network_exception.sh" diff --git a/core/terraform/scripts/letsencrypt.sh b/core/terraform/scripts/letsencrypt.sh index 4c19baf21a..b1e7029077 100755 --- a/core/terraform/scripts/letsencrypt.sh +++ b/core/terraform/scripts/letsencrypt.sh 
@@ -3,11 +3,6 @@ set -e script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") -# add trap to remove kv network exception -# shellcheck disable=SC1091 -trap 'source "$script_dir/../../../devops/scripts/kv_remove_network_exception.sh"' EXIT - -# now add kv network exception # shellcheck disable=SC1091 source "$script_dir/../../../devops/scripts/kv_add_network_exception.sh" diff --git a/devops/scripts/destroy_env_no_terraform.sh b/devops/scripts/destroy_env_no_terraform.sh index bd470d333d..628d8a5d65 100755 --- a/devops/scripts/destroy_env_no_terraform.sh +++ b/devops/scripts/destroy_env_no_terraform.sh @@ -68,11 +68,6 @@ fi script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") -# add trap to remove kv network exception -# shellcheck disable=SC1091 -trap 'source "$script_dir/kv_remove_network_exception.sh"' EXIT - -# now add kv network exception # shellcheck disable=SC1091 source "$script_dir/kv_add_network_exception.sh" diff --git a/devops/scripts/kv_add_network_exception.sh b/devops/scripts/kv_add_network_exception.sh index 90786ab2f3..ad31ceee6d 100755 --- a/devops/scripts/kv_add_network_exception.sh +++ b/devops/scripts/kv_add_network_exception.sh 
@@ -1,76 +1,138 @@ #!/bin/bash -function main() { +# +# Add an IP exception to the Key Vault firewall for deployment, and remove on script exit +# The current machine's IP address is used, or $PUBLIC_DEPLOYMENT_IP_ADDRESS if set +# +# Note: Ensure you "source" this script, or else the EXIT trap won't fire at the right time +# - set -o errexit - set -o pipefail - # attempt to determine our tre id - # - local TRE_ID_LOCAL="${TRE_ID:-}" +function kv_add_network_exception() { - if [[ -z "$TRE_ID_LOCAL" ]]; then - if [[ "${core_tre_rg:-}" == rg-* ]]; then # TRE_ID may not be available when called from destroy_env_no_terraform.sh - TRE_ID_LOCAL="${core_tre_rg#rg-}" - fi + # set up variables + # + local TRE_ID + TRE_ID=$(get_tre_id) + + local RG_NAME="rg-${TRE_ID_LOCAL}" + local KV_NAME="kv-${TRE_ID_LOCAL}" + local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}" + + if [[ -z "$MY_IP" ]]; then + MY_IP=$(curl -s "ipecho.net/plain"; echo) + fi + + echo -e "\nAdding deployment network exception to key vault $KV_NAME..." + + # ensure kv exists + # + if ! does_kv_exist "$RG_NAME" "$KV_NAME"; then + echo "Exiting..." 
+ return 0 # don't cause outer sourced script to fail + fi + + # add keyvault network exception + # + az keyvault network-rule add --resource-group "$RG_NAME" --name "$KV_NAME" --ip-address "$MY_IP" --output none + + local ATTEMPT=1 + local MAX_ATTEMPTS=10 + + while true; do + + if KV_OUTPUT=$(az keyvault secret list --vault-name "$KV_NAME" --query '[].name' --output tsv 2>&1); then + echo -e " Keyvault $KV_NAME is now accessible\n" + break fi - if [[ -z "$TRE_ID_LOCAL" ]]; then - echo -e "Could not add keyvault deployment network exception: TRE_ID is not set\nExiting...\n" + if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then + echo -e "Could not add deployment network exception for $KV_NAME" + echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n" + echo -e "$KV_OUTPUT\n" + exit 1 fi - # set up variables - # - local RG_NAME="rg-${TRE_ID_LOCAL}" - local KV_NAME="kv-${TRE_ID_LOCAL}" - local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}" + echo " Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect." + sleep 5 + ((ATTEMPT++)) - if [[ -z "$MY_IP" ]]; then - MY_IP=$(curl -s "ipecho.net/plain"; echo) - fi + done +} - # add keyvault network exception - # - echo -e "\nAdding deployment network exception to key vault $KV_NAME..." 
+function kv_remove_network_exception() { - if [[ -z "$(az group list --query "[?name=='$RG_NAME']" --output tsv)" ]]; then - echo -e " Core resource group $RG_NAME not found\n" - return 0 - fi + # set up variables + # + local TRE_ID + TRE_ID=$(get_tre_id) - if [[ -z "$(az keyvault list --resource-group "$RG_NAME" --query "[?name=='$KV_NAME'].id" --output tsv)" ]]; then - echo -e " Core key vault $KV_NAME not found\n" - return 0 - fi + local RG_NAME="rg-${TRE_ID_LOCAL}" + local KV_NAME="kv-${TRE_ID_LOCAL}" + local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}" - az keyvault network-rule add --resource-group "$RG_NAME" --name "$KV_NAME" --ip-address "$MY_IP" --output none + if [[ -z "$MY_IP" ]]; then + MY_IP=$(curl -s "ipecho.net/plain"; echo) + fi - local ATTEMPT=1 - local MAX_ATTEMPTS=10 + echo -e "\nRemoving deployment network exception to key vault $KV_NAME..." - while true; do + # ensure kv exists + # + if ! does_kv_exist "$RG_NAME" "$KV_NAME"; then + echo "Exiting..." + return 0 # don't cause outer sourced script to fail + fi - if KV_OUTPUT=$(az keyvault secret list --vault-name "$KV_NAME" --query '[].name' --output tsv 2>&1); then - echo -e " Keyvault $KV_NAME is now accessible\n" - break - fi + # remove keyvault network exception + # + az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none + echo -e " Deployment network exception removed\n" +} + + +function get_tre_id() { + + local TRE_ID_LOCAL="${TRE_ID:-}" + + if [[ -z "$TRE_ID_LOCAL" ]]; then + if [[ "${core_tre_rg:-}" == rg-* ]]; then # TRE_ID may not be available when called from destroy_env_no_terraform.sh + TRE_ID_LOCAL="${core_tre_rg#rg-}" + fi + fi - if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then - echo -e "Could not add deployment network exception for $KV_NAME" - echo -e "Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS.\n" - echo -e "$KV_OUTPUT\n" + if [[ -z "$TRE_ID_LOCAL" ]]; then + echo -e "Could not remove keyvault deployment network exception: TRE_ID is not 
set\nExiting...\n" + exit 1 + fi - exit 1 - fi + echo "$TRE_ID_LOCAL" +} + + +function does_kv_exist() { - echo " Unable to access keyvault $KV_NAME after $ATTEMPT/$MAX_ATTEMPTS. Waiting for network rules to take effect." - sleep 5 - ((ATTEMPT++)) + RG_NAME=$1 + KV_NAME=$2 - done + if [[ -z "$(az group list --query "[?name=='$RG_NAME']" --output tsv)" ]]; then + echo -e " Core resource group $RG_NAME not found\n" + return 1 + fi + if [[ -z "$(az keyvault list --resource-group "$RG_NAME" --query "[?name=='$KV_NAME'].id" --output tsv)" ]]; then + echo -e " Core key vault $KV_NAME not found\n" + return 1 + fi + + return 0 } -main "$@" + +# setup the trap to remove network exception on exit +trap remove_network_exception EXIT + +# now add the network exception +add_keyvault_network_exception "$@" diff --git a/devops/scripts/kv_remove_network_exception.sh b/devops/scripts/kv_remove_network_exception.sh deleted file mode 100755 index d46e6e1fd6..0000000000 --- a/devops/scripts/kv_remove_network_exception.sh +++ /dev/null 
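Review bot: `does_kv_exist` assigns `RG_NAME=$1` and `KV_NAME=$2` without `local`, and since this file is now meant to be sourced those names (and `KV_OUTPUT` in the retry loop) become globals in deploy.sh, destroy.sh and the other callers; declare them `local RG_NAME=$1` / `local KV_NAME=$2` / `local KV_OUTPUT`. `get_tre_id` is only ever invoked inside `$(...)`, so its `echo -e "Could not remove ..."` is captured into the caller's variable instead of being shown and its `exit 1` only ends the subshell; the message should go to stderr with `return 1`, and each caller should use `TRE_ID_LOCAL=$(get_tre_id) || return 1` so a missing id cannot yield `rg-`/`kv-` names built from the error text. The callers also declare `local TRE_ID` before calling `get_tre_id`, which under bash's dynamic scoping hides the environment's `TRE_ID` from `${TRE_ID:-}` inside the helper, so as written the lookup can only succeed through `core_tre_rg`; a differently named local avoids that. Finally, `trap remove_network_exception EXIT` and `add_keyvault_network_exception "$@"` name functions this file does not define (they are `kv_remove_network_exception` and `kv_add_network_exception`), and even once corrected the trap is replaced if a sourcing script later installs its own EXIT trap, leaving the IP exception in the vault firewall — worth stating in the header comment so callers know not to clobber it.
```bash
function kv_add_network_exception() {
  local TRE_ID_LOCAL
  TRE_ID_LOCAL=$(get_tre_id) || return 1
  # … unchanged: RG_NAME/KV_NAME/MY_IP setup, existence check, rule add and retry loop …
}

function get_tre_id() {
  # … unchanged: derive TRE_ID_LOCAL from $TRE_ID, falling back to $core_tre_rg …
  if [[ -z "$TRE_ID_LOCAL" ]]; then
    echo -e "Could not remove keyvault deployment network exception: TRE_ID is not set\nExiting...\n" >&2
    return 1
  fi
  echo "$TRE_ID_LOCAL"
}

function does_kv_exist() {
  local RG_NAME=$1
  local KV_NAME=$2
  # … unchanged: az group list / az keyvault list existence checks …
}
```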
@@ -1,53 +0,0 @@ -#!/bin/bash - -function main() { - - set -o errexit - set -o pipefail - - # attempt to determine our tre id - # - local TRE_ID_LOCAL="${TRE_ID:-}" - - if [[ -z "$TRE_ID_LOCAL" ]]; then - if [[ "${core_tre_rg:-}" == rg-* ]]; then # TRE_ID may not be available when called from destroy_env_no_terraform.sh - TRE_ID_LOCAL="${core_tre_rg#rg-}" - fi - fi - - if [[ -z "$TRE_ID_LOCAL" ]]; then - echo -e "Could not remove keyvault deployment network exception: TRE_ID is not set\nExiting...\n" - exit 1 - fi - - # set up variables - # - local RG_NAME="rg-${TRE_ID_LOCAL}" - local KV_NAME="kv-${TRE_ID_LOCAL}" - local MY_IP="${PUBLIC_DEPLOYMENT_IP_ADDRESS:-}" - - if [[ -z "$MY_IP" ]]; then - MY_IP=$(curl -s "ipecho.net/plain"; echo) - fi - - - # remove keyvault network exception - # - echo -e "\nRemoving deployment network exception to key vault $KV_NAME..." - - if [[ -z "$(az group list --query "[?name=='$RG_NAME']" --output tsv)" ]]; then - echo -e " Core resource group $RG_NAME not found\n" - return 0 - fi - - if [[ -z "$(az keyvault list --resource-group "$RG_NAME" --query "[?name=='$KV_NAME'].id" --output tsv)" ]]; then - echo -e " Core key vault $KV_NAME not found\n" - return 0 - fi - - az keyvault network-rule remove --name "$KV_NAME" --ip-address "$MY_IP" --output none - echo -e " Deployment network exception removed\n" - -} - -main "$@" From bd786c4b72fe2241225d5a68254f66fac8e19979 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Thu, 6 Feb 2025 11:42:53 +0000 Subject: [PATCH 14/17] Update letsencrypt.sh --- core/terraform/scripts/letsencrypt.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/core/terraform/scripts/letsencrypt.sh b/core/terraform/scripts/letsencrypt.sh index b1e7029077..6e45a42991 100755 --- a/core/terraform/scripts/letsencrypt.sh +++ b/core/terraform/scripts/letsencrypt.sh 
@@ -6,7 +6,6 @@ script_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") # shellcheck disable=SC1091 source "$script_dir/../../../devops/scripts/kv_add_network_exception.sh" - if [[ -z ${STORAGE_ACCOUNT} ]]; then echo "STORAGE_ACCOUNT not set" exit 1 From cc2551ebdc3c6e18bad5d67232b6ee9f23e4c1fe Mon Sep 17 00:00:00 2001 From: jonnyry Date: Thu, 6 Feb 2025 11:48:56 +0000 Subject: [PATCH 15/17] Update kv_add_network_exception.sh --- devops/scripts/kv_add_network_exception.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devops/scripts/kv_add_network_exception.sh b/devops/scripts/kv_add_network_exception.sh index ad31ceee6d..23f93cb373 100755 --- a/devops/scripts/kv_add_network_exception.sh +++ b/devops/scripts/kv_add_network_exception.sh @@ -104,7 +104,7 @@ function get_tre_id() { fi if [[ -z "$TRE_ID_LOCAL" ]]; then - echo -e "Could not remove keyvault deployment network exception: TRE_ID is not set\nExiting...\n" + echo -e "Could not add/remove keyvault deployment network exception: TRE_ID is not set\nExiting...\n" exit 1 fi From 417c195236298b5df090b21f5e5b85307cfc67e0 Mon Sep 17 00:00:00 2001 From: jonnyry Date: Thu, 6 Feb 2025 11:53:20 +0000 Subject: [PATCH 16/17] Update kv_add_network_exception.sh --- devops/scripts/kv_add_network_exception.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/devops/scripts/kv_add_network_exception.sh b/devops/scripts/kv_add_network_exception.sh index 23f93cb373..36a9917638 100755 --- a/devops/scripts/kv_add_network_exception.sh +++ b/devops/scripts/kv_add_network_exception.sh @@ -12,8 +12,8 @@ function kv_add_network_exception() { # set up variables # - local TRE_ID - TRE_ID=$(get_tre_id) + local TRE_ID_LOCAL + TRE_ID_LOCAL=$(get_tre_id) local RG_NAME="rg-${TRE_ID_LOCAL}" local KV_NAME="kv-${TRE_ID_LOCAL}" 
@@ -66,8 +66,8 @@ function kv_remove_network_exception() { # set up variables # - local TRE_ID - TRE_ID=$(get_tre_id) + local TRE_ID_LOCAL + TRE_ID_LOCAL=$(get_tre_id) local RG_NAME="rg-${TRE_ID_LOCAL}" local KV_NAME="kv-${TRE_ID_LOCAL}" @@ -132,7 +132,7 @@ function does_kv_exist() { # setup the trap to remove network exception on exit -trap remove_network_exception EXIT +trap kv_remove_network_exception EXIT # now add the network exception -add_keyvault_network_exception "$@" +kv_add_network_exception "$@" From dee1c149223f32143bb49e844d5598e934cbed7b Mon Sep 17 00:00:00 2001 From: jonnyry Date: Thu, 6 Feb 2025 12:01:47 +0000 Subject: [PATCH 17/17] Update kv_add_network_exception.sh --- devops/scripts/kv_add_network_exception.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/devops/scripts/kv_add_network_exception.sh b/devops/scripts/kv_add_network_exception.sh index 36a9917638..5888be30b5 100755 --- a/devops/scripts/kv_add_network_exception.sh +++ b/devops/scripts/kv_add_network_exception.sh @@ -28,7 +28,6 @@ function kv_add_network_exception() { # ensure kv exists # if ! does_kv_exist "$RG_NAME" "$KV_NAME"; then - echo "Exiting..." return 0 # don't cause outer sourced script to fail fi @@ -82,7 +81,6 @@ function kv_remove_network_exception() { # ensure kv exists # if ! does_kv_exist "$RG_NAME" "$KV_NAME"; then - echo "Exiting..." return 0 # don't cause outer sourced script to fail fi