From 7e0c1ea34f060250f4ba3adbbc4de203a6eb1cdf Mon Sep 17 00:00:00 2001
From: James Griffin
Date: Thu, 3 Nov 2022 12:25:05 -0700
Subject: [PATCH] Fix nexus bootstrapping (#2818)
* Add firewall exceptions for nexus to firewall bundle
* Update changelog
* Create new rule for nexus
---
 CHANGELOG.md | 1 +
 .../shared_services/firewall/porter.yaml | 2 +-
 .../firewall/terraform/firewall.tf | 27 ++++++++++++++++++-
 .../sonatype-nexus-vm/porter.yaml | 2 +-
 .../sonatype-nexus-vm/template_schema.json | 3 ++-
 5 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f5dd017a4d..1ff5d30c11 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@ ENHANCEMENTS:
 BUG FIXES:
 * Show the correct createdBy value for airlock requests in UI and in API queries ([#2779](https://github.com/microsoft/AzureTRE/pull/2779))
 * Fix deployment of Airlock Notifier ([#2745](https://github.com/microsoft/AzureTRE/pull/2745))
+* Fix Nexus bootstrapping firewall race condition ([#2811](https://github.com/microsoft/AzureTRE/pull/2811))
 COMPONENTS:
diff --git a/templates/shared_services/firewall/porter.yaml b/templates/shared_services/firewall/porter.yaml
index e416d4912e..a88e04ec46 100644
--- a/templates/shared_services/firewall/porter.yaml
+++ b/templates/shared_services/firewall/porter.yaml
@@ -1,6 +1,6 @@
 ---
 name: tre-shared-service-firewall
-version: 0.6.1
+version: 0.6.2
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/shared_services/firewall/terraform/firewall.tf b/templates/shared_services/firewall/terraform/firewall.tf
index 463792e9f0..d6779fbcaa 100644
--- a/templates/shared_services/firewall/terraform/firewall.tf
+++ b/templates/shared_services/firewall/terraform/firewall.tf
@@ -101,7 +101,32 @@ resource "azurerm_firewall_application_rule_collection" "shared_subnet" {
 "graph.microsoft.com",
 "login.microsoftonline.com",
 "aadcdn.msftauth.net",
- "graph.windows.net"
+ "graph.windows.net",
+ "keyserver.ubuntu.com",
+ "packages.microsoft.com",
+ "download.docker.com"
+ ]
+
+ source_addresses = data.azurerm_subnet.shared.address_prefixes
+ }
+
+ rule {
+ name = "nexus-bootstrap"
+
+ protocol {
+ port = "443"
+ type = "Https"
+ }
+
+ protocol {
+ port = "80"
+ type = "Http"
+ }
+
+ target_fqdns = [
+ "keyserver.ubuntu.com",
+ "packages.microsoft.com",
+ "download.docker.com"
 ]
 source_addresses = data.azurerm_subnet.shared.address_prefixes
diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml
index 87ada04057..c9f9131a03 100644
--- a/templates/shared_services/sonatype-nexus-vm/porter.yaml
+++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,6 +1,6 @@
 ---
 name: tre-shared-service-sonatype-nexus
-version: 2.2.2
+version: 2.2.3
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/shared_services/sonatype-nexus-vm/template_schema.json b/templates/shared_services/sonatype-nexus-vm/template_schema.json
index e31126744e..2ff717660c 100644
--- a/templates/shared_services/sonatype-nexus-vm/template_schema.json
+++ b/templates/shared_services/sonatype-nexus-vm/template_schema.json
@@ -11,7 +11,8 @@
 "ssl_cert_name": {
 "type": "string",
 "title": "SSL certificate name",
- "description": "The name of the certificate to use (located in the core KeyVault) for configuring Nexus SSL"
+ "description": "The name of the certificate to use (located in the core KeyVault) for configuring Nexus SSL",
+ "default": "nexus-ssl"
 }
 },
 "pipeline": {
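Review bot: The three FQDNs appended to the existing rule's `target_fqdns` (`keyserver.ubuntu.com`, `packages.microsoft.com`, `download.docker.com`) are repeated verbatim in the new `nexus-bootstrap` rule, so one of the two additions is redundant and the two lists can drift apart on later edits; keeping them only in the dedicated `nexus-bootstrap` rule and dropping them from the first list would make the intent explicit. The name and protocol blocks of the existing rule start above this hunk, so I can only infer that it is Https-only and that the new rule's real contribution is the `Http`/port `80` allowance. That Http allowance is scoped to the whole shared subnet via `source_addresses = data.azurerm_subnet.shared.address_prefixes`, which is wider than the Nexus VM bootstrap needs; if this module has a reference to the Nexus VM's address or subnet, a narrower source for the `nexus-bootstrap` rule would limit the plaintext egress to the host that requires it. A one-line comment above the rule, `# Http is needed only for the bootstrap script's key/package fetches; integrity relies on apt/GPG signature checks`, would record why port 80 is open so it is not widened further later.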
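Review bot: The new `"default": "nexus-ssl"` only takes effect if `ssl_cert_name` is absent from the schema's `required` array and the consumer actually applies schema defaults; the `required` block sits outside this hunk, so please check it, because a required property with a default never falls back to that default and the bootstrap would still fail on a missing value. The property is also unconstrained beyond `"type": "string"`: adding `"pattern": "^[0-9a-zA-Z-]{1,127}$"` (Key Vault object naming rules) would reject an empty or malformed certificate name at validation time rather than at deploy time. It would also help operators to extend the description with `The certificate must already exist in the core KeyVault under this name.` so the default is not mistaken for a certificate the template creates.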