Fix keyvault extension authentication to always use a user managed id…

…entity (#3492) * nexus config for user id in keyvault extension * make env fix * reduce azure logging in e2e * update extension config * changelog
microsoft · May 21, 2023 · c916a0e · c916a0e
1 parent da9ab4f
commit c916a0e
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ FEATURES:
 ENHANCEMENTS:
 
 BUG FIXES:
+* Nexus might fail to deploy due to wrong identity used in key-vault extension ([#3492](https://github.com/microsoft/AzureTRE/issues/3492))
 
 COMPONENTS:
 

diff --git a/Makefile b/Makefile
@@ -152,6 +152,8 @@ terraform-import:
 terraform-destroy:
 	$(call target_title, "Destroying ${DIR} Service") \
 	&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${DIR}/.env \
 	&& cd ${DIR}/terraform/ && ./destroy.sh
 
 # This will validate all files, not only the changed ones as the CI version does.

diff --git a/e2e_tests/helpers.py b/e2e_tests/helpers.py
@@ -9,10 +9,12 @@
 import config
 from e2e_tests import cloud
 
-
 LOGGER = logging.getLogger(__name__)
 TIMEOUT = Timeout(10, read=30)
 
+azlogger = logging.getLogger("azure")
+azlogger.setLevel(logging.WARN)
+
 
 class InstallFailedException(Exception):
     pass

diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 2.5.0
+version: 2.5.2
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -81,7 +81,7 @@ resource "azurerm_key_vault_access_policy" "nexus_msi" {
   tenant_id    = azurerm_user_assigned_identity.nexus_msi.tenant_id
   object_id    = azurerm_user_assigned_identity.nexus_msi.principal_id
 
-  secret_permissions = ["Get", "Recover"]
+  secret_permissions = ["Get", "List"]
 }
 
 resource "azurerm_linux_virtual_machine" "nexus" {
@@ -217,5 +217,9 @@ resource "azurerm_virtual_machine_extension" "keyvault" {
         data.azurerm_key_vault_certificate.nexus_cert.versionless_secret_id
       ]
     }
+    "authenticationSettings" : {
+      "msiEndpoint" : "http://169.254.169.254/metadata/identity",
+      "msiClientId" : azurerm_user_assigned_identity.nexus_msi.client_id
+    }
   })
 }