From c916a0e1cf150691051dd4f12525b17fd3e22a93 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Sun, 21 May 2023 09:36:49 +0300
Subject: [PATCH] Fix keyvault extension authentication to always use a user managed identity (#3492)

* nexus config for user id in keyvault extension
* make env fix
* reduce azure logging in e2e
* update extension config
* changelog
---
 CHANGELOG.md | 1 +
 Makefile | 2 ++
 e2e_tests/helpers.py | 4 +++-
 templates/shared_services/sonatype-nexus-vm/porter.yaml | 2 +-
 templates/shared_services/sonatype-nexus-vm/terraform/vm.tf | 6 +++++-
 5 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6705385dce..8825c86af9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ FEATURES:
 ENHANCEMENTS:
 BUG FIXES:
+* Nexus might fail to deploy due to wrong identity used in key-vault extension ([#3492](https://github.com/microsoft/AzureTRE/issues/3492))
 COMPONENTS:
diff --git a/Makefile b/Makefile
index 1bd3ea4ea3..09f2145ad7 100644
--- a/Makefile
+++ b/Makefile
@@ -152,6 +152,8 @@ terraform-import:
 terraform-destroy:
 	$(call target_title, "Destroying ${DIR} Service") \
 	&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
+	&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${DIR}/.env \
 	&& cd ${DIR}/terraform/ && ./destroy.sh
 # This will validate all files, not only the changed ones as the CI version does.
diff --git a/e2e_tests/helpers.py b/e2e_tests/helpers.py
index 61fe6bbd5e..307fb88933 100644
--- a/e2e_tests/helpers.py
+++ b/e2e_tests/helpers.py
@@ -9,10 +9,12 @@ import config
 from e2e_tests import cloud
-
 LOGGER = logging.getLogger(__name__)
 TIMEOUT = Timeout(10, read=30)
+azlogger = logging.getLogger("azure")
+azlogger.setLevel(logging.WARN)
+
 class InstallFailedException(Exception):
     pass
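Review bot: `azlogger.setLevel(logging.WARN)` uses the legacy alias; the canonical constant is `logging.WARNING`, and setting the level of the third-party `azure` logger at module import time is a global side effect, so any process that imports `helpers.py` silences Azure SDK INFO output, not only the e2e run. Consider `logging.getLogger("azure").setLevel(logging.WARNING)` and, if the suite already has a pytest `conftest.py` or a logging-setup function, moving the call there so the suppression is explicit and scoped to the tests. Note that the Azure SDK presumably emits its HTTP request/response trace at INFO, which is what this hides; that is fine for CI noise but it is also the trace you would want when an authentication step fails, so a short comment stating the intent, e.g. `# Azure SDK is chatty at INFO (per-request logging); keep only warnings in e2e output`, would help the next reader.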
diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml
index 7649abf2a1..296584bfef 100644
--- a/templates/shared_services/sonatype-nexus-vm/porter.yaml
+++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 2.5.0
+version: 2.5.2
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
index 139bab06cd..dcfdafdabf 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -81,7 +81,7 @@ resource "azurerm_key_vault_access_policy" "nexus_msi" {
 tenant_id = azurerm_user_assigned_identity.nexus_msi.tenant_id
 object_id = azurerm_user_assigned_identity.nexus_msi.principal_id
-secret_permissions = ["Get", "Recover"]
+secret_permissions = ["Get", "List"]
 }
 resource "azurerm_linux_virtual_machine" "nexus" {
@@ -217,5 +217,9 @@ resource "azurerm_virtual_machine_extension" "keyvault" {
 data.azurerm_key_vault_certificate.nexus_cert.versionless_secret_id
 ]
 }
+"authenticationSettings" : {
+"msiEndpoint" : "http://169.254.169.254/metadata/identity",
+"msiClientId" : azurerm_user_assigned_identity.nexus_msi.client_id
+}
 })
 }
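Review bot: `secret_permissions = ["Get", "List"]` grants the `nexus_msi` identity the ability to enumerate every secret name in the vault, because `List` on an access policy is vault-wide rather than scoped to `nexus_cert`. The Key Vault VM extension is documented as needing both Get and List to poll the certificate, so the change is justified and dropping `Recover` is a least-privilege improvement, but the vault-wide scope deserves a comment such as `# Get + List are required by the Key Vault VM extension; List is vault-wide, so this vault should hold only Nexus secrets`. Whether the vault referenced by this policy is shared with other services is outside the hunk and cannot be confirmed here.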
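Review bot: The new `authenticationSettings` pins `msiClientId` to `azurerm_user_assigned_identity.nexus_msi.client_id`, but the extension can only obtain a token for that identity if the VM's `identity` block assigns it (`type = "UserAssigned"` with this identity in `identity_ids`); the `azurerm_linux_virtual_machine.nexus` resource and the start of the `keyvault` extension resource are outside the hunk, so this cannot be confirmed from what is shown. If the extension resource does not already carry `depends_on = [azurerm_key_vault_access_policy.nexus_msi]`, adding it avoids the extension starting to poll before the access policy exists, which would surface as the same deployment failure the changelog entry describes. A one-line comment on the endpoint, e.g. `# 169.254.169.254 is the Azure IMDS endpoint; msiClientId selects which identity to use when the VM has several`, would make the intent of the hard-coded address clear to the next reader.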