
Enable purge protection #1973

Merged
merged 56 commits into from
Jun 13, 2022
7b4725e
azurerm_app_service_plan to azurerm_service_plan
ross-p-smith May 12, 2022
50b79c5
wip: purge protection enabled
tanya-borisova May 12, 2022
37fa865
Purge protection is enabled
tanya-borisova May 12, 2022
1c70c3e
remove purge protection variable from .env.sample
tanya-borisova May 12, 2022
ef32607
azurerm 3.x migration
tanya-borisova May 12, 2022
6236e78
Upgrade to 3.5.0
ross-p-smith May 12, 2022
35ba80d
Missed some
ross-p-smith May 12, 2022
05c2131
3.5.0
ross-p-smith May 12, 2022
99a7e06
3.5.0
ross-p-smith May 12, 2022
d40ffcf
gitea version
ross-p-smith May 12, 2022
1ff07e1
Upgraded lock files
ross-p-smith May 12, 2022
0e35f09
Tcp
ross-p-smith May 12, 2022
3f4bb6e
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova May 13, 2022
aaadeb1
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova May 18, 2022
8903e16
Fix azurerm provider for guacamole
tanya-borisova May 18, 2022
3ef2057
Merge branch 'tborisova/1830-enable-purge-protection' of github.com:m…
tanya-borisova May 18, 2022
ec829ff
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova May 19, 2022
b9b8ede
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova May 20, 2022
9677cb0
Merge branch 'main' into tborisova/1830-enable-purge-protection
ross-p-smith May 24, 2022
ae54f20
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova May 26, 2022
de0b95a
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova May 31, 2022
e654f56
Revert unnecessary changes
tanya-borisova May 31, 2022
3d2aaeb
Merge remote-tracking branch 'origin/main' into tborisova/1830-enable…
tanya-borisova May 31, 2022
551abe3
Remove app_service_plan related changes
tanya-borisova May 31, 2022
a0c3ff1
Steal Ross's changes to destroy access policies when destroying keyvault
tanya-borisova Jun 1, 2022
b0f1443
Disable all purging on delete
tanya-borisova Jun 1, 2022
2f35c4b
fmt
tanya-borisova Jun 1, 2022
e9d14d1
Merge branch 'main' into tborisova/1830-enable-purge-protection
tamirkamara Jun 1, 2022
941377d
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova Jun 6, 2022
5d1490b
fix build
tanya-borisova Jun 6, 2022
99e32db
Merge branch 'main' into tborisova/1830-enable-purge-protection
tanya-borisova Jun 6, 2022
cfc65fc
Delete manually keys, secrets and certs
tanya-borisova Jun 6, 2022
d75e4d7
Merge branch 'main' into tborisova/1830-enable-purge-protection-2
tanya-borisova Jun 7, 2022
b09d8c5
Merge branch 'main' into tborisova/1830-enable-purge-protection-2
tanya-borisova Jun 7, 2022
ee893a2
Temporarily: do not delete certificates
tanya-borisova Jun 7, 2022
7092b2d
Merge branch 'tborisova/1830-enable-purge-protection-2' of github.com…
tanya-borisova Jun 7, 2022
7c10743
Very WIP: cert struggles
tanya-borisova Jun 7, 2022
9dccbb2
Revert "Very WIP: cert struggles"
tanya-borisova Jun 7, 2022
79a98cb
Uncomment deletion of certs
tanya-borisova Jun 7, 2022
8621add
Merge branch 'main' into tborisova/1830-enable-purge-protection-2
tanya-borisova Jun 8, 2022
d9cd8a9
Merge branch 'tborisova/1830-enable-purge-protection-2' of github.com…
tanya-borisova Jun 9, 2022
1f320ac
Try to generate a temp cert instead of importing it
tanya-borisova Jun 9, 2022
aab3da6
Merge remote-tracking branch 'origin/main' into tborisova/1830-enable…
tanya-borisova Jun 9, 2022
5168b84
Add new features to all guac user resources
tanya-borisova Jun 9, 2022
026fe63
Bump gitea version
tanya-borisova Jun 9, 2022
aebf837
bump
tanya-borisova Jun 9, 2022
d201b31
Merge branch 'main' into tborisova/1830-enable-purge-protection-2
tanya-borisova Jun 9, 2022
0f1e169
Apply comments
tanya-borisova Jun 9, 2022
c94c6c4
Merge branch 'tborisova/1830-enable-purge-protection-2' of github.com…
tanya-borisova Jun 9, 2022
967daeb
bumping
tanya-borisova Jun 9, 2022
4cdd277
bumps plus forgotten settings
tanya-borisova Jun 9, 2022
b9258a7
Make cert trustable
tanya-borisova Jun 9, 2022
365d8fc
Merge branch 'main' into tborisova/1830-enable-purge-protection-2
tanya-borisova Jun 10, 2022
2f8f6f5
format tf
tanya-borisova Jun 10, 2022
a6f39bc
Merge branch 'tborisova/1830-enable-purge-protection-2' of github.com…
tanya-borisova Jun 10, 2022
2b169cd
Merge branch 'main' into tborisova/1830-enable-purge-protection-2
tanya-borisova Jun 13, 2022
5 changes: 0 additions & 5 deletions .github/actions/devcontainer_run_command/action.yml
Expand Up @@ -111,10 +111,6 @@ inputs:
description: "Indicates if the API endpoint has valid TLS certificate and if we validate it during E2E."
required: false
default: "true"
TF_VAR_keyvault_purge_protection_enabled:
description: "A value indicating if keyvaults will have purge protection."
required: false
default: "true"
TF_VAR_stateful_resources_locked:
description: "A value indicating if resources with state will be protected with locks."
required: false
Expand Down Expand Up @@ -213,7 +209,6 @@ runs:
-e TEST_ACCOUNT_CLIENT_SECRET \
-e IS_API_SECURED \
-e DOCKER_BUILDKIT=1 \
-e TF_VAR_keyvault_purge_protection_enabled=${{ inputs.TF_VAR_keyvault_purge_protection_enabled }} \
-e TF_VAR_stateful_resources_locked=${{ inputs.TF_VAR_stateful_resources_locked }} \
-e CI_CACHE_ACR_NAME="${{ inputs.CI_CACHE_ACR_NAME }}" \
'${{ inputs.ACTIONS_ACR_URI }}tredev:${{ inputs.ACTIONS_DEVCONTAINER_TAG }}' \
8 changes: 0 additions & 8 deletions .github/workflows/deploy_tre_reusable.yml
Expand Up @@ -285,8 +285,6 @@ jobs:
TF_VAR_swagger_ui_client_id: "${{ secrets.SWAGGER_UI_CLIENT_ID }}"
TF_VAR_api_client_id: "${{ secrets.API_CLIENT_ID }}"
TF_VAR_api_client_secret: "${{ secrets.API_CLIENT_SECRET }}"
TF_VAR_keyvault_purge_protection_enabled:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"
TF_VAR_stateful_resources_locked:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"

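Review bot: Dropping this expression changes behaviour for PR and non-main runs, not only for main. Previously purge protection was only enabled when `github.ref == 'refs/heads/main'` and `inputs.prRef == ''`; with `TF_VAR_keyvault_purge_protection_enabled` gone, every CI deployment now gets a purge-protected vault, while the adjacent `TF_VAR_stateful_resources_locked` keeps the conditional, so the two settings now diverge. Worth a sentence in the PR description explaining that test environments now depend on the destroy script emptying the vault and on the `recover_soft_deleted_*` provider settings, because a purge-protected vault cannot be purged and its name stays reserved until the soft-delete retention period expires.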
Expand Down Expand Up @@ -336,8 +334,6 @@ jobs:
TF_VAR_api_client_secret: "${{ secrets.API_CLIENT_SECRET }}"
TF_VAR_application_admin_client_id: "${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}"
TF_VAR_application_admin_client_secret: "${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}"
TF_VAR_keyvault_purge_protection_enabled:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"
TF_VAR_stateful_resources_locked:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"

Expand Down Expand Up @@ -371,8 +367,6 @@ jobs:
TF_VAR_swagger_ui_client_id: "${{ secrets.SWAGGER_UI_CLIENT_ID }}"
TF_VAR_api_client_id: "${{ secrets.API_CLIENT_ID }}"
TF_VAR_api_client_secret: "${{ secrets.API_CLIENT_SECRET }}"
TF_VAR_keyvault_purge_protection_enabled:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"
TF_VAR_stateful_resources_locked:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"

Expand Down Expand Up @@ -598,8 +592,6 @@ jobs:
TF_VAR_swagger_ui_client_id: "${{ secrets.SWAGGER_UI_CLIENT_ID }}"
TF_VAR_api_client_id: "${{ secrets.API_CLIENT_ID }}"
TF_VAR_api_client_secret: "${{ secrets.API_CLIENT_SECRET }}"
TF_VAR_keyvault_purge_protection_enabled:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"
TF_VAR_stateful_resources_locked:
"${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"

36 changes: 31 additions & 5 deletions devops/scripts/destroy_env_no_terraform.sh
Expand Up @@ -72,7 +72,7 @@ if [[ "$group_show_result" != "0" ]]; then
exit 0
fi

locks=$(az group lock list -g "${core_tre_rg}" --query [].id -o tsv)
locks=$(az group lock list -g "${core_tre_rg}" --query [].id -o tsv | tr -d \')
if [ -n "${locks:-}" ]
then
echo "Deleting locks..."
Expand Down Expand Up @@ -111,17 +111,43 @@ if [[ -n ${SHOW_KEYVAULT_DEBUG_ON_DESTROY:-} ]]; then
fi
# DEBUG END

if [[ $(az keyvault list --resource-group "${core_tre_rg}" --query "[?properties.enablePurgeProtection==``null``] | length (@)") != 0 ]]; then
tre_id=${core_tre_rg#"rg-"}
keyvault_name="kv-${tre_id}"
tre_id=${core_tre_rg#"rg-"}
keyvault_name="kv-${tre_id}"
keyvault=$(az keyvault show --name "${keyvault_name}" --resource-group "${core_tre_rg}" || echo 0)
if [ "${keyvault}" != "0" ]; then
secrets=$(az keyvault secret list --vault-name "${keyvault_name}" | jq -r '.[].id')
for secret_id in ${secrets}; do
az keyvault secret delete --id "${secret_id}"
done

keys=$(az keyvault key list --vault-name "${keyvault_name}" | jq -r '.[].id')
for key_id in ${keys}; do
az keyvault key delete --id "${key_id}"
done

certificates=$(az keyvault certificate list --vault-name "${keyvault_name}" | jq -r '.[].id')
for certificate_id in ${certificates}; do
az keyvault certificate delete --id "${certificate_id}"
done

echo "Removing access policies so if the vault is recovered there are not there"
access_policies=$(echo "$keyvault" | jq -r '.properties.accessPolicies[].objectId' )
for access_policy_id in ${access_policies}; do
echo "Attempting to delete access policy ${access_policy_id}"
az keyvault delete-policy --name "${keyvault_name}" --resource-group "${core_tre_rg}" --object-id "${access_policy_id}" || echo "Not deleting access policy for ${access_policy_id}."
done

fi

# Delete the vault if purge protection is not on.
if [[ $(az keyvault list --resource-group "${core_tre_rg}" --query "[?properties.enablePurgeProtection==``null``] | length (@)") != 0 ]]; then
echo "Deleting keyvault: ${keyvault_name}"
az keyvault delete --name "${keyvault_name}" --resource-group "${core_tre_rg}"

echo "Purging keyvault: ${keyvault_name}"
az keyvault purge --name "${keyvault_name}" ${no_wait_option}
else
echo "Resource group ${core_tre_rg} doesn't have a keyvault without pruge protection."
echo "Resource group ${core_tre_rg} doesn't have a keyvault without purge protection."
fi

# this will find the mgmt, core resource groups as well as any workspace ones
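Review bot: The message in `echo "Removing access policies so if the vault is recovered there are not there"` should read "they are not there". More substantively, `az keyvault delete-policy ... || echo "Not deleting access policy for ..."` swallows every failure, so a policy that could not be removed is only logged; since the stated goal is that a recovered vault comes back with no access policies, consider collecting failures and exiting non-zero, or at least printing the error. Note also that the three delete loops (secrets, keys, certificates) only soft-delete, and with purge protection on those objects cannot be purged, so they remain recoverable for the retention period; that is exactly what the `recover_soft_deleted_*` provider settings in the Terraform changes rely on. Finally, in `"[?properties.enablePurgeProtection==``null``] | length (@)"` the backticks inside double quotes are consumed by the shell as empty command substitutions, so az receives `==null`; it works, but single-quoting the query would make the intent explicit.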
5 changes: 0 additions & 5 deletions templates/core/.env.sample
Expand Up @@ -41,11 +41,6 @@ SWAGGER_UI_CLIENT_ID=<__CHANGE_ME__Generated when you run `make auth`>
# Useful developer settings
####################################

# This will prevent AKV purge protection issues when deleting AKV resources.
# Important if you need to frequently provision/destroy AzureTRE environments
# during testing.
# keyvault_purge_protection_enabled=false

# Locks will not be added to stateful resources so they can be easily removed
# stateful_resources_locked=false

53 changes: 27 additions & 26 deletions templates/core/terraform/.terraform.lock.hcl
31 changes: 25 additions & 6 deletions templates/core/terraform/appgateway/certificate.tf
Expand Up @@ -16,25 +16,44 @@ resource "azurerm_key_vault_certificate" "tlscert" {
name = "letsencrypt"
key_vault_id = var.keyvault_id

# This is a temporary self-signed cert for CN=temp
certificate {
contents = "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"
password = "0000000000"
}

certificate_policy {
issuer_parameters {
name = "Self"
}

key_properties {
key_size = 2048
exportable = true
key_type = "RSA"
reuse_key = false
}

secret_properties {
content_type = "application/x-pkcs12"
}

x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

key_usage = [
"cRLSign",
"dataEncipherment",
"digitalSignature",
"keyAgreement",
"keyCertSign",
"keyEncipherment",
]

subject = "CN=${var.tre_id}.${var.location}.cloudapp.azure.com"

subject_alternative_names {
dns_names = ["${var.tre_id}.${var.location}.cloudapp.azure.com"]
}

validity_in_months = 12
}
}

# The certificate will get replaced with a real one, so we don't want Terrafomr to try and revert it.
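Review bot: The `key_usage` list grants CA-style usages (`cRLSign`, `keyCertSign`) to what the comment describes as a temporary self-signed TLS certificate; a server-auth leaf certificate (matching the `extended_key_usage` of `1.3.6.1.5.5.7.3.1`) only needs `digitalSignature` and `keyEncipherment`, so trimming the list keeps the placeholder least-privileged. Replacing the embedded PFX blob and its hard-coded `password = "0000000000"` with a policy-generated self-signed certificate is a clear improvement. The trailing comment has a typo: "Terrafomr" should be "Terraform".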
2 changes: 1 addition & 1 deletion templates/core/terraform/keyvault.tf
Expand Up @@ -4,7 +4,7 @@ resource "azurerm_key_vault" "kv" {
location = azurerm_resource_group.core.location
resource_group_name = azurerm_resource_group.core.name
sku_name = "standard"
purge_protection_enabled = var.keyvault_purge_protection_enabled
purge_protection_enabled = true
tags = local.tre_core_tags

lifecycle { ignore_changes = [access_policy, tags] }
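Review bot: Once `purge_protection_enabled = true` is applied it cannot be turned off again on that vault, and a destroyed environment's vault name stays reserved until the soft-delete retention expires. `soft_delete_retention_days` is not set in the visible block, so the provider default of 90 days applies; for frequently recreated test environments consider setting it explicitly (the minimum is 7) so names free up sooner.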
13 changes: 10 additions & 3 deletions templates/core/terraform/main.tf
Expand Up @@ -13,13 +13,20 @@ terraform {
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = var.keyvault_purge_protection_enabled ? false : true
recover_soft_deleted_key_vaults = false
# Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
purge_soft_delete_on_destroy = false
purge_soft_deleted_secrets_on_destroy = false
purge_soft_deleted_certificates_on_destroy = false
purge_soft_deleted_keys_on_destroy = false
# When recreating an environment, recover any previously soft deleted secrets - set to true by default
recover_soft_deleted_key_vaults = true
recover_soft_deleted_secrets = true
recover_soft_deleted_certificates = true
recover_soft_deleted_keys = true
}
}
}


resource "azurerm_resource_group" "core" {
location = var.location
name = "rg-${var.tre_id}"
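Review bot: `recover_soft_deleted_key_vaults` flips from `false` to `true` here, which is a behaviour change beyond "don't purge on destroy": a `terraform apply` after a destroy will now recover the soft-deleted vault, with whatever soft-deleted contents it still holds, rather than create a fresh one. The comment on the recover block mentions only secrets; update it to say vaults, keys and certificates as well, since all four `recover_*` settings are set. Pairing `purge_soft_delete*_on_destroy = false` with purge protection is correct, as the purge call would otherwise be rejected.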
6 changes: 0 additions & 6 deletions templates/core/terraform/variables.tf
Expand Up @@ -136,12 +136,6 @@ variable "resource_processor_type" {
type = string
}

variable "keyvault_purge_protection_enabled" {
type = bool
default = true
description = "Used to turn Keyvault purge protection"
}

variable "stateful_resources_locked" {
type = bool
default = true
2 changes: 1 addition & 1 deletion templates/shared_services/certs/porter.yaml
@@ -1,6 +1,6 @@
---
name: tre-shared-service-certs
version: 0.0.12
version: 0.0.13
description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
registry: azuretre
dockerfile: Dockerfile.tmpl
14 changes: 10 additions & 4 deletions templates/shared_services/certs/terraform/main.tf
Expand Up @@ -13,10 +13,16 @@ terraform {
provider "azurerm" {
features {
key_vault {
# Don't purge secrets on destroy (this would fail due to purge protection being enabled on keyvault)
purge_soft_deleted_secrets_on_destroy = false
# When recreating a shared service, recover any previously soft deleted secrets
recover_soft_deleted_secrets = true
# Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
purge_soft_delete_on_destroy = false
purge_soft_deleted_secrets_on_destroy = false
purge_soft_deleted_certificates_on_destroy = false
purge_soft_deleted_keys_on_destroy = false
# When recreating an environment, recover any previously soft deleted secrets - set to true by default
recover_soft_deleted_key_vaults = true
recover_soft_deleted_secrets = true
recover_soft_deleted_certificates = true
recover_soft_deleted_keys = true
}
}
}
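Review bot: The new comment says "When recreating an environment", but this provider block belongs to the certs shared service; the replaced comment "When recreating a shared service" was the accurate one. Also, this `key_vault` features block is now identical to the one in `templates/core/terraform/main.tf`, so a comment noting that it must stay aligned with the core vault's purge-protection setting would help.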
2 changes: 1 addition & 1 deletion templates/shared_services/gitea/porter.yaml
@@ -1,6 +1,6 @@
---
name: tre-shared-service-gitea
version: 0.3.5
version: 0.3.6
description: "A Gitea shared service"
registry: azuretre

14 changes: 10 additions & 4 deletions templates/shared_services/gitea/terraform/main.tf
Expand Up @@ -13,10 +13,16 @@ terraform {
provider "azurerm" {
features {
key_vault {
# Don't purge secrets on destroy (this would fail due to purge protection being enabled on keyvault)
purge_soft_deleted_secrets_on_destroy = false
# When recreating a shared service, recover any previously soft deleted secrets
recover_soft_deleted_secrets = true
# Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
purge_soft_delete_on_destroy = false
purge_soft_deleted_secrets_on_destroy = false
purge_soft_deleted_certificates_on_destroy = false
purge_soft_deleted_keys_on_destroy = false
# When recreating an environment, recover any previously soft deleted secrets - set to true by default
recover_soft_deleted_key_vaults = true
recover_soft_deleted_secrets = true
recover_soft_deleted_certificates = true
recover_soft_deleted_keys = true
}
}
}
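Review bot: The same twelve-line `key_vault` features block now appears in core, certs and gitea, which is a drift risk: if one copy later changes a `purge_*` or `recover_*` setting, the others silently diverge. A short comment at each copy pointing to the canonical block (or a docs note listing the places that must match) would make that visible. The "When recreating an environment" comment also applies to a shared service here, as in the certs change.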
2 changes: 1 addition & 1 deletion templates/shared_services/gitea/version.txt
@@ -1 +1 @@
__version__ = "0.3.7"
__version__ = "0.3.8"
2 changes: 1 addition & 1 deletion templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,6 +1,6 @@
---
name: tre-shared-service-sonatype-nexus
version: 2.0.2
version: 2.0.3
description: "A Sonatype Nexus shared service"
registry: azuretre
dockerfile: Dockerfile.tmpl