
TES-309: Support for loading GraphDB license in VMSS #4

Merged
merged 1 commit into from
Nov 9, 2023

Conversation

mihailradkov
Contributor

Changes

Updated the user data script to authenticate in Azure CLI and download the license.

Added new TF modules:

  • configuration - takes care of handling GraphDB configurations and secrets
  • identity - responsible for creating and managing a user assigned identity
  • vault - creates a key vault for storing sensitive configurations

@mihailradkov mihailradkov self-assigned this Nov 8, 2023
@mihailradkov mihailradkov requested review from rdstn and yaskoo November 8, 2023 11:58
@mihailradkov mihailradkov force-pushed the TES-309-loading-license-secret branch from a9acbb5 to 05b8558 Compare November 8, 2023 12:00
Comment on lines +101 to +117
module "configuration" {
source = "./modules/configuration"

resource_group_name = azurerm_resource_group.graphdb.name

identity_name = module.identity.identity_name
graphdb_license_path = var.graphdb_license_path
key_vault_name = module.vault.key_vault_name

tags = local.tags

depends_on = [
azurerm_resource_group.graphdb,
# Wait for complete module creation
module.vault
]
}
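Review bot: the `depends_on` list on the `configuration` module call (lines +101 to +117) mixes a redundant entry with a necessary one. `azurerm_resource_group.graphdb` is already an implicit dependency through `resource_group_name = azurerm_resource_group.graphdb.name`, so it can go; `module.vault` is justified, because `key_vault_name = module.vault.key_vault_name` only depends on that one output, while the `# Wait for complete module creation` comment suggests the secrets need everything in the vault module (access grants included) to exist first. Suggest stating that reason in the comment, and noting that the two defsec notices on these lines (secret content type and expiry) concern the secret resource inside `./modules/configuration`, which is where the fix belongs.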

Check notice

Code scanning / defsec

Key vault Secret should have a content type set Note

Secret does not have a content-type specified.
Check notice

Code scanning / defsec

Key Vault Secret should have an expiration date set Note

Secret should have an expiry date specified.
Comment on lines +90 to +99
module "vault" {
source = "./modules/vault"

resource_name_prefix = var.resource_name_prefix
resource_group_name = azurerm_resource_group.graphdb.name

tags = local.tags

depends_on = [azurerm_resource_group.graphdb]
}
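Review bot: `depends_on = [azurerm_resource_group.graphdb]` on the `vault` module call (lines +90 to +99) is redundant, since `resource_group_name = azurerm_resource_group.graphdb.name` already orders the module after the resource group; dropping it keeps the dependency graph derived from attribute references. The purge protection warning and the network ACL error that defsec raises on these lines apply to the `azurerm_key_vault` resource inside `./modules/vault`; if they are deferred to another PR, a comment at the resource saying so would keep the deferral visible to the next reader of the module.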

Check warning

Code scanning / defsec

Key vault should have purge protection enabled Warning

Vault does not have purge protection enabled.
Check failure

Code scanning / defsec

Key vault should have the network acl block specified Error

Vault network ACL does not block access by default.
Contributor Author

Security issues will be addressed in another PR
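For reference, a vault and secret configuration that closes the four defsec findings above and grants the user assigned identity only secret read access. This is an added example, not code from this PR or the repository's modules; `var.location`, `var.resource_group_name`, `var.allowed_subnet_ids`, `var.identity_principal_id` and `var.license_expiration_date` are assumed inputs, the other variables are the PR's own.

```hcl
# Assumed inputs beyond the PR's variables: var.location, var.resource_group_name,
# var.allowed_subnet_ids, var.identity_principal_id, var.license_expiration_date.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "graphdb" {
  name                = "${var.resource_name_prefix}-kv"
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Finding "purge protection enabled": a deleted vault or secret cannot be
  # purged before the soft-delete retention window ends.
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  # Finding "network acl block specified": deny by default; only the VMSS
  # subnet(s), which need the Key Vault service endpoint, and trusted Azure
  # services can reach the vault.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = var.allowed_subnet_ids
  }

  # Azure RBAC instead of access policies, so the identity gets one scoped role.
  enable_rbac_authorization = true

  tags = var.tags
}

# Least privilege: the user assigned identity may read secrets and nothing else.
resource "azurerm_role_assignment" "license_reader" {
  scope                = azurerm_key_vault.graphdb.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.identity_principal_id
}

resource "azurerm_key_vault_secret" "graphdb_license" {
  name         = "graphdb-license"
  key_vault_id = azurerm_key_vault.graphdb.id
  # base64 keeps a binary license intact; the user data script decodes it.
  value = filebase64(var.graphdb_license_path)

  # Finding "content type set".
  content_type = "application/octet-stream"

  # Finding "expiration date set": RFC 3339, e.g. "2024-11-09T00:00:00Z".
  expiration_date = var.license_expiration_date
}
```

The principal running Terraform needs a write role on the vault (for example "Key Vault Secrets Officer") to create the secret; the VMSS identity never needs more than the read role above.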

Resolved review threads on: modules/vm/variables.tf, variables.tf, modules/vm/main.tf
Added new TF modules:
- configuration - takes care of handling GraphDB configurations and secrets
- identity - responsible for creating and managing a user assigned identity
- vault - creates a key vault for storing sensitive configurations

Updated the user data script to authenticate in Azure CLI and download the license.
@mihailradkov mihailradkov force-pushed the TES-309-loading-license-secret branch from d95749e to dd1cfe4 Compare November 9, 2023 11:24
@mihailradkov mihailradkov merged commit 483f2d6 into main Nov 9, 2023
1 check passed
@mihailradkov mihailradkov deleted the TES-309-loading-license-secret branch November 9, 2023 11:24