🚚 Update 'password-update-server-linux-admin' to use pulumi-random

alan-turing-institute · Oct 10, 2023 · fd15158 · fd15158
1 parent 672b8c2
commit fd15158
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 16 deletions.
diff --git a/data_safe_haven/commands/deploy_shm.py b/data_safe_haven/commands/deploy_shm.py
@@ -51,9 +51,6 @@ def deploy_shm(
         stack.add_option("azure-native:tenantId", config.azure.tenant_id, replace=False)
         # Add necessary secrets
         stack.add_secret("password-domain-ldap-searcher", password(20), replace=False)
-        stack.add_secret(
-            "password-update-server-linux-admin", password(20), replace=False
-        )
         stack.add_secret(
             "verification-azuread-custom-domain", verification_record, replace=False
         )

diff --git a/data_safe_haven/infrastructure/stacks/shm/data.py b/data_safe_haven/infrastructure/stacks/shm/data.py
@@ -26,9 +26,6 @@ def __init__(
         self.password_domain_searcher = self.get_secret(
             pulumi_opts, "password-domain-ldap-searcher"
         )
-        self.password_update_server_linux_admin = self.get_secret(
-            pulumi_opts, "password-update-server-linux-admin"
-        )
         self.tenant_id = tenant_id
 
     def get_secret(self, pulumi_opts: Config, secret_name: str) -> Output[str]:
@@ -162,25 +159,30 @@ def __init__(
             tags=child_tags,
         )
 
-        # Deploy key vault secrets
+        # Secret: Linux update server admin password
+        password_update_server_linux_admin = pulumi_random.RandomPassword(
+            f"{self._name}_password_update_server_linux_admin", length=20, special=True
+        )
         keyvault.Secret(
-            f"{self._name}_kvs_password_domain_searcher",
+            f"{self._name}_kvs_password_update_server_linux_admin",
             properties=keyvault.SecretPropertiesArgs(
-                value=props.password_domain_searcher
+                value=password_update_server_linux_admin.result
             ),
             resource_group_name=resource_group.name,
-            secret_name="password-domain-ldap-searcher",
+            secret_name="password-update-server-linux-admin",
             vault_name=key_vault.name,
             opts=ResourceOptions.merge(child_opts, ResourceOptions(parent=key_vault)),
             tags=child_tags,
         )
+
+        # Add other Pulumi secrets to key vault
         keyvault.Secret(
-            f"{self._name}_kvs_password_update_server_linux_admin",
+            f"{self._name}_kvs_password_domain_searcher",
             properties=keyvault.SecretPropertiesArgs(
-                value=props.password_update_server_linux_admin
+                value=props.password_domain_searcher
             ),
             resource_group_name=resource_group.name,
-            secret_name="password-update-server-linux-admin",
+            secret_name="password-domain-ldap-searcher",
             vault_name=key_vault.name,
             opts=ResourceOptions.merge(child_opts, ResourceOptions(parent=key_vault)),
             tags=child_tags,
@@ -246,9 +248,9 @@ def __init__(
         self.password_domain_azure_ad_connect = Output.secret(
             password_domain_azure_ad_connect.result
         )
-        self.password_domain_searcher = props.password_domain_searcher
-        self.password_update_server_linux_admin = (
-            props.password_update_server_linux_admin
+        self.password_domain_searcher = Output.secret(props.password_domain_searcher)
+        self.password_update_server_linux_admin = Output.secret(
+            password_update_server_linux_admin.result
         )
         self.resource_group_name = Output.from_input(resource_group.name)
         self.vault = key_vault