From fd15158912344c06cc7a8f561633c51c4eeaafa6 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Tue, 10 Oct 2023 09:09:25 +0100
Subject: [PATCH] :truck: Update 'password-update-server-linux-admin' to use pulumi-random

---
 data_safe_haven/commands/deploy_shm.py | 3 --
 .../infrastructure/stacks/shm/data.py | 28 ++++++++++---------
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/data_safe_haven/commands/deploy_shm.py b/data_safe_haven/commands/deploy_shm.py
index c3579a81e4..f23d52afae 100644
--- a/data_safe_haven/commands/deploy_shm.py
+++ b/data_safe_haven/commands/deploy_shm.py
@@ -51,9 +51,6 @@ def deploy_shm(
     stack.add_option("azure-native:tenantId", config.azure.tenant_id, replace=False)
     # Add necessary secrets
     stack.add_secret("password-domain-ldap-searcher", password(20), replace=False)
-    stack.add_secret(
-        "password-update-server-linux-admin", password(20), replace=False
-    )
     stack.add_secret(
         "verification-azuread-custom-domain", verification_record, replace=False
     )
diff --git a/data_safe_haven/infrastructure/stacks/shm/data.py b/data_safe_haven/infrastructure/stacks/shm/data.py
index 7f7c5b4862..7ad0b7e89f 100644
--- a/data_safe_haven/infrastructure/stacks/shm/data.py
+++ b/data_safe_haven/infrastructure/stacks/shm/data.py
@@ -26,9 +26,6 @@ def __init__(
         self.password_domain_searcher = self.get_secret(
             pulumi_opts, "password-domain-ldap-searcher"
         )
-        self.password_update_server_linux_admin = self.get_secret(
-            pulumi_opts, "password-update-server-linux-admin"
-        )
         self.tenant_id = tenant_id
 
     def get_secret(self, pulumi_opts: Config, secret_name: str) -> Output[str]:
@@ -162,25 +159,30 @@ def __init__(
             tags=child_tags,
         )
-        # Deploy key vault secrets
+        # Secret: Linux update server admin password
+        password_update_server_linux_admin = pulumi_random.RandomPassword(
+            f"{self._name}_password_update_server_linux_admin", length=20, special=True
+        )
         keyvault.Secret(
-            f"{self._name}_kvs_password_domain_searcher",
+            f"{self._name}_kvs_password_update_server_linux_admin",
             properties=keyvault.SecretPropertiesArgs(
-                value=props.password_domain_searcher
+                value=password_update_server_linux_admin.result
             ),
             resource_group_name=resource_group.name,
-            secret_name="password-domain-ldap-searcher",
+            secret_name="password-update-server-linux-admin",
             vault_name=key_vault.name,
             opts=ResourceOptions.merge(child_opts, ResourceOptions(parent=key_vault)),
             tags=child_tags,
         )
+
+        # Add other Pulumi secrets to key vault
         keyvault.Secret(
-            f"{self._name}_kvs_password_update_server_linux_admin",
+            f"{self._name}_kvs_password_domain_searcher",
             properties=keyvault.SecretPropertiesArgs(
-                value=props.password_update_server_linux_admin
+                value=props.password_domain_searcher
             ),
             resource_group_name=resource_group.name,
-            secret_name="password-update-server-linux-admin",
+            secret_name="password-domain-ldap-searcher",
             vault_name=key_vault.name,
             opts=ResourceOptions.merge(child_opts, ResourceOptions(parent=key_vault)),
             tags=child_tags,
@@ -246,9 +248,9 @@ def __init__(
         self.password_domain_azure_ad_connect = Output.secret(
             password_domain_azure_ad_connect.result
         )
-        self.password_domain_searcher = props.password_domain_searcher
-        self.password_update_server_linux_admin = (
-            props.password_update_server_linux_admin
+        self.password_domain_searcher = Output.secret(props.password_domain_searcher)
+        self.password_update_server_linux_admin = Output.secret(
+            password_update_server_linux_admin.result
         )
         self.resource_group_name = Output.from_input(resource_group.name)
         self.vault = key_vault
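Review bot: The new `pulumi_random.RandomPassword` at the top of the hunk carries no note on its lifecycle, and this is where it matters: on an existing stack the next `pulumi up` will mint a value that differs from the `password-update-server-linux-admin` stack secret that `deploy_shm.py` no longer writes, so a server already provisioned with the old value presumably ends up with a different admin password in Key Vault than the one it was built with, and any later change to `length` or `special` replaces the resource and rotates it again. I'd put that above the resource: `# Generated once per stack; replacing this resource (e.g. changing length/special) rotates the password, so the update server must be re-provisioned with the new value.` The commit also leaves the old stack secret in existing stack configs, which is likely intentional but worth stating in the description. `__init__` continues outside the hunk on both sides.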
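Review bot: In the `@@ -246,9 +248,9 @@` hunk, `Output.secret(password_update_server_linux_admin.result)` wraps a value that pulumi_random already marks as a secret output, so the wrapper is redundant (the same holds for `password_domain_azure_ad_connect.result` three lines up); `self.password_update_server_linux_admin = password_update_server_linux_admin.result` is equivalent. The wrap that does carry weight is `Output.secret(props.password_domain_searcher)`, because whether the props value is already secret depends on how the props `get_secret` helper reads its config, which the `@@ -26,9 +26,6 @@` hunk does not show; a short comment on that line, `# props values come from stack config, so mark explicitly as secret`, would make the asymmetry deliberate rather than accidental. The enclosing `__init__` starts before this hunk.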