Support per-environment builder ssh keys
Create and use a per-environment builder ssh key unless external
builders are used in the given ghaf-infra instance. The builder
ssh key used to access the external builders is still stored in
and accessed from the persistent resource group.

After this change, ghaf-infra configurations that don't use external
builders (e.g. 'release') will create and use new builder ssh-keys on
every new ghaf-infra deployment.

Signed-off-by: Henri Rosten <[email protected]>
henrirosten committed Dec 2, 2024
1 parent 6be2cb6 commit 012213e
Showing 3 changed files with 36 additions and 26 deletions.
39 changes: 28 additions & 11 deletions terraform/main.tf
Expand Up @@ -97,7 +97,6 @@ locals {
# E.g. 'Standard_D2_v3' means: 2 vCPU, 8 GiB RAM
opts = {
priv = {
builder_sshkey_id = "ext"
persistent_id = "priv"
vm_size_binarycache = "Standard_D2_v3"
osdisk_size_binarycache = "50"
Expand All @@ -112,7 +111,6 @@ locals {
ext_builder_keyscan = local.ext_builder_keyscan
}
dev = {
builder_sshkey_id = "ext"
persistent_id = "prod"
vm_size_binarycache = "Standard_D4_v3"
osdisk_size_binarycache = "250"
Expand All @@ -127,7 +125,6 @@ locals {
ext_builder_keyscan = local.ext_builder_keyscan
}
prod = {
builder_sshkey_id = "ext"
persistent_id = "prod"
vm_size_binarycache = "Standard_D4_v3"
osdisk_size_binarycache = "250"
Expand All @@ -142,7 +139,6 @@ locals {
ext_builder_keyscan = local.ext_builder_keyscan
}
release = {
builder_sshkey_id = "release"
persistent_id = "release"
vm_size_binarycache = "Standard_D4_v3"
osdisk_size_binarycache = "250"
Expand Down Expand Up @@ -175,9 +171,13 @@ locals {
"((Force invalid regex pattern\n\nERROR: Deployment to non-priv requires variable 'convince'" : "", "")

# Selects the persistent data for this ghaf-infra instance (see ./persistent)
persistent_rg = local.envs["persistent_rg_name"]
builder_sshkey_id = "id0${local.opts[local.conf].builder_sshkey_id}${local.shortloc}"
persistent_id = "id0${local.opts[local.conf].persistent_id}${local.shortloc}"
persistent_rg = local.envs["persistent_rg_name"]
persistent_id = "id0${local.opts[local.conf].persistent_id}${local.shortloc}"

# Selects builder ssh key
use_ext_builders = length(local.opts[local.conf].ext_builder_machines) > 0
builder_sshkey_id = local.use_ext_builders ? "sshb-id0ext${local.shortloc}" : "sshb${local.ws}${local.shortloc}"
builder_sshkey_rg = local.use_ext_builders ? local.persistent_rg : "ghaf-infra-${local.ws}"
}

################################################################################
Expand Down Expand Up @@ -232,6 +232,18 @@ resource "azurerm_storage_container" "vm_images" {
container_access_type = "private"
}

module "builder_ssh_key" {
# Create ssh builder key if external builders are not used
count = (local.use_ext_builders) ? 0 : 1
source = "./persistent/builder-ssh-key"
# Must be globally unique, max 24 characters
builder_ssh_keyvault_name = local.builder_sshkey_id
resource_group_name = azurerm_resource_group.infra.name
location = azurerm_resource_group.infra.location
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
}

################################################################################

# Data sources to access terraform state, see ./state-storage
Expand All @@ -243,14 +255,14 @@ data "azurerm_storage_account" "tfstate" {

################################################################################

# Data sources to access 'persistent' data
# see ./persistent and ./persistent/resources
# Data sources to access builder ssh key

# Builder ssh key
data "azurerm_key_vault" "ssh_remote_build" {
name = "sshb-${local.builder_sshkey_id}"
resource_group_name = local.persistent_rg
name = local.builder_sshkey_id
resource_group_name = local.builder_sshkey_rg
provider = azurerm
depends_on = [module.builder_ssh_key]
}

data "azurerm_key_vault_secret" "ssh_remote_build" {
Expand All @@ -265,6 +277,11 @@ data "azurerm_key_vault_secret" "ssh_remote_build_pub" {
provider = azurerm
}

################################################################################

# Data sources to access 'persistent' data
# see ./persistent and ./persistent/resources

# Binary cache storage
data "azurerm_storage_account" "binary_cache" {
name = "bches${local.persistent_id}"
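Review bot: The vault name produced at `builder_sshkey_id = local.use_ext_builders ? "sshb-id0ext${local.shortloc}" : "sshb${local.ws}${local.shortloc}"` is handed to the module as `builder_ssh_keyvault_name`, whose comment says it must be globally unique and at most 24 characters, yet nothing constrains `local.ws` to keep the result within that length or within the letters/digits/hyphen set Azure accepts for Key Vault names, so a long or underscore-containing workspace name only fails at apply time. A `validation` block on the module's `builder_ssh_keyvault_name` variable (or a `precondition` on `data "azurerm_key_vault" "ssh_remote_build"`, which reads the same name) would surface this at plan time. Separately, the external-builder vault `sshb-id0ext${local.shortloc}` is now read from `local.persistent_rg`, while the `module "builder_ssh_key"` call in terraform/persistent/resources/main.tf that presumably created it is deleted in this same commit; unless that vault was taken out of the persistent state beforehand, the next persistent apply would plan its destruction. A comment at the data source stating where the ext vault is managed after this change, e.g. `# Ext-builder vault is pre-existing in the persistent RG and is not managed by this configuration`, would make the intended ownership explicit.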
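--- a/terraform/persistent/builder-ssh-key/builder-ssh-key.tf
+++ b/terraform/persistent/builder-ssh-key/builder-ssh-key.tf
@@ -36,10 +36,11 @@ resource "tls_private_key" "ed25519_remote_build" {
 
 # Create an Azure key vault
 resource "azurerm_key_vault" "ssh_remote_build" {
-name = var.builder_ssh_keyvault_name
-location = var.location
-resource_group_name = var.resource_group_name
-sku_name = "standard"
+name = var.builder_ssh_keyvault_name
+location = var.location
+resource_group_name = var.resource_group_name
+sku_name = "standard"
+purge_protection_enabled = false
 # The Azure Active Directory tenant ID that should be used for authenticating
 # requests to the key vault
 tenant_id = var.tenant_id
@@ -79,6 +80,8 @@ resource "azurerm_key_vault_access_policy" "ssh_remote_build_terraform" {
 secret_permissions = [
 "Get",
 "List",
-"Set"
+"Set",
+"Delete",
+"Purge"
 ]
 }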
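Review bot: Setting `purge_protection_enabled = false` and, in the second hunk, granting the terraform principal `Delete` and `Purge` on secrets means destroying this module removes the vault that holds the builder private key and allows its secrets to be purged immediately instead of being held in soft-delete; that is what per-deployment keys need, but the file does not say so, and the module is generic enough to be reused for a long-lived key. Whether the vault itself is purged on destroy also depends on the provider's `features { key_vault { ... } }` settings, which are outside this hunk. I would add above the new line: `# Purge protection is deliberately off: vaults created by this module are per-environment and are destroyed and recreated on every deployment. Do not use this module for a long-lived key without enabling purge protection.` and a one-line note next to `"Delete",` / `"Purge"` pointing at the same rationale. The `azurerm_key_vault` resource continues past the end of the first hunk.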
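--- a/terraform/persistent/resources/main.tf
+++ b/terraform/persistent/resources/main.tf
@@ -72,16 +72,6 @@ resource "secret_resource" "binary_cache_signing_key" {
 resource "secret_resource" "binary_cache_signing_key_pub" {
 }
 
-module "builder_ssh_key" {
-source = "../builder-ssh-key"
-# Must be globally unique, max 24 characters
-builder_ssh_keyvault_name = "sshb-id0${local.ws}"
-resource_group_name = data.azurerm_resource_group.persistent.name
-location = data.azurerm_resource_group.persistent.location
-tenant_id = data.azurerm_client_config.current.tenant_id
-object_id = data.azurerm_client_config.current.object_id
-}
-
 module "binary_cache_sigkey" {
 source = "../binary-cache-sigkey"
 # Must be globally unique, max 24 characters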
