From d2ce83f4ac7cf2b5fb08958881e82e3b70d2722c Mon Sep 17 00:00:00 2001
From: Henri Rosten
Date: Fri, 22 Nov 2024 14:11:43 +0200
Subject: [PATCH] Support per-environment builder ssh keys

Create and use a per-environment builder ssh key unless external builders are used in the given ghaf-infra instance. Builder ssh key used to access the external builders is still stored and accessed from the persistent resource group. After this change, ghaf-infra configurations that don't use external builders (e.g. 'release') will create and use new builder ssh-keys on every new ghaf-infra deployment.

Signed-off-by: Henri Rosten
---
 terraform/main.tf | 39 +++++++++++++------
 .../builder-ssh-key/builder-ssh-key.tf | 13 ++++---
 terraform/persistent/resources/main.tf | 10 -----
 3 files changed, 36 insertions(+), 26 deletions(-)

diff --git a/terraform/main.tf b/terraform/main.tf
index 1b833e48..be9a4aa7 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -97,7 +97,6 @@ locals {
 # E.g. 'Standard_D2_v3' means: 2 vCPU, 8 GiB RAM
 opts = {
 priv = {
- builder_sshkey_id = "ext"
 persistent_id = "priv"
 vm_size_binarycache = "Standard_D2_v3"
 osdisk_size_binarycache = "50"
@@ -112,7 +111,6 @@ locals {
 ext_builder_keyscan = local.ext_builder_keyscan
 }
 dev = {
- builder_sshkey_id = "ext"
 persistent_id = "prod"
 vm_size_binarycache = "Standard_D4_v3"
 osdisk_size_binarycache = "250"
@@ -127,7 +125,6 @@ locals {
 ext_builder_keyscan = local.ext_builder_keyscan
 }
 prod = {
- builder_sshkey_id = "ext"
 persistent_id = "prod"
 vm_size_binarycache = "Standard_D4_v3"
 osdisk_size_binarycache = "250"
@@ -142,7 +139,6 @@ locals {
 ext_builder_keyscan = local.ext_builder_keyscan
 }
 release = {
- builder_sshkey_id = "release"
 persistent_id = "release"
 vm_size_binarycache = "Standard_D4_v3"
 osdisk_size_binarycache = "250"
@@ -175,9 +171,13 @@ locals {
 "((Force invalid regex pattern\n\nERROR: Deployment to non-priv requires variable 'convince'" : "", "")
 
 # Selects the persistent data for this ghaf-infra instance (see ./persistent)
- persistent_rg = local.envs["persistent_rg_name"]
- builder_sshkey_id = "id0${local.opts[local.conf].builder_sshkey_id}${local.shortloc}"
- persistent_id = "id0${local.opts[local.conf].persistent_id}${local.shortloc}"
+ persistent_rg = local.envs["persistent_rg_name"]
+ persistent_id = "id0${local.opts[local.conf].persistent_id}${local.shortloc}"
+
+ # Selects builder ssh key
+ use_ext_builders = length(local.opts[local.conf].ext_builder_machines) > 0
+ builder_sshkey_id = local.use_ext_builders ? "sshb-id0ext${local.shortloc}" : "sshb${local.ws}${local.shortloc}"
+ builder_sshkey_rg = local.use_ext_builders ? local.persistent_rg : "ghaf-infra-${local.ws}"
 }
 
 ################################################################################
@@ -232,6 +232,18 @@ resource "azurerm_storage_container" "vm_images" {
 container_access_type = "private"
 }
 
+module "builder_ssh_key" {
+ # Create ssh builder key if external builders are not used
+ count = (local.use_ext_builders) ? 0 : 1
+ source = "./persistent/builder-ssh-key"
+ # Must be globally unique, max 24 characters
+ builder_ssh_keyvault_name = local.builder_sshkey_id
+ resource_group_name = azurerm_resource_group.infra.name
+ location = azurerm_resource_group.infra.location
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+}
+
 ################################################################################
 
 # Data sources to access terraform state, see ./state-storage
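Review bot: `builder_sshkey_id` in the non-external branch is built from `local.ws` with no check that the result is a legal Key Vault name (3–24 characters, letters, digits and hyphens, starting with a letter), so a long or underscore-containing workspace name only fails at apply time, after the rest of the environment has started to be created. A precondition on the vault or a top-level `check` block, e.g. `condition = can(regex("^[a-zA-Z][a-zA-Z0-9-]{2,23}$", local.builder_sshkey_id))` with a message naming the offending workspace, would surface it at plan. `builder_sshkey_rg` also hard-codes `"ghaf-infra-${local.ws}"`, which presumably is the same value as the `azurerm_resource_group.infra.name` the module call below passes in; referencing the attribute keeps the data-source lookup from silently pointing at a different resource group if the naming ever changes. The `locals` block starts outside this hunk.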
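Review bot: `count` flips on the length of `ext_builder_machines`, so adding external builders to an environment that already has a per-environment key will plan the destruction of `module.builder_ssh_key[0]` together with its vault and private key, and nothing in the block says so. A comment on the `count` line, e.g. `# NOTE: switching an existing environment to external builders destroys this vault and its key`, would make that visible when the next opts change is reviewed. It is also worth one line noting that the key generated by the module's `tls_private_key` is persisted in Terraform state as well as in the vault, so the state backend has to be protected at least as well as the vault.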
@@ -243,14 +255,14 @@ data "azurerm_storage_account" "tfstate" {
 
 ################################################################################
 
-# Data sources to access 'persistent' data
-# see ./persistent and ./persistent/resources
+# Data sources to access builder ssh key
 
 # Builder ssh key
 data "azurerm_key_vault" "ssh_remote_build" {
- name = "sshb-${local.builder_sshkey_id}"
- resource_group_name = local.persistent_rg
+ name = local.builder_sshkey_id
+ resource_group_name = local.builder_sshkey_rg
 provider = azurerm
+ depends_on = [module.builder_ssh_key]
 }
 
 data "azurerm_key_vault_secret" "ssh_remote_build" {
@@ -265,6 +277,11 @@ data "azurerm_key_vault_secret" "ssh_remote_build_pub" {
 provider = azurerm
 }
 
+################################################################################
+
+ # Data sources to access 'persistent' data
+ # see ./persistent and ./persistent/resources
+
 # Binary cache storage
 data "azurerm_storage_account" "binary_cache" {
 name = "bches${local.persistent_id}"
diff --git a/terraform/persistent/builder-ssh-key/builder-ssh-key.tf b/terraform/persistent/builder-ssh-key/builder-ssh-key.tf
index c48f785d..d80f7f27 100644
--- a/terraform/persistent/builder-ssh-key/builder-ssh-key.tf
+++ b/terraform/persistent/builder-ssh-key/builder-ssh-key.tf
@@ -36,10 +36,11 @@ resource "tls_private_key" "ed25519_remote_build" {
 
 # Create an Azure key vault
 resource "azurerm_key_vault" "ssh_remote_build" {
- name = var.builder_ssh_keyvault_name
- location = var.location
- resource_group_name = var.resource_group_name
- sku_name = "standard"
+ name = var.builder_ssh_keyvault_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ sku_name = "standard"
+ purge_protection_enabled = false
 # The Azure Active Directory tenant ID that should be used for authenticating
 # requests to the key vault
 tenant_id = var.tenant_id
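Review bot: The new `depends_on` on a data source changes plan behaviour and deserves a comment: whenever `module.builder_ssh_key` has pending changes (the first deployment, or after the vault is recreated) this lookup and the secret reads that presumably hang off it are deferred to apply, so anything built from the key material shows as known after apply in that plan. Something like `# depends_on makes the read wait for the per-env vault; expect known-after-apply on first deploy` on that line would save the next reader a debugging session. When `use_ext_builders` is true the same data source targets a vault in the persistent resource group that this configuration does not manage, which the comment could state as well.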
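Review bot: `purge_protection_enabled = false` is presumably set so that a destroyed per-environment vault can be purged and its name reused on the next deployment, but the line carries no comment and the setting now applies to every vault this module creates, i.e. to the vault holding the builders' private key. Suggested comment: `# Purge protection off on purpose: per-env vaults are destroyed and purged on every redeploy so the name can be reused`. Soft delete still applies, so adding `soft_delete_retention_days = 7` keeps the window in which a deleted vault blocks the name as short as Azure allows if the purge does not happen; whether it happens depends on the provider's `purge_soft_delete_on_destroy` feature setting and on the deploying principal's RBAC rights, neither of which is visible here. The resource continues past the end of the hunk.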
@@ -79,6 +80,8 @@ resource "azurerm_key_vault_access_policy" "ssh_remote_build_terraform" {
 secret_permissions = [
 "Get",
 "List",
- "Set"
+ "Set",
+ "Delete",
+ "Purge"
 ]
 }
diff --git a/terraform/persistent/resources/main.tf b/terraform/persistent/resources/main.tf
index 4afdc55a..b92f5346 100644
--- a/terraform/persistent/resources/main.tf
+++ b/terraform/persistent/resources/main.tf
@@ -72,16 +72,6 @@ resource "secret_resource" "binary_cache_signing_key" {
 resource "secret_resource" "binary_cache_signing_key_pub" {
 }
 
-module "builder_ssh_key" {
- source = "../builder-ssh-key"
- # Must be globally unique, max 24 characters
- builder_ssh_keyvault_name = "sshb-id0${local.ws}"
- resource_group_name = data.azurerm_resource_group.persistent.name
- location = data.azurerm_resource_group.persistent.location
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azurerm_client_config.current.object_id
-}
-
 module "binary_cache_sigkey" {
 source = "../binary-cache-sigkey"
 # Must be globally unique, max 24 characters
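Review bot: `Delete` and `Purge` on secrets are the most destructive rights in this policy and are handed to the principal running Terraform (the module's `object_id`), yet nothing records why they are needed; a comment such as `# Delete/Purge: terraform destroy removes per-environment keys; purge is irreversible` would stop a later least-privilege pass from dropping them and breaking destroy. Note that this `Purge` covers soft-deleted secrets only; purging the vault itself after destroy is an ARM-level action (`Microsoft.KeyVault/locations/deletedVaults/purge/action`) that an access policy cannot grant, so if the runner's role is scoped to the resource group the vault name stays reserved for the soft-delete retention period and the next deploy of the same workspace fails on the name. The resource begins outside this hunk.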