From 4ae1b305d39cb6a22a486132a23df105060898eb Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Mon, 15 Jul 2024 21:59:23 +0100 Subject: [PATCH 01/10] feat(EMS-2186): added key vault --- .cspell.json | 1 + .github/workflows/infrastructure.yml | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/.cspell.json b/.cspell.json index f1662798e4..1c020bdcab 100644 --- a/.cspell.json +++ b/.cspell.json @@ -145,6 +145,7 @@ "Useds", "venv", "VNET", + "vnets", "XLSX" ], "dictionaries": [ diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index 2648d8219c..d90ab094fd 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -165,6 +165,12 @@ jobs: --address-prefixes ${{ vars.VNET_SUBNET_PRIVATE_PREFIX }} \ --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} + az network vnet subnet create \ + --name snet-keyvault-${{ env.PRODUCT }}-${{ vars.VERSION }} \ + --address-prefixes ${{ vars.VNET_SUBNET_KEYVAULT_PREFIX }} \ + --vnet-name vnet${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ + --service-endpoints $(az network vnet list-endpoint-services --query '[?contains(name, `KeyVault`)].name' -o tsv) + - name: VNET Peer - AMI 🔀 uses: azure/cli@v2 with: 
@@ -389,6 +395,15 @@ jobs: --group-id sites \ --tags ${{ env.TAGS }} + #Key Vault + az network private-endpoint create \ + --name private-endpoint-keyvault${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ + --private-connection-resource-id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) \ + --connection-name private-link-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ + --subnet snet-private-${{ env.PRODUCT }}-${{ vars.VERSION }} \ + --vnet-name vnet${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ + --group-id $(az network private-link-resource list --id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv)) + - name: Private DNS 🌍 uses: azure/cli@v2 with: @@ -537,6 +552,18 @@ jobs: --name IPAllowListRule \ --policy-name waf${{ env.PRODUCT }}${{ env.TARGET }}${{ vars.VERSION }} + - name: Key Vault 🔑 + uses: azure/cli@v2 + with: + inlineScript: | + az keyvault create \ + --name kv-${{ env.PRODUCT }}${{ env.TARGET }}${{ vars.VERSION }} \ + --default-action Deny \ + --enable-purge-protection true \ + --public-network-access Disabled \ + --network-acls-ips ${{ secrets.WAF_ALLOWED_IP }} \ + --network-acls-vnets $(az network vnet subnet list --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query '[?contains(name, `keyvault`)].id' -o tsv) + # 4. WebApp configuration webapp: name: Web App 🔧 From 295c7c5d0110d755b3afcf7684e65206ae2f8556 Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Tue, 16 Jul 2024 07:45:48 +0100 Subject: [PATCH 02/10] fix(EMS-2186): added tags to Key Vault --- .github/workflows/infrastructure.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index d90ab094fd..4273ff2eb8 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml 
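Review bot: The new `az network private-endpoint create` for the vault has no DNS integration in this hunk — creating the endpoint does not register it in a `privatelink.vaultcore.azure.net` zone, so unless the "Private DNS 🌍" step that follows (its body is outside the hunk) adds a zone group for this endpoint, VNET clients keep resolving the vault's public FQDN, which `--public-network-access Disabled` on the vault then rejects. Worth confirming that step covers the vault, or adding `az network private-endpoint dns-zone-group create` next to this command with a comment saying which zone it targets. The endpoint is placed in `snet-private-…` while the `snet-keyvault-…` subnet created in the first hunk carries the Key Vault service endpoint; if both paths are intended, a one-line comment explaining why would help, e.g. `# Private endpoint lives in snet-private; snet-keyvault only feeds the vault's VNET ACL`. The `--group-id` value here is JSON from `az network private-link-resource list` rather than a sub-resource name, but PATCH 07/10 already replaces it with `vault`.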
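Review bot: The network ACL flags on this `az keyvault create` appear to be inert: as far as I can tell, with `--public-network-access Disabled` Key Vault does not evaluate IP or VNET rules and admits only private-endpoint traffic, so `--network-acls-ips ${{ secrets.WAF_ALLOWED_IP }}` and the `--network-acls-vnets` subnet lookup grant nothing, and the service-endpoint subnet `snet-keyvault-…` from the first hunk has no visible consumer. Either drop those flags, or if reaching the vault from the WAF address range really is required, use `--public-network-access Enabled` together with `--default-action Deny` so the allow-list is what gates access; whichever is chosen, a comment stating the intended access path would stop a later reader assuming the IP rule is effective. The same block is re-added unchanged at PATCH 05/10 hunk `@@ -373,6 +373,18 @@`. The authorization model is also left to the CLI default; `--enable-rbac-authorization true` would make it explicit and avoid access-policy drift between CLI versions.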
@@ -36,6 +36,8 @@ on: push: branches: - infrastructure + # TODO: Remove below prior to merge + - feat/EMS-2186-ia-c-key-vault-cost-alerts env: PRODUCT: exip @@ -402,7 +404,8 @@ jobs: --connection-name private-link-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --subnet snet-private-${{ env.PRODUCT }}-${{ vars.VERSION }} \ --vnet-name vnet${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ - --group-id $(az network private-link-resource list --id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv)) + --group-id $(az network private-link-resource list --id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv)) \ + --tags ${{ env.TAGS }} - name: Private DNS 🌍 uses: azure/cli@v2 From 68a4c4941af2af046119030d0b2ea85c1aabe446 Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Tue, 16 Jul 2024 08:11:02 +0100 Subject: [PATCH 03/10] fix(EMS-2186): azure IaC fix --- .github/workflows/infrastructure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index 4273ff2eb8..a88def2ee4 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -171,7 +171,7 @@ jobs: --name snet-keyvault-${{ env.PRODUCT }}-${{ vars.VERSION }} \ --address-prefixes ${{ vars.VNET_SUBNET_KEYVAULT_PREFIX }} \ --vnet-name vnet${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ - --service-endpoints $(az network vnet list-endpoint-services --query '[?contains(name, `KeyVault`)].name' -o tsv) + --service-endpoints Microsoft.KeyVault - name: VNET Peer - AMI 🔀 uses: azure/cli@v2 From 993e52b16bd931f2617d5f16668eb8e0c233daa0 Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Tue, 16 Jul 2024 08:21:44 +0100 Subject: [PATCH 04/10] fix(EMS-2186): azure IaC fix --- .github/workflows/infrastructure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index a88def2ee4..40f6cd358a 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -170,7 +170,7 @@ jobs: az network vnet subnet create \ --name snet-keyvault-${{ env.PRODUCT }}-${{ vars.VERSION }} \ --address-prefixes ${{ vars.VNET_SUBNET_KEYVAULT_PREFIX }} \ - --vnet-name vnet${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ + --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --service-endpoints Microsoft.KeyVault - name: VNET Peer - AMI 🔀 @@ -403,7 +403,7 @@ jobs: --private-connection-resource-id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) \ --connection-name private-link-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --subnet snet-private-${{ env.PRODUCT }}-${{ vars.VERSION }} \ - --vnet-name vnet${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ + --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --group-id $(az network private-link-resource list --id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv)) \ --tags ${{ env.TAGS }} From 84d3b57d430db7b43341486c35c2158db45454cd Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Tue, 16 Jul 2024 08:57:56 +0100 Subject: [PATCH 05/10] fix(EMS-2186): azure IaC fix --- .github/workflows/infrastructure.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index 40f6cd358a..3aaf104970 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml 
@@ -373,6 +373,18 @@ jobs: inlineScript: | az extension add --name front-door + - name: Key Vault 🔑 + uses: azure/cli@v2 + with: + inlineScript: | + az keyvault create \ + --name kv-${{ env.PRODUCT }}${{ env.TARGET }}${{ vars.VERSION }} \ + --default-action Deny \ + --enable-purge-protection true \ + --public-network-access Disabled \ + --network-acls-ips ${{ secrets.WAF_ALLOWED_IP }} \ + --network-acls-vnets $(az network vnet subnet list --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query '[?contains(name, `keyvault`)].id' -o tsv) + - name: Private endpoint 🔏 uses: azure/cli@v2 with: @@ -555,18 +567,6 @@ jobs: --name IPAllowListRule \ --policy-name waf${{ env.PRODUCT }}${{ env.TARGET }}${{ vars.VERSION }} - - name: Key Vault 🔑 - uses: azure/cli@v2 - with: - inlineScript: | - az keyvault create \ - --name kv-${{ env.PRODUCT }}${{ env.TARGET }}${{ vars.VERSION }} \ - --default-action Deny \ - --enable-purge-protection true \ - --public-network-access Disabled \ - --network-acls-ips ${{ secrets.WAF_ALLOWED_IP }} \ - --network-acls-vnets $(az network vnet subnet list --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query '[?contains(name, `keyvault`)].id' -o tsv) - # 4. WebApp configuration webapp: name: Web App 🔧 From 5c24b330d460a5f4e5972439cd1e5e537b37c796 Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Tue, 16 Jul 2024 09:52:03 +0100 Subject: [PATCH 06/10] fix(EMS-2186): added tags to Key Vault --- .github/workflows/infrastructure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index 3aaf104970..76b7e30c57 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml 
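Review bot: `--enable-purge-protection true` on this step is dropped later in the series (PATCH 08/10, hunk `@@ -380,7 +380,6 @@`), which leaves the vault and its soft-deleted secrets permanently purgeable by any principal holding purge rights, so soft delete alone no longer functions as a recovery or anti-tamper control. Purge protection cannot be turned off once enabled, which is presumably why it was removed for environments that are torn down and recreated; if that is the reason, keep it enabled for the long-lived target (for example by deriving the flag value from `env.TARGET`) and record the trade-off above the flag: `# Purge protection is irreversible; only disabled for ephemeral environments`. A soft-deleted vault also keeps its name reserved, so re-running this step after an environment is deleted will fail unless `az keyvault recover` runs first — hedged, since the teardown path is not in this diff.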
@@ -378,7 +378,7 @@ jobs: with: inlineScript: | az keyvault create \ - --name kv-${{ env.PRODUCT }}${{ env.TARGET }}${{ vars.VERSION }} \ + --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --default-action Deny \ --enable-purge-protection true \ --public-network-access Disabled \ From f23e285be2b2a25a50c02d02f141907fe2f33454 Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Tue, 16 Jul 2024 21:52:36 +0100 Subject: [PATCH 07/10] fix(DTFS2-7284): fixed private endpoint --- .github/workflows/infrastructure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index 76b7e30c57..d66fce20f9 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -411,12 +411,12 @@ jobs: #Key Vault az network private-endpoint create \ - --name private-endpoint-keyvault${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ + --name private-endpoint-keyvault-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --private-connection-resource-id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) \ --connection-name private-link-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --subnet snet-private-${{ env.PRODUCT }}-${{ vars.VERSION }} \ --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ - --group-id $(az network private-link-resource list --id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv)) \ + --group-id vault \ --tags ${{ env.TAGS }} - name: Private DNS 🌍 From ac65a2e023ced9a73f12bf78142b307a5a0fc725 Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Wed, 17 Jul 2024 06:23:34 +0100 Subject: [PATCH 08/10] fix(EMS-2186): removed purge protection --- .github/workflows/infrastructure.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index d66fce20f9..926314f8d5 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -380,7 +380,6 @@ jobs: az keyvault create \ --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \ --default-action Deny \ - --enable-purge-protection true \ --public-network-access Disabled \ --network-acls-ips ${{ secrets.WAF_ALLOWED_IP }} \ --network-acls-vnets $(az network vnet subnet list --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query '[?contains(name, `keyvault`)].id' -o tsv) From 8f7721f29bb450e2684fb8403d0a4f5b9e14fce4 Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Wed, 17 Jul 2024 10:04:52 +0100 Subject: [PATCH 09/10] fix(EMS-2186): removed * from flag --- .github/workflows/infrastructure.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index 926314f8d5..f1f440d78f 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -798,13 +798,13 @@ jobs: --record-set-name "@" \ --zone ${{ vars.DOMAIN_QUOTE }} \ --value ${{ vars.CA_VERIFICATION }} \ - --if-none-match "*" + --if-none-match az network dns record-set txt add-record \ --record-set-name "@" \ --zone ${{ vars.DOMAIN_INSURANCE }} \ --value ${{ vars.CA_VERIFICATION }} \ - --if-none-match "*" + --if-none-match - name: CAA records uses: azure/cli@v2 From 41d5d4cb9615d8afd7b3aec22a41fc8f1bc43d4e Mon Sep 17 00:00:00 2001 From: Abhi Markan Date: Wed, 17 Jul 2024 13:32:54 +0100 Subject: [PATCH 10/10] fix(EM-2186): fixed conditional deployment --- .github/workflows/deployment.yml | 3 ++- .github/workflows/infrastructure.yml | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 539f3db5f2..4674095039 100644 
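Review bot: `--value ${{ vars.CA_VERIFICATION }}` is expanded unquoted in both `add-record` calls, so a verification string containing spaces or shell metacharacters is split into several arguments; quote it as `--value "${{ vars.CA_VERIFICATION }}"` in each call. If I read the bare `--if-none-match` flag correctly, the command now refuses to modify an existing `@` TXT record set instead of appending, which is the safe default against clobbering but means a workflow re-run, or a zone that already has an SPF or other TXT record at the apex, fails this step; if re-runs are expected, check for the record set first or drop the flag deliberately and say so in a comment. The hunk starts mid-command — the `az network dns record-set txt add-record` line of the first call is outside it.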
--- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -59,7 +59,6 @@ jobs: name: Database 💾 needs: setup environment: ${{ needs.setup.outputs.environment }} - if: ${{ '1' == vars.DATABASE }} env: ENVIRONMENT: ${{ needs.setup.outputs.environment }} runs-on: [self-hosted, EXIP, deployment] @@ -81,12 +80,14 @@ jobs: az configure --defaults group=rg-${{ env.PRODUCT }}-${{ github.ref_name }}-${{ vars.VERSION }} - name: Extension ➕ + if: ${{ '1' == vars.DATABASE }} uses: azure/cli@v2 with: inlineScript: | az config set extension.use_dynamic_install=yes_without_prompt - name: Import ⬇ + if: ${{ '1' == vars.DATABASE }} uses: azure/cli@v2 with: inlineScript: | diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml index f1f440d78f..753343ba13 100644 --- a/.github/workflows/infrastructure.yml +++ b/.github/workflows/infrastructure.yml @@ -36,8 +36,6 @@ on: push: branches: - infrastructure - # TODO: Remove below prior to merge - - feat/EMS-2186-ia-c-key-vault-cost-alerts env: PRODUCT: exip
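Review bot: Removing the job-level `if: ${{ '1' == vars.DATABASE }}` makes the Database 💾 job run on every deployment: the steps ahead of `Extension ➕` (only `az configure --defaults group=…` is visible here, the rest is between the two hunks) now execute on the self-hosted runner even when no database is configured, and only the `Extension ➕` and `Import ⬇` steps are re-gated. Any further step in this job past the second hunk that did not get the same `if:` now runs unconditionally, so please confirm there are none. If the motivation was that a downstream `needs:` job was being skipped, the usual fix is `if: ${{ !cancelled() }}` on the dependent job rather than un-gating this one. The job's definition continues outside both hunks.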