
Nexus Linux machine uses SSH keys #4366

Draft pull request; wants to merge 1 commit into base branch main.

Conversation

marrobi (Member) commented Feb 12, 2025

Fixes #4359

Update Sonatype Nexus VM to require SSH key-based authentication.

  • Remove password-based authentication and related resources from templates/shared_services/sonatype-nexus-vm/terraform/vm.tf.
  • Add resources to generate and store SSH keys in Key Vault.
  • Update the connection block to use the SSH private key for authentication.
  • Update docs/tre-templates/shared-services/nexus.md to reflect the change to SSH key-based authentication and provide instructions on how to retrieve the SSH private key from Key Vault.

For more details, open the Copilot Workspace session.

marrobi (Member, Author) commented Feb 12, 2025

@jonnyry ran this through Copilot, fancy testing and fixing up?

Unit Test Results (bot comment)

0 tests, 0 suites, 0 files: 0 passed, 0 skipped, 0 failed; 0s.

Results for commit 677fb05.

marrobi marked this pull request as draft February 12, 2025 13:40
jonnyry (Collaborator) commented Feb 12, 2025

> @jonnyry ran this through Copilot, fancy testing and fixing up?

There are a few issues with it that I can see at first glance:

  • the SSH key pair gets written to the Terraform state
  • the private key is passed to the Nexus VM rather than the public key
  • the Nexus VM will get destroyed, since changing disable_password_authentication is destructive

I've got a fix for this issue locally that uses a bash script to keep the SSH private key out of TF state. Happy to PR back if you like.
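The three review points above, shown as an added Terraform example (not the AzureTRE project's `vm.tf` and not code posted by either participant): the public half of the key is what goes to the VM's `admin_ssh_key`, the private half belongs only in the client-side `connection` block, and `disable_password_authentication` forces a replacement when it changes on an existing VM. Resource names (`nexus_ssh`, `nexus`, `nexus_bootstrap`), the variables (`var.key_vault_id`, `var.resource_group_name`, `var.location`, `var.nic_id`), the admin username and the VM size and image are assumptions for illustration.

```hcl
# Added example; assumed names and variables, see lead-in.

# Generates the key pair. Caveat raised in review: BOTH halves, including
# private_key_pem / private_key_openssh, are persisted in Terraform state, so
# anyone who can read the state file can read the private key. If this
# resource is used at all, state must live in an encrypted, access-controlled
# remote backend.
resource "tls_private_key" "nexus_ssh" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Stores the private key for operators to retrieve later. The value is still
# also present in state (same caveat as above).
resource "azurerm_key_vault_secret" "nexus_ssh_private_key" {
  name         = "nexus-ssh-private-key"
  value        = tls_private_key.nexus_ssh.private_key_openssh
  key_vault_id = var.key_vault_id
}

resource "azurerm_linux_virtual_machine" "nexus" {
  name                  = "nexus-vm"
  resource_group_name   = var.resource_group_name
  location              = var.location
  size                  = "Standard_B2s"
  admin_username        = "adminuser"
  network_interface_ids = [var.nic_id]

  # Only the PUBLIC key is handed to the VM; the private key never goes to Azure.
  admin_ssh_key {
    username   = "adminuser"
    public_key = tls_private_key.nexus_ssh.public_key_openssh
  }

  # Changing this on an existing VM forces replacement: `terraform plan` will
  # show the VM as "must be replaced". Review the plan before applying to a
  # live Nexus VM, since the replacement discards the OS disk.
  disable_password_authentication = true

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
}

# The provisioner connection is the client side, so this is where the PRIVATE
# key is correct.
resource "null_resource" "nexus_bootstrap" {
  connection {
    type        = "ssh"
    host        = azurerm_linux_virtual_machine.nexus.private_ip_address
    user        = "adminuser"
    private_key = tls_private_key.nexus_ssh.private_key_openssh
  }

  provisioner "remote-exec" {
    inline = ["echo ssh key authentication ok"]
  }
}
```

A quick way to confirm the first and third points on any branch: `terraform plan` against an existing VM should list `azurerm_linux_virtual_machine.nexus` as forcing replacement, and `terraform show -json` on the state afterwards will contain the `private_key_pem` value of the `tls_private_key` resource in clear text.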

marrobi (Member, Author) commented Feb 13, 2025

> > @jonnyry ran this through Copilot, fancy testing and fixing up?
>
> There are a few issues with it that I can see at first glance:
>
>   • the SSH key pair gets written to the Terraform state
>   • the private key is passed to the Nexus VM rather than the public key
>   • the Nexus VM will get destroyed, since changing disable_password_authentication is destructive
>
> I've got a fix for this issue locally that uses a bash script to keep the SSH private key out of TF state. Happy to PR back if you like.

Hmm, I'd like to avoid even more bash script to be honest. How about an Ephemeral resource - https://developer.hashicorp.com/terraform/language/resources/ephemeral

jonnyry (Collaborator) commented Feb 13, 2025

> > > @jonnyry ran this through Copilot, fancy testing and fixing up?
> >
> > There are a few issues with it that I can see at first glance:
> >
> >   • the SSH key pair gets written to the Terraform state
> >   • the private key is passed to the Nexus VM rather than the public key
> >   • the Nexus VM will get destroyed, since changing disable_password_authentication is destructive
> >
> > I've got a fix for this issue locally that uses a bash script to keep the SSH private key out of TF state. Happy to PR back if you like.
>
> Hmm, I'd like to avoid even more bash script to be honest. How about an Ephemeral resource - https://developer.hashicorp.com/terraform/language/resources/ephemeral

Currently they can only read existing secrets/certs in the azurerm provider:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/ephemeral-resources/key_vault_secret
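What the ephemeral route can and cannot do, as an added example (not the project's code and not code posted by either participant): an `ephemeral "azurerm_key_vault_secret"` block reads a secret that already exists without writing it to plan or state, and a `connection` block is one of the contexts Terraform allows ephemeral values in, so the private key can be consumed there. It does not generate the key, which is the limitation jonnyry points out: the secret has to be created out of band first. The vault and resource names, `var.key_vault_name`, `var.resource_group_name`, `var.nexus_private_ip`, the admin username and the provider version constraint are assumptions; check the linked provider docs for the minimum azurerm release that ships this ephemeral resource.

```hcl
# Added example; assumed names and variables, see lead-in.

terraform {
  # ephemeral blocks require Terraform 1.10 or later
  required_version = ">= 1.10"

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      # assumption: a 4.x release that includes the ephemeral key_vault_secret
      version = ">= 4.0"
    }
  }
}

data "azurerm_key_vault" "tre" {
  name                = var.key_vault_name
  resource_group_name = var.resource_group_name
}

# Reads the secret at plan/apply time only; the value is never persisted to
# plan files or state. Precondition: "nexus-ssh-private-key" must already
# exist in the vault (created out of band), because an ephemeral block cannot
# create or generate it.
ephemeral "azurerm_key_vault_secret" "nexus_ssh_private_key" {
  name         = "nexus-ssh-private-key"
  key_vault_id = data.azurerm_key_vault.tre.id
}

resource "null_resource" "nexus_bootstrap" {
  connection {
    type = "ssh"
    host = var.nexus_private_ip
    user = "adminuser"
    # connection blocks are an ephemeral context, so this reference is allowed;
    # referencing the same value from a normal resource argument would be
    # rejected by Terraform.
    private_key = ephemeral.azurerm_key_vault_secret.nexus_ssh_private_key.value
  }

  provisioner "remote-exec" {
    inline = ["echo connected with key from key vault"]
  }
}
```

The public key the VM needs for `admin_ssh_key` still has to come from somewhere (config, a data source, or a separate non-secret Key Vault entry); keeping only the public half in state is acceptable, since it is not sensitive.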

Successfully merging this pull request may close these issues: Defender: Authentication to Linux machines should require SSH keys (Sonatype Nexus VM)