feat(azure): add ssh jumper (#993)

* feat(azure): add ssh jumper * feat(azure): add ssh jumper * feat(azure): add ssh jumper * feat(azure): add ssh jumper
Altinn · Aug 21, 2024 · a6bc0e6 · a6bc0e6
1 parent 7389767
commit a6bc0e6
Show file tree

Hide file tree

Showing 14 changed files with 349 additions and 1 deletion.
diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
@@ -17,6 +17,11 @@ param sourceKeyVaultResourceGroup string
 @minLength(3)
 param sourceKeyVaultName string
 
+@description('SSH public key for the ssh jumper')
+@secure()
+@minLength(3)
+param sourceKeyVaultSshJumperSshPublicKey string
+
 import { Sku as RedisSku } from '../modules/redis/main.bicep'
 param redisSku RedisSku
 @minLength(1)
@@ -30,6 +35,7 @@ var secrets = {
   sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
   sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
   sourceKeyVaultName: sourceKeyVaultName
+  sourceKeyVaultSshJumperSshPublicKey: sourceKeyVaultSshJumperSshPublicKey
 }
 
 var srcKeyVault = {
@@ -202,6 +208,18 @@ module postgresql '../modules/postgreSql/create.bicep' = {
   }
 }
 
+module sshJumper '../modules/ssh-jumper/main.bicep' = {
+  scope: resourceGroup
+  name: 'sshJumper'
+  params: {
+    namePrefix: namePrefix
+    location: location
+    subnetId: vnet.outputs.defaultSubnetId
+    tags: tags
+    sshPublicKey: secrets.sourceKeyVaultSshJumperSshPublicKey
+  }
+}
+
 module copySecrets '../modules/keyvault/copySecrets.bicep' = {
   scope: resourceGroup
   name: 'copySecrets'

diff --git a/.azure/infrastructure/prod.bicepparam b/.azure/infrastructure/prod.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshPublicKey = readEnvironmentVariable('AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')
 
 // SKUs
 param redisSku = {

diff --git a/.azure/infrastructure/staging.bicepparam b/.azure/infrastructure/staging.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshPublicKey = readEnvironmentVariable('AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')
 
 // SKUs
 param redisSku = {

diff --git a/.azure/infrastructure/test.bicepparam b/.azure/infrastructure/test.bicepparam
@@ -11,6 +11,7 @@ param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
 param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
 param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
 param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')
+param sourceKeyVaultSshJumperSshPublicKey = readEnvironmentVariable('SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY')
 
 // SKUs
 param redisSku = {

diff --git a/.azure/modules/ssh-jumper/main.bicep b/.azure/modules/ssh-jumper/main.bicep
@@ -0,0 +1,132 @@
+@description('The name prefix to be used for the resource')
+param namePrefix string
+
+@description('The location to deploy the resource to')
+param location string
+
+@description('The subnet to deploy the network interface to')
+param subnetId string
+
+@description('Tags to be applied to the resource')
+param tags object
+
+@description('The SSH public key to be used for the virtual machine')
+@secure()
+param sshPublicKey string
+
+var name = '${namePrefix}-ssh-jumper'
+
+resource publicIp 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
+  name: '${name}-ip'
+  location: location
+  sku: {
+    name: 'Standard'
+    tier: 'Regional'
+  }
+  zones: [
+    '1'
+  ]
+  properties: {
+    publicIPAddressVersion: 'IPv4'
+    publicIPAllocationMethod: 'Static'
+    idleTimeoutInMinutes: 4
+    ipTags: []
+  }
+  tags: tags
+}
+
+resource networkInterface 'Microsoft.Network/networkInterfaces@2023-11-01' = {
+  name: name
+  location: location
+  properties: {
+    ipConfigurations: [
+      {
+        name: '${name}-ipconfig'
+        type: 'Microsoft.Network/networkInterfaces/ipConfigurations'
+        properties: {
+          privateIPAddress: '10.0.0.4'
+          privateIPAllocationMethod: 'Dynamic'
+          publicIPAddress: {
+            id: publicIp.id
+            properties: {
+              deleteOption: 'Delete'
+            }
+          }
+          subnet: {
+            id: subnetId
+          }
+          primary: true
+          privateIPAddressVersion: 'IPv4'
+        }
+      }
+    ]
+    dnsSettings: {
+      dnsServers: []
+    }
+    enableAcceleratedNetworking: false
+    enableIPForwarding: false
+    disableTcpStateTracking: false
+    nicType: 'Standard'
+    auxiliaryMode: 'None'
+    auxiliarySku: 'None'
+  }
+}
+
+module virtualMachine '../../modules/virtualMachine/main.bicep' = {
+  name: name
+  params: {
+    name: name
+    sshPublicKey: sshPublicKey
+    location: location
+    tags: tags
+    hardwareProfile: {
+      vmSize: 'Standard_B1s'
+    }
+    additionalCapabilities: {
+      hibernationEnabled: false
+    }
+    storageProfile: {
+      imageReference: {
+        publisher: 'canonical'
+        offer: '0001-com-ubuntu-server-focal'
+        sku: '20_04-lts-gen2'
+        version: 'latest'
+      }
+      osDisk: {
+        osType: 'Linux'
+        name: '${name}-osdisk'
+        createOption: 'FromImage'
+        caching: 'ReadWrite'
+        managedDisk: {
+          storageAccountType: 'Premium_LRS'
+        }
+        deleteOption: 'Delete'
+        diskSizeGB: 30
+      }
+      dataDisks: []
+      diskControllerType: 'SCSI'
+    }
+    securityProfile: {
+      uefiSettings: {
+        secureBootEnabled: true
+        vTpmEnabled: true
+      }
+      securityType: 'TrustedLaunch'
+    }
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: networkInterface.id
+          properties: {
+            deleteOption: 'Delete'
+          }
+        }
+      ]
+    }
+    diagnosticsProfile: {
+      bootDiagnostics: {
+        enabled: true
+      }
+    }
+  }
+}
diff --git a/.azure/modules/virtualMachine/main.bicep b/.azure/modules/virtualMachine/main.bicep
@@ -0,0 +1,131 @@
+param name string
+param location string
+param tags object
+
+type HardwareProfile = {
+  vmSize: string
+}
+@description('Specifies the hardware profile for the virtual machine')
+param hardwareProfile HardwareProfile
+
+type AdditionalCapabilities = {
+  hibernationEnabled: bool
+}
+@description('Specifies the additional capabilities for the virtual machine')
+param additionalCapabilities AdditionalCapabilities
+
+type SecurityProfile = {
+  uefiSettings: {
+    secureBootEnabled: bool
+    vTpmEnabled: bool
+  }
+  securityType: string
+}
+@description('Specifies the security profile for the virtual machine')
+param securityProfile SecurityProfile
+
+type NetworkInterface = {
+  id: string
+  properties: {
+    deleteOption: string
+  }
+}
+type NetworkProfile = {
+  networkInterfaces: NetworkInterface[]
+}
+@description('Specifies the network profile for the virtual machine')
+param networkProfile NetworkProfile
+
+type DiagnosticsProfile = {
+  bootDiagnostics: {
+    enabled: bool
+  }
+}
+@description('Specifies the diagnostics profile for the virtual machine')
+param diagnosticsProfile DiagnosticsProfile
+
+type StorageProfile = {
+  imageReference: {
+    publisher: string
+    offer: string
+    sku: string
+    version: string
+  }
+  osDisk: {
+    osType: string
+    name: string
+    createOption: string
+    caching: string
+    managedDisk: {
+      storageAccountType: string
+    }
+    deleteOption: string
+    diskSizeGB: int
+  }
+  dataDisks: array
+  diskControllerType: string
+}
+@description('Specifies the storage profile for the virtual machine')
+param storageProfile StorageProfile
+
+@description('Specifies the SSH public key for the virtual machine')
+@secure()
+param sshPublicKey string
+
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = {
+  name: name
+  location: location
+  zones: [
+    '1'
+  ]
+  properties: {
+    hardwareProfile: hardwareProfile
+    additionalCapabilities: additionalCapabilities
+    storageProfile: storageProfile
+    osProfile: {
+      computerName: name
+      adminUsername: name
+      linuxConfiguration: {
+        disablePasswordAuthentication: true
+        ssh: {
+          publicKeys: [
+            {
+              path: '/home/${name}/.ssh/authorized_keys'
+              keyData: sshPublicKey
+            }
+          ]
+        }
+        provisionVMAgent: true
+        patchSettings: {
+          patchMode: 'AutomaticByPlatform'
+          automaticByPlatformSettings: {
+            rebootSetting: 'IfRequired'
+            bypassPlatformSafetyChecksOnUserSchedule: false
+          }
+          assessmentMode: 'ImageDefault'
+        }
+      }
+      secrets: []
+      allowExtensionOperations: true
+    }
+    securityProfile: securityProfile
+    networkProfile: networkProfile
+    diagnosticsProfile: diagnosticsProfile
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+  tags: tags
+}
+
+resource aadLoginExtension 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
+  parent: virtualMachine
+  name: 'AADSSHLoginForLinux'
+  location: location
+  properties: {
+    publisher: 'Microsoft.Azure.ActiveDirectory'
+    type: 'AADSSHLoginForLinux'
+    typeHandlerVersion: '1.0'
+    autoUpgradeMinorVersion: true
+  }
+}
diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml
@@ -82,6 +82,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
       AZURE_CERTIFICATE_KEY_VAULT_NAME: ${{ secrets.AZURE_CERTIFICATE_KEY_VAULT_NAME }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-prod.yml b/.github/workflows/ci-cd-prod.yml
@@ -51,6 +51,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
       AZURE_CERTIFICATE_KEY_VAULT_NAME: ${{ secrets.AZURE_CERTIFICATE_KEY_VAULT_NAME }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
     with:
       environment: prod
       region: norwayeast

diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml
@@ -41,6 +41,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
       AZURE_CERTIFICATE_KEY_VAULT_NAME: ${{ secrets.AZURE_CERTIFICATE_KEY_VAULT_NAME }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-staging.yml b/.github/workflows/ci-cd-staging.yml
@@ -47,6 +47,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
       AZURE_CERTIFICATE_KEY_VAULT_NAME: ${{ secrets.AZURE_CERTIFICATE_KEY_VAULT_NAME }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
     with:
       environment: staging
       region: norwayeast

diff --git a/.github/workflows/dispatch-deploy-infrastructure.yml b/.github/workflows/dispatch-deploy-infrastructure.yml
@@ -37,6 +37,7 @@ jobs:
       AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
       AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
       AZURE_CERTIFICATE_KEY_VAULT_NAME: ${{ secrets.AZURE_CERTIFICATE_KEY_VAULT_NAME }}
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
     with:
       environment: ${{ inputs.environment }}
       region: norwayeast

diff --git a/.github/workflows/workflow-deploy-infrastructure.yml b/.github/workflows/workflow-deploy-infrastructure.yml
@@ -20,7 +20,8 @@ on:
         required: true
       AZURE_CERTIFICATE_KEY_VAULT_NAME:
         required: true
-
+      AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY:
+        required: true
     inputs:
       region:
         required: true
@@ -101,6 +102,7 @@ jobs:
           SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
           SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
           CERTIFICATE_KEY_VAULT_NAME: ${{ secrets.AZURE_CERTIFICATE_KEY_VAULT_NAME }}
+          SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
         with:
           scope: subscription
           template: ./.azure/infrastructure/main.bicep
@@ -125,6 +127,7 @@ jobs:
           SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
           SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
           CERTIFICATE_KEY_VAULT_NAME: ${{ secrets.AZURE_CERTIFICATE_KEY_VAULT_NAME }}
+          SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SSH_JUMPER_SSH_PUBLIC_KEY }}
         with:
           scope: subscription
           template: ./.azure/infrastructure/main.bicep