Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state

CHANGELOG.md

@@ -69,6 +69,7 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
 * Windows R version must be 4.1.2 otherwise post install script doesn't update package mirror URL ([#4288](https://github.com/microsoft/AzureTRE/issues/4288))
 * Recreate tre_output.json if empty. ([[#4292](https://github.com/microsoft/AzureTRE/issues/4292)])
 * Ensure R directory is present before attempting to update package mirror URL ([#4332](https://github.com/microsoft/AzureTRE/pull/4332))

templates/shared_services/certs/porter.yaml

@@ -88,6 +88,7 @@ install:
         - name: storage_account_name
         - name: resource_group_name
         - name: keyvault_name
+        - name: password_name
   - az:
       description: "Set Azure Cloud Environment"
       arguments:
@@ -114,6 +115,7 @@ install:
         resource_group_name: ${ bundle.outputs.resource_group_name }
         keyvault_name: ${ bundle.outputs.keyvault_name }
         cert_name: ${ bundle.parameters.cert_name }
+        password_name: ${ bundle.outputs.password_name }
   - az:
       description: "Stop application gateway"
       arguments:
@@ -167,6 +169,7 @@ renew:
         - name: storage_account_name
         - name: resource_group_name
         - name: keyvault_name
+        - name: password_name
   - az:
       description: "Set Azure Cloud Environment"
       arguments:
@@ -202,6 +205,7 @@ renew:
         resource_group_name: ${ bundle.outputs.resource_group_name }
         keyvault_name: ${ bundle.outputs.keyvault_name }
         cert_name: ${ bundle.parameters.cert_name }
+        password_name: ${ bundle.outputs.password_name }
   - az:
       description: "Stop application gateway"
       arguments:

templates/shared_services/certs/scripts/letsencrypt.sh

@@ -29,6 +29,10 @@ while [ "$1" != "" ]; do
         shift
         cert_name=$1
         ;;
+    --password_name)
+        shift
+        password_name=$1
+        ;;
     *)
         echo "Unexpected argument: '$1'"
         usage
@@ -122,8 +126,8 @@ sid=$(az keyvault certificate import \
     --password "${CERT_PASSWORD}" \
     | jq -r '.sid')
 
-echo "Saving certificate password to KV with key ${cert_name}-password"
-az keyvault secret set --name "${cert_name}"-password \
+echo "Saving certificate password to KV with key ${password_name}"
+az keyvault secret set --name "$password_name" \
   --vault-name "${keyvault_name}" \
   --value "${CERT_PASSWORD}"
 

templates/shared_services/certs/terraform/certificate.tf

@@ -36,3 +36,18 @@ resource "azurerm_key_vault_certificate" "tlscert" {
   }
 
 }
+
+# pre-create in advance of the real password being created
+# so if there is a deleted secret it will be recovered
+#
+resource "azurerm_key_vault_secret" "cert_password" {
+  name         = local.password_name
+  value        = "0000000000"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  tags         = local.tre_shared_service_tags
+
+  # The password will get replaced with a real one, so we don't want Terraform to try and revert it.
+  lifecycle {
+    ignore_changes = all
+  }
+}

templates/shared_services/certs/terraform/locals.tf

@@ -26,4 +26,5 @@ locals {
 
   cmk_name                 = "tre-encryption-${var.tre_id}"
   encryption_identity_name = "id-encryption-${var.tre_id}"
+  password_name            = "${var.cert_name}-password"
 }

templates/shared_services/certs/terraform/outputs.tf

@@ -17,3 +17,7 @@ output "resource_group_name" {
 output "keyvault_name" {
   value = data.azurerm_key_vault.key_vault.name
 }
+
+output "password_name" {
+  value = local.password_name
+}