using cli to read a secret

hmcts · Jul 1, 2024 · 37181ca · 37181ca
1 parent e5f378e
commit 37181ca
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 18 deletions.
diff --git a/keyvault.tf b/keyvault.tf
@@ -48,14 +48,14 @@ data "azurerm_key_vault_secret" "nessus_agent_key" {
   key_vault_id = data.azurerm_key_vault.soc_vault[0].id
 }
 
-data "azurerm_key_vault" "rhel_cert_vault" {
-  provider            = azurerm.cnp
-  name                = var.env == "prod" ? "infra-vault-prod" : "infra-vault-nonprod"
-  resource_group_name = local.cnp_vault_rg
-}
-
-data "azurerm_key_vault_secret" "rhel_cert" {
-  provider     = azurerm.cnp
-  name         = var.env == "prod" ? "rhel-cert-prod" : "rhel-cert"
-  key_vault_id = data.azurerm_key_vault.rhel_cert_vault.id
-}
+# data "azurerm_key_vault" "rhel_cert_vault" {
+#   provider            = azurerm.cnp
+#   name                = var.env == "prod" ? "infra-vault-prod" : "infra-vault-nonprod"
+#   resource_group_name = local.cnp_vault_rg
+# }
+
+# data "azurerm_key_vault_secret" "rhel_cert" {
+#   provider     = azurerm.cnp
+#   name         = var.env == "prod" ? "rhel-cert-prod" : "rhel-cert"
+#   key_vault_id = data.azurerm_key_vault.rhel_cert_vault.id
+# }
diff --git a/locals.tf b/locals.tf
@@ -24,7 +24,7 @@ locals {
       NESSUS_SERVER   = var.nessus_server == null || var.nessus_server == "" ? local.nessus_server : var.nessus_server
       NESSUS_KEY      = var.nessus_key == null || var.nessus_key == "" ? (length(data.azurerm_key_vault_secret.nessus_agent_key) > 0 ? data.azurerm_key_vault_secret.nessus_agent_key[0].value : "") : var.nessus_key
       NESSUS_GROUPS   = var.nessus_groups == null || var.nessus_groups == "" ? "Platform-Operation-Bastions" : var.nessus_groups
-      RHEL_CERT       = var.rhel_cert == null || var.rhel_cert == "" ? (length(data.azurerm_key_vault_secret.rhel_cert) > 0 ? data.azurerm_key_vault_secret.rhel_cert.value : "") : var.rhel_cert
+      # RHEL_CERT       = var.rhel_cert == null || var.rhel_cert == "" ? (length(data.azurerm_key_vault_secret.rhel_cert) > 0 ? data.azurerm_key_vault_secret.rhel_cert.value : "") : var.rhel_cert
   }), var.additional_script_path == null ? "" : file("${var.additional_script_path}")))
 
   additional_template_file = var.additional_script_uri != null ? format("%s%s%s", "[ ", "\"${var.additional_script_uri}\"", " ]") : "\"\""

diff --git a/scripts/bootstrap_vm.sh b/scripts/bootstrap_vm.sh
@@ -189,11 +189,25 @@ then
   install_nessus "${NESSUS_SERVER}" "${NESSUS_KEY}" "${NESSUS_GROUPS}"
 fi
 
+# Redhat ELS
+
+keyvaultName="infra-vault-nonprod"
+secretName="rhel-cert"
+
+# Retrieve the certificate content from Azure Key Vault
+certificateContent=$(az keyvault secret show --vault-name $keyvaultName --name $secretName --query value -o tsv)
+
+# Check if the retrieval was successful
+if [ -z "$certificateContent" ]; then
+  echo "Failed to retrieve the certificate from Azure Key Vault."
+  exit 1
+fi
+
 # Create directory /etc/pki/product/.
 mkdir -p /etc/pki/product/
 
 # Write the certificate.
-echo "${RHEL_CERT}" > /etc/pki/product/204.pem
+echo "$certificateContent" > /etc/pki/product/204.pem
 
 # Change the permission and ownership of this file.
 restorecon -Rv /etc/pki/product

diff --git a/variables.tf b/variables.tf
@@ -317,8 +317,8 @@ variable "soc_vault_name" {
   default     = "soc-prod"
 }
 
-variable "rhel_cert" {
-  description = "Redhat linking key - read input from keyvault."
-  type        = string
-  default     = null
-}
+# variable "rhel_cert" {
+#   description = "Redhat linking key - read input from keyvault."
+#   type        = string
+#   default     = null
+# }