From e883bdc8b0d7b4e81c065cbdd1839d6250749eaf Mon Sep 17 00:00:00 2001
From: salim abdulkareem
Date: Mon, 1 Jul 2024 11:02:22 +0100
Subject: [PATCH] add kv for cert

---
 keyvault.tf | 12 ++++++++++++
 locals.tf | 1 +
 scripts/bootstrap_vm.sh | 12 ++++++++++++
 variables.tf | 6 ++++++
 4 files changed, 31 insertions(+)

diff --git a/keyvault.tf b/keyvault.tf
index 23447e2..93a67dd 100644
--- a/keyvault.tf
+++ b/keyvault.tf
@@ -47,3 +47,15 @@ data "azurerm_key_vault_secret" "nessus_agent_key" {
 name = contains(["prod", "sbox"], var.env) ? "nessus-agent-key-${var.env}" : "nessus-agent-key-nonprod"
 key_vault_id = data.azurerm_key_vault.soc_vault[0].id
 }
+
+data "azurerm_key_vault" "rhel_cert_vault" {
+ provider = azurerm.cnp
+ name = var.env == "prod" ? "infra-vault-prod" : "infra-vault-nonprod"
+ resource_group_name = local.cnp_vault_rg
+}
+
+data "azurerm_key_vault_secret" "rhel_cert" {
+ provider = azurerm.cnp
+ name = var.env == "prod" ? "rhel-cert-prod" : "rhel-cert"
+ key_vault_id = data.azurerm_key_vault.cnp_vault.id
+}
diff --git a/locals.tf b/locals.tf
index fe09a98..ee6fc78 100644
--- a/locals.tf
+++ b/locals.tf
@@ -24,6 +24,7 @@ locals {
 NESSUS_SERVER = var.nessus_server == null || var.nessus_server == "" ? local.nessus_server : var.nessus_server
 NESSUS_KEY = var.nessus_key == null || var.nessus_key == "" ? (length(data.azurerm_key_vault_secret.nessus_agent_key) > 0 ? data.azurerm_key_vault_secret.nessus_agent_key[0].value : "") : var.nessus_key
 NESSUS_GROUPS = var.nessus_groups == null || var.nessus_groups == "" ? "Platform-Operation-Bastions" : var.nessus_groups
+ RHEL_CERT = var.rhel_cert == null || var.rhel_cert == "" ? (length(data.azurerm_key_vault_secret.rhel_cert) > 0 ? data.azurerm_key_vault_secret.rhel_cert.value : "") : var.rhel_cert
 }), var.additional_script_path == null ? "" : file("${var.additional_script_path}")))
 additional_template_file = var.additional_script_uri != null ? format("%s%s%s", "[ ", "\"${var.additional_script_uri}\"", " ]") : "\"\""
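Review bot: The new `rhel_cert` secret takes its vault id from `data.azurerm_key_vault.cnp_vault.id`, while the vault this hunk declares is `rhel_cert_vault`, which nothing references. If `cnp_vault` is not declared elsewhere the plan fails on an unknown reference; if it is, `rhel_cert_vault` is dead code and the secret is read from whichever vault `cnp_vault` points at rather than the one selected by `var.env` here. Point the secret at the vault added in this change, `key_vault_id = data.azurerm_key_vault.rhel_cert_vault.id`, or remove the unused data source. `local.cnp_vault_rg` is not part of this patch, so it presumably already exists in locals.tf — worth confirming before merge.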
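Review bot: The `length(data.azurerm_key_vault_secret.rhel_cert) > 0` guard on the new `RHEL_CERT` line does not behave like the neighbouring `NESSUS_KEY` guard: `rhel_cert` is declared without `count` in keyvault.tf (and is read as `.value`, not `[0].value`), so `length()` is applied to a single object and the condition is always true. The data source is therefore always evaluated, and a missing `rhel-cert` secret fails the plan instead of falling back to `""`. Either give `rhel_cert` a `count` under the same condition as `nessus_agent_key` and index it as `data.azurerm_key_vault_secret.rhel_cert[0].value`, or drop the always-true guard so the expression says what it does. The `locals` block starts and ends outside the hunk.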
diff --git a/scripts/bootstrap_vm.sh b/scripts/bootstrap_vm.sh
index d2745e1..9a7e347 100644
--- a/scripts/bootstrap_vm.sh
+++ b/scripts/bootstrap_vm.sh
@@ -189,6 +189,18 @@ then
 install_nessus "${NESSUS_SERVER}" "${NESSUS_KEY}" "${NESSUS_GROUPS}"
 fi
+# Create directory /etc/pki/product/.
+mkdir -p /etc/pki/product/
+
+# Write the certificate.
+echo "${RHEL_CERT}" > /etc/pki/product/204.pem
+
+# Change the permission and ownership of this file.
+restorecon -Rv /etc/pki/product
+chown root.root /etc/pki/product/204.pem
+chmod 644 /etc/pki/product/204.pem
+rct cat-cert /etc/pki/product/204.pem
+
 # Check if the OS is RHEL 7
 if [[ "$OS_TYPE" == *"Red Hat Enterprise"* && "$OS_TYPE" == *"7."* ]]; then
 echo "This is Red Hat Enterprise Linux 7."
diff --git a/variables.tf b/variables.tf
index 443a90a..c604c8c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -316,3 +316,9 @@ variable "soc_vault_name" {
 type = string
 default = "soc-prod"
 }
+
+variable "rhel_cert" {
+ description = "Redhat linking key - read input from keyvault."
+ type = string
+ default = null
+}
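Review bot: The new block writes `${RHEL_CERT}` to `/etc/pki/product/204.pem` without checking that it is non-empty, and the Terraform side (locals.tf in this same patch) substitutes `""` when neither the variable nor the Key Vault secret supplies a value, so the fallback path produces an empty product certificate on disk and `rct cat-cert` will most likely fail on every boot. Wrap the block in `if [[ -n "${RHEL_CERT}" ]]; then … fi`, or fail with a clear message, so an empty value is reported rather than silently installed. The block also runs before the RHEL 7 check and invokes `restorecon` and `rct`, which may not be present on other images this script handles; unless the surrounding code is already RHEL-only (not visible in the hunk), guard it on `$OS_TYPE` the way the following block does. Minor: `chown root.root` uses the deprecated dot separator — `chown root:root /etc/pki/product/204.pem` is the portable form. The script continues on both sides of the hunk.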
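Review bot: The description of the new `rhel_cert` variable, "Redhat linking key", does not match how the module uses the value — bootstrap_vm.sh in this patch writes it verbatim as a PEM product certificate to `/etc/pki/product/204.pem` — so a caller reading the description could pass the wrong material. Suggest `description = "PEM-encoded RHEL product certificate written to /etc/pki/product/204.pem; when null, read from Key Vault."`. Since the value is otherwise fetched from a Key Vault secret, consider adding `sensitive = true` so it is redacted from plan output unless the team has confirmed the certificate is public.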