From b1b3f0ac37061ce58fd74735ce5e2546c9df5058 Mon Sep 17 00:00:00 2001 From: fpittelo Date: Sat, 29 Nov 2025 10:14:04 +0100 Subject: [PATCH 1/5] #94 correction --- .github/workflows/deploy-infra.yaml | 7 +++++++ infra/main.tf | 2 ++ infra/variables.tf | 6 ++++++ 3 files changed, 15 insertions(+) diff --git a/.github/workflows/deploy-infra.yaml b/.github/workflows/deploy-infra.yaml index 6da4d6b..faf91c6 100644 --- a/.github/workflows/deploy-infra.yaml +++ b/.github/workflows/deploy-infra.yaml @@ -53,6 +53,13 @@ jobs: echo "TF_VAR_google_client_id=${{ secrets.GOOGLE_CLIENT_ID }}" >> $GITHUB_ENV echo "TF_VAR_google_client_secret=${{ secrets.GOOGLE_CLIENT_SECRET }}" >> $GITHUB_ENV + - name: Get Runner IP + id: ip + run: | + ip=$(curl -s https://api.ipify.org) + echo "Runner IP: $ip" + echo "TF_VAR_client_ip_address=$ip" >> $GITHUB_ENV + - name: Set Up Terraform uses: hashicorp/setup-terraform@v2 diff --git a/infra/main.tf b/infra/main.tf index 3587d41..01d958b 100644 --- a/infra/main.tf +++ b/infra/main.tf @@ -28,6 +28,8 @@ module "key_vault" { depends_on = [azurerm_resource_group.rg] tags = local.environment_vars.tags + + key_vault_ip_rules = var.client_ip_address != null ? [var.client_ip_address] : [] } # Get the current service principal/client object ID diff --git a/infra/variables.tf b/infra/variables.tf index 958bc2f..77e1685 100644 --- a/infra/variables.tf +++ b/infra/variables.tf @@ -186,3 +186,9 @@ variable "google_client_secret" { + +variable "client_ip_address" { + description = "The IP address of the client (e.g., GitHub Actions runner) to allow access to Key Vault." + type = string + default = null +} From 3ae713114db433041ba2fd96ad7ab5d76919b31c Mon Sep 17 00:00:00 2001 From: fpittelo Date: Sat, 29 Nov 2025 10:19:56 +0100 Subject: [PATCH 2/5] #95 set up --- infra/main.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/infra/main.tf b/infra/main.tf index 01d958b..3ad9783 100644 --- a/infra/main.tf +++ b/infra/main.tf 
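Review bot: The value captured by `ip=$(curl -s https://api.ipify.org)` is never validated before it is exported as TF_VAR_client_ip_address, so an HTTP error body (curl -s without -f exits 0 on 4xx/5xx) or an empty string flows straight into the Key Vault firewall configuration. Use `ip=$(curl -fsS --max-time 10 https://api.ipify.org)` and follow it with `[[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "unexpected ipify response: '$ip'"; exit 1; }` so the job fails closed instead of whitelisting garbage. The workflow also has to trust a third-party service for the address it opens the firewall to; a comment on the step saying so would help whoever later moves to a runner with a fixed egress address.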
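Review bot: `key_vault_ip_rules = var.client_ip_address != null ? [var.client_ip_address] : []` hands the module an empty list whenever the variable is unset, and what an empty list means (open to all networks or closed to everything) depends on the module's default network action, which is not in this hunk. A one-line comment stating the intended outcome, e.g. `# Empty list: no IP exceptions; the module's default network action decides whether the vault is reachable`, would make the fail-open/fail-closed behavior explicit. The `!= null` test also accepts an empty string, so `[""]` reaches Azure if the workflow exports a blank value; `var.client_ip_address != null && var.client_ip_address != ""` avoids that.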
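Review bot: `variable "client_ip_address"` accepts any string although its only consumer is a Key Vault firewall rule, so a malformed value is rejected only at apply time by Azure and an empty string passes the null check in main.tf. Add a validation block, e.g. `validation { condition = var.client_ip_address == null || can(cidrhost("${var.client_ip_address}/32", 0)); error_message = "client_ip_address must be a single IPv4 address." }`, so bad input fails at plan. The description could also say the address becomes a firewall exception (network reachability) rather than "access", since RBAC still governs what the caller may do once connected.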
@@ -44,6 +44,20 @@ resource "azurerm_role_assignment" "key_vault_secrets_officer" { depends_on = [module.key_vault] } +# Look up the user to grant access to +data "azuread_user" "admin_user" { + user_principal_name = "frederic.pitteloud@fpittelo.ch" +} + +# Assign Key Vault Administrator role to the user +resource "azurerm_role_assignment" "key_vault_admin_user" { + scope = module.key_vault.key_vault_id + role_definition_name = "Key Vault Administrator" + principal_id = data.azuread_user.admin_user.object_id + + depends_on = [module.key_vault] +} + resource "azurerm_key_vault_secret" "openai_key" { name = "openai-api-key" value = module.cognitive_account.openai_key From ca94b53497d816ad1765169f3361a56bddeff747 Mon Sep 17 00:00:00 2001 From: fpittelo Date: Sat, 29 Nov 2025 10:24:47 +0100 Subject: [PATCH 3/5] #94 second fix --- .github/workflows/deploy-infra.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/deploy-infra.yaml b/.github/workflows/deploy-infra.yaml index faf91c6..203ac0e 100644 --- a/.github/workflows/deploy-infra.yaml +++ b/.github/workflows/deploy-infra.yaml 
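Review bot: `user_principal_name = "frederic.pitteloud@fpittelo.ch"` hardcodes a personal identity into shared infrastructure code and grants it `Key Vault Administrator`, the broadest data-plane role on the vault. Move the UPN into a variable (or look up an Entra ID group and assign the role to the group) so access changes are reviewed as configuration rather than code edits, and add a comment on the role line recording why Administrator is needed instead of `Key Vault Secrets Officer` or `Key Vault Secrets User`. The `depends_on = [module.key_vault]` is redundant because `scope = module.key_vault.key_vault_id` already creates the dependency. The `azuread_user` data source also needs the `azuread` provider and directory read permission for the deploying principal; neither is visible in this patch, so worth confirming.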
@@ -59,6 +59,25 @@ jobs: ip=$(curl -s https://api.ipify.org) echo "Runner IP: $ip" echo "TF_VAR_client_ip_address=$ip" >> $GITHUB_ENV + echo "RUNNER_IP=$ip" >> $GITHUB_ENV + + - name: Add Runner IP to Key Vault Firewall + run: | + # Construct Key Vault name based on environment convention + KV_NAME="${{ env.ENVIRONMENT }}-alpinebot-vault" + + echo "Attempting to add IP $RUNNER_IP to Key Vault $KV_NAME..." + + # Check if Key Vault exists + if az keyvault show --name "$KV_NAME" --resource-group "${{ env.ENVIRONMENT }}-alpinebot" >/dev/null 2>&1; then + echo "Key Vault exists. Adding network rule..." + az keyvault network-rule add --name "$KV_NAME" --ip-address "$RUNNER_IP" + # Wait for propagation + sleep 30 + else + echo "Key Vault $KV_NAME does not exist (or is not accessible). Skipping network rule addition." + fi + - name: Set Up Terraform uses: hashicorp/setup-terraform@v2 From 0787806db29579ff5a14c51a344283db908e9e02 Mon Sep 17 00:00:00 2001 From: fpittelo Date: Sat, 29 Nov 2025 10:33:09 +0100 Subject: [PATCH 4/5] #94 third fix --- .github/workflows/deploy-infra.yaml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deploy-infra.yaml b/.github/workflows/deploy-infra.yaml index 203ac0e..e574645 100644 --- a/.github/workflows/deploy-infra.yaml +++ b/.github/workflows/deploy-infra.yaml 
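Review bot: `az keyvault network-rule add --name "$KV_NAME" --ip-address "$RUNNER_IP"` is never undone, so every run leaves another ephemeral GitHub-hosted runner address in the vault's allow-list, and those addresses are later reused by runners outside this repository. Add a matching cleanup step with `if: always()` that runs `az keyvault network-rule remove --name "$KV_NAME" --ip-address "$RUNNER_IP"` after Terraform finishes, unless the `key_vault_ip_rules` set in the previous commit is meant to be the single source of truth, in which case this step duplicates it and the CLI change is likely reconciled away by the next apply. The `>/dev/null 2>&1` on `az keyvault show` also makes the else branch treat an authorization failure the same as a missing vault and continue silently; at minimum let stderr reach the log.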
@@ -65,15 +65,20 @@ jobs: run: | # Construct Key Vault name based on environment convention KV_NAME="${{ env.ENVIRONMENT }}-alpinebot-vault" + RG_NAME="${{ env.ENVIRONMENT }}-alpinebot" - echo "Attempting to add IP $RUNNER_IP to Key Vault $KV_NAME..." + echo "Attempting to add IP $RUNNER_IP to Key Vault $KV_NAME in Resource Group $RG_NAME..." - # Check if Key Vault exists - if az keyvault show --name "$KV_NAME" --resource-group "${{ env.ENVIRONMENT }}-alpinebot" >/dev/null 2>&1; then + # Check if Key Vault exists (verbose) + if az keyvault show --name "$KV_NAME" --resource-group "$RG_NAME"; then echo "Key Vault exists. Adding network rule..." - az keyvault network-rule add --name "$KV_NAME" --ip-address "$RUNNER_IP" - # Wait for propagation - sleep 30 + az keyvault network-rule add --name "$KV_NAME" --resource-group "$RG_NAME" --ip-address "$RUNNER_IP" + + echo "Network rule added. Verifying..." + az keyvault network-rule list --name "$KV_NAME" --resource-group "$RG_NAME" + + echo "Waiting 60 seconds for propagation..." + sleep 60 else echo "Key Vault $KV_NAME does not exist (or is not accessible). Skipping network rule addition." fi From 15c04559933befaec3d3649de43a6131d65bab18 Mon Sep 17 00:00:00 2001 From: fpittelo Date: Sat, 29 Nov 2025 10:48:38 +0100 Subject: [PATCH 5/5] #94 fourth update --- .github/workflows/deploy-infra.yaml | 28 ---------------------------- infra/main.tf | 18 ++++++++++++++++-- infra/providers.tf | 8 ++++++++ infra/variables.tf | 6 +----- 4 files changed, 25 insertions(+), 35 deletions(-) diff --git a/.github/workflows/deploy-infra.yaml b/.github/workflows/deploy-infra.yaml index e574645..fd067d2 100644 --- a/.github/workflows/deploy-infra.yaml +++ b/.github/workflows/deploy-infra.yaml 
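Review bot: Dropping `>/dev/null 2>&1` from `az keyvault show` prints the whole vault resource, including its access policies and network ACL, into the workflow log on every run, and the branch still cannot tell "not found" from "not authorized". Use `az keyvault show --name "$KV_NAME" --resource-group "$RG_NAME" --query name -o tsv` to keep the existence check quiet while still surfacing errors on stderr. The `sleep 60` remains an unverified fixed wait even though `az keyvault network-rule list` is already called; a bounded loop that re-runs the list command until its output contains `$RUNNER_IP`, and fails if it never does, would replace guesswork with a check. The enclosing step starts before this hunk.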
@@ -53,35 +53,7 @@ jobs: echo "TF_VAR_google_client_id=${{ secrets.GOOGLE_CLIENT_ID }}" >> $GITHUB_ENV echo "TF_VAR_google_client_secret=${{ secrets.GOOGLE_CLIENT_SECRET }}" >> $GITHUB_ENV - - name: Get Runner IP - id: ip - run: | - ip=$(curl -s https://api.ipify.org) - echo "Runner IP: $ip" - echo "TF_VAR_client_ip_address=$ip" >> $GITHUB_ENV - echo "RUNNER_IP=$ip" >> $GITHUB_ENV - - name: Add Runner IP to Key Vault Firewall - run: | - # Construct Key Vault name based on environment convention - KV_NAME="${{ env.ENVIRONMENT }}-alpinebot-vault" - RG_NAME="${{ env.ENVIRONMENT }}-alpinebot" - - echo "Attempting to add IP $RUNNER_IP to Key Vault $KV_NAME in Resource Group $RG_NAME..." - - # Check if Key Vault exists (verbose) - if az keyvault show --name "$KV_NAME" --resource-group "$RG_NAME"; then - echo "Key Vault exists. Adding network rule..." - az keyvault network-rule add --name "$KV_NAME" --resource-group "$RG_NAME" --ip-address "$RUNNER_IP" - - echo "Network rule added. Verifying..." - az keyvault network-rule list --name "$KV_NAME" --resource-group "$RG_NAME" - - echo "Waiting 60 seconds for propagation..." - sleep 60 - else - echo "Key Vault $KV_NAME does not exist (or is not accessible). Skipping network rule addition." - fi - name: Set Up Terraform diff --git a/infra/main.tf b/infra/main.tf index 3ad9783..600f57f 100644 --- a/infra/main.tf +++ b/infra/main.tf @@ -14,6 +14,12 @@ resource "azurerm_resource_group" "rg" { } #### Create the Azure Key Vault ##### + +# Retrieve the runner's public IP +data "http" "ip" { + url = "https://api.ipify.org" +} + module "key_vault" { source = "../modules/key_vault" 
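Review bot: `data "http" "ip"` feeds `response_body` to the firewall with no check that the request succeeded or that the body is an address; with hashicorp/http 3.x a non-2xx response is not an error, so an error page or empty body would become the vault's only firewall rule. Add a `lifecycle` postcondition on the data source requiring `self.status_code == 200` and a body that parses as an IPv4 address, as below. Plan and apply running on different runners will also see different addresses, so this data source will produce a perpetual diff on the network ACL unless both stages share a runner, which cannot be confirmed from this patch.
```hcl
data "http" "ip" {
  url = "https://api.ipify.org"

  lifecycle {
    postcondition {
      condition     = self.status_code == 200 && can(cidrhost("${trimspace(self.response_body)}/32", 0))
      error_message = "api.ipify.org did not return a usable IPv4 address."
    }
  }
}
```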
@@ -29,7 +35,14 @@ module "key_vault" { tags = local.environment_vars.tags - key_vault_ip_rules = var.client_ip_address != null ? [var.client_ip_address] : [] + key_vault_ip_rules = [data.http.ip.response_body] +} + +# Wait for firewall rule propagation +resource "time_sleep" "wait_for_firewall" { + create_duration = "60s" + + depends_on = [module.key_vault] } # Get the current service principal/client object ID @@ -66,7 +79,8 @@ resource "azurerm_key_vault_secret" "openai_key" { depends_on = [ module.key_vault, module.cognitive_account, - azurerm_role_assignment.key_vault_secrets_officer + azurerm_role_assignment.key_vault_secrets_officer, + time_sleep.wait_for_firewall ] } diff --git a/infra/providers.tf b/infra/providers.tf index 0b2d347..fd0637b 100644 --- a/infra/providers.tf +++ b/infra/providers.tf @@ -19,6 +19,14 @@ terraform { source = "cyrilgdn/postgresql" version = "1.17.0" } + http = { + source = "hashicorp/http" + version = "~> 3.4.0" + } + time = { + source = "hashicorp/time" + version = "~> 0.9.0" + } } backend "azurerm" { diff --git a/infra/variables.tf b/infra/variables.tf index 77e1685..8eee13d 100644 --- a/infra/variables.tf +++ b/infra/variables.tf @@ -187,8 +187,4 @@ variable "google_client_secret" { -variable "client_ip_address" { - description = "The IP address of the client (e.g., GitHub Actions runner) to allow access to Key Vault." - type = string - default = null -} +
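Review bot: `resource "time_sleep" "wait_for_firewall"` has no `triggers`, so the 60s delay runs only when the resource is first created; on later applies where `key_vault_ip_rules = [data.http.ip.response_body]` changes to a new runner address, the secrets are written without waiting for the rule to propagate. Add `triggers = { client_ip = data.http.ip.response_body }` so the sleep re-runs whenever the rule changes, and consider `trimspace(data.http.ip.response_body)` to guard against a trailing newline. The list now holds only the current runner's address and is rewritten only by the next apply, so the last runner's ephemeral address stays allowed between runs; RBAC still gates the data plane, but a comment noting this residual exposure would help whoever operates the vault.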
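Review bot: Only `azurerm_key_vault_secret.openai_key` gains `time_sleep.wait_for_firewall` in its `depends_on`; any other `azurerm_key_vault_secret` resources in this file (the workflow exports Google client credentials as TF_VARs, which suggests there are some) would still race the firewall rule and hit the same propagation problem this commit works around. Either add the same dependency to each secret resource or document on this line why only this one needs it. The `depends_on` list continues outside the hunk.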
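Review bot: The new `http` and `time` entries use floating constraints (`version = "~> 3.4.0"`, `version = "~> 0.9.0"`) while the neighbouring `postgresql` entry pins `1.17.0` exactly; pick one convention for the `required_providers` block and commit the updated `.terraform.lock.hcl` so every runner resolves the same provider builds. The `azuread` provider needed by the `azuread_user` data source added earlier in this series is not shown in this hunk, so it is worth confirming it is declared.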