microsoft / AzureTRE

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

Key vault + stateful resources #3922

Closed PoojanumN closed 4 months ago

PoojanumN commented 5 months ago

By default the TRE is deployed with purge protection on the keyvault and stateful resource locks. These make sense in a prod environment but hinder development and redeployment in dev. If a keyvault already existed, for example, it will need to be imported into terraform state. Having this as a switchable option, however, aids development and delivery.

Please see information around this issue:

Tim Allen 26 February 2024 at 16:40

Need to remember to update the action.yml

Kevin O'Connor 26 February 2024 at 16:14 Edited

terraform apply -var="KV_PURGE_PROTECTION_ENABLED=true" -var="STATEFUL_RESOURCES_LOCKED=true"

etc etc

Kevin O'Connor 26 February 2024 at 16:13

Might need to update the variables.tf file to add these to it for the switch to work

    variable "KV_PURGE_PROTECTION_ENABLED" {
      description = "Enables or disables Key Vault purge protection"
      type        = bool
      default     = false
    }

    variable "STATEFUL_RESOURCES_LOCKED" {
      description = "Determines if stateful resources should be locked"
      type        = bool
      default     = false
    }

marrobi commented 5 months ago

I believe this is covered here - https://github.com/microsoft/AzureTRE/blob/c8e5ed39fb8d2839c9a25ee79fe2de8d22be32b2/config.sample.yaml#L67-L69 If it doesn't work as designed, then might need amending.

Also not sure it is a bug, but more of a feature request, that may already exist?

PoojanumN commented 5 months ago

@marrobi bug removed and added as Feature. @Danny-Cooke-CK please review the above and close as necessary

tim-allen-ck commented 4 months ago

I think the key vault purge protection wants adding either as a separate config flag or to the existing one

tim-allen-ck commented 4 months ago

Confirmed with @marrobi to add another developer setting

Danny-Cooke-CK commented 4 months ago

I've reviewed this and can see that the functionality is already there for key_vault, although in Imperial we have handled it more centrally.

In our code we have one variable set which covers every keyvault, but in the main code it gets set in every terraform provider in each part of the project like the below, so on that basis I'm closing this ticket.

    provider "azurerm" {
      features {
        key_vault {
          # Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
          purge_soft_delete_on_destroy               = false
          purge_soft_deleted_secrets_on_destroy      = false
          purge_soft_deleted_certificates_on_destroy = false
          purge_soft_deleted_keys_on_destroy         = false
          # When recreating an environment, recover any previously soft deleted secrets - set to true by default
          recover_soft_deleted_key_vaults   = true
          recover_soft_deleted_secrets      = true
          recover_soft_deleted_certificates = true
          recover_soft_deleted_keys         = true
        }
      }
    }

marrobi commented 4 months ago

@Danny-Cooke-CK I thought you were trying to disable purge protection, not sure the code in the provider does this...

Danny-Cooke-CK commented 4 months ago

Oh ok, I've made a mistake in my assumption here. Will look again.
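As an added illustration (not AzureTRE's code and not from any commenter) of where the two switches Kevin proposed would actually take effect, and of marrobi's point that the provider `features` block does not control purge protection: the vault attribute and the conditional lock below use the two variables from the thread plus hypothetical names for the vault, lock and inputs.

```hcl
# Added example, not AzureTRE's own code: it assumes the two variables Kevin
# proposed above and hypothetical names for the vault, lock and inputs.
variable "KV_PURGE_PROTECTION_ENABLED" {
  description = "Enables or disables Key Vault purge protection"
  type        = bool
  default     = false
}

variable "STATEFUL_RESOURCES_LOCKED" {
  description = "Determines if stateful resources should be locked"
  type        = bool
  default     = false
}

variable "location" { type = string }            # hypothetical input
variable "resource_group_name" { type = string } # hypothetical input

data "azurerm_client_config" "current" {}

# Purge protection is an attribute of the vault resource, not of the provider
# "features" block: the provider settings only decide whether Terraform tries
# to purge a soft-deleted vault on destroy, and that purge is rejected when
# purge protection is on. This attribute is the switch the issue asks for.
resource "azurerm_key_vault" "tre_kv" {
  name                       = "kv-tre-example" # hypothetical
  location                   = var.location
  resource_group_name        = var.resource_group_name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  # Azure never allows purge protection to be turned off again once enabled,
  # so a true -> false change on an existing vault is rejected by the API.
  purge_protection_enabled   = var.KV_PURGE_PROTECTION_ENABLED
}

# The lock is created only when STATEFUL_RESOURCES_LOCKED is true, so a dev
# deployment can be torn down without first removing a lock by hand.
resource "azurerm_management_lock" "tre_kv_lock" {
  count      = var.STATEFUL_RESOURCES_LOCKED ? 1 : 0
  name       = "${azurerm_key_vault.tre_kv.name}-lock"
  scope      = azurerm_key_vault.tre_kv.id
  lock_level = "CanNotDelete"
  notes      = "Prevents accidental deletion of TRE state in production"
}
```

With both variables false, `terraform destroy` removes the lock-free vault and, if the provider's `purge_soft_delete_on_destroy` is true, purges it too, so a redeploy does not need a state import; with both true you get the production posture the issue describes.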