microsoft / AzureTRE

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

Renew Lets Encrypt Certificates GitHub Action is broken #3978

Closed jonnyry closed 3 months ago

jonnyry commented 3 months ago

The Renew Lets Encrypt Certificates GitHub Action is broken...

1. Fails with AZURE_ENVIRONMENT: unbound variable


Fixing this by adding the following line to env vars on line 38 of the lets_encrypt.yml:

AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}

Fixing the above then produces the next issue...

2. Fails on Azure login with tenant not found error


Looking more closely at the yaml, it looks like SUBSCRIPTION_ID and TENANT_ID have their values mixed up:

https://github.com/microsoft/AzureTRE/blob/1ffb09baf37f4599adfd65b4259fdda7564da408/.github/workflows/lets_encrypt.yml#L41-L42

Fixing the above then produces the next issue...

3. Fails to initialise terraform backend


The error above is produced by the following lines:

https://github.com/microsoft/AzureTRE/blob/1ffb09baf37f4599adfd65b4259fdda7564da408/core/terraform/outputs.sh#L8-L15

It appears that the env vars are not making it into the terraform initialize command...

TF_VAR_mgmt_resource_group_name
TF_VAR_mgmt_storage_account_name
TF_VAR_terraform_state_container_name

Changing the following lines in letsencrypt.yaml from:

https://github.com/microsoft/AzureTRE/blob/1ffb09baf37f4599adfd65b4259fdda7564da408/.github/workflows/lets_encrypt.yml#L44-L47

to:

          TF_VAR_terraform_state_container_name: ${{ secrets.TERRAFORM_STATE_CONTAINER_NAME || 'tfstate' }}
          TF_VAR_mgmt_resource_group_name: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
          TF_VAR_mgmt_storage_account_name: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}

fixes issue 3, and allows a certificate to be generated.

jonnyry commented 3 months ago

In summary the following fixes are required to lets_encrypt.yaml:

Make the following changes under the env section of the Renew Certificates job step:

1. Add the following line

AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}

2. Change the following lines from:

ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
ARM_TENANT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).subscriptionId }}

To:

ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).subscriptionId }}
ARM_TENANT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}

3. Change the following lines from:

TERRAFORM_STATE_CONTAINER_NAME: ${{ secrets.TERRAFORM_STATE_CONTAINER_NAME && secrets.TERRAFORM_STATE_CONTAINER_NAME || 'tfstate' }}
MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}

To:

TF_VAR_terraform_state_container_name: ${{ secrets.TERRAFORM_STATE_CONTAINER_NAME || 'tfstate' }}
TF_VAR_mgmt_resource_group_name: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
TF_VAR_mgmt_storage_account_name: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
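The three misconfigurations above are easy to reintroduce when a workflow is edited. The following is an added example (not code from the issue or from the AzureTRE project) of a small lint that reads the `env:` block of a job step as text and reports the same three failure modes; the sample blocks are constructed from the lines quoted in this issue, and the check on `.subscriptionId` / `.tenantId` is a plain substring test, which is an assumption about how the expressions are written rather than a full expression parser.

```python
import re

# Terraform variables that core/terraform/outputs.sh expects to arrive as TF_VAR_* env vars
REQUIRED_TF_VARS = (
    "mgmt_resource_group_name",
    "mgmt_storage_account_name",
    "terraform_state_container_name",
)

# Which field of the AZURE_CREDENTIALS JSON each ARM_* variable must be read from
EXPECTED_CREDENTIAL_FIELD = {
    "ARM_SUBSCRIPTION_ID": "subscriptionId",
    "ARM_TENANT_ID": "tenantId",
}

_ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")


def parse_env_block(text):
    """Return {name: expression} for the 'KEY: value' lines of an env: block."""
    env = {}
    for line in text.splitlines():
        m = _ENV_LINE.match(line)
        if m and m.group(1) != "env":
            env[m.group(1)] = m.group(2)
    return env


def lint_env_block(text):
    """Return a list of findings, one per misconfiguration described in the issue."""
    env = parse_env_block(text)
    findings = []
    if "AZURE_ENVIRONMENT" not in env:
        findings.append("AZURE_ENVIRONMENT is not set (outputs.sh fails with 'unbound variable')")
    for name, field in EXPECTED_CREDENTIAL_FIELD.items():
        expr = env.get(name, "")
        if f".{field}" not in expr:
            findings.append(f"{name} does not read .{field} from AZURE_CREDENTIALS (got: {expr or 'unset'})")
    for var in REQUIRED_TF_VARS:
        if f"TF_VAR_{var}" not in env:
            findings.append(f"TF_VAR_{var} is missing; terraform init will not receive {var}")
    return findings


# Constructed sample: the env block as it was before the fix (values swapped, no TF_VAR_ prefix)
BUGGY_ENV = """\
env:
  ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
  ARM_TENANT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).subscriptionId }}
  TERRAFORM_STATE_CONTAINER_NAME: ${{ secrets.TERRAFORM_STATE_CONTAINER_NAME || 'tfstate' }}
  MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
  MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
"""

# Constructed sample: the env block with all three fixes from this issue applied
FIXED_ENV = """\
env:
  AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}
  ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).subscriptionId }}
  ARM_TENANT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
  TF_VAR_terraform_state_container_name: ${{ secrets.TERRAFORM_STATE_CONTAINER_NAME || 'tfstate' }}
  TF_VAR_mgmt_resource_group_name: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
  TF_VAR_mgmt_storage_account_name: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
"""

if __name__ == "__main__":
    for finding in lint_env_block(BUGGY_ENV):
        print("buggy:", finding)
    print("fixed:", lint_env_block(FIXED_ENV) or "no findings")
```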