Kv firewall

deployment/bin/deploy

@@ -113,16 +113,26 @@ setup_env
 
 if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 
+    bin/azlogin
+
+    require_env "DEPLOY_SECRETS_KV"
+    require_env "DEPLOY_SECRETS_KV_SECRET"
+    require_env "DEPLOY_SECRETS_KV_RG_NAME"
+    require_env "PCTASKS_TASK_KV"
+    require_env "PCTASKS_TASK_KV_RESOURCE_GROUP_NAME"
+
+    #########################
+    # Add IP to KV firewall #
+    #########################
+
+    bin/kv_add_ip
+
     #####################
     # Deploy Terraform  #
     #####################
 
-    bin/azlogin
-
     source ${TERRAFORM_DIR}/env.sh
 
-    require_env "DEPLOY_SECRETS_KV"
-    require_env "DEPLOY_SECRETS_KV_SECRET"
 
     if [ -z "${SKIP_FETCH_TF_VARS}${SKIP_TF}${DEV_DEPLOY}" ]; then
 
@@ -178,6 +188,12 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
 
     popd
 
+    ##############################
+    # Remove IP from KV firewall #
+    ##############################
+
+    bin/kv_rmv_ip
+
     ############################
     # Render Helm chart values #
     ############################

deployment/bin/kv_add_ip

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+if [[ "${CI}" ]]; then
+    set -x
+fi
+
+function usage() {
+    echo -n \
+        "Usage: $(basename "$0")
+Add runner public IP to Key Vault firewall allow list
+"
+}
+
+while [[ "$#" -gt 0 ]]; do case $1 in
+    *)
+        usage "Unknown parameter passed: $1"
+        shift
+        shift
+        ;;
+    esac done
+
+
+if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
+
+    runnerIpAddress=$(curl http://ipinfo.io/json | jq -r ".ip")
+
+    az keyvault network-rule add -g ${DEPLOY_SECRETS_KV_RG_NAME}  -n ${DEPLOY_SECRETS_KV} --ip-address $runnerIpAddress
+
+    az keyvault network-rule add -g ${PCTASKS_TASK_KV_RESOURCE_GROUP_NAME}  -n ${PCTASKS_TASK_KV} --ip-address $runnerIpAddress
+
+fi

deployment/bin/kv_rmv_ip

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+if [[ "${CI}" ]]; then
+    set -x
+fi
+
+function usage() {
+    echo -n \
+        "Usage: $(basename "$0")
+Remove runner public IP from Key Vault firewall allow list
+"
+}
+
+while [[ "$#" -gt 0 ]]; do case $1 in
+    *)
+        usage "Unknown parameter passed: $1"
+        shift
+        shift
+        ;;
+    esac done
+
+
+if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
+
+    runnerIpAddress=$(curl http://ipinfo.io/json | jq -r ".ip")
+
+    az keyvault network-rule remove -g ${DEPLOY_SECRETS_KV_RG_NAME}  -n ${DEPLOY_SECRETS_KV} --ip-address $runnerIpAddress
+
+    az keyvault network-rule remove -g ${PCTASKS_TASK_KV_RESOURCE_GROUP_NAME}  -n ${PCTASKS_TASK_KV} --ip-address $runnerIpAddress
+
+fi

deployment/docker-compose.yml

@@ -15,7 +15,6 @@ services:
       - GITHUB_TOKEN
       - GITHUB_REPOSITORY
       - GITHUB_ACTOR
-
     working_dir: /opt/src/deployment
     volumes:
       - ../deployment:/opt/src/deployment

deployment/terraform/dev/env.sh

@@ -2,3 +2,7 @@
 
 export DEPLOY_SECRETS_KV=pc-test-deploy-secrets
 export DEPLOY_SECRETS_KV_SECRET=pctasks-test-tfvars-rob
+export DEPLOY_SECRETS_KV_RG_NAME=pc-test-manual-resources
+
+export PCTASKS_TASK_KV=
+export PCTASKS_TASK_KV_RESOURCE_GROUP_NAME=

deployment/terraform/staging/env.sh

@@ -2,3 +2,7 @@
 
 export DEPLOY_SECRETS_KV=pc-test-deploy-secrets
 export DEPLOY_SECRETS_KV_SECRET=pctasks-test-tfvars-staging
+export DEPLOY_SECRETS_KV_RG_NAME=pc-test-manual-resources
+
+export PCTASKS_TASK_KV=kv-pctaskstest-staging
+export PCTASKS_TASK_KV_RESOURCE_GROUP_NAME=rg-pctaskstest-staging-westeurope