Use SSH instead of authentication token to access code repository (#25)

Remove need for aithentication token

Author: fmeheust

README.md

@@ -42,7 +42,7 @@ For deploying your Java App with the App Stack, here is the list of OCI prerequi
 - **IAM:** The following rights are needed:
   - Two *dynamic groups* need to be created, one for *container instances* and the other for *DevOps*.
   - *Container instances* should be allowed to **read** **repos**. This will allow container instances to fetch the container image generated by the stack from the container registry.
-  - *DevOps* should be allowed to: **read** **secret-family** and **all-artifacts**; **use** **ons-topics**, **load-balancers** and **virtual-network-family**; and **manage** **devops-family**, **compute-container-instances**, **compute-containers** and **devops-family**. This will allow *DevOps* to build and deploy the application.
+  - *DevOps* should be allowed to: **read** **secret-family** and **all-artifacts**; **use** **ons-topics**, **load-balancers** and **virtual-network-family**; and **manage** **devops-family**, **generic-artifacts**, **repos**, **compute-container-instances** and **compute-containers**. This will allow *DevOps* to build and deploy the application.
   ```
   Allow dynamic-group 'appstack-container-instances' to read repos in tenancy 
   Allow dynamic-group 'appstack-devops' to read secret-family in tenancy
@@ -52,6 +52,8 @@ For deploying your Java App with the App Stack, here is the list of OCI prerequi
   Allow dynamic-group 'appstack-devops' to use virtual-network-family in tenancy
   Allow dynamic-group 'appstack-devops' to manage compute-container-instances in tenancy
   Allow dynamic-group 'appstack-devops' to manage compute-containers in tenancy
+  Allow dynamic-group 'appstack-devops' to manage repos in tenancy
+  Allow dynamic-group 'appstack-devops' to manage generic-artifacts in tenancy
   Allow dynamic-group 'appstack-devops' to manage devops-family in tenancy
   ```
 

config-repo.tf

@@ -16,6 +16,29 @@ resource "oci_devops_repository" "config_repo" {
   count = (local.use-image ? 0 : 1)
 }
 
+resource "tls_private_key" "rsa_api_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "oci_identity_api_key" "user_api_key" {
+    #Required
+    key_value = tls_private_key.rsa_api_key.public_key_pem
+    user_id = var.current_user_ocid
+}
+
+resource "local_file" "api_private_key" {
+  depends_on = [ tls_private_key.rsa_api_key ]
+  filename = "${path.module}/api-private-key.pem"
+  content = tls_private_key.rsa_api_key.private_key_pem
+}
+
+resource "local_file" "ssh_config" {
+  filename = "${path.module}/ssh_config"
+  content = data.template_file.ssh_config.rendered
+}
+
+
 # creates necessary files to configure Docker image
 # creates the Dockerfile
 resource "local_file" "dockerfile" {
@@ -71,12 +94,64 @@ resource "null_resource" "create_config_repo" {
     local_file.wallet,
     local_file.self_signed_certificate,
     local_file.oci_build_config,
+    local_file.ssh_config,
     random_password.wallet_password
   ]
 
+  # create .ssh directory
+  provisioner "local-exec" {
+    command = "mkdir ~/.ssh"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
+  # copy private key
+  provisioner "local-exec" {
+    command = "cp api-private-key.pem ~/.ssh/private-key.pem"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
+  # copy ssh-config
+  provisioner "local-exec" {
+    command = "cp ssh_config ~/.ssh/config"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
+  provisioner "local-exec" {
+    command = "less ~/.ssh/config"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
+  provisioner "local-exec" {
+    command = "less ~/.ssh/private-key.pem"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
+  provisioner "local-exec" {
+    command = "chmod 400 ~/.ssh/private-key.pem"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
+  provisioner "local-exec" {
+    command = "chmod 600 ~/.ssh/config"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
+  provisioner "local-exec" {
+    command = "ls -lai ~/.ssh"
+    on_failure = fail
+    working_dir = "${path.module}"
+  }
+
   # clone new repository
   provisioner "local-exec" {
-    command = "git clone ${local.config_repo_url}"
+    command = "git -c core.sshCommand='ssh -o StrictHostKeyChecking=no' clone ${oci_devops_repository.config_repo[0].ssh_url}"
     on_failure = fail
     working_dir = "${path.module}"
   }

datasources.tf

@@ -59,13 +59,8 @@ data "oci_artifacts_generic_artifact" "app_artifact" {
 
 # build spec file
 data "template_file" "oci_deploy_config" {
-  depends_on = [
-    oci_vault_secret.auth_token_secret
-  ]
   template = "${file("${path.module}/deploy.yaml.template")}"
   vars = {
-    oci_token = local.auth_token_secret
-    config_repo_url = local.config_repo_url
     config_repo_name = local.config_repo_name
     artifact_ocid = oci_generic_artifacts_content_artifact_by_path.update_container_instance_script.id
     registry_ocid = oci_artifacts_repository.application_repository.id
@@ -89,6 +84,16 @@ data "template_file" "deploy_script" {
   count = var.nb_copies
 }
 
+data "template_file" "ssh_config" {
+  depends_on = [
+    local_file.api_private_key
+  ]
+  template = "${file("${path.module}/ssh_config.template")}"
+  vars = {
+    "user" = local.ssh_login
+  }
+}
+
 data "oci_identity_api_keys" "dbconnection_api_key" {
   user_id = var.current_user_ocid
 }

devops.tf

@@ -177,12 +177,58 @@ resource "oci_devops_build_pipeline_stage" "art_build_pipeline_stage" {
   count = local.use-artifact ? 1 : 0
 }
 
+# image artifact
+resource "oci_devops_deploy_artifact" "container_image_artifact" {
+  argument_substitution_mode = "NONE"
+  deploy_artifact_type       = "DOCKER_IMAGE"
+  project_id                 = local.project_id
+  display_name               = "Container image"
+
+  deploy_artifact_source {
+    image_uri = local.image-latest-tag
+    deploy_artifact_source_type = "OCIR"
+  }
+}
+
+
+# push image to container registry
+resource "oci_devops_build_pipeline_stage" "push_image_to_container_registry" {
+  depends_on = [ 
+    oci_devops_build_pipeline_stage.repo_build_pipeline_stage,
+    oci_devops_build_pipeline_stage.art_build_pipeline_stage,
+    oci_artifacts_container_repository.application-container-repository
+  ]
+    build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id)
+    build_pipeline_stage_predecessor_collection {
+        items {
+            id = (local.use-repository ? oci_devops_build_pipeline_stage.repo_build_pipeline_stage[0].id : oci_devops_build_pipeline_stage.art_build_pipeline_stage[0].id)
+        }
+    }
+    build_pipeline_stage_type = "DELIVER_ARTIFACT"
+
+    deploy_pipeline_id = oci_devops_deploy_pipeline.deploy_pipeline.id
+    description = "Push image to container registry"
+    display_name = "Push image to container registry"
+
+    deliver_artifact_collection {
+      items {
+        artifact_id = oci_devops_deploy_artifact.container_image_artifact.id
+        artifact_name = "application_image"
+      }
+    }
+    is_pass_all_parameters_enabled = false
+    count = (local.use-image ? 0 : 1)
+}
+
 # artifact or source case:
 resource "oci_devops_build_pipeline_stage" "trigger_deployment" {
+  depends_on = [ 
+    oci_devops_build_run.create_docker_image
+  ]
     build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id)
     build_pipeline_stage_predecessor_collection {
         items {
-            id = (local.use-repository ? oci_devops_build_pipeline_stage.repo_build_pipeline_stage[0].id : oci_devops_build_pipeline_stage.art_build_pipeline_stage[0].id)
+            id = oci_devops_build_pipeline_stage.push_image_to_container_registry[0].id
         }
     }
     build_pipeline_stage_type = "TRIGGER_DEPLOYMENT_PIPELINE"
@@ -198,20 +244,18 @@ resource "oci_devops_build_pipeline_stage" "trigger_deployment" {
 
 resource "oci_devops_trigger" "generated_oci_devops_trigger" {
   depends_on = [
-    oci_devops_build_pipeline_stage.repo_build_pipeline_stage,
-    oci_devops_build_pipeline_stage.art_build_pipeline_stage,
-    oci_artifacts_container_repository.application-container-repository
+    oci_devops_build_run.create_docker_image
   ]
 	actions {
 		build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id)
 		type = "TRIGGER_BUILD_PIPELINE"
-	filter {
-	  trigger_source = "DEVOPS_CODE_REPOSITORY"
-	  events = ["PUSH"]
-	  include {
-	    head_ref = var.branch
-	  }
-	}
+    filter {
+      trigger_source = "DEVOPS_CODE_REPOSITORY"
+      events = ["PUSH"]
+      include {
+        head_ref = var.branch
+      }
+    }
 	}
 	display_name = "${local.application_name}-trigger"
 	project_id = local.project_id
@@ -223,12 +267,7 @@ resource "oci_devops_trigger" "generated_oci_devops_trigger" {
 # run the pipeline
 resource "oci_devops_build_run" "create_docker_image" {
   depends_on = [
-    oci_artifacts_container_repository.application-container-repository,
-    oci_devops_build_pipeline.build_pipeline,
-    oci_devops_build_pipeline.build_pipeline_artifact,
-    oci_devops_build_pipeline_stage.repo_build_pipeline_stage,
-    oci_devops_build_pipeline_stage.art_build_pipeline_stage,
-    null_resource.commit_config_repo
+    oci_devops_build_pipeline_stage.push_image_to_container_registry
   ]
   dynamic "build_run_arguments" {
     for_each = local.use-artifact ? [1] : []
@@ -261,15 +300,12 @@ resource "oci_devops_deploy_artifact" "deploy_yaml_artifact" {
 }
 
 resource "oci_devops_deploy_pipeline" "deploy_pipeline" {
-  depends_on = [
-    oci_devops_deploy_artifact.deploy_yaml_artifact
-  ]
   project_id   = local.project_id
   description  = "Deploy pipeline"
   display_name = "${local.application_name}-deploy"
 }
 
- resource "oci_devops_deploy_stage" "deploy_stage" {
+resource "oci_devops_deploy_stage" "deploy_stage" {
    depends_on = [
     oci_devops_deploy_pipeline.deploy_pipeline
   ]

interface.yaml

@@ -30,8 +30,6 @@ variableGroups:
 ###APPLICATION_GROUP###
   - title: "Stack authentication"
     variables:
-      - use_existing_token
-      - current_user_token
       - use_existing_vault
       - new_vault_display_name
       - vault_compartment_id
@@ -246,17 +244,6 @@ variables:
     visible:
       and:
         - use_existing_vault
-  use_existing_token:
-    type: boolean
-    required: true
-    title: Use existing authentication token
-    description: This token will be used by the stack to authenticate the user when connecting to the code repository or container registry.
-    default: true
-  current_user_token:
-    type: password
-    required: true
-    title: User's authentication token
-    visible: use_existing_token
 ###APP_CONFIG###
   # FQDN
   create_fqdn:

java/build-artifact.yaml.template

@@ -7,7 +7,6 @@ timeoutInSeconds: 10000
 shell: bash
 env:
   vaultVariables:
-    OCI_TOKEN : "${oci_token}"
     DB_USER_PASSWORD : "${db_user_password}"
     WALLET_PASSWORD : "${wallet_password}"
 inputArtifacts:
@@ -41,15 +40,7 @@ steps:
     failImmediatelyOnError: true
     command: |
       docker build . --file Dockerfile --tag ${image_remote_tag}:${image_tag}-$${artifact_version} --tag ${image_latest_tag}
-  - type: Command
-    name: Login to repo
-    timeoutInSeconds: 900
-    failImmediatelyOnError: true
-    command: |
-      echo $${OCI_TOKEN} | docker login ${container_registry_repo} --username ${login} --password-stdin
-  - type: Command
-    name: Push image
-    timeoutInSeconds: 600
-    failImmediatelyOnError: true
-    command: |
-      docker push ${image_remote_tag} --all-tags
+outputArtifacts:
+  - name: application_image
+    type: DOCKER_IMAGE
+    location: ${image_latest_tag}

java/build-repo.yaml.template

@@ -10,7 +10,6 @@ env:
   variables:
     JAVA_HOME : "/usr/java/latest"
   vaultVariables:
-    OCI_TOKEN : "${oci_token}"
     DB_USER_PASSWORD : "${db_user_password}"
     WALLET_PASSWORD : "${wallet_password}"
 steps: 
@@ -70,15 +69,7 @@ steps:
       export commit=$(git rev-list --all --max-count=1 --abbrev-commit)
       cd $${OCI_WORKSPACE_DIR}/${config_repo_name}
       docker build . --file Dockerfile --tag ${image_remote_tag}:${image_tag}-$commit --tag ${image_latest_tag}
-  - type: Command
-    name: Login to repo
-    timeoutInSeconds: 900
-    failImmediatelyOnError: true
-    command: |
-      echo $${OCI_TOKEN} | docker login ${container_registry_repo} --username ${login} --password-stdin
-  - type: Command
-    name: Push image
-    timeoutInSeconds: 600
-    failImmediatelyOnError: true
-    command: |
-      docker push ${image_remote_tag} --all-tags
+outputArtifacts:
+  - name: application_image
+    type: DOCKER_IMAGE
+    location: ${image_latest_tag}

java/java-datasources.tf

@@ -41,9 +41,6 @@ data "template_file" "catalina_sh" {
 
 # build spec file
 data "template_file" "oci_build_config" {
-  depends_on = [
-    oci_vault_secret.auth_token_secret
-  ]
   template = "${(local.use-repository ? file("${path.module}/build-repo.yaml.template") : file("${path.module}/build-artifact.yaml.template"))}"
   vars = {
     image_remote_tag = "${local.image-remote-tag}"
@@ -55,7 +52,6 @@ data "template_file" "oci_build_config" {
     artifact_location = var.artifact_location
     artifact_path = (local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].artifact_path : "")
     artifact_version = (local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].version : "")
-    oci_token = local.auth_token_secret
     repo_name = (local.use-repository ? data.oci_devops_repository.devops_repository[0].name : "")
     config_repo_name = local.config_repo_name
     artifactId = (local.use-artifact ? var.artifact_id : "")

screenshots/7_Vault.png

@@ -0,0 +1,3 @@
+Host devops.scmservice.*.oci.oraclecloud.com
+User ${user}
+IdentityFile ~/.ssh/private-key.pem