Fix #2175 - certs generate custom action fails in makefile command (#2177)

* Add cert renew

* Amended docs

* Remove unused custom action make

* re-added custom action make
jjgriff93 authored Jul 5, 2022
1 parent 05c6f31 commit e182ca0
Showing 3 changed files with 38 additions and 10 deletions.
1 change: 0 additions & 1 deletion Makefile
@@ -348,7 +348,6 @@ firewall-install:
nexus-install:
$(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
DIR="${MAKEFILE_DIR}/templates/shared_services/certs" BUNDLE_TYPE=shared_service PROPS="--domain_prefix nexus --cert_name nexus-ssl" \
&& $(MAKE) bundle-custom-action DIR=${MAKEFILE_DIR}/templates/shared_services/certs/ ACTION=generate \
&& $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
DIR=${MAKEFILE_DIR}/templates/shared_services/sonatype-nexus-vm/ BUNDLE_TYPE=shared_service
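Review bot: dropping the `bundle-custom-action ... ACTION=generate` step leaves `nexus-install` with no way to re-run certificate issuance on its own; issuance now happens only inside the certs bundle's `install`, so if the Let's Encrypt step fails the operator has to re-deploy the whole shared service or invoke the renamed `renew` action by hand. Consider adding a small target (for example `make bundle-custom-action DIR=${MAKEFILE_DIR}/templates/shared_services/certs/ ACTION=renew`) so the recovery path is as discoverable as the step removed here. Minor: the first `$(MAKE)` line quotes `DIR="${MAKEFILE_DIR}/..."` while the others do not; pick one form.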

16 changes: 10 additions & 6 deletions docs/tre-admins/setup-instructions/configuring-shared-services.md
@@ -2,7 +2,7 @@

## Deploy/configure Nexus manually

Setting `DEPLOY_NEXUS=true` in your `.env` and running `make all` will install and configure Nexus automatically. You can also
Setting `DEPLOY_NEXUS=true` in your `.env` and running `make all` will install and configure certs & Nexus automatically. You can also
do this by running `make nexus-install`.

If you're deploying a brand new environment and you didn't flag Nexus to be installed automatically, you should deploy the VM-based (V2) service manually (read section `A`). If you wish to migrate from an existing App Service Nexus service (V1) to the VM-based service, first manually deploy the new service (section `A`) then proceed to section `B`.
@@ -46,11 +46,9 @@ You can use the Certs Shared Service to set one up by following these steps:
!!! caution
If you have KeyVault Purge Protection enabled and are re-deploying your environment using the same `cert_name`, you may encounter this: `Status=409 Code=\"Conflict\" Message=\"Certificate nexus-ssl is currently in a deleted but recoverable state`. You need to either manually recover the certificate or purge it before redeploying.

1. Once the shared service has been deployed (which you can check by querying the `/api/shared-services/operations` method), copy its `resource_id`, then find the `POST` operation for `/api/shared-services/{shared_service_id}/invoke_action`, click `Try it out` and paste in the resource id into the `shared_service_id` field, and enter `generate` into the `action` field, then click `Execute`.
Once deployed, the certs service will use Letsencrypt to generate a certificate for the specified domain prefix followed by `-{TRE_ID}.{LOCATION}.cloudapp.azure.com`, so in our case, having entered `nexus`, this will be `nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com`, which will be the public domain for our Nexus service.

This will invoke the certs service to use Letsencrypt to generate a certificate for the specified domain prefix followed by `-{TRE_ID}.{LOCATION}.cloudapp.azure.com`, so in our case, having entered `nexus`, this will be `nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com`, which will be the public domain for our Nexus service.

Once this has completed, you can verify its success either from the operation output, or by navigating to your core keyvault (`kv-{TRE_ID}`) and looking for a certificate called `nexus-ssl` (or whatever you called it).
You can verify whether this has been successful by navigating to your core keyvault (`kv-{TRE_ID}`) and looking for a certificate called `nexus-ssl` (or whatever you called it).

After verifying the certificate has been generated, you can deploy Nexus:
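Review bot: the removed step was the only place in this page that explained how to invoke a custom action through `/api/shared-services/{shared_service_id}/invoke_action` (find the `POST`, paste the `resource_id` into `shared_service_id`, set `action`, `Execute`); since the new `renew` action is invoked exactly that way, those instructions should move to the renewal section rather than disappear. Also, because the Let's Encrypt step is now part of the bundle's `install`, a failed issuance surfaces as a failed deploy operation on `/api/shared-services/operations`, which is worth stating next to the keyvault check. Minor: "Letsencrypt" reads better as "Let's Encrypt".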

@@ -84,7 +82,7 @@ This will deploy the infrastructure required for Nexus, then start the service a

You can optionally go to the Nexus web interface by visiting `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/` in the jumpbox and signing in with the username `admin` and the password secret located in your core keyvault, with the key `nexus-admin-password`. Here you should be able to see all of the configured repositories and you can use the UI to manage settings etc.

Just bear in mind that if this service is redeployed any changes in the UI won't be persisted. If you wish to add new repositories or alter existing ones, use the JSON files within the `./nexus_repos_config` directory.
Just bear in mind that if this service is redeployed any changes made in the Nexus UI won't be persisted. If you wish to permanently add new repositories or alter existing ones, modify the JSON files within the `./nexus_repos_config` directory and redeploy.

### B. Migrate from an existing V1 Nexus service (hosted on App Service)

@@ -106,6 +104,12 @@ This has been created as a separate service as the domain name exposed for proxi

The original Nexus service that runs on App Service (located in `./templates/shared_services/sonatype-nexus`) has the bundle name `tre-shared-service-nexus` so can co-exist with the new VM-based shared service to enable smoother upgrading of existing resources.

## Renewing certificates for Nexus

The Nexus V2 service checks Keyvault regularly for the latest certificate matching the name you passed on deploy (`nexus-ssl` by default).

When approaching expiry, you can either provide an updated certificate if you brought your own, or if you used the certs shared service to generate one, just call the `renew` custom action on that service. This will generate a new certificate and persist it to the Keyvault.

## Configure Gitea repositories

Note : This is a Gitea *shared service* which will be accessible from all workspaces intended for mirroring external Git repositories. A Gitea *workspace service* can also be deployed per workspace to enable Gitea to be used within a specific workspace.
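Review bot: "just call the `renew` custom action on that service" does not say how; reuse the `invoke_action` steps deleted from section A above with `renew` in the `action` field (or the equivalent `make bundle-custom-action ... ACTION=renew`) so an operator can actually follow this section. It would also help to state that the renewed certificate is written under the same name (`nexus-ssl` or the custom `cert_name`), since the paragraph above says the Nexus V2 service polls Keyvault for the latest certificate matching that name. Minor: the caution earlier in this file writes "KeyVault", this section writes "Keyvault"; pick one.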
31 changes: 28 additions & 3 deletions templates/shared_services/certs/porter.yaml
@@ -1,6 +1,6 @@
---
name: tre-shared-service-certs
version: 0.0.13
version: 0.1.0
description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
registry: azuretre
dockerfile: Dockerfile.tmpl
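Review bot: the jump to 0.1.0 rather than 0.0.14 is the right call because the `generate` action is renamed to `renew` further down, which breaks any caller using the old name; say so in the commit message, which currently only reads "Add cert renew".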
@@ -63,6 +63,31 @@ install:
storage_account_name: "{{ bundle.parameters.tfstate_storage_account_name }}"
container_name: "{{ bundle.parameters.tfstate_container_name }}"
key: "{{ bundle.parameters.tre_id }}-shared-service-certs"
outputs:
- name: fqdn
- name: application_gateway_name
- name: storage_account_name
- name: resource_group_name
- name: keyvault_name
- az:
description: "Login to Azure"
arguments:
- login
flags:
identity:
username: "{{ bundle.credentials.azure_client_id }}"
- exec:
description: "Generate certificate"
command: bash
arguments:
- ./scripts/letsencrypt.sh
flags:
fqdn: "{{ bundle.outputs.fqdn }}"
application_gateway_name: "{{ bundle.outputs.application_gateway_name }}"
storage_account_name: "{{ bundle.outputs.storage_account_name }}"
resource_group_name: "{{ bundle.outputs.resource_group_name }}"
keyvault_name: "{{ bundle.outputs.keyvault_name }}"
cert_name: "{{ bundle.parameters.cert_name }}"

upgrade:
- exec:
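Review bot: the `az login` and `exec` steps added to `install` are a copy of the `renew` action's steps (same script, same six flags), while `upgrade` directly below gets none of them; confirm that an upgraded bundle is never expected to issue a certificate, or add the same steps there. Since `cert_name` now flows from a bundle parameter straight into the script's flags and into a Key Vault certificate name, check that the parameters section (not in this hunk) constrains it with a pattern so an odd value cannot break the shell invocation.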
@@ -89,7 +114,7 @@ uninstall:
container_name: "{{ bundle.parameters.tfstate_container_name }}"
key: "{{ bundle.parameters.tre_id }}-shared-service-certs"

generate:
renew:
- terraform:
arguments:
- "output"
@@ -113,7 +138,7 @@ generate:
identity:
username: "{{ bundle.credentials.azure_client_id }}"
- exec:
description: "Generate/renew certificate"
description: "Renew certificate"
command: bash
arguments:
- ./scripts/letsencrypt.sh
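Review bot: the description now says "Renew certificate", but the step runs the same `./scripts/letsencrypt.sh` as `install` and nothing in this hunk distinguishes a renewal from a fresh issuance; if the script issues unconditionally, document on the docs side that `renew` should only be called when the certificate is close to expiry, which the new docs section already hints at with "When approaching expiry".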
