feat(m365): Use Managed Identity for Getting Application Certificate in Container (#6)

* use managed identity to access app certificate directly from container
* update Terraform providers; change storage urls, add docs for setting subscrption_id
* remove cert rotation
* update readme variables and util file
* fix apply loop with containers by setting ip type to private
* add instruction for setting environment in provider.tf
* change keyvault name on serial number change

Author: jacdavi

m365/README.adoc

@@ -46,28 +46,31 @@ It is expected that this code is deployed by a user with administrator privledge
 [#deploy]
 === Deploying with Terraform
 
+. Run `az login` if not already done to configure your credentials
 . Prepare a directory for your deployment
 .. Change directories to `m365/terraform/env`
 .. Create a copy of the `example` directory with a name of your choice (e.g., `<myenv>`). **The remaining steps should be completed in this new directory**
 . Update variables and configurations
 .. In your new directory, `<myenv>`, modify the `variables.tfvars` file to configure the deployment for your needs
 ... Set `contact_emails` to administrators' emails and set `resource_group_name` to the resource group to create and deploy infrastructure in
 ... Review the defaults used for optional variables in <<terraform-variables>>. Some of these may need to be modified depending on your environment
-.. (Optional, but recommended) Modify the `provider.tf` file to configure Terraform to store state in Azure. See external https://developer.hashicorp.com/terraform/language/backend/azurerm[documentation]
+.. In `provider.tf`, replace `<YOUR_SUBSCRIPTION_UUID>` with the Subscription ID you'll be deploying in. The subscription ID can be found in the console, or as the `id` field output by the command `az account show`
+.. If you are deploying in GCC High, update `provider.tf` to replace the two instances of `environment = "public"` with `environment = "usgovernment"`
+.. (Optional, but recommended) Modify the `provider.tf` file to configure Terraform to store state in Azure. See external https://developer.hashicorp.com/terraform/language/backend/azurerm[documentation].
 . Run terraform
-.. Run `az login` if not already done to configure your credentials
 .. In your `<myenv>` directory, Run `terraform init`. This only needs to be done once unless providers are updated
 .. In your `<myenv>` directory, Run `terraform apply -var-file=variables.tfvars`. Confirm changes meet your expectations then type "yes"
 . Onboard a tenant following the guidance in <<onboard>>
 
 .Example of completing steps 1-3 in bash
 [source,shell]
 ----
+$ az login
 $ cd m365/terraform/env
 m365/terraform/env$ cp -r example myenv
 m365/terraform/env$ cd myenv
 m365/terraform/env/myenv$ vim variables.tfvars
-m365/terraform/env/myenv$ az login
+m365/terraform/env/myenv$ vim provider.tf
 m365/terraform/env/myenv$ terraform init # only needed once
 m365/terraform/env/myenv$ terraform apply -var-file=variables.tfvars
 ----
@@ -77,9 +80,8 @@ m365/terraform/env/myenv$ terraform apply -var-file=variables.tfvars
 This section provides the description for all terraform variables sorted by their likelihood of being changed.
 For a typical deployment, set `contact_emails` and `resource_group_name` then review the defaults for the optional variables and override in the `tfvars` file as needed.
 
-
 Required::
-`contact_emails` (string) ::: Emails to notify for alerts and before certificate expiry
+`contact_emails` (list(string)) ::: Emails to notify for alerts and before certificate expiry
 `resource_group_name` (string) ::: Resource group to create and build resources in
 Optional::
 `location` (string) [default=East US]::: Region to build resources in
@@ -92,14 +94,14 @@ Optional::
 `serial_number` (string) [default=01]::: Increment by 1 when re-provisioning with the same resource group name
 `image_path` (string) [default=./cisa_logo.png]::: Path to image used for app logo. Displayed in Azure console on installed tenants
 Advanced::
-`certificate_rotation_period_days` (number) [default=30]::: How many days between when the certificate key should be rotated. Note: rotation requires running terraform
 `create_app` (bool) [default=True]::: If true, the app will be created. If false, the app will be imported
 `prefix_override` (string) [default=None]::: Prefix for resource names. If null, one will be generated from app_name
-`input_storage_container_id` (string) [default=None]::: If not null, input container to read configs from (must give permissions to service account). Otherwise by default will create storage container.
-`output_storage_container_id` (string) [default=None]::: If not null, output container to put results in (must give permissions to service account). Otherwise by default will create storage container.
+`input_storage_container_url` (string) [default=None]::: If not null, input container to read configs from (must give permissions to service account). Otherwise by default will create storage container. Expect an https url pointing to a container
+`output_storage_container_url` (string) [default=None]::: If not null, output container to put results in (must give permissions to service account). Otherwise by default will create storage container. Expect an https url pointing to a container
 `tenants_dir_path` (string) [default=./tenants]::: Relative path to directory containing tenant configuration files in yaml
 `container_registry` (object) [default={'server': 'ghcr.io'}]::: Credentials for logging into registry with container image
 `container_image` (string) [default=ghcr.io/cisagov/scubaconnect-m365:latest]::: Docker image to use for running ScubaGear.
+`container_memory_gb` (number) [default=3]::: Amount of memory to allocate for ScubaGear container. Due to memory leaks in some dependencies, this may need to be increased if running on many tenants
 
 [#onboard]
 === Onboarding a Tenant
@@ -114,7 +116,7 @@ It will perform the following steps (note that the required permissions/roles co
 . Register the ScubaConnect application as a PowerApps Admin
 
 
-Once completed, upload a ScubaGear configuration file to the `input_storage_container_id` named `<tenant_fqdn>.yaml` (e.g., `myorg.onmicrosoft.com.yaml`).
+Once completed, upload a ScubaGear configuration file to the `input_storage_container_url` named `<tenant_fqdn>.yaml` (e.g., `myorg.onmicrosoft.com.yaml`).
 You may upload the file directly to Azure, or place it in `env/<your_env>/tenants/` and run `terraform apply`.
 Refer to the https://github.com/cisagov/ScubaGear/blob/main/docs/configuration/configuration.md#scuba-compliance-use[ScubaGear Configuration File documentation] for details on creating the configuration file.
 
@@ -133,13 +135,10 @@ Looks into the "Last Run Output" logs to determine the cause.
 
 === Maintenance
 
-GearConnect's architecture (limited by Managed Identity support in Windows containers) requires exporting the app's certificate as a secret variable in the container.
-To mitigate this, the certificate is short-lived.
-Terraform is set up to automatically generate a new certificate every `certificate_rotation_period_days` (defaults to 30).
-To utilize this mechanism, you must run `terraform apply` on a regular basis.
-This can be done through scheduled CI/CD or manually (an email will be sent one week prior to expiration).
-This will ensure the certificate is always valid.
-
+GearConnect utilizes a certificate to authenticate to tenants.
+This certificate is configured to expire after 1 year.
+60 days prior to expiration, an email will be sent.
+Running `terraform apply` will update the certificate for you.
 
 The container will be regularly rebuilt and updated overtime to support new versions of ScubaGear.
 No action is required for container updates as Azure Container Instances will grab the latest image by default.

m365/image/run_container.ps1

@@ -2,11 +2,47 @@
 $Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size (500, 25)
 $ErrorActionPreference = "Stop"
 
+if ($Env:DEBUG_LOG -eq "true") {
+    Get-ChildItem env:
+}
+
+Write-Output "Getting certificate from keyvault"
+# Retrieve an Access Token
+if (($Env:IS_VNET -eq "true") -and $Env:IDENTITY_ENDPOINT -like "http://10.92.0.*:2377/metadata/identity/oauth2/token?api-version=1.0") {
+    $identityEndpoint = "http://169.254.128.1:2377/metadata/identity/oauth2/token?api-version=1.0"
+} else {
+    $identityEndpoint = $Env:IDENTITY_ENDPOINT
+}
+
+if ($Env:IS_GOV -eq "true") {
+    $VaultURL = "https://$($Env:VAULT_NAME).vault.usgovcloudapi.net"
+    $RawVaultURL = "https%3A%2F%2F" + "vault.usgovcloudapi.net"
+}
+else {
+    $VaultURL = "https://$($Env:VAULT_NAME).vault.azure.net"
+    $RawVaultURL = "https%3A%2F%2F" + "vault.azure.net"    
+}
+
+$uri = $identityEndpoint + '&resource=' + $RawVaultURL + '&principalId=' + $Env:MI_PRINCIPAL_ID
+$headers = @{
+    secret = $Env:IDENTITY_HEADER
+    "Content-Type" = "application/x-www-form-urlencoded"
+}
+
+$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
+
+# Access values from Key Vault with token
+$accessToken = $Response.access_token
+$headers2 = @{
+    Authorization = "Bearer $accessToken"
+}
+
+$PrivKey = (Invoke-RestMethod -Uri "$($VaultURL)/Secrets/$($Env:CERT_NAME)/?api-version=7.4" -Headers $headers2).Value
+$PFX_BYTES = [Convert]::FromBase64String($PrivKey)
 Write-Output "Installing cert"
 # Install certificate by decoding env variable
 $PFX_FILE = '.\certificate.pfx'
-$BYTES = [Convert]::FromBase64String($Env:PFX_B64)
-[IO.File]::WriteAllBytes($PFX_FILE, $BYTES)
+[IO.File]::WriteAllBytes($PFX_FILE, $PFX_BYTES)
 $CertificateThumbPrint = (Import-PfxCertificate -FilePath $PFX_FILE -CertStoreLocation cert:\CurrentUser\My).Thumbprint
 Write-Output "  CERT: $CertificateThumbPrint"
 
@@ -16,6 +52,7 @@ $Env:AZCOPY_SPA_APPLICATION_ID= $Env:APP_ID
 $Env:AZCOPY_TENANT_ID=$Env:TENANT_ID
 $Env:AZCOPY_AUTO_LOGIN_TYPE="SPN"
 $Env:AZCOPY_SPA_CERT_PATH=$PFX_FILE
+$Env:AZCOPY_ACTIVE_DIRECTORY_ENDPOINT = if ($Env:IS_GOV -eq "true") {"https://login.microsoftonline.us"} else {"https://login.microsoftonline.com"}
 
 # Print scuba version to console for debugging
 Invoke-SCuBA -Version

m365/terraform/env/example/main.tf

@@ -1,19 +1,18 @@
 module "scuba_connect" {
-  source                           = "../.."
-  app_name                         = var.app_name
-  app_multi_tenant                 = var.app_multi_tenant
-  image_path                       = var.image_path
-  contact_emails                   = var.contact_emails
-  resource_group_name              = var.resource_group_name
-  serial_number                    = var.serial_number
-  location                         = var.location
-  schedule_interval                = var.schedule_interval
-  tenants_dir_path                 = var.tenants_dir_path
-  vnet                             = var.vnet
-  container_image                  = var.container_image
-  container_registry               = var.container_registry
-  input_storage_container_id       = var.input_storage_container_id
-  output_storage_container_id      = var.output_storage_container_id
-  certificate_rotation_period_days = var.certificate_rotation_period_days
-  tags                             = var.tags
+  source                       = "../.."
+  app_name                     = var.app_name
+  app_multi_tenant             = var.app_multi_tenant
+  image_path                   = var.image_path
+  contact_emails               = var.contact_emails
+  resource_group_name          = var.resource_group_name
+  serial_number                = var.serial_number
+  location                     = var.location
+  schedule_interval            = var.schedule_interval
+  tenants_dir_path             = var.tenants_dir_path
+  vnet                         = var.vnet
+  container_image              = var.container_image
+  container_registry           = var.container_registry
+  input_storage_container_url  = var.input_storage_container_url
+  output_storage_container_url = var.output_storage_container_url
+  tags                         = var.tags
 }

m365/terraform/env/example/outputs.tf

@@ -3,14 +3,14 @@ output "app_id" {
   value       = module.scuba_connect.app_id
 }
 
-output "output_storage_container_id" {
-  description = "ID of the output storage account results are written to"
-  value       = module.scuba_connect.output_storage_container_id
+output "output_storage_container_url" {
+  description = "URL of the output storage account results are written to"
+  value       = module.scuba_connect.output_storage_container_url
 }
 
-output "input_storage_container_id" {
-  description = "ID of the input storage account configs are read from"
-  value       = module.scuba_connect.output_storage_container_id
+output "input_storage_container_url" {
+  description = "URL of the input storage account configs are read from"
+  value       = module.scuba_connect.output_storage_container_url
 }
 
 output "sp_object_id" {

m365/terraform/env/example/provider.tf

@@ -3,11 +3,11 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.98.0"
+      version = "~> 4.22.0"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "2.47.0"
+      version = "~> 3.1.0"
     }
   }
 
@@ -16,8 +16,10 @@ terraform {
 
 provider "azurerm" {
   features {}
+  subscription_id = "<YOUR_SUBSCRIPTION_UUID>"
+  environment = "public"
 }
 
 provider "azuread" {
-
+  environment = "public"
 }

m365/terraform/env/example/variables.tf

@@ -81,16 +81,6 @@ variable "image_path" {
 
 ### ADVANCED ###
 
-variable "certificate_rotation_period_days" {
-  type        = number
-  description = "How many days between when the certificate key should be rotated. Note: rotation requires running terraform"
-  default     = 30
-  validation {
-    condition     = var.certificate_rotation_period_days <= 60 && var.certificate_rotation_period_days >= 3
-    error_message = "Rotation period must be between 3 and 60 days"
-  }
-}
-
 variable "create_app" {
   default     = true
   type        = bool
@@ -103,16 +93,16 @@ variable "prefix_override" {
   description = "Prefix for resource names. If null, one will be generated from app_name"
 }
 
-variable "input_storage_container_id" {
+variable "input_storage_container_url" {
   default     = null
   type        = string
-  description = "If not null, input container to read configs from (must give permissions to service account). Otherwise by default will create storage container."
+  description = "If not null, input container to read configs from (must give permissions to service account). Otherwise by default will create storage container. Expect an https url pointing to a container"
 }
 
-variable "output_storage_container_id" {
+variable "output_storage_container_url" {
   default     = null
   type        = string
-  description = "If not null, output container to put results in (must give permissions to service account). Otherwise by default will create storage container."
+  description = "If not null, output container to put results in (must give permissions to service account). Otherwise by default will create storage container. Expect an https url pointing to a container"
 }
 
 variable "tenants_dir_path" {

m365/terraform/main.tf

@@ -25,23 +25,7 @@ resource "azurerm_log_analytics_workspace" "monitor_law" {
   lifecycle {
     ignore_changes = [tags]
   }
-  depends_on = [ azurerm_resource_group_policy_assignment.tagging_assignments ]
-}
-
-# Creates the app registration, or reads an existing one, which is used by the ScubaGear container
-module "app" {
-  source                           = "./modules/app"
-  resource_group_name              = azurerm_resource_group.rg.name
-  location                         = var.location
-  resource_prefix                  = local.name
-  app_name                         = var.app_name
-  image_path                       = var.image_path
-  create_app                       = var.create_app
-  contact_emails                   = var.contact_emails
-  allowed_access_ips               = try(var.vnet.allowed_access_ip_list, null)
-  certificate_rotation_period_days = var.certificate_rotation_period_days
-  app_multi_tenant                 = var.app_multi_tenant
-  depends_on                       = [azurerm_resource_group_policy_assignment.tagging_assignments]
+  depends_on = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }
 
 module "networking" {
@@ -55,23 +39,38 @@ module "networking" {
   depends_on          = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }
 
+# Creates the app registration, or reads an existing one, which is used by the ScubaGear container
+module "app" {
+  source              = "./modules/app"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = var.location
+  kv_prefix           = "${local.name}-${var.serial_number}"
+  app_name            = var.app_name
+  image_path          = var.image_path
+  create_app          = var.create_app
+  contact_emails      = var.contact_emails
+  allowed_access_ips  = try(var.vnet.allowed_access_ip_list, null)
+  aci_subnet_id       = try(module.networking[0].aci_subnet_id, null)
+  app_multi_tenant    = var.app_multi_tenant
+  depends_on          = [azurerm_resource_group_policy_assignment.tagging_assignments]
+}
 
 module "container" {
-  source                      = "./modules/container"
-  resource_prefix             = local.name
-  resource_group              = azurerm_resource_group.rg
-  container_registry          = var.container_registry
-  container_image             = var.container_image
-  application_client_id       = module.app.client_id
-  application_object_id       = module.app.sp_object_id
-  application_pfx_b64         = module.app.certificate_pfx_b64
-  allowed_access_ips          = try(var.vnet.allowed_access_ip_list, null)
-  subnet_ids                  = var.vnet == null ? null : [module.networking[0].aci_subnet_id]
-  schedule_interval           = var.schedule_interval
-  output_storage_container_id = var.output_storage_container_id
-  input_storage_container_id  = var.input_storage_container_id
-  contact_emails              = var.contact_emails
-  log_analytics_workspace     = azurerm_log_analytics_workspace.monitor_law
-  container_memory_gb         = var.container_memory_gb
-  depends_on                  = [azurerm_resource_group_policy_assignment.tagging_assignments]
+  source                       = "./modules/container"
+  resource_prefix              = local.name
+  resource_group               = azurerm_resource_group.rg
+  container_registry           = var.container_registry
+  container_image              = var.container_image
+  application_client_id        = module.app.client_id
+  application_object_id        = module.app.sp_object_id
+  allowed_access_ips           = try(var.vnet.allowed_access_ip_list, null)
+  subnet_ids                   = var.vnet == null ? null : [module.networking[0].aci_subnet_id]
+  schedule_interval            = var.schedule_interval
+  output_storage_container_url = var.output_storage_container_url
+  input_storage_container_url  = var.input_storage_container_url
+  contact_emails               = var.contact_emails
+  log_analytics_workspace      = azurerm_log_analytics_workspace.monitor_law
+  container_memory_gb          = var.container_memory_gb
+  cert_info                    = module.app.cert_info
+  depends_on                   = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }