Specify VPN root certificate per environment

CDCgov · Mar 8, 2024 · 2362189 · 2362189
1 parent 9f20d1d
commit 2362189
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 3 deletions.
diff --git a/operations/environments/dev/main.tf b/operations/environments/dev/main.tf
@@ -29,4 +29,5 @@ module "template" {
 
   environment = "dev"
   deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra
+  vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIWvb3sLkOQtcwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1MjM0OFoXDTI3MDMwODE1MjM0OFowETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt1v2bAATE7IOJkqUrbwQw6X99fi3Ywf1bv0uZ0gGDjG10H+PB2BUzZ94RNcB4Oezi6t+/WAQUkhRozemFkegSkfKHEehAT6nu6OBXKt2rH/oJtpKR791ab9H9aQ6e5LO9OZ237QL6XikhGG7HXqG9ndYnhBYPy2/pd8VV6ZwqMR3PkfBJaC4tKy4d8dim+PMpT5rqPGbsf9H+dydvG6JOKZiHb3/yqi6fqoise1yY64aDwFC9MbEbtgXpvmBFsei2PA/XH5FqE6F/kyCg7mO5TSYYEqx0PCTPmICAT4iw5ELMyAhVKL2OpMjqw5YAYr/TGqlfyEYpBBQMvC3K9OmUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5idI+AFsHn8BjvNBE5ShE+aFor0wDQYJKoZIhvcNAQELBQADggEBAJkDtuHj4QGyXtooiM7xfHZ/lGdDZvF+KAVfFKAlsIO8y1NS2iAeNT6MmampwzWzXIUMk9vxvALUoh2MJkWP5CX2e3vDj2lGpbhK5//rfWDin1/jj28+KZzSVsk4i/EkdBWW7eCKU401rafVOjSLmM5mfDTAHNrFxzQWJF5WL7TxrQw7chrnpy4v0V7/y4h+QsQja8LXx9keEdB2BQSjndAqxB9dblFALantpuEOM2pS3GCaC2REXSnKsgSEQoVL07MSndpCpdv5bsEkppM5LBC6gL66a43Lho3kSCm4ZU51mjJtNwadeBXpHjkJ1yiBA7CG/Roa+THAiV+VMP75g3E="  # pragma: allowlist secret
 }
diff --git a/operations/environments/prd/main.tf b/operations/environments/prd/main.tf
@@ -29,4 +29,5 @@ module "template" {
 
   environment = "prd"
   deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra
+  vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIeHnOQDhz00AwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1NDA1M1oXDTI3MDMwODE1NDA1M1owETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkgeXZ6ReEQ5HAqlXULUUdVfCMtMPmlTeCFFkhD9i5E5lRg78PyJqczHMzCB6l83O/PrLWXjT3/s/R58cfeHJg/SndGwt/2uKhj1kNW7Ivc8kF0pgSL3lDR+NSj5OPda45EY30ZlTjgygmb9MjfCT2BmgjGcfUbgm0jzgDZsk7bLUUJkL38DJP+v2M6sDxyxMjoY9gJ1Kq5Fg81serJlZHaACShuuhgiKqH3+hwvIPluK8Y40FWfiKpGRjdkAXGTmB+afMeA4L1amyticIPzzOytIHFIDMOKgJRL62UQe+alzubXkYbDtEgDCOwF8k5TRiu9MUwID34CLkp2VWnLnUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUHyrypPmh+KVb2sspeGsxboG1hQwwDQYJKoZIhvcNAQELBQADggEBAGmfFRLgqLQxedGHeXQoajHzhCvk+62lDR1xy0s2mklA3eRxzOyaXRPgmM6lbGBm6LdLxo5nxGgfD4h2vOBZl4MXOFLryLm97QtDZ34YkxGn+tugUAXpWBB/EJIynib1Ywyg6Kv6g3oYjf2bc8Ae9bOWGR0FtOGn8TvmSzKLXoUwQd0u9DEA774YtpvPxHxw69uyf8x2nekpyWNyFbR6DWJEA9M+BHeR0oGEGoc5FH6zTgstbdeNVou3NNQlRKlWD26vWeCeQvbKDK5+KuOPjjDTimGdx1GfA9z/ai/pX+K/NKvvC4JXQdW7jYYu3QFglP70esT9mBCxVQbXd49oD9M="  # pragma: allowlist secret
 }
diff --git a/operations/environments/stg/main.tf b/operations/environments/stg/main.tf
@@ -29,4 +29,5 @@ module "template" {
 
   environment = "stg"
   deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra
+  vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIUC720RvICDQwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1MzY1MloXDTI3MDMwODE1MzY1MlowETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtn+H6PbB2y/JmoTTNuxljVY7I02BblPmnzwzQhEPAZjoMVQTsEvS5rr/ILLFFF5FdTcyPYJpD5Tvd+w1v62xV4QhZSFpSSyfRvsi6uzOLOyDOhVN++GWAjKyTvaOO654JwX/qj7nHSYQLQFtnf9OkixZazO8o0snXpGCSYKgxhBox6+XyZpjjwoFt+wMrNalrAOWCtAp/pgIB7xyStcWyGEi7vACiV+7rzI2Kxh+PfaltS4wU1vWN7jN2GxMbVG3539ybiT4fpoGuDWjZ7t7tp1LgQa1n7tlvNR0W01pdt7U/fPL9ynfyuP8Wph8eetW9THYtJkBTNk7KyhE+z36TwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU85kmRn9Cnq9LjFeKjwrMUhgo3xowDQYJKoZIhvcNAQELBQADggEBAHjzfciR/TqJojJ3xd2AmMQev5Aw6Wf9gFfhv0eb9bmqyeJ23bYhOvqWxIxb01TBp5CNhWgWuUE68cQpEqafu9JOITDk9GtQ9m6/4sHOhzqM11beGqKlomQuT+I/M/gS0pUcr//W7riTkOQQI6DHKgpoGoRXpk9/V5GrwQauZjy1hRyRpVlg4xDgJJqRr5PKUErtA07DYck+AblJW4msglfyM2HTvvMLNdsmiZmjFdU1osT0WT/W9nY+RGadAo47x6qknpFoDoVtIQ3XNH3C5Scl1bGphfQdmEjNVhg7a8gSWat7n1OjFiz3OvTqy5MsssmRz4WlOM5+xOhiT2OambA="  # pragma: allowlist secret
 }
diff --git a/operations/template/key.tf b/operations/template/key.tf
@@ -81,5 +81,3 @@ resource "azurerm_key_vault_secret" "trusted_intermediary_private_key" {
   }
   depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
 }
-
-
diff --git a/operations/template/variables.tf b/operations/template/variables.tf
@@ -7,3 +7,8 @@ variable "deployer_id" {
   type     = string
   nullable = false
 }
+
+variable "vpn_root_certificate" {
+  type     = string
+  nullable = false
+}
diff --git a/operations/template/vpn.tf b/operations/template/vpn.tf
@@ -31,7 +31,7 @@ resource "azurerm_virtual_network_gateway" "vpn" {
 
     root_certificate {
       name = "vpn-cert"
-      public_cert_data = "MIIC5jCCAc6gAwIBAgIIGMy2CjfbdWEwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwNTIxMTIzOVoXDTI3MDMwNTIxMTIzOVowETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnF+rF0RxT8mFwVwQY976uEyR1dr6bC7G+18fJuk8yEG+vVhVrCldSCMNL4QkeZNvBNW4/W2DsuGVKFwc8u3iII/uSQ7ANU1EsFve0GdlSQv8gHYAWwKaR2Rt20uaFMBkeWIUScrMtesd+AvBk5h2Ll6opNR4SGOZSkH6lGl8KMWbUuQbiME4RIF07bNMF+fNHRXxsUMM6OWRzDS8VZaEAz8iuKr9qGi4hIB2dQlJa8fGgU+J5gt2C33t56VaJsde2/MJtTj9P/8elTeGpfPATMNqCThYK3UsfRe5Jrl/wHlugVhPLqwOKwrvVd+Vv3vTkiPhfIhPu37aoHYGZyMpfQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUOUXvWrL8eFMpB8Mc0GJKcySw56UwDQYJKoZIhvcNAQELBQADggEBAEkXMQ4iQ9pK3DutiwY1ejEShF+O0agMGaLDcKNFtNlc4UwN10RNkkBEPLSZhuBKGkBQIxuNLqsFUaZcL4x47a2VQUBuJhXvIXfNtNupYcRusVyBRSYbcZWpernbXSRutCUfO24tRsMG9m+QBAmJYU6XNDQUi55CwAhygg7mnARdcRZAP7qBVUr/ga59mWVVWWcO5VfKQD2XfBp88AOwkw/C9odX1bIfIEu+A9KWrvVh2eqMDmTb4sEOQcuP70kBU3udckPb51a4R4J/LxuDfWjAXrJGHA/W6srbO8FIkRvsUKHk5CEH487+gMKI9Jt70mG2dwdHTqiqE1VY6z3VDbs="  # pragma: allowlist secret
+      public_cert_data = var.vpn_root_certificate
     }
   }
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -81,5 +81,3 @@ resource "azurerm_key_vault_secret" "trusted_intermediary_private_key" {
		}
		depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
		}