From 677fb052292efc4f2f3d6df1ad15cc694f537335 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Wed, 12 Feb 2025 13:35:08 +0000
Subject: [PATCH] Nexus Linux machine uses SSH keys
Fixes #4359
Update Sonatype Nexus VM to require SSH key-based authentication.
* Remove password-based authentication and related resources from `templates/shared_services/sonatype-nexus-vm/terraform/vm.tf`.
* Add resources to generate and store SSH keys in Key Vault.
* Update the `connection` block to use the SSH private key for authentication.
* Update `docs/tre-templates/shared-services/nexus.md` to reflect the change to SSH key-based authentication and provide instructions on how to retrieve the SSH private key from Key Vault.
---
For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/microsoft/AzureTRE/issues/4359?shareId=XXXX-XXXX-XXXX-XXXX).
---
 docs/tre-templates/shared-services/nexus.md | 5 +-
 .../sonatype-nexus-vm/terraform/vm.tf | 60 +++++++++----------
 2 files changed, 34 insertions(+), 31 deletions(-)
diff --git a/docs/tre-templates/shared-services/nexus.md b/docs/tre-templates/shared-services/nexus.md
index 51c134ebe4..50394ab77c 100644
--- a/docs/tre-templates/shared-services/nexus.md
+++ b/docs/tre-templates/shared-services/nexus.md
@@ -46,7 +46,6 @@ This will deploy the infrastructure required for Nexus, then start the service a
 ## Setup and usage
-1. A TRE Administrator can access Nexus though the admin jumpbox provisioned as part of the TRE deployment. The username is `adminuser` and the password is located in the Key Vault under `vm--jumpbox-password`
 2. A researcher can access Nexus from within the workspace by using the internal Nexus URL of `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com`
 3. To fetch Python packages from the PyPI proxy, a researcher can use `pip install` while specifying the proxy server: 
@@ -201,3 +200,7 @@ for ext in "${extensions[@]}"; do
 fi
 done
 ```
+
+# Virtual Machine Credentials
+
+A TRE Administrator can access Nexus though the bastion provisioned as part of the TRE deployment. The username is `adminuser` and the SSH private key is located in the Key Vault under `nexus-ssh-private-key`.
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
index 224143937a..292ec32692 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -34,19 +34,6 @@ resource "azurerm_private_dns_a_record" "nexus_vm" {
 lifecycle { ignore_changes = [tags] }
 }
-resource "random_password" "nexus_vm_password" {
- length = 16
- lower = true
- min_lower = 1
- upper = true
- min_upper = 1
- numeric = true
- min_numeric = 1
- special = true
- min_special = 1
- override_special = "_%@"
-}
-
 resource "random_password" "nexus_admin_password" {
 length = 16
 lower = true
@@ -60,15 +47,6 @@ resource "random_password" "nexus_admin_password" {
 override_special = "_%"
 }
-resource "azurerm_key_vault_secret" "nexus_vm_password" {
- name = "nexus-vm-password"
- value = random_password.nexus_vm_password.result
- key_vault_id = data.azurerm_key_vault.kv.id
- tags = local.tre_shared_service_tags
-
- lifecycle { ignore_changes = [tags] }
-}
-
 resource "azurerm_key_vault_secret" "nexus_admin_password" {
 name = "nexus-admin-password"
 value = random_password.nexus_admin_password.result 
@@ -99,9 +77,8 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 location = data.azurerm_resource_group.rg.location
 network_interface_ids = [azurerm_network_interface.nexus.id]
 size = var.vm_size
- disable_password_authentication = false
+ disable_password_authentication = true
 admin_username = "adminuser"
- admin_password = random_password.nexus_vm_password.result
 tags = local.tre_shared_service_tags
 encryption_at_host_enabled = true
 secure_boot_enabled = true
@@ -143,12 +120,12 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 ]
 connection {
- type = "ssh"
- host = azurerm_network_interface.nexus.private_ip_address
- user = "adminuser"
- password = random_password.nexus_vm_password.result
- agent = false
- timeout = "10m"
+ type = "ssh"
+ host = azurerm_network_interface.nexus.private_ip_address
+ user = "adminuser"
+ private_key = azurerm_key_vault_secret.ssh_private_key.value
+ agent = false
+ timeout = "10m"
 }
 }
@@ -274,3 +251,26 @@ resource "azurerm_virtual_machine_extension" "keyvault" {
 lifecycle { ignore_changes = [tags] }
 }
+
+resource "tls_private_key" "ssh_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+resource "azurerm_key_vault_secret" "ssh_private_key" {
+ name = "nexus-ssh-private-key"
+ value = tls_private_key.ssh_key.private_key_pem
+ key_vault_id = data.azurerm_key_vault.kv.id
+ tags = local.tre_shared_service_tags
+
+ lifecycle { ignore_changes = [tags] }
+}
+
+resource "azurerm_key_vault_secret" "ssh_public_key" {
+ name = "nexus-ssh-public-key"
+ value = tls_private_key.ssh_key.public_key_openssh
+ key_vault_id = data.azurerm_key_vault.kv.id
+ tags = local.tre_shared_service_tags
+
+ lifecycle { ignore_changes = [tags] }
+}
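Review bot: In the hunk at `@@ -99,9 +77,8 @@`, flipping `disable_password_authentication` to `true` and dropping `admin_password` leaves `azurerm_linux_virtual_machine.nexus` with no credential on the VM unless an `admin_ssh_key` block already exists in the part of the resource outside this hunk; the azurerm provider requires one of `admin_password` or `admin_ssh_key`, and nothing in the commit adds the latter. Even if the plan were accepted, the public half of the new `tls_private_key.ssh_key` is never installed on the machine, so the SSH provisioner in the `connection` block (hunk `@@ -143,12 +120,12 @@`) would have nothing to authenticate against. The resource body starts before and ends after the visible lines, so this may be present elsewhere, but it should be confirmed before merge. The public key should be wired into the VM alongside the new `disable_password_authentication = true`:
```hcl
  disable_password_authentication = true
  admin_username                  = "adminuser"
  admin_ssh_key {
    username   = "adminuser"
    public_key = tls_private_key.ssh_key.public_key_openssh
  }
  # … unchanged: tags, encryption_at_host_enabled, secure_boot_enabled …
```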
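Review bot: `private_key = azurerm_key_vault_secret.ssh_private_key.value` in the `connection` block of hunk `@@ -143,12 +120,12 @@` reads the PEM back out of the Key Vault secret rather than from its source, which makes the VM's provisioner depend on the secret write completing before it can connect and buys no extra secrecy, because the same PEM is already in Terraform state via `tls_private_key.ssh_key`. Referencing the key resource directly, `private_key = tls_private_key.ssh_key.private_key_pem`, removes the round trip and keeps the secret resource purely as the operator hand-off point the docs describe. The enclosing VM resource and its provisioner lie outside the hunk.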
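Review bot: The new `tls_private_key.ssh_key` in hunk `@@ -274,3 +251,26 @@` stores the generated RSA private key in plaintext in Terraform state, so the state backend now carries the same credential as the `nexus-ssh-private-key` secret and must be protected to the same standard; the provider's own documentation flags this resource as intended for bootstrapping rather than long-lived credentials. That caveat is worth recording on the resource, e.g. `# NOTE: the private key is written unencrypted to Terraform state; the state backend is now secret-bearing.` Consider also setting `content_type` on the two new `azurerm_key_vault_secret` resources (for example a constructed value such as `"application/x-pem-file"` for the private key) so the key material is distinguishable from the admin password secret above it in Key Vault; that secret does not set it today, so this is optional for consistency.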