From c8b18063a512998f493f56fa00939729c99916a6 Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Thu, 20 Feb 2025 15:56:06 +0000
Subject: [PATCH 1/3] Enable anonymous access in Nexus configuration script
---
.../scripts/configure_nexus_repos.sh | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh
index 8e6a8456de..29f6a5bcd2 100644
--- a/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh
+++ b/templates/shared_services/sonatype-nexus-vm/scripts/configure_nexus_repos.sh
@@ -20,6 +20,23 @@ while [ ! -d "$(dirname "${BASH_SOURCE[0]}")"/nexus_repos_config ]; do
((timeout--))
done
+echo 'Enabling anonymous access in Nexus...'
+anon_status_code=$(curl -iu admin:"$1" -XPUT \
+ 'http://localhost/service/rest/v1/security/anonymous' \
+ -H 'accept: application/json' \
+ -H 'Content-Type: application/json' \
+ -d '{
+ "enabled": true,
+ "userId": "anonymous",
+ "realmName": "NexusAuthorizingRealm"
+ }' \
+ -k -s -w "%{http_code}" -o /dev/null)
+echo "Response received from Nexus for anonymous access: $anon_status_code"
+if [ "$anon_status_code" -ne 200 ]; then
+ echo "ERROR - Failed to enable anonymous access."
+ exit 1
+fi
+
# Create proxy for each .json file
for filename in "$(dirname "${BASH_SOURCE[0]}")"/nexus_repos_config/*.json; do
echo "Found config file: $filename. Sending to Nexus..."
From ad89b5030648bab73103a7659664aee715cf049f Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 11:51:42 +0000
Subject: [PATCH 2/3] Add role assignment for Storage Account Contributor in bootstrap script
---
devops/terraform/bootstrap.sh | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 8abd7bc2c7..24cf30c3e4 100755
--- a/devops/terraform/bootstrap.sh
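Review bot: The new block enables anonymous access for the whole Nexus instance without a comment saying why it is needed or what it exposes; add `# Anonymous (unauthenticated) access is enabled instance-wide: what an anonymous caller can reach is decided by the role bound to the anonymous user in Nexus, so keep that role read-only` above `echo 'Enabling anonymous access in Nexus...'`. The admin password is passed as `admin:"$1"` on the curl command line, where it is readable by other local users through the process table while the request runs; supplying it through a curl config file (`-K`) or `.netrc` avoids that, and if the other requests in this script already use the same pattern they should move together. The URL is plain `http://localhost`, so `-k` does nothing here and should be dropped rather than left to suggest TLS verification was deliberately turned off, and `-i` is redundant once the body goes to `-o /dev/null`.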
+++ b/devops/terraform/bootstrap.sh
@@ -28,8 +28,6 @@ else
az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
fi
-# shellcheck disable=SC1091
-source ../scripts/mgmtstorage_enable_public_access.sh
# Grant user blob data contributor permissions
echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
@@ -38,6 +36,12 @@ if [ -n "${ARM_CLIENT_ID:-}" ]; then
else
USER_OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)
fi
+
+az role assignment create --assignee "$USER_OBJECT_ID" \
+ --role "Storage Account Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
+
+
az role assignment create --assignee "$USER_OBJECT_ID" \
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
@@ -55,6 +59,9 @@ while [ -z "$(check_role_assignment)" ]; do
done
echo "Role assignment applied."
+# shellcheck disable=SC1091
+source ../scripts/mgmtstorage_enable_public_access.sh
+
# Blob container
# shellcheck disable=SC2154
az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$TF_VAR_terraform_state_container_name" --auth-mode login -o table
From 0b932e286ec89c6f881f77d977dab7d2dc7759aa Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 12:28:42 +0000
Subject: [PATCH 3/3] Enhance role assignment check in bootstrap script to verify both "Storage Blob Data Contributor" and "Storage Account Contributor" roles are assigned
---
devops/terraform/bootstrap.sh | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
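Review bot: The new `az role assignment create` in the second hunk grants `Storage Account Contributor` on the management storage account, a built-in role whose `Microsoft.Storage/storageAccounts/*` action lets the holder list and regenerate the account keys as well as change network rules, and no comment records why the bootstrap identity needs that much. If the only consumer is `../scripts/mgmtstorage_enable_public_access.sh`, which the third hunk now sources after the role wait, and it only updates the account's network settings, a custom role limited to `Microsoft.Storage/storageAccounts/read` and `Microsoft.Storage/storageAccounts/write` would be the least-privilege choice; either way add `# Control-plane rights on the account are needed so mgmtstorage_enable_public_access.sh can update its network access below` above the call. Note also that nothing removes the assignment afterwards, so it outlives the bootstrap. As a style point the scope string is repeated twice here and twice more in the check function added in patch 3/3; setting it once in a `readonly` variable above these calls, e.g. `MGMT_STORAGE_SCOPE="/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"`, would keep the copies from drifting.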
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 24cf30c3e4..4044a26663 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -47,13 +47,28 @@ az role assignment create --assignee "$USER_OBJECT_ID" \
--scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
# Function to check if the role assignment exists
-check_role_assignment() {
- az role assignment list --assignee "$USER_OBJECT_ID" --role "Storage Blob Data Contributor" --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" --query "[].id" --output tsv
+check_role_assignments() {
+ local sbdc=$(az role assignment list \
+ --assignee "$USER_OBJECT_ID" \
+ --role "Storage Blob Data Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+ --query "[].id" --output tsv)
+
+ local sac=$(az role assignment list \
+ --assignee "$USER_OBJECT_ID" \
+ --role "Storage Account Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+ --query "[].id" --output tsv)
+
+ # Return a non-empty value only if both roles are assigned
+ if [[ -n "$sbdc" && -n "$sac" ]]; then
+ echo "both"
+ fi
}
# Wait for the role assignment to be applied
echo -e "\n\e[34m»»» ⏳ \e[96mWaiting for role assignment to be applied\e[0m..."
-while [ -z "$(check_role_assignment)" ]; do
+while [ -z "$(check_role_assignments)" ]; do
echo "Waiting for role assignment..."
sleep 10
done
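Review bot: `local sbdc=$(az role assignment list ...)` and `local sac=$(...)` in `check_role_assignments` discard the exit status of `az` (ShellCheck SC2155), so an expired login, a wrong scope or a throttled request yields an empty string that the `while [ -z "$(check_role_assignments)" ]` loop cannot distinguish from a role that has not propagated yet, and the script then prints `Waiting for role assignment...` every 10 seconds forever. Declare and assign separately — `local sbdc sac`, then `sbdc=$(az role assignment list \` … `--query "[].id" --output tsv) || return 1`, and the same for `sac` — so a failed call at least stops the function. Because the loop only looks at stdout, also give it an upper bound, for example a counter that exits with an error after a fixed number of `sleep 10` rounds, so a persistent error is reported instead of spinning. A header comment on the function stating that it prints a non-empty string only when both assignments are visible, and nothing otherwise, would make the caller's `-z` test self-explanatory.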