From 7f78e4fffce735f10135c20cf6f0d1a0579ad317 Mon Sep 17 00:00:00 2001
From: Richard Hagen
Date: Tue, 20 Feb 2024 15:13:47 +0100
Subject: [PATCH] Fix bugs, add FORCE_UPDATE argument (#1207)
---
 scripts/radix-zone/radix_zone_c2.env | 6 ++---
 scripts/radix-zone/radix_zone_playground.env | 6 ++---
 scripts/radix-zone/radix_zone_prod.env | 6 ++---
 scripts/rotate-secrets/lib_keyvault.sh | 2 +-
 scripts/rotate-secrets/rotate-secrets.sh | 7 ++++--
 .../services/vulnerability-scan-reader.sh | 24 ++++++++++++-------
 .../services/vulnerability-scan-writer.sh | 23 +++++++++++-------
 7 files changed, 45 insertions(+), 29 deletions(-)
diff --git a/scripts/radix-zone/radix_zone_c2.env b/scripts/radix-zone/radix_zone_c2.env
index 1091bda8d..1435f470b 100644
--- a/scripts/radix-zone/radix_zone_c2.env
+++ b/scripts/radix-zone/radix_zone_c2.env
@@ -179,10 +179,10 @@ RADIX_API_REQUIRE_APP_AD_GROUPS=true
 ### Radix Vulnerability Scanner Environment ###
-AZ_RESOURCE_GROUP_VULNERABILITY_SCAN_SQL="vulnerability-scan-$AZ_RADIX_ZONE_LOCATION"
+AZ_RESOURCE_GROUP_VULNERABILITY_SCAN_SQL="vulnerability-scan-$RADIX_ZONE"
 KV_SECRET_VULNERABILITY_SCAN_SQL_ADMIN="radix-vulnerability-scan-db-admin"
-KV_SECRET_VULNERABILITY_SCAN_DB_WRITER="radix-vulnerability-scan-db-writer-$RADIX_ZONE-$RADIX_ENVIRONMENT"
-KV_SECRET_VULNERABILITY_SCAN_DB_API="radix-vulnerability-scan-db-api-$RADIX_ZONE-$RADIX_ENVIRONMENT"
+KV_SECRET_VULNERABILITY_SCAN_DB_WRITER="radix-vulnerability-scan-db-writer"
+KV_SECRET_VULNERABILITY_SCAN_DB_API="radix-vulnerability-scan-db-api"
 VULNERABILITY_SCAN_SQL_SERVER_NAME="sql-radix-vulnerability-scan-$RADIX_ZONE-$RADIX_ENVIRONMENT"
 VULNERABILITY_SCAN_SQL_SERVER_FQDN="$VULNERABILITY_SCAN_SQL_SERVER_NAME.database.windows.net"
 VULNERABILITY_SCAN_SQL_DATABASE_NAME=radix-vulnerability-scan
diff --git a/scripts/radix-zone/radix_zone_playground.env b/scripts/radix-zone/radix_zone_playground.env
index 17bd6dad7..2cdf7a94a 100644
--- a/scripts/radix-zone/radix_zone_playground.env
+++ b/scripts/radix-zone/radix_zone_playground.env
@@ -181,10 +181,10 @@ RADIX_API_REQUIRE_APP_AD_GROUPS=false
 ### Radix Vulnerability Scanner Environment ###
-AZ_RESOURCE_GROUP_VULNERABILITY_SCAN_SQL=vulnerability-scan
+AZ_RESOURCE_GROUP_VULNERABILITY_SCAN_SQL="vulnerability-scan-$RADIX_ZONE"
 KV_SECRET_VULNERABILITY_SCAN_SQL_ADMIN="radix-vulnerability-scan-db-admin-$RADIX_ZONE"
-KV_SECRET_VULNERABILITY_SCAN_DB_WRITER="radix-vulnerability-scan-db-writer-$RADIX_ZONE"
-KV_SECRET_VULNERABILITY_SCAN_DB_API="radix-vulnerability-scan-db-api-$RADIX_ZONE"
+KV_SECRET_VULNERABILITY_SCAN_DB_WRITER="radix-vulnerability-scan-db-writer"
+KV_SECRET_VULNERABILITY_SCAN_DB_API="radix-vulnerability-scan-db-api"
 VULNERABILITY_SCAN_SQL_SERVER_NAME="sql-radix-vulnerability-scan-$RADIX_ZONE"
 VULNERABILITY_SCAN_SQL_SERVER_FQDN="$VULNERABILITY_SCAN_SQL_SERVER_NAME.database.windows.net"
 VULNERABILITY_SCAN_SQL_DATABASE_NAME=radix-vulnerability-scan
diff --git a/scripts/radix-zone/radix_zone_prod.env b/scripts/radix-zone/radix_zone_prod.env
index d0f8ec98c..3e4afe96a 100644
--- a/scripts/radix-zone/radix_zone_prod.env
+++ b/scripts/radix-zone/radix_zone_prod.env
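Review bot: In the playground hunk KV_SECRET_VULNERABILITY_SCAN_SQL_ADMIN (context line) keeps its `-$RADIX_ZONE` suffix while the two secret names changed directly below it lose theirs, and the c2 and prod hunks name the admin secret with no suffix at all. If the playground vault really holds the admin secret under the suffixed name, a comment beside it saying so would keep a later cleanup from "fixing" it and breaking the lookup; otherwise it should follow the same naming, `KV_SECRET_VULNERABILITY_SCAN_SQL_ADMIN="radix-vulnerability-scan-db-admin"`. Dropping the zone from the writer and api names presumably relies on rotate-secrets.sh deriving KEY_VAULT per zone, so secrets of different zones never share a vault; that assumption is worth one comment in each env file since nothing here enforces it.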
@@ -185,10 +185,10 @@ RADIX_API_REQUIRE_APP_AD_GROUPS=true
 ### Radix Vulnerability Scanner Environment ###
-AZ_RESOURCE_GROUP_VULNERABILITY_SCAN_SQL="vulnerability-scan"
+AZ_RESOURCE_GROUP_VULNERABILITY_SCAN_SQL="vulnerability-scan-platform"
 KV_SECRET_VULNERABILITY_SCAN_SQL_ADMIN="radix-vulnerability-scan-db-admin"
-KV_SECRET_VULNERABILITY_SCAN_DB_WRITER="radix-vulnerability-scan-db-writer-$RADIX_ZONE"
-KV_SECRET_VULNERABILITY_SCAN_DB_API="radix-vulnerability-scan-db-api-$RADIX_ZONE"
+KV_SECRET_VULNERABILITY_SCAN_DB_WRITER="radix-vulnerability-scan-db-writer"
+KV_SECRET_VULNERABILITY_SCAN_DB_API="radix-vulnerability-scan-db-api"
 VULNERABILITY_SCAN_SQL_SERVER_NAME="sql-radix-vulnerability-scan-$RADIX_ZONE"
 VULNERABILITY_SCAN_SQL_SERVER_FQDN="$VULNERABILITY_SCAN_SQL_SERVER_NAME.database.windows.net"
 VULNERABILITY_SCAN_SQL_DATABASE_NAME=radix-vulnerability-scan
diff --git a/scripts/rotate-secrets/lib_keyvault.sh b/scripts/rotate-secrets/lib_keyvault.sh
index e4d8e11b5..e08f0651e 100644
--- a/scripts/rotate-secrets/lib_keyvault.sh
+++ b/scripts/rotate-secrets/lib_keyvault.sh
@@ -58,5 +58,5 @@ keyvault_list_secrets() {
 fi;
 printf "${fmt}" "${NAME}" $color "${days}" $normal
- done < <(az keyvault secret list --vault-name radix-keyv-dev | jq ".[] | [.name, .attributes.expires] | @tsv" -r)
+ done < <(az keyvault secret list --vault-name "${keyvault}" | jq ".[] | [.name, .attributes.expires] | @tsv" -r)
 }
diff --git a/scripts/rotate-secrets/rotate-secrets.sh b/scripts/rotate-secrets/rotate-secrets.sh
index 6af3c03f0..bdc5395b1 100755
--- a/scripts/rotate-secrets/rotate-secrets.sh
+++ b/scripts/rotate-secrets/rotate-secrets.sh
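Review bot: The changed `done` line in lib_keyvault.sh now depends on `keyvault`, which is assigned somewhere above the hunk (keyvault_list_secrets starts outside it), and nothing visible rejects an empty value: `az keyvault secret list --vault-name ""` fails on stderr, the process substitution produces no lines, and the while loop prints no secrets, which reads like an empty expiry report rather than an error. A guard at the top of the function, `: "${keyvault:?keyvault_list_secrets: key vault name is required}"`, turns that into an abort with a message. Since the line replaces a hard-coded `radix-keyv-dev`, earlier runs in other zones were reporting on the dev vault, so the first run of the corrected report per zone deserves a manual read-through.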
@@ -20,6 +20,7 @@ normal=$(tput sgr0)
 # Optional:
 # - UPDATE_SECRETS : Rotate expired secrets. Defaults to false.
+# - FORCE_UPDATE : Force Rotate expired secrets. Defaults to false.
 # - USER_PROMPT : Is human interaction required to run script? true/false. Default is true.
 #######################################################################################
@@ -54,7 +55,8 @@ setup_cluster_access "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" ||
 ###
 USER_PROMPT=${USER_PROMPT:=true}
-UPDATE_SECRETS=${UPDATE_SECRETS:=true}
+UPDATE_SECRETS=${UPDATE_SECRETS:=false}
+FORCE_UPDATE=${FORCE_UPDATE:=false}
 KEY_VAULT="radix-keyv-${RADIX_ZONE}"
 if [[ "${RADIX_ZONE}" == "prod" ]]; then
 KEY_VAULT="radix-keyv-platform"
@@ -77,6 +79,7 @@ echo -e ""
 echo -e " > WHAT:"
 echo -e " -------------------------------------------------------------------"
 echo -e " - UPDATE_SECRETS : $UPDATE_SECRETS"
+echo -e " - FORCE_UPDATE : $FORCE_UPDATE"
 echo -e ""
 echo -e " > WHO:"
 echo -e " -------------------------------------------------------------------"
@@ -111,7 +114,7 @@ do
 printf "%s► Execute %s%s\n" "${grn}" "$script" "${normal}"
- (RADIX_ZONE_ENV=${RADIX_ZONE_ENV} CLUSTER_NAME=${CLUSTER_NAME} UPDATE_SECRETS=${UPDATE_SECRETS} KEY_VAULT=${KEY_VAULT} USER_PROMPT=false source $script)
+ (RADIX_ZONE_ENV="${RADIX_ZONE_ENV}" FORCE_UPDATE="${FORCE_UPDATE}" CLUSTER_NAME="${CLUSTER_NAME}" UPDATE_SECRETS="${UPDATE_SECRETS}" KEY_VAULT="${KEY_VAULT}" USER_PROMPT="false" source $script)
 status=$?
 if [ $status -ne 0 ]; then
 printf "%s💥 Exited with code: %d %s\n" ${red} $status ${normal}
diff --git a/scripts/rotate-secrets/services/vulnerability-scan-reader.sh b/scripts/rotate-secrets/services/vulnerability-scan-reader.sh
index 0bd310ac8..583796b1d 100755
--- a/scripts/rotate-secrets/services/vulnerability-scan-reader.sh
+++ b/scripts/rotate-secrets/services/vulnerability-scan-reader.sh
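Review bot: The added header line `# - FORCE_UPDATE : Force Rotate expired secrets. Defaults to false.` misstates what the flag does: in the reader and writer hunks FORCE_UPDATE=true skips the expiry check entirely, so it rotates secrets that have not expired. Suggest `# - FORCE_UPDATE : Rotate the secret even if it has not expired. Defaults to false.` here and in the identical `@@ -27,6 +27,7 @@` hunks of vulnerability-scan-reader.sh and vulnerability-scan-writer.sh. The next hunk also flips the UPDATE_SECRETS default from true to false, which changes the behaviour of an existing flag and is not mentioned in the commit message; it belongs there.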
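Review bot: `source $script` on the rewritten line in the `@@ -111,7 +114,7 @@` hunk is still unquoted although every other expansion on that line was quoted by this commit; a path containing whitespace would word-split, so `source "$script"`. The same line now forwards FORCE_UPDATE to every service script the surrounding loop sources (the loop header is outside the hunk), so a single environment variable forces rotation of every secret in the run rather than one; the value is shown in the `> WHAT:` summary, which helps, but the header comment should say the flag applies to all services.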
@@ -27,6 +27,7 @@ normal=$(tput sgr0)
 # Optional:
 # - UPDATE_SECRETS : Rotate expired secrets. Defaults to false.
+# - FORCE_UPDATE : Force Rotate expired secrets. Defaults to false.
 # - USER_PROMPT : Is human interaction required to run script? true/false. Default is true.
 #######################################################################################
@@ -60,6 +61,7 @@ setup_cluster_access "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" ||
 USER_PROMPT=${USER_PROMPT:=true}
 UPDATE_SECRETS=${UPDATE_SECRETS:=false}
+FORCE_UPDATE=${FORCE_UPDATE:=false}
 KEY_VAULT="radix-keyv-${RADIX_ZONE}"
 if [[ "${RADIX_ZONE}" == "prod" ]]; then
@@ -80,6 +82,7 @@ echo -e ""
 echo -e " > WHAT:"
 echo -e " ------------------------------------------------------------------"
 echo -e " - UPDATE_SECRETS : $UPDATE_SECRETS"
+echo -e " - FORCE_UPDATE : $FORCE_UPDATE"
 echo -e " - DB_USER : $VULNERABILITY_SCAN_SQL_API_USER"
 echo -e " - SECRET : $KV_SECRET_VULNERABILITY_SCAN_DB_API"
 echo -e ""
@@ -100,7 +103,7 @@ user_prompt_continue || exit 1
 secretShouldUpdate=false
-secretExists=$(keyvault_secret_exist ${KEY_VAULT} "${KV_SECRET_VULNERABILITY_SCAN_DB_API}test")
+secretExists=$(keyvault_secret_exist ${KEY_VAULT} "${KV_SECRET_VULNERABILITY_SCAN_DB_API}")
 if [ $secretExists -eq 1 ]; then
 secretShouldUpdate=true
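Review bot: On the changed line of the `@@ -100,7 +103,7 @@` hunk `${KEY_VAULT}` is still passed unquoted to keyvault_secret_exist while the secret name beside it is quoted, and this commit quotes the same variable in rotate-secrets.sh; make it `secretExists=$(keyvault_secret_exist "${KEY_VAULT}" "${KV_SECRET_VULNERABILITY_SCAN_DB_API}")`. The removed `test` suffix means the previous version looked up a name that does not match the configured secret, so the existence result of earlier runs of this script was not meaningful and the `[ $secretExists -eq 1 ]` path below should be re-checked once against the real secret. That test, a context line, also errors out under `[` if keyvault_secret_exist prints nothing, which is worth a `"${secretExists:-0}"` if the helper can fail.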
@@ -116,15 +119,18 @@ else
 exit 2
 fi;
+if [ $FORCE_UPDATE != "true" ]; then
+ if [ $secretShouldUpdate == "false" ]; then
+ printf "No outdated secrets. Secret expires in %s%s%s days\n" $grn "${expiry}" $normal
+ exit 0
+ fi;
-if [ $secretShouldUpdate == "false" ]; then
- printf "No outdated secrets. Secret expires in %s%s%s days\n" $grn "${expiry}" $normal
- exit 0
-fi;
-
-if [ $UPDATE_SECRETS != "true" ]; then
- printf "Secrets should be updated Run with UPDATE_SECRETS=true to update.\n"
- exit 1
+ if [ $UPDATE_SECRETS != "true" ]; then
+ printf "Secrets should be updated Run with UPDATE_SECRETS=true to update.\n"
+ exit 1
+ fi;
+else
+ printf "%sForce update secret!%s\n" $yel $normal
 fi;
 printf "Generating password... "
diff --git a/scripts/rotate-secrets/services/vulnerability-scan-writer.sh b/scripts/rotate-secrets/services/vulnerability-scan-writer.sh
index a76e5d5d0..f265bb0fe 100755
--- a/scripts/rotate-secrets/services/vulnerability-scan-writer.sh
+++ b/scripts/rotate-secrets/services/vulnerability-scan-writer.sh
@@ -27,6 +27,7 @@ normal=$(tput sgr0)
 # Optional:
 # - UPDATE_SECRETS : Rotate expired secrets. Defaults to false.
+# - FORCE_UPDATE : Force Rotate expired secrets. Defaults to false.
 # - USER_PROMPT : Is human interaction required to run script? true/false. Default is true.
 #######################################################################################
@@ -60,6 +61,7 @@ setup_cluster_access "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" ||
 USER_PROMPT=${USER_PROMPT:=true}
 UPDATE_SECRETS=${UPDATE_SECRETS:=false}
+FORCE_UPDATE=${FORCE_UPDATE:=false}
 KEY_VAULT="radix-keyv-${RADIX_ZONE}"
 if [[ "${RADIX_ZONE}" == "prod" ]]; then
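Review bot: In the new block FORCE_UPDATE=true takes the `else` branch and falls straight through to `printf "Generating password... "`, so it bypasses the UPDATE_SECRETS gate as well as the expiry check; with the parent's UPDATE_SECRETS default now false, one FORCE_UPDATE=true rotates the credential with no second switch and no "dry run" stop. If that is not intended, keep the UPDATE_SECRETS check outside the FORCE_UPDATE branch as sketched below; the identical structure is in the `@@ -117,14 +120,18 @@` hunk of vulnerability-scan-writer.sh. The new tests also leave `$FORCE_UPDATE`, `$secretShouldUpdate` and `$UPDATE_SECRETS` unquoted inside `[ ]`, and `$yel` in the force message is presumably defined next to `grn` and `red` in the header above the hunk, which is worth confirming because an undefined colour variable only drops the escape rather than failing.
```shell
if [ "${FORCE_UPDATE}" == "true" ]; then
  printf "%sForce update secret!%s\n" $yel $normal
elif [ "${secretShouldUpdate}" == "false" ]; then
  printf "No outdated secrets. Secret expires in %s%s%s days\n" $grn "${expiry}" $normal
  exit 0
fi;
# UPDATE_SECRETS gates the write in both the forced and the expired case
if [ "${UPDATE_SECRETS}" != "true" ]; then
  printf "Secrets should be updated Run with UPDATE_SECRETS=true to update.\n"
  exit 1
fi;
# … unchanged: password generation …
```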
@@ -80,6 +82,7 @@ echo -e ""
 echo -e " > WHAT:"
 echo -e " ------------------------------------------------------------------"
 echo -e " - UPDATE_SECRETS : $UPDATE_SECRETS"
+echo -e " - FORCE_UPDATE : $FORCE_UPDATE"
 echo -e " - DB_USER : $VULNERABILITY_SCAN_SQL_SCANNER_USER"
 echo -e " - SECRET : $KV_SECRET_VULNERABILITY_SCAN_DB_WRITER"
 echo -e ""
@@ -117,14 +120,18 @@ else
 fi;
-if [ $secretShouldUpdate == "false" ]; then
- printf "No outdated secrets. Secret expires in %s%s%s days\n" $grn "${expiry}" $normal
- exit 0
-fi;
+if [ $FORCE_UPDATE != "true" ]; then
+ if [ $secretShouldUpdate == "false" ]; then
+ printf "No outdated secrets. Secret expires in %s%s%s days\n" $grn "${expiry}" $normal
+ exit 0
+ fi;
-if [ $UPDATE_SECRETS != "true" ]; then
- printf "Secrets should be updated Run with UPDATE_SECRETS=true to update.\n"
- exit 1
+ if [ $UPDATE_SECRETS != "true" ]; then
+ printf "Secrets should be updated Run with UPDATE_SECRETS=true to update.\n"
+ exit 1
+ fi;
+else
+ printf "%sForce update secret!%s\n" $yel $normal
 fi;
 printf "Generating password... "
@@ -166,7 +173,7 @@ printf "Done.\n"
 printf "Refresh secret in cluster... "
-kubectl annotate externalsecret --namespace=radix-vulnerability-scanner vulnerability-scanner-chart-values-test force-sync=$(date +%s) --overwrite > /dev/null || { echo "ERROR: Failed to trigger secret refresh" >&2; exit 1; }
+kubectl annotate externalsecret --namespace=radix-vulnerability-scanner vulnerability-scanner-chart-values force-sync=$(date +%s) --overwrite > /dev/null || { echo "ERROR: Failed to trigger secret refresh" >&2; exit 1; }
 sleep 1 # Lets give ESO some time to sync secret
 printf "Done.\n"