This PR is currently under "semi-active" development and is expected to be "ready for review" later this week. I’d prefer to keep it open in the meantime, and I warmly welcome any comments, suggestions, or feedback—your input is greatly appreciated. The reason it has remained in draft status for so long is due to a slight shift in priorities and some challenges with testing.

There should not be three commits like these, first doing one thing and then reverting it. Likely the correct thing to do is to combine them to one commit. In any case they should be reworked.

We can rework or squash. Either way is fine for me.

github action checks fail due to terraform formatting issues.
Fix the format by running: terraform fmt -recursive in nix devshell.
Also, you might want to make sure the nix flake check passes locally before pushing.

github action checks fail due to terraform formatting issues. Fix the format by running: terraform fmt -recursive in nix devshell. Also, you might want to make sure the nix flake check passes locally before pushing.

ACK. Will do. Thank you!

Two questions/comments after testing the changes from this PR:

(1) This PR adds the signing keyvault creation, but the added certificates are not used anywhere, right? What's the plan on actually using these certificates later on?

(2) After the changes from this PR, the infra can not be destroyed following the instructions from https://github.com/tiiuae/ghaf-infra/tree/main/terraform#destroying-ghaf-infra-environment or by using the -d option in the terraform-init.sh due to:

╷
│ Error: deleting Certificate "INT-Ghaf-Devenv-Image" (Key Vault "https://ghaf-sig-kv-henri.vault.azure.net/"):
 keyvault.BaseClient#DeleteCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: 
Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 
'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=f0fc8f23-38a8-41a2-8188-eb037f0df2a0;numgroups=3;iss=https://sts.windows.net/26bb3a23-759b-4cff-91f4-eeec608e777f/' 
does not have certificates delete permission on key vault 'ghaf-sig-kv-henri;location=northeurope'. 
For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
│ 
│ 
╵
╷
│ Error: deleting Certificate "INT-Ghaf-Devenv-Provenance" (Key Vault "https://ghaf-sig-kv-henri.vault.azure.net/"):
 keyvault.BaseClient#DeleteCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: 
Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 
'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=f0fc8f23-38a8-41a2-8188-eb037f0df2a0;numgroups=3;iss=https://sts.windows.net/26bb3a23-759b-4cff-91f4-eeec608e777f/' 
does not have certificates delete permission on key vault 'ghaf-sig-kv-henri;location=northeurope'. 
For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}

I believe you want to add Delete (and Purge) permission, the same way we currently do with ssh remote builder keyvault. Also, you may need to disable the purge protection.

There should not be three commits like these, first doing one thing and then reverting it. Likely the correct thing to do is to
combine them to one commit. In any case they should be reworked.

I agree, please squash the commits.

Two questions/comments after testing the changes from this PR:

(1) This PR adds the signing keyvault creation, but the added certificates are not used anywhere, right? What's the plan on actually using these certificates later on?

(2) After the changes from this PR, the infra can not be destroyed following the instructions from https://github.com/tiiuae/ghaf-infra/tree/main/terraform#destroying-ghaf-infra-environment or by using the -d option in the terraform-init.sh due to:

╷
│ Error: deleting Certificate "INT-Ghaf-Devenv-Image" (Key Vault "https://ghaf-sig-kv-henri.vault.azure.net/"):
 keyvault.BaseClient#DeleteCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: 
Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 
'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=f0fc8f23-38a8-41a2-8188-eb037f0df2a0;numgroups=3;iss=https://sts.windows.net/26bb3a23-759b-4cff-91f4-eeec608e777f/' 
does not have certificates delete permission on key vault 'ghaf-sig-kv-henri;location=northeurope'. 
For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
│ 
│ 
╵
╷
│ Error: deleting Certificate "INT-Ghaf-Devenv-Provenance" (Key Vault "https://ghaf-sig-kv-henri.vault.azure.net/"):
 keyvault.BaseClient#DeleteCertificate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: 
Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 
'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=f0fc8f23-38a8-41a2-8188-eb037f0df2a0;numgroups=3;iss=https://sts.windows.net/26bb3a23-759b-4cff-91f4-eeec608e777f/' 
does not have certificates delete permission on key vault 'ghaf-sig-kv-henri;location=northeurope'. 
For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}

I believe you want to add Delete (and Purge) permission, the same way we currently do with ssh remote builder keyvault. Also, you may need to disable the purge protection.

Good point. Will fix & retest. Thanks!

There should not be three commits like these, first doing one thing and then reverting it. Likely the correct thing to do is to
combine them to one commit. In any case they should be reworked.

I agree, please squash the commits.

Just out of curiosity and "for quality and training purposes", what is the difference between manually squashing them now and squashing them before merge by "Squash and Merge"?

Just out of curiosity and "for quality and training purposes", what is the difference between manually squashing them now and squashing them before merge by "Squash and Merge"?

I've never used "Squash and Merge", but some people claim that it doesn't allow manual editing of the commit message, or at least one easily accidentally go by the commit message automatically combined from the squashed commits. Other than that, I'd prefer to see final commit already before hitting Merge for it.

Just out of curiosity and "for quality and training purposes", what is the difference between manually squashing them now and squashing them before merge by "Squash and Merge"?

I've never used "Squash and Merge", but some people claim that it doesn't allow manual editing of the commit message, or at least one easily accidentally go by the commit message automatically combined from the squashed commits. Other than that, I'd prefer to see final commit already before hitting Merge for it.

Ok. Sure. I will manually squash it then.