Merge branch 'main' into marrobi/issue4099
marrobi authored Nov 11, 2024
2 parents 3c3cdfa + 35cd559 commit 77fafe8
Showing 32 changed files with 111 additions and 160 deletions.
3 changes: 0 additions & 3 deletions .github/actions/devcontainer_run_command/action.yml
Expand Up @@ -186,9 +186,6 @@ runs:
-e TF_INPUT="0" \
-e TF_IN_AUTOMATION="1" \
-e USE_ENV_VARS_NOT_FILES="true" \
-e ARM_STORAGE_USE_AZUREAD="true" \
-e ARM_USE_AZUREAD="true" \
-e ARM_USE_OIDC="true" \
-e BUNDLE_TYPE="${{ inputs.BUNDLE_TYPE }}" \
-e WORKSPACE_SERVICE_NAME="${{ inputs.WORKSPACE_SERVICE_NAME }}" \
-e ARM_ENVIRONMENT="${{ env.ARM_ENVIRONMENT }}" \
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -6,7 +6,8 @@
FEATURES:

ENHANCEMENTS:
* Split log entries with [Log chunk X of Y] for better readability. ([#3992](https://github.com/microsoft/AzureTRE/issues/3992))
* Key Vaults should use RBAC instead of access policies for access control ([#4000](https://github.com/microsoft/AzureTRE/issues/4000))
* Split log entries with [Log chunk X of Y] for better readability. ([[#3992](https://github.com/microsoft/AzureTRE/issues/3992)
* Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
* Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
* Consolidate Terraform upgrade scripts ([#4099](https://github.com/microsoft/AzureTRE/issues/4099))
16 changes: 4 additions & 12 deletions core/terraform/appgateway/certificate.tf
@@ -1,15 +1,7 @@
resource "azurerm_key_vault_access_policy" "app_gw_managed_identity" {
key_vault_id = var.keyvault_id
tenant_id = azurerm_user_assigned_identity.agw_id.tenant_id
object_id = azurerm_user_assigned_identity.agw_id.principal_id

key_permissions = [
"Get",
]

secret_permissions = [
"Get",
]
resource "azurerm_role_assignment" "keyvault_appgw_role" {
scope = var.keyvault_id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.agw_id.principal_id // id-agw-<TRE_ID>
}

resource "azurerm_key_vault_certificate" "tlscert" {
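Review bot: The application gateway that consumes the certificate sits outside this hunk, and nothing visible here ties its creation to the new `azurerm_role_assignment.keyvault_appgw_role`; if the gateway does not reference it, Terraform may create the gateway before the `Key Vault Secrets User` assignment exists and the certificate fetch from Key Vault fails with a 403. Adding `azurerm_role_assignment.keyvault_appgw_role` to the gateway's `depends_on` would mirror what this same commit does in templates/shared_services/certs/terraform/appgateway.tf. Azure RBAC assignments are applied asynchronously, so even with the dependency a first read can race the propagation and a retry on the consuming resource may still be needed. Dropping the old `key_permissions = ["Get"]` looks safe because the gateway reads the certificate through its secret, but that is inferred rather than visible in the hunk.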
2 changes: 1 addition & 1 deletion core/terraform/cosmos_mongo.tf
Expand Up @@ -97,7 +97,7 @@ resource "azurerm_key_vault_secret" "cosmos_mongo_connstr" {
key_vault_id = azurerm_key_vault.kv.id
tags = local.tre_core_tags
depends_on = [
azurerm_key_vault_access_policy.deployer
azurerm_role_assignment.keyvault_deployer_role
]

lifecycle { ignore_changes = [tags] }
50 changes: 21 additions & 29 deletions core/terraform/keyvault.tf
@@ -1,34 +1,26 @@
resource "azurerm_key_vault" "kv" {
name = "kv-${var.tre_id}"
tenant_id = data.azurerm_client_config.current.tenant_id
location = azurerm_resource_group.core.location
resource_group_name = azurerm_resource_group.core.name
sku_name = "standard"
purge_protection_enabled = var.kv_purge_protection_enabled
tags = local.tre_core_tags
name = "kv-${var.tre_id}"
tenant_id = data.azurerm_client_config.current.tenant_id
location = azurerm_resource_group.core.location
resource_group_name = azurerm_resource_group.core.name
sku_name = "standard"
enable_rbac_authorization = true
purge_protection_enabled = var.kv_purge_protection_enabled
tags = local.tre_core_tags

lifecycle { ignore_changes = [access_policy, tags] }
}

resource "azurerm_key_vault_access_policy" "deployer" {
key_vault_id = azurerm_key_vault.kv.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id

key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover"]
secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Purge", "Recover"]
storage_permissions = ["Get", "List", "Update", "Delete"]
resource "azurerm_role_assignment" "keyvault_deployer_role" {
scope = azurerm_key_vault.kv.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id // deployer - either CICD service principal or local user
}

resource "azurerm_key_vault_access_policy" "managed_identity" {
key_vault_id = azurerm_key_vault.kv.id
tenant_id = azurerm_user_assigned_identity.id.tenant_id
object_id = azurerm_user_assigned_identity.id.principal_id

key_permissions = ["Get", "List", ]
secret_permissions = ["Get", "List", ]
certificate_permissions = ["Get", "List", ]
resource "azurerm_role_assignment" "keyvault_apiidentity_role" {
scope = azurerm_key_vault.kv.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.id.principal_id // id-api-<TRE_ID>
}

data "azurerm_private_dns_zone" "vaultcore" {
Expand Down Expand Up @@ -68,7 +60,7 @@ resource "azurerm_key_vault_secret" "api_client_id" {
key_vault_id = azurerm_key_vault.kv.id
tags = local.tre_core_tags
depends_on = [
azurerm_key_vault_access_policy.deployer
azurerm_role_assignment.keyvault_deployer_role
]

lifecycle { ignore_changes = [tags] }
Expand All @@ -80,7 +72,7 @@ resource "azurerm_key_vault_secret" "api_client_secret" {
key_vault_id = azurerm_key_vault.kv.id
tags = local.tre_core_tags
depends_on = [
azurerm_key_vault_access_policy.deployer
azurerm_role_assignment.keyvault_deployer_role
]

lifecycle { ignore_changes = [tags] }
Expand All @@ -92,7 +84,7 @@ resource "azurerm_key_vault_secret" "auth_tenant_id" {
key_vault_id = azurerm_key_vault.kv.id
tags = local.tre_core_tags
depends_on = [
azurerm_key_vault_access_policy.deployer
azurerm_role_assignment.keyvault_deployer_role
]

lifecycle { ignore_changes = [tags] }
Expand All @@ -104,7 +96,7 @@ resource "azurerm_key_vault_secret" "application_admin_client_id" {
key_vault_id = azurerm_key_vault.kv.id
tags = local.tre_core_tags
depends_on = [
azurerm_key_vault_access_policy.deployer
azurerm_role_assignment.keyvault_deployer_role
]

lifecycle { ignore_changes = [tags] }
Expand All @@ -116,7 +108,7 @@ resource "azurerm_key_vault_secret" "application_admin_client_secret" {
key_vault_id = azurerm_key_vault.kv.id
tags = local.tre_core_tags
depends_on = [
azurerm_key_vault_access_policy.deployer
azurerm_role_assignment.keyvault_deployer_role
]

lifecycle { ignore_changes = [tags] }
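Review bot: The API identity's grant narrows from key, secret and certificate Get/List under the removed `managed_identity` policy to `Key Vault Secrets User` in `keyvault_apiidentity_role`, which covers secrets only; if the API reads certificates or keys from this vault (not visible here) it will now receive 403s, so the reduction deserves a comment on the assignment such as `// API reads secrets only; keys/certificates intentionally not granted`. With `enable_rbac_authorization = true` the `access_policy` entry in `lifecycle { ignore_changes = [access_policy, tags] }` is inert for new vaults, but it also means access policies left on already-deployed vaults are never cleaned up by Terraform, which is worth a line in the upgrade notes. The deployer's own `azurerm_key_vault_secret` writes run in the same apply as the `keyvault_deployer_role` assignment, and `depends_on` orders the API calls but does not wait for RBAC propagation, so a first-time deployment may need a retry on those secret resources.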
4 changes: 2 additions & 2 deletions core/terraform/main.tf
Expand Up @@ -104,7 +104,7 @@ module "appgateway" {
depends_on = [
module.network,
azurerm_key_vault.kv,
azurerm_key_vault_access_policy.deployer,
azurerm_role_assignment.keyvault_deployer_role,
azurerm_private_endpoint.api_private_endpoint
]
}
Expand Down Expand Up @@ -175,7 +175,7 @@ module "resource_processor_vmss_porter" {
module.network,
module.azure_monitor,
azurerm_key_vault.kv,
azurerm_key_vault_access_policy.deployer
azurerm_role_assignment.keyvault_deployer_role
]
}

10 changes: 0 additions & 10 deletions core/terraform/modules_move_definitions.tf
Expand Up @@ -148,16 +148,6 @@ moved {
to = azurerm_key_vault.kv
}

moved {
from = module.keyvault.azurerm_key_vault_access_policy.deployer
to = azurerm_key_vault_access_policy.deployer
}

moved {
from = module.keyvault.azurerm_key_vault_access_policy.managed_identity
to = azurerm_key_vault_access_policy.managed_identity
}

moved {
from = module.keyvault.azurerm_private_endpoint.kvpe
to = azurerm_private_endpoint.kvpe
11 changes: 4 additions & 7 deletions core/terraform/resource_processor/vmss_porter/main.tf
Expand Up @@ -189,13 +189,10 @@ resource "azurerm_role_assignment" "subscription_contributor" {
principal_id = azurerm_user_assigned_identity.vmss_msi.principal_id
}

resource "azurerm_key_vault_access_policy" "resource_processor" {
key_vault_id = var.key_vault_id
tenant_id = azurerm_user_assigned_identity.vmss_msi.tenant_id
object_id = azurerm_user_assigned_identity.vmss_msi.principal_id

secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
certificate_permissions = ["Get", "Recover", "Import", "Delete", "Purge"]
resource "azurerm_role_assignment" "keyvault_vmss_role" {
scope = var.key_vault_id
role_definition_name = "Key Vault Administrator"
principal_id = azurerm_user_assigned_identity.vmss_msi.principal_id // id-vmss-<TRE_ID>
}

module "terraform_azurerm_environment_configuration" {
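Review bot: `keyvault_vmss_role` grants the resource processor identity `Key Vault Administrator`, which includes full key management, whereas the removed `resource_processor` policy gave it no key permissions at all (only secrets Get/List/Set/Delete/Purge/Recover and certificates Get/Recover/Import/Delete/Purge). If keys are not needed by the bundles it runs, the built-in `Key Vault Secrets Officer` plus `Key Vault Certificates Officer` pair reproduces the previous scope more closely at the cost of a second `azurerm_role_assignment` resource. Note also that `Key Vault Administrator` does not include `Microsoft.Authorization/roleAssignments/write`, so it does not by itself let this identity create the `azurerm_role_assignment` resources the shared-service templates in this commit now contain; that right has to come from a control-plane role that is not visible in this hunk.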
2 changes: 1 addition & 1 deletion core/version.txt
@@ -1 +1 @@
__version__ = "0.10.13"
__version__ = "0.11.1"
5 changes: 5 additions & 0 deletions devops/scripts/check_dependencies.sh
Expand Up @@ -72,6 +72,11 @@ export SUB_ID
TENANT_ID=$(az account show --query tenantId -o tsv)
export TENANT_ID

# Configure AzureRM provider and backend to use Azure AD to connect to storage accounts
export ARM_STORAGE_USE_AZUREAD=true
export ARM_USE_AZUREAD=true
export ARM_USE_OIDC=true

if [ -z "$SUB_NAME" ]; then
echo -e "\n\e[31m»»» ⚠️ You are not logged in to Azure!"
exit 1
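Review bot: These three exports become the only place the Azure AD storage authentication settings are set, since devops/scripts/load_and_validate_env.sh drops them and .github/actions/devcontainer_run_command/action.yml stops forwarding them into the container; any Terraform run that does not source this script first falls back to storage-account-key access for the backend, which is the path the change is trying to retire. If every entry point does source it, a comment saying so here would help, e.g. `# All terraform entry points source this script; do not set these elsewhere`; if not, the GitHub Action may need them restored. Whether the CI path runs this script inside the container is not visible in this diff. Exporting `ARM_USE_OIDC=true` unconditionally for local `az login` users carries over from the old location, so there is no new behaviour there.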
5 changes: 0 additions & 5 deletions devops/scripts/load_and_validate_env.sh
Expand Up @@ -83,11 +83,6 @@ else

TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}")
export TRE_URL

# Configure AzureRM provider and backend to use Azure AD to connect to storage accounts
export ARM_STORAGE_USE_AZUREAD=true
export ARM_USE_AZUREAD=true
export ARM_USE_OIDC=true
fi

# if local debugging is configured, then set vars required by ~/.porter/config.yaml
2 changes: 1 addition & 1 deletion devops/terraform/bootstrap.sh
Expand Up @@ -15,7 +15,7 @@ az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \

# Grant user blob data contributor permissions
echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
if [ -n "$ARM_CLIENT_ID" ]; then
if [ -n "${ARM_CLIENT_ID:-}" ]; then
USER_OBJECT_ID=$(az ad sp show --id "$ARM_CLIENT_ID" --query id --output tsv)
else
USER_OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)
2 changes: 1 addition & 1 deletion templates/shared_services/certs/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-shared-service-certs
version: 0.5.6
version: 0.6.0
description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
registry: azuretre
dockerfile: Dockerfile.tmpl
2 changes: 1 addition & 1 deletion templates/shared_services/certs/terraform/appgateway.tf
Expand Up @@ -162,6 +162,6 @@ resource "azurerm_application_gateway" "agw" {
}

depends_on = [
azurerm_key_vault_access_policy.app_gw_managed_identity,
azurerm_role_assignment.keyvault_appgwcerts_role,
]
}
11 changes: 4 additions & 7 deletions templates/shared_services/certs/terraform/certificate.tf
@@ -1,10 +1,7 @@
resource "azurerm_key_vault_access_policy" "app_gw_managed_identity" {
key_vault_id = data.azurerm_key_vault.key_vault.id
tenant_id = azurerm_user_assigned_identity.agw_id.tenant_id
object_id = azurerm_user_assigned_identity.agw_id.principal_id

key_permissions = ["Get"]
secret_permissions = ["Get"]
resource "azurerm_role_assignment" "keyvault_appgwcerts_role" {
scope = data.azurerm_key_vault.key_vault.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.agw_id.principal_id
}

resource "azurerm_key_vault_certificate" "tlscert" {
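Review bot: This template presumably applies under the resource processor identity, and creating `azurerm_role_assignment.keyvault_appgwcerts_role` requires `Microsoft.Authorization/roleAssignments/write` on the vault, which Contributor does not carry; the `subscription_contributor` assignment visible in core/terraform/resource_processor/vmss_porter/main.tf suggests that identity may hold only Contributor, so unless it also has Owner or User Access Administrator at the vault or resource-group scope the apply will fail with AuthorizationFailed. The same question applies to the new assignments in templates/shared_services/gitea/terraform/gitea-webapp.tf, templates/shared_services/sonatype-nexus-vm/terraform/vm.tf and templates/workspace_services/gitea/terraform/gitea-webapp.tf. Whether that permission already exists is not visible in this diff; if it does, a one-line comment on the assignment naming the identity that creates it would save the next reader the same check.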
2 changes: 1 addition & 1 deletion templates/shared_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-shared-service-gitea
version: 1.0.6
version: 1.1.0
description: "A Gitea shared service"
dockerfile: Dockerfile.tmpl
registry: azuretre
12 changes: 5 additions & 7 deletions templates/shared_services/gitea/terraform/gitea-webapp.tf
Expand Up @@ -141,12 +141,10 @@ resource "azurerm_monitor_diagnostic_setting" "webapp_gitea" {
}
}

resource "azurerm_key_vault_access_policy" "gitea_policy" {
key_vault_id = data.azurerm_key_vault.keyvault.id
tenant_id = azurerm_user_assigned_identity.gitea_id.tenant_id
object_id = azurerm_user_assigned_identity.gitea_id.principal_id

secret_permissions = ["Get", "List", ]
resource "azurerm_role_assignment" "keyvault_gitea_role" {
scope = data.azurerm_key_vault.keyvault.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.gitea_id.principal_id
}

resource "azurerm_key_vault_secret" "gitea_password" {
Expand All @@ -156,7 +154,7 @@ resource "azurerm_key_vault_secret" "gitea_password" {
tags = local.tre_shared_service_tags

depends_on = [
azurerm_key_vault_access_policy.gitea_policy
azurerm_role_assignment.keyvault_gitea_role
]

lifecycle { ignore_changes = [tags] }
2 changes: 1 addition & 1 deletion templates/shared_services/gitea/terraform/mysql.tf
Expand Up @@ -65,7 +65,7 @@ resource "azurerm_key_vault_secret" "db_password" {
tags = local.tre_shared_service_tags

depends_on = [
azurerm_key_vault_access_policy.gitea_policy
azurerm_role_assignment.keyvault_gitea_role
]

lifecycle { ignore_changes = [tags] }
2 changes: 1 addition & 1 deletion templates/shared_services/sonatype-nexus-vm/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-shared-service-sonatype-nexus
version: 3.0.4
version: 3.1.0
description: "A Sonatype Nexus shared service"
dockerfile: Dockerfile.tmpl
registry: azuretre
12 changes: 5 additions & 7 deletions templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
Expand Up @@ -87,12 +87,10 @@ resource "azurerm_user_assigned_identity" "nexus_msi" {
lifecycle { ignore_changes = [tags] }
}

resource "azurerm_key_vault_access_policy" "nexus_msi" {
key_vault_id = data.azurerm_key_vault.kv.id
tenant_id = azurerm_user_assigned_identity.nexus_msi.tenant_id
object_id = azurerm_user_assigned_identity.nexus_msi.principal_id

secret_permissions = ["Get", "List"]
resource "azurerm_role_assignment" "keyvault_nexus_role" {
scope = data.azurerm_key_vault.kv.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.nexus_msi.principal_id
}

resource "azurerm_linux_virtual_machine" "nexus" {
Expand Down Expand Up @@ -134,7 +132,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
}

depends_on = [
azurerm_key_vault_access_policy.nexus_msi
azurerm_role_assignment.keyvault_nexus_role
]

connection {
2 changes: 1 addition & 1 deletion templates/workspace_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-workspace-service-gitea
version: 1.0.8
version: 1.1.0
description: "A Gitea workspace service"
dockerfile: Dockerfile.tmpl
registry: azuretre
12 changes: 5 additions & 7 deletions templates/workspace_services/gitea/terraform/gitea-webapp.tf
Expand Up @@ -150,12 +150,10 @@ resource "azurerm_monitor_diagnostic_setting" "gitea" {
}
}

resource "azurerm_key_vault_access_policy" "gitea_policy" {
key_vault_id = data.azurerm_key_vault.ws.id
tenant_id = azurerm_user_assigned_identity.gitea_id.tenant_id
object_id = azurerm_user_assigned_identity.gitea_id.principal_id

secret_permissions = ["Get", "List", ]
resource "azurerm_role_assignment" "keyvault_gitea_ws_role" {
scope = data.azurerm_key_vault.ws.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.gitea_id.principal_id
}

resource "azurerm_key_vault_secret" "gitea_password" {
Expand All @@ -165,7 +163,7 @@ resource "azurerm_key_vault_secret" "gitea_password" {
tags = local.workspace_service_tags

depends_on = [
azurerm_key_vault_access_policy.gitea_policy
azurerm_role_assignment.keyvault_gitea_ws_role
]

lifecycle { ignore_changes = [tags] }
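Review bot: `keyvault_gitea_ws_role` is scoped to the workspace vault `data.azurerm_key_vault.ws.id`, and an Azure RBAC assignment only takes effect on a vault that has `enable_rbac_authorization = true`; the core vault gets that flag in this commit, but the workspace vault's definition is not among the file sections loaded on this page, so if it is still in access-policy mode this assignment grants nothing while the removed `gitea_policy` was the only data-plane grant, and the Gitea identity loses read access to `gitea_password` and the MySQL secret. Confirm that the workspace template's vault is already RBAC-enabled or is switched in one of the files not shown here, and ship the two changes together so an upgrade never leaves the service without a grant. The same check applies to the `data.azurerm_key_vault.keyvault` and `.kv` references in the shared-service templates, which presumably resolve to the core vault.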
2 changes: 1 addition & 1 deletion templates/workspace_services/gitea/terraform/mysql.tf
Expand Up @@ -65,7 +65,7 @@ resource "azurerm_key_vault_secret" "db_password" {
tags = local.workspace_service_tags

depends_on = [
azurerm_key_vault_access_policy.gitea_policy
azurerm_role_assignment.keyvault_gitea_ws_role
]

lifecycle { ignore_changes = [tags] }
2 changes: 1 addition & 1 deletion templates/workspace_services/guacamole/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-service-guacamole
version: 0.10.12
version: 0.11.0
description: "An Azure TRE service for Guacamole"
dockerfile: Dockerfile.tmpl
registry: azuretre