From 07173fee547bb489763bf52d4f3af3c5d42f06b3 Mon Sep 17 00:00:00 2001 From: Jonny Rylands Date: Fri, 8 Nov 2024 14:23:40 +0000 Subject: [PATCH 1/4] Change Key Vault to use RBAC instead of Access Policies (#4115) --- CHANGELOG.md | 1 + core/terraform/appgateway/certificate.tf | 16 ++---- core/terraform/cosmos_mongo.tf | 2 +- core/terraform/keyvault.tf | 50 ++++++++----------- core/terraform/main.tf | 4 +- core/terraform/modules_move_definitions.tf | 10 ---- .../resource_processor/vmss_porter/main.tf | 11 ++-- core/version.txt | 2 +- templates/shared_services/certs/porter.yaml | 2 +- .../certs/terraform/appgateway.tf | 2 +- .../certs/terraform/certificate.tf | 11 ++-- templates/shared_services/gitea/porter.yaml | 2 +- .../gitea/terraform/gitea-webapp.tf | 12 ++--- .../shared_services/gitea/terraform/mysql.tf | 2 +- .../sonatype-nexus-vm/porter.yaml | 2 +- .../sonatype-nexus-vm/terraform/vm.tf | 12 ++--- .../workspace_services/gitea/porter.yaml | 2 +- .../gitea/terraform/gitea-webapp.tf | 12 ++--- .../gitea/terraform/mysql.tf | 2 +- .../workspace_services/guacamole/porter.yaml | 2 +- .../guacamole/terraform/web_app.tf | 12 ++--- .../workspace_services/mlflow/porter.yaml | 2 +- .../mlflow/terraform/web_app.tf | 12 ++--- .../workspace_services/ohdsi/porter.yaml | 2 +- .../ohdsi/terraform/ohdsi_web_api.tf | 12 ++--- templates/workspaces/base/porter.yaml | 2 +- .../workspaces/base/terraform/keyvault.tf | 49 +++++++++--------- .../workspaces/base/terraform/workspace.tf | 4 +- 28 files changed, 104 insertions(+), 150 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4898f1f5ee..236f0e2055 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,7 @@ FEATURES: ENHANCEMENTS: +* Key Vaults should use RBAC instead of access policies for access control ([#4000](https://github.com/microsoft/AzureTRE/issues/4000)) * Split log entries with [Log chunk X of Y] for better readability. ([[#3992](https://github.com/microsoft/AzureTRE/issues/3992) * Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111)) * Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103)) diff --git a/core/terraform/appgateway/certificate.tf b/core/terraform/appgateway/certificate.tf index b2b289ee97..c4f22db149 100644 --- a/core/terraform/appgateway/certificate.tf +++ b/core/terraform/appgateway/certificate.tf @@ -1,15 +1,7 @@ -resource "azurerm_key_vault_access_policy" "app_gw_managed_identity" { - key_vault_id = var.keyvault_id - tenant_id = azurerm_user_assigned_identity.agw_id.tenant_id - object_id = azurerm_user_assigned_identity.agw_id.principal_id - - key_permissions = [ - "Get", - ] - - secret_permissions = [ - "Get", - ] +resource "azurerm_role_assignment" "keyvault_appgw_role" { + scope = var.keyvault_id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.agw_id.principal_id // id-agw- } resource "azurerm_key_vault_certificate" "tlscert" { diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf index fdb90fbf17..6b4f386d09 100644 --- a/core/terraform/cosmos_mongo.tf +++ b/core/terraform/cosmos_mongo.tf @@ -97,7 +97,7 @@ resource "azurerm_key_vault_secret" "cosmos_mongo_connstr" { key_vault_id = azurerm_key_vault.kv.id tags = local.tre_core_tags depends_on = [ - azurerm_key_vault_access_policy.deployer + azurerm_role_assignment.keyvault_deployer_role ] lifecycle { ignore_changes = [tags] } diff --git a/core/terraform/keyvault.tf b/core/terraform/keyvault.tf index 659017dfb0..5d75ae9176 100644 
--- a/core/terraform/keyvault.tf
+++ b/core/terraform/keyvault.tf
@@ -1,34 +1,26 @@ resource "azurerm_key_vault" "kv" { - name = "kv-${var.tre_id}" - tenant_id = data.azurerm_client_config.current.tenant_id - location = azurerm_resource_group.core.location - resource_group_name = azurerm_resource_group.core.name - sku_name = "standard" - purge_protection_enabled = var.kv_purge_protection_enabled - tags = local.tre_core_tags + name = "kv-${var.tre_id}" + tenant_id = data.azurerm_client_config.current.tenant_id + location = azurerm_resource_group.core.location + resource_group_name = azurerm_resource_group.core.name + sku_name = "standard" + enable_rbac_authorization = true + purge_protection_enabled = var.kv_purge_protection_enabled + tags = local.tre_core_tags lifecycle { ignore_changes = [access_policy, tags] } } -resource "azurerm_key_vault_access_policy" "deployer" { - key_vault_id = azurerm_key_vault.kv.id - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = data.azurerm_client_config.current.object_id - - key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover"] - secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"] - certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Purge", "Recover"] - storage_permissions = ["Get", "List", "Update", "Delete"] +resource "azurerm_role_assignment" "keyvault_deployer_role" { + scope = azurerm_key_vault.kv.id + role_definition_name = "Key Vault Administrator" + principal_id = data.azurerm_client_config.current.object_id // deployer - either CICD service principal or local user } -resource "azurerm_key_vault_access_policy" "managed_identity" { - key_vault_id = azurerm_key_vault.kv.id - tenant_id = azurerm_user_assigned_identity.id.tenant_id - object_id = azurerm_user_assigned_identity.id.principal_id - - key_permissions = ["Get", "List", ] - secret_permissions = ["Get", "List", ] - certificate_permissions = ["Get", "List", ] +resource "azurerm_role_assignment" "keyvault_apiidentity_role" { + 
scope = azurerm_key_vault.kv.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.id.principal_id // id-api- } data "azurerm_private_dns_zone" "vaultcore" { @@ -68,7 +60,7 @@ resource "azurerm_key_vault_secret" "api_client_id" { key_vault_id = azurerm_key_vault.kv.id tags = local.tre_core_tags depends_on = [ - azurerm_key_vault_access_policy.deployer + azurerm_role_assignment.keyvault_deployer_role ] lifecycle { ignore_changes = [tags] } @@ -80,7 +72,7 @@ resource "azurerm_key_vault_secret" "api_client_secret" { key_vault_id = azurerm_key_vault.kv.id tags = local.tre_core_tags depends_on = [ - azurerm_key_vault_access_policy.deployer + azurerm_role_assignment.keyvault_deployer_role ] lifecycle { ignore_changes = [tags] } @@ -92,7 +84,7 @@ resource "azurerm_key_vault_secret" "auth_tenant_id" { key_vault_id = azurerm_key_vault.kv.id tags = local.tre_core_tags depends_on = [ - azurerm_key_vault_access_policy.deployer + azurerm_role_assignment.keyvault_deployer_role ] lifecycle { ignore_changes = [tags] } @@ -104,7 +96,7 @@ resource "azurerm_key_vault_secret" "application_admin_client_id" { key_vault_id = azurerm_key_vault.kv.id tags = local.tre_core_tags depends_on = [ - azurerm_key_vault_access_policy.deployer + azurerm_role_assignment.keyvault_deployer_role ] lifecycle { ignore_changes = [tags] } @@ -116,7 +108,7 @@ resource "azurerm_key_vault_secret" "application_admin_client_secret" { key_vault_id = azurerm_key_vault.kv.id tags = local.tre_core_tags depends_on = [ - azurerm_key_vault_access_policy.deployer + azurerm_role_assignment.keyvault_deployer_role ] lifecycle { ignore_changes = [tags] } diff --git a/core/terraform/main.tf b/core/terraform/main.tf index 239e83143a..8eebea1109 100644 --- a/core/terraform/main.tf +++ b/core/terraform/main.tf 
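Review bot: The secret resources later in this file (`api_client_id`, `api_client_secret`, `auth_tenant_id`, `application_admin_*`) still only `depends_on` `azurerm_role_assignment.keyvault_deployer_role`, which orders creation but does not wait for the assignment to take effect; Azure RBAC assignments can take minutes to propagate, so where the old access policy was effective immediately, a fresh deployment can now hit a 403 on the first `azurerm_key_vault_secret` write. Consider gating the secret writes on a short wait after the assignment (the workspace template already uses a `terraform_data.wait_for_dns_vault` resource for a comparable ordering problem), or at least documenting the retry in the deployer role's comment. With `enable_rbac_authorization = true` the `access_policy` entry in `ignore_changes = [access_policy, tags]` is dead weight, since access policies are no longer evaluated; `ignore_changes = [tags]` is enough. If the azurerm provider is pinned to 4.x, `enable_rbac_authorization` has been renamed `rbac_authorization_enabled`, which is worth confirming against the lock file since the "obsolete TF properties" patch in this series does not touch this file.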
@@ -104,7 +104,7 @@ module "appgateway" { depends_on = [ module.network, azurerm_key_vault.kv, - azurerm_key_vault_access_policy.deployer, + azurerm_role_assignment.keyvault_deployer_role, azurerm_private_endpoint.api_private_endpoint ] } @@ -175,7 +175,7 @@ module "resource_processor_vmss_porter" { module.network, module.azure_monitor, azurerm_key_vault.kv, - azurerm_key_vault_access_policy.deployer + azurerm_role_assignment.keyvault_deployer_role ] } diff --git a/core/terraform/modules_move_definitions.tf b/core/terraform/modules_move_definitions.tf index 3634549e2c..e0ffe47e3e 100644 --- a/core/terraform/modules_move_definitions.tf +++ b/core/terraform/modules_move_definitions.tf @@ -148,16 +148,6 @@ moved { to = azurerm_key_vault.kv } -moved { - from = module.keyvault.azurerm_key_vault_access_policy.deployer - to = azurerm_key_vault_access_policy.deployer -} - -moved { - from = module.keyvault.azurerm_key_vault_access_policy.managed_identity - to = azurerm_key_vault_access_policy.managed_identity -} - moved { from = module.keyvault.azurerm_private_endpoint.kvpe to = azurerm_private_endpoint.kvpe diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf index 3229239ba3..0f2840f361 100644 --- a/core/terraform/resource_processor/vmss_porter/main.tf +++ b/core/terraform/resource_processor/vmss_porter/main.tf 
@@ -189,13 +189,10 @@ resource "azurerm_role_assignment" "subscription_contributor" { principal_id = azurerm_user_assigned_identity.vmss_msi.principal_id } -resource "azurerm_key_vault_access_policy" "resource_processor" { - key_vault_id = var.key_vault_id - tenant_id = azurerm_user_assigned_identity.vmss_msi.tenant_id - object_id = azurerm_user_assigned_identity.vmss_msi.principal_id - - secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"] - certificate_permissions = ["Get", "Recover", "Import", "Delete", "Purge"] +resource "azurerm_role_assignment" "keyvault_vmss_role" { + scope = var.key_vault_id + role_definition_name = "Key Vault Administrator" + principal_id = azurerm_user_assigned_identity.vmss_msi.principal_id // id-vmss- } module "terraform_azurerm_environment_configuration" { diff --git a/core/version.txt b/core/version.txt index a37fec72b0..a4219a8e55 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.10.12" +__version__ = "0.11.0" \ No newline at end of file diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml index d1c8e6db48..b54343e88b 100755 --- a/templates/shared_services/certs/porter.yaml +++ b/templates/shared_services/certs/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-certs -version: 0.5.6 +version: 0.6.0 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt" registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/shared_services/certs/terraform/appgateway.tf b/templates/shared_services/certs/terraform/appgateway.tf index 730eddf08e..909b3cb784 100644 --- a/templates/shared_services/certs/terraform/appgateway.tf +++ b/templates/shared_services/certs/terraform/appgateway.tf 
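Review bot: `keyvault_vmss_role` grants the resource processor identity `Key Vault Administrator` on the core vault, which is wider than the access policy it replaces: the removed policy had no key permissions at all, while this built-in role covers every data-plane operation on keys, secrets and certificates. If the processor's bundles do not touch keys, two assignments on the same scope with `role_definition_name = "Key Vault Secrets Officer"` and `role_definition_name = "Key Vault Certificates Officer"` keep the previous boundary; whether purge or key access is actually needed is not visible here, so confirm before narrowing. The same widening applies to `keyvault_resourceprocessor_ws_role` and `keyvault_deployer_ws_role` in `templates/workspaces/base/terraform/keyvault.tf`, where the removed policies were secret-only. A one-line comment stating why full administrator rights are required, e.g. `# Administrator rather than Secrets/Certificates Officer because <reason>`, would make the choice reviewable.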
@@ -162,6 +162,6 @@ resource "azurerm_application_gateway" "agw" { } depends_on = [ - azurerm_key_vault_access_policy.app_gw_managed_identity, + azurerm_role_assignment.keyvault_appgwcerts_role, ] } diff --git a/templates/shared_services/certs/terraform/certificate.tf b/templates/shared_services/certs/terraform/certificate.tf index 664bbe61d6..0a825c491d 100644 --- a/templates/shared_services/certs/terraform/certificate.tf +++ b/templates/shared_services/certs/terraform/certificate.tf @@ -1,10 +1,7 @@ -resource "azurerm_key_vault_access_policy" "app_gw_managed_identity" { - key_vault_id = data.azurerm_key_vault.key_vault.id - tenant_id = azurerm_user_assigned_identity.agw_id.tenant_id - object_id = azurerm_user_assigned_identity.agw_id.principal_id - - key_permissions = ["Get"] - secret_permissions = ["Get"] +resource "azurerm_role_assignment" "keyvault_appgwcerts_role" { + scope = data.azurerm_key_vault.key_vault.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.agw_id.principal_id } resource "azurerm_key_vault_certificate" "tlscert" { diff --git a/templates/shared_services/gitea/porter.yaml b/templates/shared_services/gitea/porter.yaml index b6fc527c60..8cc0d66a76 100644 --- a/templates/shared_services/gitea/porter.yaml +++ b/templates/shared_services/gitea/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-gitea -version: 1.0.6 +version: 1.1.0 description: "A Gitea shared service" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/shared_services/gitea/terraform/gitea-webapp.tf b/templates/shared_services/gitea/terraform/gitea-webapp.tf index 0fb5918777..26d8a62527 100644 --- a/templates/shared_services/gitea/terraform/gitea-webapp.tf +++ b/templates/shared_services/gitea/terraform/gitea-webapp.tf 
@@ -141,12 +141,10 @@ resource "azurerm_monitor_diagnostic_setting" "webapp_gitea" { } } -resource "azurerm_key_vault_access_policy" "gitea_policy" { - key_vault_id = data.azurerm_key_vault.keyvault.id - tenant_id = azurerm_user_assigned_identity.gitea_id.tenant_id - object_id = azurerm_user_assigned_identity.gitea_id.principal_id - - secret_permissions = ["Get", "List", ] +resource "azurerm_role_assignment" "keyvault_gitea_role" { + scope = data.azurerm_key_vault.keyvault.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.gitea_id.principal_id } resource "azurerm_key_vault_secret" "gitea_password" { @@ -156,7 +154,7 @@ resource "azurerm_key_vault_secret" "gitea_password" { tags = local.tre_shared_service_tags depends_on = [ - azurerm_key_vault_access_policy.gitea_policy + azurerm_role_assignment.keyvault_gitea_role ] lifecycle { ignore_changes = [tags] } diff --git a/templates/shared_services/gitea/terraform/mysql.tf b/templates/shared_services/gitea/terraform/mysql.tf index 61fe2af169..3a1b9425c5 100644 --- a/templates/shared_services/gitea/terraform/mysql.tf +++ b/templates/shared_services/gitea/terraform/mysql.tf @@ -65,7 +65,7 @@ resource "azurerm_key_vault_secret" "db_password" { tags = local.tre_shared_service_tags depends_on = [ - azurerm_key_vault_access_policy.gitea_policy + azurerm_role_assignment.keyvault_gitea_role ] lifecycle { ignore_changes = [tags] } diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml index 85ce7315cf..ee9701b05f 100644 --- a/templates/shared_services/sonatype-nexus-vm/porter.yaml +++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-sonatype-nexus -version: 3.0.4 +version: 3.1.0 description: "A Sonatype Nexus shared service" dockerfile: Dockerfile.tmpl registry: azuretre 
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf index 79dfa04472..e9633eda5a 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf @@ -87,12 +87,10 @@ resource "azurerm_user_assigned_identity" "nexus_msi" { lifecycle { ignore_changes = [tags] } } -resource "azurerm_key_vault_access_policy" "nexus_msi" { - key_vault_id = data.azurerm_key_vault.kv.id - tenant_id = azurerm_user_assigned_identity.nexus_msi.tenant_id - object_id = azurerm_user_assigned_identity.nexus_msi.principal_id - - secret_permissions = ["Get", "List"] +resource "azurerm_role_assignment" "keyvault_nexus_role" { + scope = data.azurerm_key_vault.kv.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.nexus_msi.principal_id } resource "azurerm_linux_virtual_machine" "nexus" { @@ -134,7 +132,7 @@ resource "azurerm_linux_virtual_machine" "nexus" { } depends_on = [ - azurerm_key_vault_access_policy.nexus_msi + azurerm_role_assignment.keyvault_nexus_role ] connection { diff --git a/templates/workspace_services/gitea/porter.yaml b/templates/workspace_services/gitea/porter.yaml index d282810297..e78cb4a03f 100644 --- a/templates/workspace_services/gitea/porter.yaml +++ b/templates/workspace_services/gitea/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-service-gitea -version: 1.0.8 +version: 1.1.0 description: "A Gitea workspace service" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspace_services/gitea/terraform/gitea-webapp.tf b/templates/workspace_services/gitea/terraform/gitea-webapp.tf index c354a0ac84..0e25df6c41 100644 --- a/templates/workspace_services/gitea/terraform/gitea-webapp.tf +++ b/templates/workspace_services/gitea/terraform/gitea-webapp.tf 
@@ -150,12 +150,10 @@ resource "azurerm_monitor_diagnostic_setting" "gitea" { } } -resource "azurerm_key_vault_access_policy" "gitea_policy" { - key_vault_id = data.azurerm_key_vault.ws.id - tenant_id = azurerm_user_assigned_identity.gitea_id.tenant_id - object_id = azurerm_user_assigned_identity.gitea_id.principal_id - - secret_permissions = ["Get", "List", ] +resource "azurerm_role_assignment" "keyvault_gitea_ws_role" { + scope = data.azurerm_key_vault.ws.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.gitea_id.principal_id } resource "azurerm_key_vault_secret" "gitea_password" { @@ -165,7 +163,7 @@ resource "azurerm_key_vault_secret" "gitea_password" { tags = local.workspace_service_tags depends_on = [ - azurerm_key_vault_access_policy.gitea_policy + azurerm_role_assignment.keyvault_gitea_ws_role ] lifecycle { ignore_changes = [tags] } diff --git a/templates/workspace_services/gitea/terraform/mysql.tf b/templates/workspace_services/gitea/terraform/mysql.tf index 7608827310..bd823448c7 100644 --- a/templates/workspace_services/gitea/terraform/mysql.tf +++ b/templates/workspace_services/gitea/terraform/mysql.tf @@ -65,7 +65,7 @@ resource "azurerm_key_vault_secret" "db_password" { tags = local.workspace_service_tags depends_on = [ - azurerm_key_vault_access_policy.gitea_policy + azurerm_role_assignment.keyvault_gitea_ws_role ] lifecycle { ignore_changes = [tags] } diff --git a/templates/workspace_services/guacamole/porter.yaml b/templates/workspace_services/guacamole/porter.yaml index b7dece024c..4f2bce5f88 100644 --- a/templates/workspace_services/guacamole/porter.yaml +++ b/templates/workspace_services/guacamole/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole -version: 0.10.12 +version: 0.11.0 description: "An Azure TRE service for Guacamole" dockerfile: Dockerfile.tmpl registry: azuretre 
diff --git a/templates/workspace_services/guacamole/terraform/web_app.tf b/templates/workspace_services/guacamole/terraform/web_app.tf index 53d998cb05..5cd938a256 100644 --- a/templates/workspace_services/guacamole/terraform/web_app.tf +++ b/templates/workspace_services/guacamole/terraform/web_app.tf @@ -91,7 +91,7 @@ resource "azurerm_linux_web_app" "guacamole" { depends_on = [ azurerm_role_assignment.guac_acr_pull, - azurerm_key_vault_access_policy.guacamole_policy + azurerm_role_assignment.keyvault_guacamole_ws_role ] } @@ -143,10 +143,8 @@ resource "azurerm_private_endpoint" "guacamole" { lifecycle { ignore_changes = [tags] } } -resource "azurerm_key_vault_access_policy" "guacamole_policy" { - key_vault_id = data.azurerm_key_vault.ws.id - tenant_id = azurerm_user_assigned_identity.guacamole_id.tenant_id - object_id = azurerm_user_assigned_identity.guacamole_id.principal_id - - secret_permissions = ["Get", "List", ] +resource "azurerm_role_assignment" "keyvault_guacamole_ws_role" { + scope = data.azurerm_key_vault.ws.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.guacamole_id.principal_id } diff --git a/templates/workspace_services/mlflow/porter.yaml b/templates/workspace_services/mlflow/porter.yaml index 0ba7ee7589..5ed3a26e58 100644 --- a/templates/workspace_services/mlflow/porter.yaml +++ b/templates/workspace_services/mlflow/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-mlflow -version: 0.7.12 +version: 0.8.0 description: "An Azure TRE service for MLflow machine learning lifecycle" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspace_services/mlflow/terraform/web_app.tf b/templates/workspace_services/mlflow/terraform/web_app.tf index f9aa1b2fe4..b2a88acbc5 100644 --- a/templates/workspace_services/mlflow/terraform/web_app.tf +++ b/templates/workspace_services/mlflow/terraform/web_app.tf 
@@ -82,7 +82,7 @@ resource "azurerm_linux_web_app" "mlflow" { depends_on = [ azurerm_role_assignment.mlflow_acr_pull, - azurerm_key_vault_access_policy.mlflow, + azurerm_role_assignment.keyvault_mlflow_ws_role, ] } @@ -131,12 +131,10 @@ resource "azurerm_private_endpoint" "mlflow" { lifecycle { ignore_changes = [tags] } } -resource "azurerm_key_vault_access_policy" "mlflow" { - key_vault_id = data.azurerm_key_vault.ws.id - tenant_id = azurerm_user_assigned_identity.mlflow.tenant_id - object_id = azurerm_user_assigned_identity.mlflow.principal_id - - secret_permissions = ["Get", "List", ] +resource "azurerm_role_assignment" "keyvault_mlflow_ws_role" { + scope = data.azurerm_key_vault.ws.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.mlflow.principal_id } resource "azurerm_user_assigned_identity" "mlflow" { diff --git a/templates/workspace_services/ohdsi/porter.yaml b/templates/workspace_services/ohdsi/porter.yaml index ddb7a6d26a..20aba5ef87 100644 --- a/templates/workspace_services/ohdsi/porter.yaml +++ b/templates/workspace_services/ohdsi/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-service-ohdsi -version: 0.2.8 +version: 0.3.0 description: "An OHDSI workspace service" registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/workspace_services/ohdsi/terraform/ohdsi_web_api.tf b/templates/workspace_services/ohdsi/terraform/ohdsi_web_api.tf index cb0b7a9700..a3640d4676 100644 --- a/templates/workspace_services/ohdsi/terraform/ohdsi_web_api.tf +++ b/templates/workspace_services/ohdsi/terraform/ohdsi_web_api.tf 
@@ -16,14 +16,10 @@ resource "azurerm_user_assigned_identity" "ohdsi_webapi_id" { lifecycle { ignore_changes = [tags] } } -resource "azurerm_key_vault_access_policy" "ohdsi_webapi" { - key_vault_id = data.azurerm_key_vault.ws.id - tenant_id = azurerm_user_assigned_identity.ohdsi_webapi_id.tenant_id - object_id = azurerm_user_assigned_identity.ohdsi_webapi_id.principal_id - - secret_permissions = [ - "Get", "List" - ] +resource "azurerm_role_assignment" "keyvault_ohdsi_ws_role" { + scope = data.azurerm_key_vault.ws.id + role_definition_name = "Key Vault Secrets User" + principal_id = azurerm_user_assigned_identity.ohdsi_webapi_id.principal_id } resource "azurerm_linux_web_app" "ohdsi_webapi" { diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index c500272640..bc99b4a9b6 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-base -version: 1.5.13 +version: 1.6.0 description: "A base Azure TRE workspace" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspaces/base/terraform/keyvault.tf b/templates/workspaces/base/terraform/keyvault.tf index acfe387cd4..e8cba49f10 100644 --- a/templates/workspaces/base/terraform/keyvault.tf +++ b/templates/workspaces/base/terraform/keyvault.tf 
@@ -1,13 +1,14 @@ data "azurerm_client_config" "current" {} resource "azurerm_key_vault" "kv" { - name = local.keyvault_name - location = azurerm_resource_group.ws.location - resource_group_name = azurerm_resource_group.ws.name - sku_name = "standard" - purge_protection_enabled = true - tenant_id = data.azurerm_client_config.current.tenant_id - tags = local.tre_workspace_tags + name = local.keyvault_name + location = azurerm_resource_group.ws.location + resource_group_name = azurerm_resource_group.ws.name + sku_name = "standard" + enable_rbac_authorization = true + purge_protection_enabled = true + tenant_id = data.azurerm_client_config.current.tenant_id + tags = local.tre_workspace_tags network_acls { bypass = "AzureServices" 
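Review bot: Setting `enable_rbac_authorization = true` on an already-deployed workspace vault disables access-policy evaluation in the same apply that creates the replacement assignments (`keyvault_resourceprocessor_ws_role` in the next hunk), so on upgrade there is a window in which the resource processor running this apply has neither its old policy honoured nor a propagated RBAC assignment; refreshes of existing `azurerm_key_vault_secret` resources during that apply may fail until the assignment takes effect. The vault cannot itself depend on the assignment (the assignment's `scope` is the vault id), so the practical options are a wait resource after the assignment, as `terraform_data.wait_for_dns_vault` already does for DNS, or a documented second apply on upgrade. Whether the old `access_policy` blocks are still declared on this resource, or ignored via `lifecycle`, is outside the hunk.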
@@ -66,22 +67,20 @@ data "azurerm_user_assigned_identity" "resource_processor_vmss_id" { resource_group_name = "rg-${var.tre_id}" } -resource "azurerm_key_vault_access_policy" "resource_processor" { - key_vault_id = azurerm_key_vault.kv.id - tenant_id = data.azurerm_user_assigned_identity.resource_processor_vmss_id.tenant_id - object_id = data.azurerm_user_assigned_identity.resource_processor_vmss_id.principal_id +resource "azurerm_role_assignment" "keyvault_resourceprocessor_ws_role" { + scope = azurerm_key_vault.kv.id + role_definition_name = "Key Vault Administrator" + principal_id = data.azurerm_user_assigned_identity.resource_processor_vmss_id.principal_id + - secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"] } # If running the terraform locally -resource "azurerm_key_vault_access_policy" "deployer" { - count = var.enable_local_debugging ? 1 : 0 - key_vault_id = azurerm_key_vault.kv.id - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = data.azurerm_client_config.current.object_id - - secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"] +resource "azurerm_role_assignment" "keyvault_deployer_ws_role" { + count = var.enable_local_debugging ? 1 : 0 + scope = azurerm_key_vault.kv.id + role_definition_name = "Key Vault Administrator" + principal_id = data.azurerm_client_config.current.object_id } resource "terraform_data" "wait_for_dns_vault" { @@ -104,8 +103,8 @@ resource "azurerm_key_vault_secret" "aad_tenant_id" { key_vault_id = azurerm_key_vault.kv.id tags = local.tre_workspace_tags depends_on = [ - azurerm_key_vault_access_policy.deployer, - azurerm_key_vault_access_policy.resource_processor, + azurerm_role_assignment.keyvault_deployer_ws_role, + azurerm_role_assignment.keyvault_resourceprocessor_ws_role, terraform_data.wait_for_dns_vault ] 
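Review bot: There appears to be an added empty line (a bare `+`) between `principal_id = data.azurerm_user_assigned_identity.resource_processor_vmss_id.principal_id` and the closing `}` of `keyvault_resourceprocessor_ws_role`, leaving a trailing blank line inside the block that the sibling `keyvault_deployer_ws_role` block does not have. Drop it so the two resource blocks are laid out identically. The `# If running the terraform locally` comment above `keyvault_deployer_ws_role` could also say what is granted, e.g. `# If running the terraform locally: give the local user full data-plane access (Key Vault Administrator) to the workspace vault`, since that was previously readable from the permission lists.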
@@ -121,8 +120,8 @@ resource "azurerm_key_vault_secret" "client_id" { count = var.register_aad_application ? 0 : 1 tags = local.tre_workspace_tags depends_on = [ - azurerm_key_vault_access_policy.deployer, - azurerm_key_vault_access_policy.resource_processor, + azurerm_role_assignment.keyvault_deployer_ws_role, + azurerm_role_assignment.keyvault_resourceprocessor_ws_role, terraform_data.wait_for_dns_vault ] @@ -144,8 +143,8 @@ resource "azurerm_key_vault_secret" "client_secret" { count = var.register_aad_application ? 0 : 1 tags = local.tre_workspace_tags depends_on = [ - azurerm_key_vault_access_policy.deployer, - azurerm_key_vault_access_policy.resource_processor, + azurerm_role_assignment.keyvault_deployer_ws_role, + azurerm_role_assignment.keyvault_resourceprocessor_ws_role, terraform_data.wait_for_dns_vault ] diff --git a/templates/workspaces/base/terraform/workspace.tf b/templates/workspaces/base/terraform/workspace.tf index bc93f4e344..14f4786e07 100644 --- a/templates/workspaces/base/terraform/workspace.tf +++ b/templates/workspaces/base/terraform/workspace.tf @@ -38,8 +38,8 @@ module "aad" { create_aad_groups = var.create_aad_groups depends_on = [ - azurerm_key_vault_access_policy.deployer, - azurerm_key_vault_access_policy.resource_processor, + azurerm_role_assignment.keyvault_deployer_ws_role, + azurerm_role_assignment.keyvault_resourceprocessor_ws_role, terraform_data.wait_for_dns_vault ] } From 35cd559369e7ea02829b255f618586bc442ca928 Mon Sep 17 00:00:00 2001 From: Yuval Yaron <43217306+yuvalyaron@users.noreply.github.com> Date: Mon, 11 Nov 2024 11:38:28 +0200 Subject: [PATCH 2/4] Move AZ AD Environment Variables to check_dependencies (#4131) set azure ad environment variables in check_dependencies rather than in load_and_validate_env --- .github/actions/devcontainer_run_command/action.yml | 3 --- devops/scripts/check_dependencies.sh | 5 +++++ devops/scripts/load_and_validate_env.sh | 5 ----- 3 files changed, 5 insertions(+), 8 deletions(-) 
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml index 25fbe43975..55157e1716 100644 --- a/.github/actions/devcontainer_run_command/action.yml +++ b/.github/actions/devcontainer_run_command/action.yml @@ -186,9 +186,6 @@ runs: -e TF_INPUT="0" \ -e TF_IN_AUTOMATION="1" \ -e USE_ENV_VARS_NOT_FILES="true" \ - -e ARM_STORAGE_USE_AZUREAD="true" \ - -e ARM_USE_AZUREAD="true" \ - -e ARM_USE_OIDC="true" \ -e BUNDLE_TYPE="${{ inputs.BUNDLE_TYPE }}" \ -e WORKSPACE_SERVICE_NAME="${{ inputs.WORKSPACE_SERVICE_NAME }}" \ -e ARM_ENVIRONMENT="${{ env.ARM_ENVIRONMENT }}" \ diff --git a/devops/scripts/check_dependencies.sh b/devops/scripts/check_dependencies.sh index dfdb68a28c..40f622f866 100755 --- a/devops/scripts/check_dependencies.sh +++ b/devops/scripts/check_dependencies.sh @@ -72,6 +72,11 @@ export SUB_ID TENANT_ID=$(az account show --query tenantId -o tsv) export TENANT_ID +# Configure AzureRM provider and backend to use Azure AD to connect to storage accounts +export ARM_STORAGE_USE_AZUREAD=true +export ARM_USE_AZUREAD=true +export ARM_USE_OIDC=true + if [ -z "$SUB_NAME" ]; then echo -e "\n\e[31m»»» ⚠️ You are not logged in to Azure!" exit 1 diff --git a/devops/scripts/load_and_validate_env.sh b/devops/scripts/load_and_validate_env.sh index d82617c7d7..c4d771ab91 100755 --- a/devops/scripts/load_and_validate_env.sh +++ b/devops/scripts/load_and_validate_env.sh @@ -83,11 +83,6 @@ else TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}") export TRE_URL - - # Configure AzureRM provider and backend to use Azure AD to connect to storage accounts - export ARM_STORAGE_USE_AZUREAD=true - export ARM_USE_AZUREAD=true - export ARM_USE_OIDC=true fi # if local debugging is configured, then set vars required by ~/.porter/config.yaml From 897f1b1067bcab2b586a444e31c3416ff74f5ea4 Mon Sep 17 00:00:00 2001 
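Review bot: The comment introduced above the three exports in `check_dependencies.sh` describes only the storage case, but `ARM_USE_OIDC=true` is unrelated to storage: it tells the azurerm provider to authenticate with an OIDC federated token (as GitHub Actions supplies), and it is now exported unconditionally, including for local runs where no such token exists. The removed block in `load_and_validate_env.sh` sat inside an `else` branch whose condition is outside the hunk, so confirm that the provider still falls back to Azure CLI credentials when the variable is set but no token is present. Suggested comment: `# Use Azure AD rather than account keys for the storage backend/provider (ARM_STORAGE_USE_AZUREAD, ARM_USE_AZUREAD); ARM_USE_OIDC lets CI authenticate with a federated token`.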
From: Tim Allen Date: Tue, 12 Nov 2024 11:39:24 +0000 Subject: [PATCH 3/4] Update local debugging for RBAC key vaults (#4133) * update * update core version --------- Co-authored-by: Tim Allen --- core/terraform/json-to-env.sh | 4 ++++ core/terraform/outputs.tf | 4 ++++ core/version.txt | 2 +- devops/scripts/setup_local_debugging.sh | 11 +++++------ 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/core/terraform/json-to-env.sh b/core/terraform/json-to-env.sh index b6c17f534f..cf307d9827 100755 --- a/core/terraform/json-to-env.sh +++ b/core/terraform/json-to-env.sh @@ -29,6 +29,10 @@ jq -r ' "path": "keyvault_uri", "env_var": "KEYVAULT_URI" }, + { + "path": "keyvault_resource_id", + "env_var": "KEYVAULT_RESOURCE_ID" + }, { "path": "azure_tre_fqdn", "env_var": "FQDN" diff --git a/core/terraform/outputs.tf b/core/terraform/outputs.tf index 7e02c66aa5..1e2850a8a3 100644 --- a/core/terraform/outputs.tf +++ b/core/terraform/outputs.tf @@ -30,6 +30,10 @@ output "keyvault_uri" { value = azurerm_key_vault.kv.vault_uri } +output "keyvault_resource_id" { + value = azurerm_key_vault.kv.id +} + output "service_bus_resource_id" { value = azurerm_servicebus_namespace.sb.id } diff --git a/core/version.txt b/core/version.txt index a4219a8e55..cb73775c4b 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.0" \ No newline at end of file +__version__ = "0.11.1" \ No newline at end of file diff --git a/devops/scripts/setup_local_debugging.sh b/devops/scripts/setup_local_debugging.sh index 704910bb51..4cb2dbdb55 100755 --- a/devops/scripts/setup_local_debugging.sh +++ b/devops/scripts/setup_local_debugging.sh 
@@ -15,6 +15,7 @@ private_env_path="./core/private.env"
 : "${EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID?"Check EVENT_GRID_AIRLOCK_NOTIFICATION_TOPIC_RESOURCE_ID is defined in ${private_env_path}"}"
 : "${KEYVAULT_URI?"Check KEYVAULT_URI is defined in ${private_env_path}"}"
 : "${KEYVAULT?"Check KEYVAULT is defined in ${private_env_path}"}"
+: "${KEYVAULT_RESOURCE_ID?"Check KEYVAULT_RESOURCE_ID is defined in ${private_env_path}"}"
 set -o pipefail
 set -o nounset
@@ -135,13 +136,11 @@ az role assignment create \
 --assignee "${RP_TESTING_SP_APP_ID}" \
 --scope "${SERVICE_BUS_RESOURCE_ID}"
- # Assign get permissions on the keyvault
-az keyvault set-policy \
- --name "${KEYVAULT}" \
- --spn "${RP_TESTING_SP_APP_ID}" \
- --secret-permissions get
-
+az role assignment create \
+ --role "Key Vault Secrets User" \
+ --assignee "${RP_TESTING_SP_APP_ID}" \
+ --scope "${KEYVAULT_RESOURCE_ID}"
 # Write the appId and secret to the private.env file which is used for RP debugging
 # First check if the env vars are there already and delete them
From 158dce1804b45eacaaca3317463d53df64796686 Mon Sep 17 00:00:00 2001
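Review bot: The new `az role assignment create` returns as soon as the assignment is written, but Key Vault data-plane RBAC can take several minutes to propagate, whereas the removed `az keyvault set-policy` was effective almost immediately; a resource processor started right after this script may get 403s on secret reads until then, so a note near the call (or a short retry on the first read) would save debugging time. The call also deserves a comment stating what it grants now that an access policy is no longer involved, e.g. `# Grant the RP testing service principal read access to secrets in the core key vault (RBAC replaces the former access policy)`. `Key Vault Secrets User` at vault scope is equivalent to the previous `get` secret permission on every secret, so no extra privilege is granted; the surrounding script continues outside this hunk.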
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Thu, 14 Nov 2024 00:50:16 +0200
Subject: [PATCH 4/4] Update obsolete TF properties (#4136)
update obsolete TF properties
Co-authored-by: Tamir Kamara
---
 Makefile | 2 +-
 core/terraform/.terraform.lock.hcl | 3 +-
 core/terraform/airlock/service_bus.tf | 10 +++----
 core/terraform/api-webapp.tf | 4 +--
 core/terraform/cosmos_mongo.tf | 18 ++++++------
 core/terraform/network/network.tf | 28 +++++++++----------
 core/terraform/outputs.tf | 2 +-
 core/terraform/servicebus.tf | 8 +++---
 core/terraform/statestore.tf | 16 +++++------
 core/version.txt | 2 +-
 .../airlock_notifier/porter.yaml | 2 +-
 .../terraform/airlock_notifier.tf | 2 +-
 .../shared_services/firewall/porter.yaml | 2 +-
 .../firewall/terraform/routetable.tf | 2 +-
 .../workspace_services/azureml/porter.yaml | 2 +-
 .../azureml/terraform/network.tf | 2 +-
 .../workspace_services/databricks/porter.yaml | 2 +-
 .../databricks/terraform/network.tf | 2 +-
 18 files changed, 55 insertions(+), 54 deletions(-)
diff --git a/Makefile b/Makefile
index 4053dc3f9a..4c0b32bafa 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: bootstrap-init mgmt-deploy mgmt-destroy build-api-image push-api-image deploy-tre destroy-tre letsencrypt
+.PHONY: bootstrap-init mgmt-deploy mgmt-destroy build-api-image push-api-image tre-deploy tre-destroy letsencrypt
 .DEFAULT_GOAL := help
 SHELL:=/bin/bash
diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl
index 0539020952..bc7c2d0508 100644
--- a/core/terraform/.terraform.lock.hcl
+++ b/core/terraform/.terraform.lock.hcl
@@ -3,8 +3,9 @@ provider "registry.terraform.io/azure/azapi" {
 version = "1.15.0"
- constraints = "1.15.0"
+ constraints = ">= 1.15.0, ~> 1.15.0"
 hashes = [
+ "h1:Y7ruMuPh8UJRTRl4rm+cdpGtmURx2taqiuqfYaH3o48=",
 "h1:gIOgxVmFSxHrR+XOzgUEA+ybOmp8kxZlZH3eYeB/eFI=",
 "zh:0627a8bc77254debc25dc0c7b62e055138217c97b03221e593c3c56dc7550671",
 "zh:2fe045f07070ef75d0bec4b0595a74c14394daa838ddb964e2fd23cc98c40c34",
diff --git a/core/terraform/airlock/service_bus.tf b/core/terraform/airlock/service_bus.tf
index 82e34e86a1..250e3ba159 100644
--- a/core/terraform/airlock/service_bus.tf
+++ b/core/terraform/airlock/service_bus.tf
@@ -3,35 +3,35 @@ resource "azurerm_servicebus_queue" "step_result" {
 name = local.step_result_queue_name
 namespace_id = var.airlock_servicebus.id
- enable_partitioning = false
+ partitioning_enabled = false
 }
 resource "azurerm_servicebus_queue" "status_changed" {
 name = local.status_changed_queue_name
 namespace_id = var.airlock_servicebus.id
- enable_partitioning = false
+ partitioning_enabled = false
 }
 resource "azurerm_servicebus_queue" "scan_result" {
 name = local.scan_result_queue_name
 namespace_id = var.airlock_servicebus.id
- enable_partitioning = false
+ partitioning_enabled = false
 }
 resource "azurerm_servicebus_queue" "data_deletion" {
 name = local.data_deletion_queue_name
 namespace_id = var.airlock_servicebus.id
- enable_partitioning = false
+ partitioning_enabled = false
 }
 resource "azurerm_servicebus_topic" "blob_created" {
 name = local.blob_created_topic_name
 namespace_id = var.airlock_servicebus.id
- enable_partitioning = false
+ partitioning_enabled = false
 }
 resource "azurerm_servicebus_subscription" "airlock_processor" {
diff --git a/core/terraform/api-webapp.tf b/core/terraform/api-webapp.tf
index b07577f40a..eabbf728bb 100644
--- a/core/terraform/api-webapp.tf
+++ b/core/terraform/api-webapp.tf
@@ -85,8 +85,8 @@ resource "azurerm_linux_web_app" "api" {
 ftps_state = "Disabled"
 application_stack {
- docker_image = "${local.docker_registry_server}/${var.api_image_repository}"
- docker_image_tag = local.version
+ docker_registry_url = "https://${local.docker_registry_server}"
+ docker_image_name = "${var.api_image_repository}:${local.version}"
 }
 cors {
diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf
index 6b4f386d09..904424ccaf 100644
--- a/core/terraform/cosmos_mongo.tf
+++ b/core/terraform/cosmos_mongo.tf
@@ -1,12 +1,12 @@
 resource "azurerm_cosmosdb_account" "mongo" {
- name = "cosmos-mongo-${var.tre_id}"
- location = azurerm_resource_group.core.location
- resource_group_name = azurerm_resource_group.core.name
- offer_type = "Standard"
- kind = "MongoDB"
- enable_automatic_failover = false
- mongo_server_version = 4.2
- ip_range_filter = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
+ name = "cosmos-mongo-${var.tre_id}"
+ location = azurerm_resource_group.core.location
+ resource_group_name = azurerm_resource_group.core.name
+ offer_type = "Standard"
+ kind = "MongoDB"
+ automatic_failover_enabled = false
+ mongo_server_version = 4.2
+ ip_range_filter = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
 capabilities {
 name = "EnableServerless"
@@ -93,7 +93,7 @@ resource "azurerm_private_endpoint" "mongo" {
 resource "azurerm_key_vault_secret" "cosmos_mongo_connstr" {
 name = "porter-db-connection-string"
- value = azurerm_cosmosdb_account.mongo.connection_strings[0]
+ value = azurerm_cosmosdb_account.mongo.primary_mongodb_connection_string
 key_vault_id = azurerm_key_vault.kv.id
 tags = local.tre_core_tags
 depends_on = [
diff --git a/core/terraform/network/network.tf b/core/terraform/network/network.tf
index c57b673dce..db71fe554f 100644
--- a/core/terraform/network/network.tf
+++ b/core/terraform/network/network.tf
@@ -27,7 +27,7 @@ resource "azurerm_subnet" "app_gw" {
 virtual_network_name = azurerm_virtual_network.core.name
 resource_group_name = var.resource_group_name
 address_prefixes = [local.app_gw_subnet_address_prefix]
- private_endpoint_network_policies_enabled = false
+ private_endpoint_network_policies = "Disabled"
 private_link_service_network_policies_enabled = true
 depends_on = [azurerm_subnet.azure_firewall]
 }
@@ -37,7 +37,7 @@ resource "azurerm_subnet" "web_app" {
 virtual_network_name = azurerm_virtual_network.core.name
 resource_group_name = var.resource_group_name
 address_prefixes = [local.web_app_subnet_address_prefix]
- private_endpoint_network_policies_enabled = false
+ private_endpoint_network_policies = "Disabled"
 private_link_service_network_policies_enabled = true
 depends_on = [azurerm_subnet.app_gw]
@@ -57,8 +57,8 @@ resource "azurerm_subnet" "shared" {
 resource_group_name = var.resource_group_name
 address_prefixes = [local.shared_services_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
- depends_on = [azurerm_subnet.web_app]
+ private_endpoint_network_policies = "Disabled"
+ depends_on = [azurerm_subnet.web_app]
 }
 resource "azurerm_subnet" "resource_processor" {
@@ -67,8 +67,8 @@ resource "azurerm_subnet" "resource_processor" {
 resource_group_name = var.resource_group_name
 address_prefixes = [local.resource_processor_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
- depends_on = [azurerm_subnet.shared]
+ private_endpoint_network_policies = "Disabled"
+ depends_on = [azurerm_subnet.shared]
 }
 resource "azurerm_subnet" "airlock_processor" {
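Review bot: The comment `# notice that private endpoints do not adhere to NSG rules` kept above the new `private_endpoint_network_policies = "Disabled"` lines in the shared and resource_processor hunks (and in the airlock subnet hunks on the next two lines) now records a configuration choice rather than a platform limitation: unlike the removed boolean, the string-valued attribute also accepts `NetworkSecurityGroupEnabled`, which makes NSG rules apply to private endpoints in the subnet. Since the rename deliberately keeps the previous behaviour (`false` → `"Disabled"`), reword the comment so a later reader knows the relaxed setting is intentional and where to tighten it, e.g. `# private endpoint network policies are deliberately Disabled (unchanged behaviour): NSG rules are not applied to private endpoints in this subnet`. The app_gw and web_app hunks carry no such comment and would benefit from the same one.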
@@ -77,8 +77,8 @@ resource "azurerm_subnet" "airlock_processor" {
 resource_group_name = var.resource_group_name
 address_prefixes = [local.airlock_processor_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
- depends_on = [azurerm_subnet.resource_processor]
+ private_endpoint_network_policies = "Disabled"
+ depends_on = [azurerm_subnet.resource_processor]
 delegation {
 name = "delegation"
@@ -100,8 +100,8 @@ resource "azurerm_subnet" "airlock_notification" {
 resource_group_name = var.resource_group_name
 address_prefixes = [local.airlock_notifications_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
- depends_on = [azurerm_subnet.airlock_processor]
+ private_endpoint_network_policies = "Disabled"
+ depends_on = [azurerm_subnet.airlock_processor]
 delegation {
 name = "delegation"
@@ -120,8 +120,8 @@ resource "azurerm_subnet" "airlock_storage" {
 resource_group_name = var.resource_group_name
 address_prefixes = [local.airlock_storage_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
- depends_on = [azurerm_subnet.airlock_notification]
+ private_endpoint_network_policies = "Disabled"
+ depends_on = [azurerm_subnet.airlock_notification]
 }
 resource "azurerm_subnet" "airlock_events" {
@@ -130,8 +130,8 @@ resource "azurerm_subnet" "airlock_events" {
 resource_group_name = var.resource_group_name
 address_prefixes = [local.airlock_events_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
- depends_on = [azurerm_subnet.airlock_storage]
+ private_endpoint_network_policies = "Disabled"
+ depends_on = [azurerm_subnet.airlock_storage]
 # Eventgrid CAN'T send messages over private endpoints, hence we need to allow service endpoints to the service bus
 # We are using service endpoints + managed identity to send these messaages
diff --git a/core/terraform/outputs.tf b/core/terraform/outputs.tf
index 1e2850a8a3..e4e22f97eb 100644
--- a/core/terraform/outputs.tf
+++ b/core/terraform/outputs.tf
@@ -63,7 +63,7 @@ output "state_store_endpoint" {
 }
 output "cosmosdb_mongo_endpoint" {
- value = azurerm_cosmosdb_account.mongo.connection_strings[0]
+ value = azurerm_cosmosdb_account.mongo.primary_sql_connection_string
 sensitive = true
 }
diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
index c357046dbb..3a056017ba 100644
--- a/core/terraform/servicebus.tf
+++ b/core/terraform/servicebus.tf
@@ -36,8 +36,8 @@ resource "azurerm_servicebus_queue" "workspacequeue" {
 name = "workspacequeue"
 namespace_id = azurerm_servicebus_namespace.sb.id
- enable_partitioning = false
- requires_session = true # use sessions here to make sure updates to each resource happen in serial, in order
+ partitioning_enabled = false
+ requires_session = true # use sessions here to make sure updates to each resource happen in serial, in order
 }
 resource "azurerm_servicebus_queue" "service_bus_deployment_status_update_queue" {
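Review bot: `primary_sql_connection_string` in the outputs.tf hunk looks like the wrong replacement for `connection_strings[0]` on `azurerm_cosmosdb_account.mongo`: that account is `kind = "MongoDB"` (cosmos_mongo.tf hunk earlier in this patch), the output is named `cosmosdb_mongo_endpoint`, and the identical index-0 reference in cosmos_mongo.tf was changed to `primary_mongodb_connection_string` in this same commit. The SQL-API attribute is probably empty or not what consumers of this output expect, so the line should read `value = azurerm_cosmosdb_account.mongo.primary_mongodb_connection_string`. Keeping `sensitive = true` is right, since the connection string embeds the account key.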
@@ -48,8 +48,8 @@ resource "azurerm_servicebus_queue" "service_bus_deployment_status_update_queue"
 # Cosmos is the final destination of the messages where 2048 is the limit.
 max_message_size_in_kilobytes = 2048 # default=1024
- enable_partitioning = false
- requires_session = true
+ partitioning_enabled = false
+ requires_session = true
 }
 resource "azurerm_private_dns_zone" "servicebus" {
diff --git a/core/terraform/statestore.tf b/core/terraform/statestore.tf
index 4fc50f2c20..fa7a9eca9f 100644
--- a/core/terraform/statestore.tf
+++ b/core/terraform/statestore.tf
@@ -1,12 +1,12 @@
 resource "azurerm_cosmosdb_account" "tre_db_account" {
- name = "cosmos-${var.tre_id}"
- location = azurerm_resource_group.core.location
- resource_group_name = azurerm_resource_group.core.name
- offer_type = "Standard"
- kind = "GlobalDocumentDB"
- enable_automatic_failover = false
- ip_range_filter = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
- tags = local.tre_core_tags
+ name = "cosmos-${var.tre_id}"
+ location = azurerm_resource_group.core.location
+ resource_group_name = azurerm_resource_group.core.name
+ offer_type = "Standard"
+ kind = "GlobalDocumentDB"
+ automatic_failover_enabled = false
+ ip_range_filter = "${local.azure_portal_cosmos_ips}${var.enable_local_debugging ? ",${local.myip}" : ""}"
+ tags = local.tre_core_tags
 dynamic "capabilities" {
 # We can't change an existing cosmos
diff --git a/core/version.txt b/core/version.txt
index cb73775c4b..fee46bd8ce 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.1"
\ No newline at end of file
+__version__ = "0.11.1"
diff --git a/templates/shared_services/airlock_notifier/porter.yaml b/templates/shared_services/airlock_notifier/porter.yaml
index 830421a575..bf9386ff09 100644
--- a/templates/shared_services/airlock_notifier/porter.yaml
+++ b/templates/shared_services/airlock_notifier/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-airlock-notifier
-version: 1.0.5
+version: 1.0.6
 description: "A shared service notifying on Airlock Operations"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/shared_services/airlock_notifier/terraform/airlock_notifier.tf b/templates/shared_services/airlock_notifier/terraform/airlock_notifier.tf
index b17a9a06b2..7680d67562 100644
--- a/templates/shared_services/airlock_notifier/terraform/airlock_notifier.tf
+++ b/templates/shared_services/airlock_notifier/terraform/airlock_notifier.tf
@@ -14,7 +14,7 @@ resource "azurerm_servicebus_queue" "notifications_queue" {
 name = "notifications"
 namespace_id = data.azurerm_servicebus_namespace.core.id
- enable_partitioning = false
+ partitioning_enabled = false
 }
 /* The notification queue needs to be subscribed to the notification event-grid */
diff --git a/templates/shared_services/firewall/porter.yaml b/templates/shared_services/firewall/porter.yaml
index b60a7aa40b..b4cbed7ed9 100644
--- a/templates/shared_services/firewall/porter.yaml
+++ b/templates/shared_services/firewall/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-firewall
-version: 1.2.4
+version: 1.2.6
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/shared_services/firewall/terraform/routetable.tf b/templates/shared_services/firewall/terraform/routetable.tf
index 77aa64e15e..f0e4388d9b 100644
--- a/templates/shared_services/firewall/terraform/routetable.tf
+++ b/templates/shared_services/firewall/terraform/routetable.tf
@@ -2,7 +2,7 @@ resource "azurerm_route_table" "rt" {
 name = "rt-${var.tre_id}"
 resource_group_name = local.core_resource_group_name
 location = data.azurerm_resource_group.rg.location
- disable_bgp_route_propagation = false
+ bgp_route_propagation_enabled = true
 tags = local.tre_shared_service_tags
 lifecycle { ignore_changes = [tags] }
diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml
index d97cef3cb0..ab04640b47 100644
--- a/templates/workspace_services/azureml/porter.yaml
+++ b/templates/workspace_services/azureml/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-azureml
-version: 0.8.14
+version: 0.8.15
 description: "An Azure TRE service for Azure Machine Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/workspace_services/azureml/terraform/network.tf b/templates/workspace_services/azureml/terraform/network.tf
index 9c11677381..edc2529942 100644
--- a/templates/workspace_services/azureml/terraform/network.tf
+++ b/templates/workspace_services/azureml/terraform/network.tf
@@ -275,7 +275,7 @@ resource "azurerm_route_table" "aml" {
 name = "rt-aml-${var.tre_id}-${local.short_service_id}"
 resource_group_name = data.azurerm_resource_group.ws.name
 location = data.azurerm_resource_group.ws.location
- disable_bgp_route_propagation = false
+ bgp_route_propagation_enabled = true
 tags = local.tre_workspace_service_tags
 lifecycle { ignore_changes = [tags] }
diff --git a/templates/workspace_services/databricks/porter.yaml b/templates/workspace_services/databricks/porter.yaml
index 622475862d..5c6ac9b030 100644
--- a/templates/workspace_services/databricks/porter.yaml
+++ b/templates/workspace_services/databricks/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-databricks
-version: 1.0.7
+version: 1.0.8
 description: "An Azure TRE service for Azure Databricks."
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/workspace_services/databricks/terraform/network.tf b/templates/workspace_services/databricks/terraform/network.tf
index c9d9dadc72..97961c2bbf 100644
--- a/templates/workspace_services/databricks/terraform/network.tf
+++ b/templates/workspace_services/databricks/terraform/network.tf
@@ -131,7 +131,7 @@ resource "azurerm_route_table" "rt" {
 name = local.route_table_name
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
- disable_bgp_route_propagation = false
+ bgp_route_propagation_enabled = true
 tags = local.tre_workspace_service_tags
 lifecycle { ignore_changes = [tags] }