From 51ec9f67dc3f644abf071b97fd3500f6fd85a469 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Wed, 16 Apr 2025 10:32:32 +0000
Subject: [PATCH] Release 0.22.0
---
 .devcontainer/devcontainer.json | 2 +-
 .../devcontainer_run_command/action.yml | 22 ++++++++++++++++---
 .github/workflows/deploy_tre.yml | 2 ++
 .github/workflows/deploy_tre_branch.yml | 2 ++
 .github/workflows/deploy_tre_reusable.yml | 20 ++++++++++++-----
 config.sample.yaml | 3 +++
 6 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 45b458a..6586651 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -18,7 +18,7 @@
 "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}",
 "INTERACTIVE": "true",
 "UPSTREAM_REPO": "microsoft/AzureTRE",
- "UPSTREAM_REPO_VERSION": "v0.21.0",
+ "UPSTREAM_REPO_VERSION": "v0.22.0",
 "GITHUB_TOKEN": ""
 }
 },
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index ce083c1..48827ca 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -118,6 +118,18 @@ inputs:
 description: "Application Gateway SKU"
 required: false
 default: ""
+ ENABLE_CMK_ENCRYPTION:
+ description: "A boolean indicating if we should enable CMK on supported resources"
+ required: false
+ default: "false"
+ ENCRYPTION_KV_NAME:
+ description: ""
+ required: false
+ default: "The name of the keyvault that will be created for CMK"
+ EXTERNAL_KEY_STORE_ID:
+ description: "The Azure Resource ID for an external key store to use for CMK"
+ required: false
+ default: ""
 runs:
 using: composite
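Review bot: In the action.yml hunk the `ENCRYPTION_KV_NAME` input has its `description` and `default` swapped — the description is empty and the default is the sentence `"The name of the keyvault that will be created for CMK"`, which the later hunk in this file forwards verbatim as `TF_VAR_encryption_kv_name`, so a run that leaves the input unset would pass that sentence through as the Key Vault name. Swap the two values: `description: "The name of the keyvault that will be created for CMK"` and `default: ""`, matching the `EXTERNAL_KEY_STORE_ID` entry just below it. The `inputs:` mapping this hunk sits in begins before the hunk; the devcontainer.json hunk on this line is only the version bump.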
@@ -130,14 +142,14 @@ runs:
 - name: Azure Login
 uses: azure/login@v2
- if: contains(inputs.COMMAND, 'bootstrap') != true
+ if: contains(inputs.COMMAND, 'make bootstrap') != true
 with:
 creds: ${{ inputs.AZURE_CREDENTIALS }}
 environment: "${{ env.AZURE_ENVIRONMENT }}"
 - name: ACR Login
 shell: bash
- if: contains(inputs.COMMAND, 'bootstrap') != true
+ if: contains(inputs.COMMAND, 'make bootstrap') != true
 run: |
 az acr login --name "${{ inputs.CI_CACHE_ACR_NAME }}"
@@ -164,7 +176,7 @@ runs:
 shell: bash
 run: |
 # Write command to a command.sh script file
- cat <> ./command.sh
+ cat < ./command.sh
 #!/bin/bash
 set -x
 ${{ inputs.COMMAND }}
@@ -234,6 +246,10 @@ runs:
 && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
 -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \
 -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
+ -e TF_VAR_enable_cmk_encryption="${{ (inputs.ENABLE_CMK_ENCRYPTION != '' && inputs.ENABLE_CMK_ENCRYPTION) || 'false' }}" \
+ -e TF_VAR_encryption_kv_name="${{ inputs.ENCRYPTION_KV_NAME }}" \
+ -e TF_VAR_external_key_store_id="${{ inputs.EXTERNAL_KEY_STORE_ID }}" \
 -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
 '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
 bash -c -x "./command.sh"
diff --git a/.github/workflows/deploy_tre.yml b/.github/workflows/deploy_tre.yml
index b32722d..0ce366f 100644
--- a/.github/workflows/deploy_tre.yml
+++ b/.github/workflows/deploy_tre.yml
@@ -51,3 +51,5 @@ jobs:
 SWAGGER_UI_CLIENT_ID: ${{ secrets.SWAGGER_UI_CLIENT_ID }}
 TRE_ID: ${{ secrets.TRE_ID }}
 CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
+ ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
+ EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
diff --git a/.github/workflows/deploy_tre_branch.yml b/.github/workflows/deploy_tre_branch.yml
index 8596882..c06e6b6 100644
--- a/.github/workflows/deploy_tre_branch.yml
+++ b/.github/workflows/deploy_tre_branch.yml
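Review bot: The rewritten `cat` line in the command.sh step is garbled on this page (the heredoc word between `<<` and the redirect appears to have been stripped), so its exact form should be checked in the file; what is visible is a change from `>>` to `>`, i.e. command.sh is now overwritten rather than appended to each time this step runs. That is a behavioural change the surrounding comment does not mention; I would extend it to `# Write command to a fresh command.sh (overwrite, not append, so a command from an earlier invocation can never be re-run)`. The step's `run:` block continues past the end of the hunk.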
@@ -82,3 +82,5 @@ jobs:
 SWAGGER_UI_CLIENT_ID: ${{ secrets.SWAGGER_UI_CLIENT_ID }}
 TRE_ID: ${{ format('tre{0}', needs.prepare-not-main.outputs.refid) }}
 CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
+ ENCRYPTION_KV_NAME: ${{ format('tre{0}mgmt', needs.prepare-not-main.outputs.refid) }}
+ EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
index 11d9f1e..85c2ea3 100644
--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@@ -72,6 +72,12 @@ on: # yamllint disable-line rule:truthy
 AZURE_CREDENTIALS:
 description: ""
 required: true
+ ENCRYPTION_KV_NAME:
+ description: ""
+ required: false
+ EXTERNAL_KEY_STORE_ID:
+ description: ""
+ required: false
 # This will prevent multiple runs of this entire workflow.
 # We should NOT cancel in progress runs as that can destabilize the environment.
@@ -203,6 +209,9 @@ jobs:
 TERRAFORM_STATE_CONTAINER_NAME: ${{ vars.TERRAFORM_STATE_CONTAINER_NAME }}
 MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
 MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
+ ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }}
+ ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
+ EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
 - name: ACR Login
 # failure in the first attempt indicates a new ACR, so we need to try again after it's been created
@@ -316,6 +325,9 @@ jobs:
 RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }}
 FIREWALL_SKU: ${{ vars.FIREWALL_SKU}}
 APP_GATEWAY_SKU: ${{ vars.APP_GATEWAY_SKU }}
+ ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }}
+ ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
+ EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
 - name: API Healthcheck
 uses: ./.github/actions/devcontainer_run_command
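Review bot: Both `workflow_call` secrets added in the first deploy_tre_reusable.yml hunk carry `description: ""`, so a caller has no indication what `ENCRYPTION_KV_NAME` and `EXTERNAL_KEY_STORE_ID` hold or that they pair with the `ENABLE_CMK_ENCRYPTION` variable the two later hunks read. Suggested text, to be adjusted if the Key Vault name is also consumed with CMK disabled: `description: "Name of the Key Vault created for customer-managed-key (CMK) encryption"` and `description: "Azure resource ID of an external key store to use for CMK (optional)"`. It is also worth stating that the value must be a valid Key Vault name, since deploy_tre_branch.yml builds it as `tre<refid>mgmt` with `format()` and relies on the refid keeping that string within the Key Vault length and character rules. `AZURE_CREDENTIALS` just above has the same empty description, so the gap predates this commit; the `secrets:` block begins before the hunk.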
@@ -347,8 +359,6 @@ jobs:
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/azureml"}
 - {BUNDLE_TYPE: "workspace_service",
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/gitea"}
- - {BUNDLE_TYPE: "workspace_service",
- BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/mlflow"}
 - {BUNDLE_TYPE: "workspace_service",
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/mysql"}
 - {BUNDLE_TYPE: "workspace_service",
@@ -359,6 +369,8 @@ jobs:
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/ohdsi"}
 - {BUNDLE_TYPE: "workspace_service",
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/azuresql"}
+ - {BUNDLE_TYPE: "workspace_service",
+ BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/openai"}
 - {BUNDLE_TYPE: "user_resource",
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm"}
 - {BUNDLE_TYPE: "user_resource",
@@ -436,7 +448,7 @@ jobs:
 COMMAND: |
 # Loop to retry the make command up to 3 times
 for i in {1..3}; do
- make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 30;
+ make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 30;
 done
 # Exit with the last status code
@@ -521,8 +533,6 @@ jobs:
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/azureml"}
 - {BUNDLE_TYPE: "workspace_service",
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/gitea"}
- - {BUNDLE_TYPE: "workspace_service",
- BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/mlflow"}
 - {BUNDLE_TYPE: "workspace_service",
 BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/mysql"}
 - {BUNDLE_TYPE: "workspace_service",
diff --git a/config.sample.yaml b/config.sample.yaml
index 009f017..8fc4b03 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
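Review bot: The second bundle matrix (hunk at old line 521) drops the mlflow entry exactly as the first one does (old line 347), yet the `openai` entry added to the first matrix at old line 359 has no counterpart in the second; if the two matrices are meant to mirror each other, please confirm that the second job already lists openai outside the visible hunks rather than having been missed. The `-`/`+` pair in the `make bundle-build` retry loop reads identically here, so that change is presumably whitespace only. Each matrix definition starts and ends outside its hunk.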
@@ -50,6 +50,9 @@ tre:
 firewall_sku: Standard
 app_gateway_sku: Standard_v2
+ # Set to true if TreAdmins should be able to assign and de-assign users to workspaces via the UI
+ user_management_enabled: false
+
 # Uncomment to deploy to a custom domain
 # custom_domain: __CHANGE_ME__
 authentication:
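Review bot: The `tre:` section gains `user_management_enabled` but no sample entries for the CMK settings this same commit wires through CI (`enable_cmk_encryption`, `encryption_kv_name`, `external_key_store_id`), even though `firewall_sku` and `app_gateway_sku` here mirror the action's `FIREWALL_SKU`/`APP_GATEWAY_SKU` inputs. If those settings are read from config.yaml as well, the sample should show them commented out in the same one-line style, e.g. `# enable_cmk_encryption: false` and `# encryption_kv_name: __CHANGE_ME__`; if they are CI-only, this can be ignored. The `tre:` mapping begins before the hunk.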