From da1471c72a5faa040299724c6cffae699cb7ed3c Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 10 Jun 2025 15:16:16 +0000
Subject: [PATCH 1/3] Update to release v0.23.0

Fixes #138
---
 .devcontainer/devcontainer.json | 2 +-
 .devcontainer/scripts/construct_tre_url.sh | 15 +++++++++
 .../scripts/convert_azure_env_to_arm_env.sh | 10 ++++++
 .../devcontainer_run_command/action.yml | 27 ++++++++++++++++
 .github/workflows/deploy_tre.yml | 3 +-
 .github/workflows/deploy_tre_branch.yml | 1 +
 .github/workflows/deploy_tre_reusable.yml | 31 ++++++++++++++++---
 config.sample.yaml | 25 +++++++++++++++
 8 files changed, 108 insertions(+), 6 deletions(-)
 create mode 100755 .devcontainer/scripts/construct_tre_url.sh
 create mode 100755 .devcontainer/scripts/convert_azure_env_to_arm_env.sh

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 6586651..43a8640 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -18,7 +18,7 @@
 "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}",
 "INTERACTIVE": "true",
 "UPSTREAM_REPO": "microsoft/AzureTRE",
- "UPSTREAM_REPO_VERSION": "v0.22.0",
+ "UPSTREAM_REPO_VERSION": "v0.23.0",
 "GITHUB_TOKEN": ""
 }
 },
diff --git a/.devcontainer/scripts/construct_tre_url.sh b/.devcontainer/scripts/construct_tre_url.sh
new file mode 100755
index 0000000..15ae3fe
--- /dev/null
+++ b/.devcontainer/scripts/construct_tre_url.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# This script is designed to be `source`d to create reusable helper functions
+
+function construct_tre_url()
+{
+ tre_id=$1
+ location=$2
+ azure_environment=$3
+
+ declare -A cloudapp_endpoint_suffixes=( ["AzureCloud"]="cloudapp.azure.com" ["AzureUSGovernment"]="cloudapp.usgovcloudapi.net" )
+ domain=${cloudapp_endpoint_suffixes[${azure_environment}]}
+
+ echo https://"${tre_id}"."${location}"."${domain}"
+}
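Review bot: `construct_tre_url` assigns `tre_id`, `location`, `azure_environment` and `domain` without `local`, and since the header comment says the file is meant to be `source`d, every call overwrites those names in the caller's shell; `convert_azure_env_to_arm_env.sh` in the next hunk has the same issue with `azure_environment` and `arm_envs`. An `azure_environment` that is not one of the two map keys leaves `domain` empty, so the function prints a malformed `https://<id>.<location>.` URL instead of failing. Declaring the variables `local` and returning non-zero on an unknown environment addresses both, as below. Patch 2 of this series deletes this copy in favour of `.github/scripts/construct_tre_url.sh`; if that copy has the same body, the fix belongs there.
```shell
function construct_tre_url()
{
  local tre_id=$1
  local location=$2
  local azure_environment=$3

  local -A cloudapp_endpoint_suffixes=( ["AzureCloud"]="cloudapp.azure.com" ["AzureUSGovernment"]="cloudapp.usgovcloudapi.net" )
  local domain=${cloudapp_endpoint_suffixes[${azure_environment}]}

  # Fail loudly rather than emitting a URL with an empty domain suffix.
  if [[ -z "${domain}" ]]; then
    echo "construct_tre_url: unknown azure_environment '${azure_environment}'" >&2
    return 1
  fi

  echo https://"${tre_id}"."${location}"."${domain}"
}
```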
diff --git a/.devcontainer/scripts/convert_azure_env_to_arm_env.sh b/.devcontainer/scripts/convert_azure_env_to_arm_env.sh
new file mode 100755
index 0000000..a77bef5
--- /dev/null
+++ b/.devcontainer/scripts/convert_azure_env_to_arm_env.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# This script is designed to be `source`d to create reusable helper functions
+
+function convert_azure_env_to_arm_env()
+{
+ azure_environment=$1
+ declare -A arm_envs=( ["AzureCloud"]="public" ["AzureUSGovernment"]="usgovernment")
+ echo "${arm_envs[${azure_environment}]}"
+}
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index 48827ca..5352df8 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -130,6 +130,26 @@ inputs:
 description: "The Azure Resource ID for an external key store to use for CMK"
 required: false
 default: ""
+ USER_MANAGEMENT_ENABLED:
+ description: "If set to true TRE Admins are able to assign and de-assign users to workspaces via the UI"
+ required: false
+ default: "false"
+ PRIVATE_AGENT_SUBNET_ID:
+ description: Enables vnet exception for the subnet to access private resources
+ required: false
+ default: ""
+ UI_SITE_NAME:
+ description: "Product name shown in top left corner of TRE portal"
+ required: false
+ default: "Azure TRE"
+ UI_FOOTER_TEXT:
+ description: "Text shown in bottom left corner of TRE portal"
+ required: false
+ default: "Azure Trusted Research Environment"
+ AUTO_GRANT_WORKSPACE_CONSENT:
+ description: "When set to true removes the need for users to manually grant consent when creating new workspaces"
+ required: false
+ default: "false"
 
 runs:
 using: composite
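Review bot: In the action.yml inputs hunk, `PRIVATE_AGENT_SUBNET_ID` is the only one of the five new inputs whose `description` is an unquoted plain scalar, while its neighbours and the existing `EXTERNAL_KEY_STORE_ID` quote theirs; for consistency and to keep the text safe if it later gains a `: ` or ` #`, write `description: "Enables vnet exception for the subnet to access private resources"`. The description could also name what the exception grants access to; the config.sample.yaml hunk later in this patch spells it out as the TRE key vault and management storage account, so reusing that wording here would help callers judge the blast radius of the value they pass.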
@@ -242,6 +262,8 @@ runs: && inputs.WORKSPACE_APP_SERVICE_PLAN_SKU) || 'P1v2' }}" \ -e TF_VAR_rp_bundle_values='${{ (toJson(inputs.RP_BUNDLE_VALUES) != '""' && inputs.RP_BUNDLE_VALUES) || '{}' }}' \ + -e UI_SITE_NAME="${{ inputs.UI_SITE_NAME }}" \ + -e UI_FOOTER_TEXT="${{ inputs.UI_FOOTER_TEXT }}" \ -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != '' && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \ -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \ @@ -250,6 +272,11 @@ runs: && inputs.ENABLE_CMK_ENCRYPTION) || 'false' }}" \ -e TF_VAR_encryption_kv_name="${{ inputs.ENCRYPTION_KV_NAME }}" \ -e TF_VAR_external_key_store_id="${{ inputs.EXTERNAL_KEY_STORE_ID }}" \ + -e TF_VAR_user_management_enabled="${{ (inputs.USER_MANAGEMENT_ENABLED != '' && inputs.USER_MANAGEMENT_ENABLED) || 'false' }}" \ + -e USER_MANAGEMENT_ENABLED="${{ inputs.USER_MANAGEMENT_ENABLED }}" \ + -e PRIVATE_AGENT_SUBNET_ID=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \ + -e TF_VAR_private_agent_subnet_id=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \ + -e TF_VAR_auto_grant_workspace_consent="${{ (inputs.AUTO_GRANT_WORKSPACE_CONSENT != '' && inputs.AUTO_GRANT_WORKSPACE_CONSENT) || 'false' }}" \ -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \ '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \ bash -c -x "./command.sh" diff --git a/.github/workflows/deploy_tre.yml b/.github/workflows/deploy_tre.yml index 0ce366f..2d5eb7b 100644 --- a/.github/workflows/deploy_tre.yml +++ b/.github/workflows/deploy_tre.yml @@ -37,7 +37,7 @@ jobs: || 'extended or extended_aad or shared_services or airlock' }} environmentName: ${{ github.event.inputs.environment || 'CICD' }} E2E_TESTS_NUMBER_PROCESSES: 1 - DEVCONTAINER_TAG: 'latest' + DEVCONTAINER_TAG: "latest" secrets: AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }} ACR_NAME: ${{ secrets.ACR_NAME }} 
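Review bot: In the second hunk the two new `PRIVATE_AGENT_SUBNET_ID` lines interpolate the expression unquoted, `-e PRIVATE_AGENT_SUBNET_ID=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \` and `-e TF_VAR_private_agent_subnet_id=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \`, whereas every other new `-e` in these hunks is double-quoted; `${{ }}` is substituted as text before the shell runs, so an unquoted value is subject to word splitting and any shell metacharacters in it change the command, and quoting them as `-e PRIVATE_AGENT_SUBNET_ID="${{ inputs.PRIVATE_AGENT_SUBNET_ID }}" \` and `-e TF_VAR_private_agent_subnet_id="${{ inputs.PRIVATE_AGENT_SUBNET_ID }}" \` matches the surrounding lines. The value appears to arrive from a caller's secret (the workflow hunks below), so the practical risk is low, but the existing `-e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }}` shows the inconsistency is already creeping in. The `run:` block these `-e` arguments belong to starts outside the hunk.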
@@ -53,3 +53,4 @@ jobs:
 CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
 ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
 EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
+ PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
diff --git a/.github/workflows/deploy_tre_branch.yml b/.github/workflows/deploy_tre_branch.yml
index c06e6b6..580cf34 100644
--- a/.github/workflows/deploy_tre_branch.yml
+++ b/.github/workflows/deploy_tre_branch.yml
@@ -84,3 +84,4 @@ jobs:
 CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
 ENCRYPTION_KV_NAME: ${{ format('tre{0}mgmt', needs.prepare-not-main.outputs.refid) }}
 EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
+ PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
index 85c2ea3..f00ae03 100644
--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@@ -1,7 +1,7 @@
 ---
 name: Deploy Azure TRE Reusable
 
-on: # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
 workflow_call:
 inputs:
 prRef:
@@ -35,6 +35,16 @@ on: # yamllint disable-line rule:truthy
 description: ""
 type: string
 required: true
+ UI_SITE_NAME:
+ description: Change the header text in the TRE portal
+ type: string
+ default: ""
+ required: false
+ UI_FOOTER_TEXT:
+ description: Change the footer text in the TRE portal
+ type: string
+ default: ""
+ required: false
 secrets:
 AAD_TENANT_ID:
 description: ""
@@ -78,6 +88,9 @@ on: # yamllint disable-line rule:truthy
 EXTERNAL_KEY_STORE_ID:
 description: ""
 required: false
+ PRIVATE_AGENT_SUBNET_ID:
+ description: ""
+ required: false
 
 # This will prevent multiple runs of this entire workflow.
 # We should NOT cancel in progress runs as that can destabilize the environment.
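Review bot: The new `PRIVATE_AGENT_SUBNET_ID` secret in deploy_tre_reusable.yml is declared with `description: ""`, which follows the file's existing pattern but leaves the one secret that changes network exposure undocumented; the config.sample.yaml hunk in this patch describes the setting as a vnet exception for the TRE key vault and management storage account, so `description: "Resource ID of the agent subnet granted a vnet exception to the TRE key vault and management storage account"` would tell callers what they are opening. The same consideration applies to the unquoted `description: Change the header text in the TRE portal` and footer counterpart in the inputs hunk, which are fine as plain scalars but differ in style from the quoted descriptions around them.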
@@ -165,7 +178,7 @@ jobs: environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} - name: ACR Login - id: ci_cache_cr_login + id: ci_cache_acr_login # will fail if this is a new env which is expected continue-on-error: true run: az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" @@ -183,7 +196,7 @@ jobs: echo "CI_CACHE_ACR_URI=$CI_CACHE_ACR_URI" >> "$GITHUB_ENV" docker_cache=() - if [ "${{ steps.ci_cache_cr_login.outcome }}" = "success" ]; then + if [ "${{ steps.ci_cache_acr_login.outcome }}" = "success" ]; then docker_cache+=(--cache-from "$CI_CACHE_ACR_URI/tredev:${{ inputs.DEVCONTAINER_TAG }}") docker_cache+=(--cache-from "$CI_CACHE_ACR_URI/tredev:latest") fi @@ -212,15 +225,19 @@ jobs: ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }} ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }} EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }} + PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }} - name: ACR Login # failure in the first attempt indicates a new ACR, so we need to try again after it's been created - if: steps.ci_cache_cr_login.outcome != 'success' + if: steps.ci_cache_acr_login.outcome != 'success' run: | # shellcheck disable=SC2034,SC2015,SC2125 for i in {1..3}; do az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" && ec=0 && break || ec="$?" && sleep 10 done + if [ "$ec" != 0 ]; then + echo "::error::Failed to login to ACR after 3 attempts. Make sure to run the pipleline on the main branch first." + fi # shellcheck disable=SC2242 (exit "$ec") 
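Review bot: The new `::error::` annotation in the ACR login retry step misspells "pipeline"; since this is the text an operator sees when the run fails, `echo "::error::Failed to login to ACR after 3 attempts. Make sure to run the pipeline on the main branch first."`. These hunks also rename the step id `ci_cache_cr_login` to `ci_cache_acr_login` in three places; a reference to the old id anywhere outside the shown hunks would not error but would silently evaluate `steps.ci_cache_cr_login.outcome` to an empty string, so the rest of the file is worth grepping for the old name. The step's `run:` block, from the `for` loop to `(exit "$ec")`, is inside the hunk; the enclosing job is not.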
@@ -328,6 +345,9 @@ jobs:
 ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }}
 ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
 EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
+ USER_MANAGEMENT_ENABLED: ${{ vars.USER_MANAGEMENT_ENABLED }}
+ PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
+ AUTO_GRANT_WORKSPACE_CONSENT: ${{ vars.AUTO_GRANT_WORKSPACE_CONSENT }}
 
 - name: API Healthcheck
 uses: ./.github/actions/devcontainer_run_command
@@ -701,3 +721,6 @@ jobs:
 MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
 MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
 SWAGGER_UI_CLIENT_ID: "${{ secrets.SWAGGER_UI_CLIENT_ID }}"
+ USER_MANAGEMENT_ENABLED: ${{ vars.USER_MANAGEMENT_ENABLED }}
+ UI_SITE_NAME: "${{ inputs.UI_SITE_NAME || vars.UI_SITE_NAME }}"
+ UI_FOOTER_TEXT: "${{ inputs.UI_FOOTER_TEXT || vars.UI_FOOTER_TEXT }}"
diff --git a/config.sample.yaml b/config.sample.yaml
index 8fc4b03..1d27f4a 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -8,6 +8,8 @@ management:
 mgmt_storage_account_name: __CHANGE_ME__
 terraform_state_container_name: tfstate
 acr_name: __CHANGE_ME__
+ # Set this to true if you want to disable public access to mgmt acr
+ disable_acr_public_access: true
 # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true)
 # external_key_store_id: __CHANGE_ME__
 # Name of Key Vault for encryption, required if enable_cmk_encryption is true and external_key_store_id is not set
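Review bot: `USER_MANAGEMENT_ENABLED: ${{ vars.USER_MANAGEMENT_ENABLED }}` and `AUTO_GRANT_WORKSPACE_CONSENT: ${{ vars.AUTO_GRANT_WORKSPACE_CONSENT }}` in the first hunk pass an empty string whenever the repository variable is unset, and while the action guards its `TF_VAR_*` twins with `|| 'false'`, the plain `-e USER_MANAGEMENT_ENABLED="${{ inputs.USER_MANAGEMENT_ENABLED }}"` in the action.yml hunk has no such fallback, so whether it receives `false` or `""` depends on whether an explicitly supplied empty input still takes the input default — this should be confirmed, or the same `|| 'false'` applied there. Both flags widen what TRE admins or the workspace identity may do according to the config.sample.yaml comments in this patch, so an explicit `false` is the safer shape for a feature toggle than relying on input-default behaviour. The `with:` mapping these lines extend starts outside the hunk.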
@@ -49,12 +51,26 @@ tre: # firewall_force_tunnel_ip: __CHANGE_ME__ firewall_sku: Standard app_gateway_sku: Standard_v2 + deploy_bastion: true + # See https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku + # Set to Basic if wish to connect to VMs in workspaces. + bastion_sku: Basic # Set to true if TreAdmins should be able to assign and de-assign users to workspaces via the UI user_management_enabled: false + # Uncomment to enable DNS Security policy on the system, and add any known DNS names that you need to allow + # DNS queries on, in addition to those in the core list in core/terraform/allowed-dns.json + # Note, these need to be fully qualified, i.e. they end in a dot(.) + # enable_dns_policy: true + # allowed_dns: + # - mydomain.com. + # Uncomment to deploy to a custom domain # custom_domain: __CHANGE_ME__ + + # Uncomment to enable vnet exception for the subnet to access private resources like TRE key vault and management storage account. + # private_agent_subnet_id: __CHANGE_ME__ authentication: aad_tenant_id: __CHANGE_ME__ # Setting AUTO_WORKSPACE_APP_REGISTRATION to false will: @@ -66,6 +82,9 @@ authentication: auto_workspace_app_registration: true # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All` auto_workspace_group_creation: false + # Setting this to true will remove the need for users to manually grant consent when creating new workspaces. + # The identity will be granted Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All permissions. + auto_grant_workspace_consent: false resource_processor: # The number of processes to start in the resource processor VMSS image 
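Review bot: The comment above `bastion_sku: Basic` is missing a word; `# Set to Basic if you wish to connect to VMs in workspaces.` reads correctly. The `auto_grant_workspace_consent` comment does well to name the `Application.ReadWrite.All` and `DelegatedPermissionGrant.ReadWrite.All` grants the identity receives and the sample keeps the flag at `false`; the `deploy_bastion: true` and `bastion_sku` pair, by contrast, are enabled in the sample without a comment saying what the default exposes, so a one-line note that Bastion is deployed by default and can be turned off would make the sample self-describing.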
@@ -77,6 +96,12 @@ resource_processor:
 # yamllint disable-line rule:line-length
 # rp_bundle_values: '{"custom_key_1":"custom_value_1","image_gallery_id":"/subscriptions//resourceGroups//providers/Microsoft.Compute/galleries/"}'
 
+ui_config:
+ # Product name shown in the top left hand corner of the TRE portal
+ ui_site_name: "Azure TRE"
+ # Footer text shown in the bottom left hand corner of the TRE portal
+ ui_footer_text: "Azure Trusted Research Environment"
+
 developer_settings:
 # Locks will not be added to stateful resources so they can be easily removed
 # stateful_resources_locked: false
From 4d35b85bda8c9333737b58c3e6303f9d601a765c Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 10 Jun 2025 15:25:05 +0000
Subject: [PATCH 2/3] Fix script location.

---
 .devcontainer/scripts/construct_tre_url.sh | 15 ---------------
 .../scripts/convert_azure_env_to_arm_env.sh | 10 ----------
 .github/scripts/construct_tre_url.sh | 0
 .github/scripts/convert_azure_env_to_arm_env.sh | 0
 4 files changed, 25 deletions(-)
 delete mode 100755 .devcontainer/scripts/construct_tre_url.sh
 delete mode 100755 .devcontainer/scripts/convert_azure_env_to_arm_env.sh
 mode change 100644 => 100755 .github/scripts/construct_tre_url.sh
 mode change 100644 => 100755 .github/scripts/convert_azure_env_to_arm_env.sh

diff --git a/.devcontainer/scripts/construct_tre_url.sh b/.devcontainer/scripts/construct_tre_url.sh
deleted file mode 100755
index 15ae3fe..0000000
--- a/.devcontainer/scripts/construct_tre_url.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-# This script is designed to be `source`d to create reusable helper functions
-
-function construct_tre_url()
-{
- tre_id=$1
- location=$2
- azure_environment=$3
-
- declare -A cloudapp_endpoint_suffixes=( ["AzureCloud"]="cloudapp.azure.com" ["AzureUSGovernment"]="cloudapp.usgovcloudapi.net" )
- domain=${cloudapp_endpoint_suffixes[${azure_environment}]}
-
- echo https://"${tre_id}"."${location}"."${domain}"
-}
diff --git a/.devcontainer/scripts/convert_azure_env_to_arm_env.sh b/.devcontainer/scripts/convert_azure_env_to_arm_env.sh
deleted file mode 100755
index a77bef5..0000000
--- a/.devcontainer/scripts/convert_azure_env_to_arm_env.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-# This script is designed to be `source`d to create reusable helper functions
-
-function convert_azure_env_to_arm_env()
-{
- azure_environment=$1
- declare -A arm_envs=( ["AzureCloud"]="public" ["AzureUSGovernment"]="usgovernment")
- echo "${arm_envs[${azure_environment}]}"
-}
diff --git a/.github/scripts/construct_tre_url.sh b/.github/scripts/construct_tre_url.sh
old mode 100644
new mode 100755
diff --git a/.github/scripts/convert_azure_env_to_arm_env.sh b/.github/scripts/convert_azure_env_to_arm_env.sh
old mode 100644
new mode 100755
From 878e957e201f70e0bc43f7c75efaa1b36e00a080 Mon Sep 17 00:00:00 2001
From: Marcus Robinson
Date: Tue, 10 Jun 2025 15:27:19 +0000
Subject: [PATCH 3/3] revert scripts

---
 .github/scripts/construct_tre_url.sh | 0
 .github/scripts/convert_azure_env_to_arm_env.sh | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 .github/scripts/construct_tre_url.sh
 mode change 100755 => 100644 .github/scripts/convert_azure_env_to_arm_env.sh

diff --git a/.github/scripts/construct_tre_url.sh b/.github/scripts/construct_tre_url.sh
old mode 100755
new mode 100644
diff --git a/.github/scripts/convert_azure_env_to_arm_env.sh b/.github/scripts/convert_azure_env_to_arm_env.sh
old mode 100755
new mode 100644