microsoft · marrobi · Jun 11, 2025 · Jun 10, 2025 · Jun 10, 2025 · Jun 10, 2025
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -18,7 +18,7 @@
       "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}",
       "INTERACTIVE": "true",
       "UPSTREAM_REPO": "microsoft/AzureTRE",
-      "UPSTREAM_REPO_VERSION": "v0.22.0",
+      "UPSTREAM_REPO_VERSION": "v0.23.0",
       "GITHUB_TOKEN": ""
     }
   },

diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
@@ -130,6 +130,26 @@ inputs:
     description: "The Azure Resource ID for an external key store to use for CMK"
     required: false
     default: ""
+  USER_MANAGEMENT_ENABLED:
+    description: "If set to true TRE Admins are able to assign and de-assign users to workspaces via the UI"
+    required: false
+    default: "false"
+  PRIVATE_AGENT_SUBNET_ID:
+    description: Enables vnet exception for the subnet to access private resources
+    required: false
+    default: ""
+  UI_SITE_NAME:
+    description: "Product name shown in top left corner of TRE portal"
+    required: false
+    default: "Azure TRE"
+  UI_FOOTER_TEXT:
+    description: "Text shown in bottom left corner of TRE portal"
+    required: false
+    default: "Azure Trusted Research Environment"
+  AUTO_GRANT_WORKSPACE_CONSENT:
+    description: "When set to true removes the need for users to manually grant consent when creating new workspaces"
+    required: false
+    default: "false"
 
 runs:
   using: composite
@@ -242,6 +262,8 @@ runs:
             && inputs.WORKSPACE_APP_SERVICE_PLAN_SKU) || 'P1v2' }}" \
           -e TF_VAR_rp_bundle_values='${{ (toJson(inputs.RP_BUNDLE_VALUES) != '""'
             && inputs.RP_BUNDLE_VALUES) || '{}' }}' \
+          -e UI_SITE_NAME="${{ inputs.UI_SITE_NAME }}" \
+          -e UI_FOOTER_TEXT="${{ inputs.UI_FOOTER_TEXT }}" \
           -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != ''
             && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
           -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \
@@ -250,6 +272,11 @@ runs:
             && inputs.ENABLE_CMK_ENCRYPTION) || 'false' }}" \
           -e TF_VAR_encryption_kv_name="${{ inputs.ENCRYPTION_KV_NAME }}" \
           -e TF_VAR_external_key_store_id="${{ inputs.EXTERNAL_KEY_STORE_ID }}" \
+          -e TF_VAR_user_management_enabled="${{ (inputs.USER_MANAGEMENT_ENABLED != '' && inputs.USER_MANAGEMENT_ENABLED) || 'false' }}" \
+          -e USER_MANAGEMENT_ENABLED="${{ inputs.USER_MANAGEMENT_ENABLED }}" \
+          -e PRIVATE_AGENT_SUBNET_ID=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \
+          -e TF_VAR_private_agent_subnet_id=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \
+          -e TF_VAR_auto_grant_workspace_consent="${{ (inputs.AUTO_GRANT_WORKSPACE_CONSENT != '' && inputs.AUTO_GRANT_WORKSPACE_CONSENT) || 'false' }}" \
           -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
           '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
         bash -c -x "./command.sh"

diff --git a/.github/workflows/deploy_tre.yml b/.github/workflows/deploy_tre.yml
@@ -37,7 +37,7 @@ jobs:
         || 'extended or extended_aad or shared_services or airlock' }}
       environmentName: ${{ github.event.inputs.environment || 'CICD' }}
       E2E_TESTS_NUMBER_PROCESSES: 1
-      DEVCONTAINER_TAG: 'latest'
+      DEVCONTAINER_TAG: "latest"
     secrets:
       AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
       ACR_NAME: ${{ secrets.ACR_NAME }}
@@ -53,3 +53,4 @@ jobs:
       CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
       ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
       EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
+      PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
diff --git a/.github/workflows/deploy_tre_branch.yml b/.github/workflows/deploy_tre_branch.yml
@@ -84,3 +84,4 @@ jobs:
       CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}
       ENCRYPTION_KV_NAME: ${{ format('tre{0}mgmt', needs.prepare-not-main.outputs.refid) }}
       EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
+      PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
@@ -1,7 +1,7 @@
 ---
 name: Deploy Azure TRE Reusable
 
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   workflow_call:
     inputs:
       prRef:
@@ -35,6 +35,16 @@ on:  # yamllint disable-line rule:truthy
         description: ""
         type: string
         required: true
+      UI_SITE_NAME:
+        description: Change the header text in the TRE portal
+        type: string
+        default: ""
+        required: false
+      UI_FOOTER_TEXT:
+        description: Change the footer text in the TRE portal
+        type: string
+        default: ""
+        required: false
     secrets:
       AAD_TENANT_ID:
         description: ""
@@ -78,6 +88,9 @@ on:  # yamllint disable-line rule:truthy
       EXTERNAL_KEY_STORE_ID:
         description: ""
         required: false
+      PRIVATE_AGENT_SUBNET_ID:
+        description: ""
+        required: false
 
 # This will prevent multiple runs of this entire workflow.
 # We should NOT cancel in progress runs as that can destabilize the environment.
@@ -165,7 +178,7 @@ jobs:
           environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }}
 
       - name: ACR Login
-        id: ci_cache_cr_login
+        id: ci_cache_acr_login
         # will fail if this is a new env which is expected
         continue-on-error: true
         run: az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}"
@@ -183,7 +196,7 @@ jobs:
           echo "CI_CACHE_ACR_URI=$CI_CACHE_ACR_URI" >> "$GITHUB_ENV"
 
           docker_cache=()
-          if [ "${{ steps.ci_cache_cr_login.outcome }}" = "success" ]; then
+          if [ "${{ steps.ci_cache_acr_login.outcome }}" = "success" ]; then
             docker_cache+=(--cache-from "$CI_CACHE_ACR_URI/tredev:${{ inputs.DEVCONTAINER_TAG }}")
             docker_cache+=(--cache-from "$CI_CACHE_ACR_URI/tredev:latest")
           fi
@@ -212,15 +225,19 @@ jobs:
           ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }}
           ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
           EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
+          PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
 
       - name: ACR Login
         # failure in the first attempt indicates a new ACR, so we need to try again after it's been created
-        if: steps.ci_cache_cr_login.outcome != 'success'
+        if: steps.ci_cache_acr_login.outcome != 'success'
         run: |
           # shellcheck disable=SC2034,SC2015,SC2125
           for i in {1..3}; do
             az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" && ec=0 && break || ec="$?" && sleep 10
           done
+          if [ "$ec" != 0 ]; then
+            echo "::error::Failed to login to ACR after 3 attempts. Make sure to run the pipleline on the main branch first."
+          fi
           # shellcheck disable=SC2242
           (exit "$ec")
 
@@ -328,6 +345,9 @@ jobs:
           ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }}
           ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }}
           EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }}
+          USER_MANAGEMENT_ENABLED: ${{ vars.USER_MANAGEMENT_ENABLED }}
+          PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
+          AUTO_GRANT_WORKSPACE_CONSENT: ${{ vars.AUTO_GRANT_WORKSPACE_CONSENT }}
 
       - name: API Healthcheck
         uses: ./.github/actions/devcontainer_run_command
@@ -701,3 +721,6 @@ jobs:
           MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }}
           MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }}
           SWAGGER_UI_CLIENT_ID: "${{ secrets.SWAGGER_UI_CLIENT_ID }}"
+          USER_MANAGEMENT_ENABLED: ${{ vars.USER_MANAGEMENT_ENABLED }}
+          UI_SITE_NAME: "${{ inputs.UI_SITE_NAME || vars.UI_SITE_NAME }}"
+          UI_FOOTER_TEXT: "${{ inputs.UI_FOOTER_TEXT || vars.UI_FOOTER_TEXT }}"
diff --git a/config.sample.yaml b/config.sample.yaml
@@ -8,6 +8,8 @@ management:
   mgmt_storage_account_name: __CHANGE_ME__
   terraform_state_container_name: tfstate
   acr_name: __CHANGE_ME__
+  # Set this to true if you want to disable public access to mgmt acr
+  disable_acr_public_access: true
   # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true)
   # external_key_store_id: __CHANGE_ME__
   # Name of Key Vault for encryption, required if enable_cmk_encryption is true and external_key_store_id is not set
@@ -49,12 +51,26 @@ tre:
   # firewall_force_tunnel_ip: __CHANGE_ME__
   firewall_sku: Standard
   app_gateway_sku: Standard_v2
+  deploy_bastion: true
+  # See https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku
+  # Set to Basic if wish to connect to VMs in workspaces.
+  bastion_sku: Basic
 
   # Set to true if TreAdmins should be able to assign and de-assign users to workspaces via the UI
   user_management_enabled: false
 
+  # Uncomment to enable DNS Security policy on the system, and add any known DNS names that you need to allow
+  # DNS queries on, in addition to those in the core list in core/terraform/allowed-dns.json
+  # Note, these need to be fully qualified, i.e. they end in a dot(.)
+  # enable_dns_policy: true
+  # allowed_dns:
+  #   - mydomain.com.
+
   # Uncomment to deploy to a custom domain
   # custom_domain: __CHANGE_ME__
+
+  # Uncomment to enable vnet exception for the subnet to access private resources like TRE key vault and management storage account.
+  # private_agent_subnet_id: __CHANGE_ME__
 authentication:
   aad_tenant_id: __CHANGE_ME__
   # Setting AUTO_WORKSPACE_APP_REGISTRATION to false will:
@@ -66,6 +82,9 @@ authentication:
   auto_workspace_app_registration: true
   # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All`
   auto_workspace_group_creation: false
+  # Setting this to true will remove the need for users to manually grant consent when creating new workspaces.
+  # The identity will be granted Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All permissions.
+  auto_grant_workspace_consent: false
 
 resource_processor:
   # The number of processes to start in the resource processor VMSS image
@@ -77,6 +96,12 @@ resource_processor:
 # yamllint disable-line rule:line-length
 #  rp_bundle_values: '{"custom_key_1":"custom_value_1","image_gallery_id":"/subscriptions/<subscription-id>/resourceGroups/<your-rg>/providers/Microsoft.Compute/galleries/<your-gallery-name>"}'
 
+ui_config:
+  # Product name shown in the top left hand corner of the TRE portal
+  ui_site_name: "Azure TRE"
+  # Footer text shown in the bottom left hand corner of the TRE portal
+  ui_footer_text: "Azure Trusted Research Environment"
+
 developer_settings:
 # Locks will not be added to stateful resources so they can be easily removed
 # stateful_resources_locked: false