microsoft · marrobi · Jul 20, 2025 · Jul 18, 2025 · Jul 18, 2025 · Jul 18, 2025
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -18,7 +18,7 @@
       "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}",
       "INTERACTIVE": "true",
       "UPSTREAM_REPO": "microsoft/AzureTRE",
-      "UPSTREAM_REPO_VERSION": "v0.24.0",
+      "UPSTREAM_REPO_VERSION": "v0.25.0",
       "GITHUB_TOKEN": ""
     }
   },

diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
@@ -1,6 +1,7 @@
 ---
 name: "run_command"
 description: "Run a command in a devcontainer"
+# yamllint disable rule:line-length
 inputs:
   COMMAND:
     description: "The command you want to run in the Devcontainer."
@@ -150,6 +151,14 @@ inputs:
     description: "When set to true removes the need for users to manually grant consent when creating new workspaces"
     required: false
     default: "false"
+  ENABLE_DNS_POLICY:
+    description: "Enable the DNS security policy"
+    required: false
+    default: "false"
+  ALLOWED_DNS:
+    description: "Add allowed domain name to the DNS security policy"
+    required: false
+    default: "[]"
 
 runs:
   using: composite
@@ -277,6 +286,8 @@ runs:
           -e PRIVATE_AGENT_SUBNET_ID=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \
           -e TF_VAR_private_agent_subnet_id=${{ inputs.PRIVATE_AGENT_SUBNET_ID }} \
           -e TF_VAR_auto_grant_workspace_consent="${{ (inputs.AUTO_GRANT_WORKSPACE_CONSENT != '' && inputs.AUTO_GRANT_WORKSPACE_CONSENT) || 'false' }}" \
+          -e TF_VAR_enable_dns_policy="${{ (inputs.ENABLE_DNS_POLICY != '' && inputs.ENABLE_DNS_POLICY) || 'false' }}" \
+          -e TF_VAR_allowed_dns='${{ (toJson(inputs.ALLOWED_DNS) != '""' && inputs.ALLOWED_DNS) || '[]' }}' \
           -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
           '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
         bash -c -x "./command.sh"

diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
@@ -1,5 +1,6 @@
 ---
 name: Deploy Azure TRE Reusable
+# yamllint disable rule:line-length rule:comments-indentation
 
 on: # yamllint disable-line rule:truthy
   workflow_call:
@@ -236,7 +237,8 @@ jobs:
             az acr login --name "${{ secrets.CI_CACHE_ACR_NAME }}" && ec=0 && break || ec="$?" && sleep 10
           done
           if [ "$ec" != 0 ]; then
-            echo "::error::Failed to login to ACR after 3 attempts. Make sure to run the pipleline on the main branch first."
+            echo "::error::Failed to login to ACR after 3 attempts. Make sure to run the" \
+                 "pipleline on the main branch first."
           fi
           # shellcheck disable=SC2242
           (exit "$ec")
@@ -348,6 +350,8 @@ jobs:
           USER_MANAGEMENT_ENABLED: ${{ vars.USER_MANAGEMENT_ENABLED }}
           PRIVATE_AGENT_SUBNET_ID: ${{ secrets.PRIVATE_AGENT_SUBNET_ID }}
           AUTO_GRANT_WORKSPACE_CONSENT: ${{ vars.AUTO_GRANT_WORKSPACE_CONSENT }}
+          ENABLE_DNS_POLICY: ${{ vars.ENABLE_DNS_POLICY }}
+          ALLOWED_DNS: ${{ vars.ALLOWED_DNS }}
 
       - name: API Healthcheck
         uses: ./.github/actions/devcontainer_run_command
@@ -399,7 +403,7 @@ jobs:
              BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm"}
           - {BUNDLE_TYPE: "user_resource",
              BUNDLE_DIR: "\\${AZURETRE_HOME}/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm"}
-          # Add your custom Bundles below this
+            # Add your custom Bundles below this
     environment: ${{ inputs.environmentName }}
     steps:
       - name: Checkout