Merge branch 'main' into jr/upstream-main/142-certs-kv-error

microsoft · Feb 5, 2025 · b16d975 · b16d975
2 parents b8ace48 + 7ecd184
commit b16d975
Show file tree

Hide file tree

Showing 25 changed files with 58 additions and 53 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -29,7 +29,7 @@
     // Mount docker socket for docker builds
     "type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock",
     // Mounts the github cli login details from the host machine to the container (~/.config/gh/hosts.yml)
-    "type=bind,source=${env:HOME}${env:USERPROFILE}/.config,target=/home/vscode/.config",
+    "type=bind,source=${env:HOME}${env:USERPROFILE}/.config,target=/home/vscode/.config"
   ],
   "remoteUser": "vscode",
   "containerEnv": {
@@ -277,6 +277,8 @@
         "ms-python.pylance",
         "hashicorp.terraform",
         "github.vscode-pull-request-github",
+        "gitHub.copilot",
+        "github.copilot-chat",
         "getporter.porter-vscode",
         "davidanson.vscode-markdownlint",
         "editorconfig.editorconfig",
@@ -291,5 +293,6 @@
     8000
   ],
   // Run commands after the container is created.
-  "postCreateCommand": "./.devcontainer/scripts/post-create.sh"
+  "postCreateCommand": "./.devcontainer/scripts/post-create.sh",
+  "initializeCommand": "mkdir -p $HOME/.azure $HOME/.config || true"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,8 @@ ENHANCEMENTS:
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
+* Downgrade certs shared service App Gateway to Basic SKU ([#4300](https://github.com/microsoft/AzureTRE/issues/4300))
+* Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
@@ -55,6 +57,7 @@ BUG FIXES:
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
 * Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
+* Recreate tre_output.json if empty. ([[#4292](https://github.com/microsoft/AzureTRE/issues/4292)])
 
 COMPONENTS:
 

diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -21,9 +21,8 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
   local_user_enabled               = false
-  # Function Host Storage doesn't seem to be able to use a User Managed ID, which is why we continue to use a key.
-  shared_access_key_enabled = true
-  tags                      = var.tre_core_tags
+  shared_access_key_enabled        = false
+  tags                             = var.tre_core_tags
 
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
@@ -57,9 +56,7 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
   ftp_publish_basic_authentication_enabled       = false
   webdeploy_publish_basic_authentication_enabled = false
   storage_account_name                           = azurerm_storage_account.sa_airlock_processor_func_app.name
-
-  # Function Host Storage doesn't seem to be able to use a User Managed ID, which is why we continue to use a key.
-  storage_account_access_key = azurerm_storage_account.sa_airlock_processor_func_app.primary_access_key
+  storage_uses_managed_identity                  = true
 
   tags = var.tre_core_tags
 
@@ -86,6 +83,8 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
     "TRE_ID"                                     = var.tre_id
     "WEBSITE_CONTENTOVERVNET"                    = 1
     "STORAGE_ENDPOINT_SUFFIX"                    = module.terraform_azurerm_environment_configuration.storage_suffix
+    "AzureWebJobsStorage__clientId"              = azurerm_user_assigned_identity.airlock_id.client_id
+    "AzureWebJobsStorage__credential"            = "managedidentity"
   }
 
   site_config {

diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
@@ -52,3 +52,11 @@ resource "azurerm_role_assignment" "api_sa_data_contributor" {
   role_definition_name = "Storage Blob Data Contributor"
   principal_id         = var.api_principal_id
 }
+
+# Permissions needed for the Function Host to work correctly.
+resource "azurerm_role_assignment" "function_host_storage" {
+  for_each             = toset(["Storage Account Contributor", "Storage Blob Data Owner", "Storage Queue Data Contributor"])
+  scope                = azurerm_storage_account.sa_airlock_processor_func_app.id
+  role_definition_name = each.value
+  principal_id         = azurerm_user_assigned_identity.airlock_id.principal_id
+}
diff --git a/core/terraform/outputs.sh b/core/terraform/outputs.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 
-if [ ! -f ../tre_output.json ]; then
+if [ ! -f ../tre_output.json ] || [ ! -s ../tre_output.json ]; then
   # Connect to the remote backend of Terraform
   export TF_LOG=""
   # shellcheck disable=SC2154

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.19"
+__version__ = "0.11.21"
diff --git a/e2e_tests/config.py b/e2e_tests/config.py
@@ -1,11 +1,9 @@
+import warnings
 from starlette.config import Config
 
+warnings.filterwarnings("ignore", message="Config file '.env' not found.")
 
-try:
-    config = Config('.env')
-# Workaround needed until FastAPI uses Starlette >= 3.7.1
-except FileNotFoundError:
-    config = Config()
+config = Config('.env')
 
 # Resource Info
 RESOURCE_LOCATION: str = config("RESOURCE_LOCATION", default="")

diff --git a/e2e_tests/conftest.py b/e2e_tests/conftest.py
@@ -12,23 +12,13 @@
 
 
 LOGGER = logging.getLogger(__name__)
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 
 
 def pytest_addoption(parser):
     parser.addoption("--verify", action="store", default="true")
 
 
-@pytest.fixture(scope="session")
-def event_loop():
-    try:
-        loop = asyncio.get_running_loop()
-    except RuntimeError:
-        loop = asyncio.new_event_loop()
-    yield loop
-    loop.close()
-
-
 @pytest.fixture(scope="session")
 def verify(pytestconfig):
     if pytestconfig.getoption("verify").lower() == "true":

diff --git a/e2e_tests/pytest.ini b/e2e_tests/pytest.ini
@@ -10,6 +10,7 @@ markers =
     workspace_services
 
 asyncio_mode = auto
+asyncio_default_fixture_loop_scope = session
 
 log_cli = 1
 log_cli_level = INFO

diff --git a/e2e_tests/test_airlock.py b/e2e_tests/test_airlock.py
@@ -14,7 +14,7 @@
 from helpers import get_admin_token
 
 
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 LOGGER = logging.getLogger(__name__)
 BLOB_FILE_PATH = "./test_airlock_sample.txt"
 BLOB_NAME = os.path.basename(BLOB_FILE_PATH)

diff --git a/e2e_tests/test_performance.py b/e2e_tests/test_performance.py
@@ -8,7 +8,7 @@
 
 from helpers import get_admin_token
 
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 
 
 @pytest.mark.performance

diff --git a/e2e_tests/test_provisioned_health_api.py b/e2e_tests/test_provisioned_health_api.py
@@ -5,7 +5,7 @@
 from resources import strings
 
 
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 
 
 @pytest.mark.smoke

diff --git a/e2e_tests/test_ui.py b/e2e_tests/test_ui.py
@@ -4,7 +4,7 @@
 import config
 
 
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 
 
 @pytest.mark.smoke

diff --git a/e2e_tests/test_workspace_service_templates.py b/e2e_tests/test_workspace_service_templates.py
@@ -8,7 +8,7 @@
 from resources import strings
 from helpers import get_admin_token
 
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 
 workspace_service_templates = [
     (strings.AZUREML_SERVICE),

diff --git a/e2e_tests/test_workspace_services.py b/e2e_tests/test_workspace_services.py
@@ -5,7 +5,7 @@
 from resources.resource import get_resource, post_resource
 from resources import strings
 
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 
 workspace_services = [
     strings.AZUREML_SERVICE,

diff --git a/e2e_tests/test_workspace_templates.py b/e2e_tests/test_workspace_templates.py
@@ -11,7 +11,7 @@
 from helpers import get_admin_token
 
 
-pytestmark = pytest.mark.asyncio
+pytestmark = pytest.mark.asyncio(loop_scope="session")
 
 
 workspace_templates = [

diff --git a/templates/shared_services/certs/terraform/.terraform.lock.hcl b/templates/shared_services/certs/terraform/.terraform.lock.hcl
diff --git a/templates/shared_services/certs/terraform/appgateway.tf b/templates/shared_services/certs/terraform/appgateway.tf
@@ -26,8 +26,8 @@ resource "azurerm_application_gateway" "agw" {
   tags                = local.tre_shared_service_tags
 
   sku {
-    name     = "Standard_v2"
-    tier     = "Standard_v2"
+    name     = "Basic"
+    tier     = "Basic"
     capacity = 1
   }
 

diff --git a/templates/shared_services/certs/terraform/main.tf b/templates/shared_services/certs/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.117.0"
+      version = "=4.17.0"
     }
   }
 

diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-airlock-import-review
-version: 0.14.1
+version: 0.14.2
 description: "A workspace to do Airlock Data Import Reviews for Azure TRE"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspaces/airlock-import-review/template_schema.json b/templates/workspaces/airlock-import-review/template_schema.json
@@ -16,6 +16,7 @@
       "description": "The SKU that will be used when deploying an Azure App Service Plan.",
       "default": "P1v3",
       "enum": [
+        "P0v3",
         "P1v3",
         "P1v2",
         "S1"

diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.9.1
+version: 1.9.2
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspaces/base/template_schema.json b/templates/workspaces/base/template_schema.json
@@ -28,6 +28,7 @@
       "description": "The SKU that will be used when deploying an Azure App Service Plan.",
       "default": "P1v3",
       "enum": [
+        "P0v3",
         "P1v3",
         "P1v2",
         "S1"

diff --git a/templates/workspaces/unrestricted/porter.yaml b/templates/workspaces/unrestricted/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-unrestricted
-version: 0.13.1
+version: 0.13.2
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspaces/unrestricted/template_schema.json b/templates/workspaces/unrestricted/template_schema.json
@@ -28,6 +28,7 @@
       "description": "The SKU that will be used when deploying an Azure App Service Plan.",
       "default": "P1v3",
       "enum": [
+        "P0v3",
         "P1v3",
         "P1v2",
         "S1"
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,7 @@ @@
           "description": "The SKU that will be used when deploying an Azure App Service Plan.",
           "default": "P1v3",
           "enum": [
+            "P0v3",
             "P1v3",
             "P1v2",
             "S1"
@@ Expand Down @@