diff --git a/CHANGELOG.md b/CHANGELOG.md
index df675c090e..786703db7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ ENHANCEMENTS:
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
+* Disable local authentication in EventGrid ([[#4254](https://github.com/microsoft/AzureTRE/issues/4254)])
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/airlock_processor/StatusChangedQueueTrigger/function.json b/airlock_processor/StatusChangedQueueTrigger/function.json
index c5e7be3356..f686eca80a 100644
--- a/airlock_processor/StatusChangedQueueTrigger/function.json
+++ b/airlock_processor/StatusChangedQueueTrigger/function.json
@@ -11,15 +11,13 @@
 {
 "type": "eventGrid",
 "name": "stepResultEvent",
- "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
 "direction": "out"
 },
 {
 "type": "eventGrid",
 "name": "dataDeletionEvent",
- "topicEndpointUri": "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_DATA_DELETION_CONNECTION",
 "direction": "out"
 }
 ]
diff --git a/airlock_processor/_version.py b/airlock_processor/_version.py
index 777f190df0..732155f8df 100644
--- a/airlock_processor/_version.py
+++ b/airlock_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.0"
+__version__ = "0.8.3"
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index a95bf54eaa..ab51047218 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -69,10 +69,6 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
 "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
 "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
- "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint
- "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.step_result.primary_access_key
- "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
- "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
 "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
 "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
 "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
@@ -85,6 +81,16 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
 "AzureWebJobsStorage__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
 "AzureWebJobsStorage__credential" = "managedidentity"
+
+ "EVENT_GRID_STEP_RESULT_CONNECTION" = local.step_result_eventgrid_connection
+ "${local.step_result_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.step_result.endpoint
+ "${local.step_result_eventgrid_connection}__credential" = "managedidentity"
+ "${local.step_result_eventgrid_connection}__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+
+ "EVENT_GRID_DATA_DELETION_CONNECTION" = local.data_deletion_eventgrid_connection
+ "${local.data_deletion_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.data_deletion.endpoint
+ "${local.data_deletion_eventgrid_connection}__credential" = "managedidentity"
+ "${local.data_deletion_eventgrid_connection}__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
 }
 
 site_config {
diff --git a/core/terraform/airlock/eventgrid_topics.tf b/core/terraform/airlock/eventgrid_topics.tf
index 2b967a6b79..d9faaef013 100644
--- a/core/terraform/airlock/eventgrid_topics.tf
+++ b/core/terraform/airlock/eventgrid_topics.tf
@@ -6,6 +6,7 @@ resource "azurerm_eventgrid_topic" "step_result" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -60,6 +61,7 @@ resource "azurerm_eventgrid_topic" "status_changed" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
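Review bot: The bare `"EVENT_GRID_STEP_RESULT_CONNECTION" = local.step_result_eventgrid_connection` line (and its data-deletion twin further down the hunk) creates an app setting whose value is its own name; the binding's `connection` in function.json already names that prefix and the host resolves the `__topicEndpointUri`/`__credential`/`__clientId` keys from it, so the bare key looks redundant, and if the host treats a non-empty value under the bare key as a connection string it could shadow the identity-based collection — worth confirming against the Event Grid extension's resolution rules or dropping the two lines. The same literal now lives in three places (function.json, locals.tf and the interpolated keys here), so a one-line comment such as `# Prefix must match "connection" in StatusChangedQueueTrigger/function.json` above the block would make that coupling visible. The `__credential = "managedidentity"` plus `__clientId` pairing mirrors the existing `AzureWebJobsStorage__*` lines, which keeps the identity configuration consistent. The enclosing `airlock_function_app` resource starts and ends outside this hunk.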
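Review bot: `local_auth_enabled = false` is added to all five topics (this hunk plus the status_changed, data_deletion, scan_result and airlock_notification hunks that follow), but the commit only adds EventGrid Data Sender assignments for the airlock identity on step_result and data_deletion; status_changed and airlock_notification are covered by the existing `var.api_principal_id` assignments in identity.tf, while nothing in the diff shows who publishes to scan_result once key and SAS publishing is refused. Given the topic's comment that public network access is mandatory for scan results to be published, confirm that the external publisher authenticates with Entra ID and holds a sender role on that topic, otherwise those publishes will fail after apply. A short comment above each new line, e.g. `# Key/SAS publishing disabled; publishers must hold EventGrid Data Sender via Entra ID`, would make that dependency explicit for the next reader. The resource blocks begin and end outside these hunks.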
@@ -113,6 +115,7 @@ resource "azurerm_eventgrid_topic" "data_deletion" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -163,6 +166,7 @@ resource "azurerm_eventgrid_topic" "scan_result" {
 resource_group_name = var.resource_group_name
 # This is mandatory for the scan result to be published since private networks are not supported yet
 public_network_access_enabled = true
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -323,6 +327,7 @@ resource "azurerm_eventgrid_topic" "airlock_notification" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
index 7f452ebdbb..a21a26f562 100644
--- a/core/terraform/airlock/identity.tf
+++ b/core/terraform/airlock/identity.tf
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "servicebus_receiver" {
 principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
 }
 
-resource "azurerm_role_assignment" "eventgrid_data_sender" {
+resource "azurerm_role_assignment" "eventgrid_data_sender_status_changed" {
 scope = azurerm_eventgrid_topic.status_changed.id
 role_definition_name = "EventGrid Data Sender"
 principal_id = var.api_principal_id
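Review bot: Renaming the resource address from `eventgrid_data_sender` to `eventgrid_data_sender_status_changed` without a `moved` block makes Terraform destroy the existing role assignment and create a new one, so the API identity briefly loses EventGrid Data Sender on the status_changed topic during apply, and with local auth now disabled on that topic there is no key fallback for that window. Assuming the pinned Terraform version is 1.1 or later, a `moved { from = azurerm_role_assignment.eventgrid_data_sender` / `to = azurerm_role_assignment.eventgrid_data_sender_status_changed }` block keeps the state entry in place and turns the rename into a no-op plan. The renamed resource's closing brace is outside this hunk.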
@@ -37,6 +37,18 @@ resource "azurerm_role_assignment" "eventgrid_data_sender_notification" {
 principal_id = var.api_principal_id
 }
 
+resource "azurerm_role_assignment" "eventgrid_data_sender_step_result" {
+ scope = azurerm_eventgrid_topic.step_result.id
+ role_definition_name = "EventGrid Data Sender"
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
+resource "azurerm_role_assignment" "eventgrid_data_sender_data_deletion" {
+ scope = azurerm_eventgrid_topic.data_deletion.id
+ role_definition_name = "EventGrid Data Sender"
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
 resource "azurerm_role_assignment" "airlock_blob_data_contributor" {
 count = length(local.airlock_sa_blob_data_contributor)
 scope = local.airlock_sa_blob_data_contributor[count.index]
diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
index 3bc09392b6..1af13a3be6 100644
--- a/core/terraform/airlock/locals.tf
+++ b/core/terraform/airlock/locals.tf
@@ -60,4 +60,7 @@ locals {
 azurerm_storage_account.sa_import_in_progress.id,
 azurerm_storage_account.sa_export_approved.id
 ]
+
+ step_result_eventgrid_connection = "EVENT_GRID_STEP_RESULT_CONNECTION"
+ data_deletion_eventgrid_connection = "EVENT_GRID_DATA_DELETION_CONNECTION"
 }
diff --git a/core/version.txt b/core/version.txt
index b663def5a3..318bf6c824 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.18"
+__version__ = "0.11.19"
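Review bot: Nothing in this diff orders the function app after the two new role assignments, and role assignments take time to propagate, so on a fresh deploy the processor can start and fail its first step-result or data-deletion publishes until RBAC catches up — previously the key in the app settings masked that gap. If `azurerm_linux_function_app.airlock_function_app` does not already carry one, a `depends_on = [azurerm_role_assignment.eventgrid_data_sender_step_result, azurerm_role_assignment.eventgrid_data_sender_data_deletion]` at least serialises creation; a propagation wait is a separate concern. Scoping each grant to a single topic with the built-in EventGrid Data Sender role is the right least-privilege shape for the airlock identity.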