From 408e3638da65bbce03391554d931fad6259bbe43 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Sun, 19 Jan 2025 14:37:28 +0000
Subject: [PATCH 1/2] disbale eventgrid local auth

---
 CHANGELOG.md | 2 +
 .../BlobCreatedTrigger/function.json | 6 +--
 .../ScanResultTrigger/function.json | 3 +-
 .../StatusChangedQueueTrigger/function.json | 6 +--
 airlock_processor/_version.py | 2 +-
 core/terraform/airlock/airlock_processor.tf | 44 +++++++++++--------
 core/terraform/airlock/eventgrid_topics.tf | 5 +++
 core/terraform/airlock/identity.tf | 22 +++++++++-
 core/terraform/airlock/locals.tf | 3 ++
 core/version.txt | 2 +-
 10 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72a55a77b0..786703db7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,8 @@ ENHANCEMENTS:
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
+* Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
+* Disable local authentication in EventGrid ([[#4254](https://github.com/microsoft/AzureTRE/issues/4254)])
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/airlock_processor/BlobCreatedTrigger/function.json b/airlock_processor/BlobCreatedTrigger/function.json
index 5bde252c39..5a652a8eff 100644
--- a/airlock_processor/BlobCreatedTrigger/function.json
+++ b/airlock_processor/BlobCreatedTrigger/function.json
@@ -13,15 +13,13 @@
 {
 "type": "eventGrid",
 "name": "stepResultEvent",
- "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
 "direction": "out"
 },
 {
 "type": "eventGrid",
 "name": "dataDeletionEvent",
- "topicEndpointUri": "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_DATA_DELETION_CONNECTION",
 "direction": "out"
 }
 ]
diff --git a/airlock_processor/ScanResultTrigger/function.json b/airlock_processor/ScanResultTrigger/function.json
index 4dee63e389..32758cea1c 100644
--- a/airlock_processor/ScanResultTrigger/function.json
+++ b/airlock_processor/ScanResultTrigger/function.json
@@ -12,8 +12,7 @@
 {
 "type": "eventGrid",
 "name": "outputEvent",
- "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
 "direction": "out"
 }
 ]
diff --git a/airlock_processor/StatusChangedQueueTrigger/function.json b/airlock_processor/StatusChangedQueueTrigger/function.json
index c5e7be3356..f686eca80a 100644
--- a/airlock_processor/StatusChangedQueueTrigger/function.json
+++ b/airlock_processor/StatusChangedQueueTrigger/function.json
@@ -11,15 +11,13 @@
 {
 "type": "eventGrid",
 "name": "stepResultEvent",
- "topicEndpointUri": "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_STEP_RESULT_CONNECTION",
 "direction": "out"
 },
 {
 "type": "eventGrid",
 "name": "dataDeletionEvent",
- "topicEndpointUri": "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING",
- "topicKeySetting": "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING",
+ "connection": "EVENT_GRID_DATA_DELETION_CONNECTION",
 "direction": "out"
 }
 ]
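Review bot: The identity-based `connection` form on the stepResultEvent and dataDeletionEvent bindings is only honoured by Event Grid extension versions that support identity-based connections (extension bundle 4.x, as far as I recall); host.json is not part of this patch, so confirm the bundle range there, because with an older bundle the binding would most likely fail at startup for lack of a topic endpoint rather than fall back to anything. JSON has no comment syntax, so the only place to record the prerequisite is host.json or the README next to these triggers; a one-line note such as `identity-based Event Grid output requires extension bundle [4.*, 5.0.0)` would save the next maintainer a bisect. The same `EVENT_GRID_STEP_RESULT_CONNECTION` prefix is reused by ScanResultTrigger and StatusChangedQueueTrigger in the following hunks, so a stale bundle breaks all three at once.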
diff --git a/airlock_processor/_version.py b/airlock_processor/_version.py
index 777f190df0..8088f75131 100644
--- a/airlock_processor/_version.py
+++ b/airlock_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.0"
+__version__ = "0.8.1"
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index a95bf54eaa..ccb36b81bb 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -66,25 +66,31 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 }
 
 app_settings = {
- "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
- "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
- "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
- "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.step_result.endpoint
- "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.step_result.primary_access_key
- "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
- "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
- "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
- "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
- "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
- "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name
- "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning
- "ARM_ENVIRONMENT" = var.arm_environment
- "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id
- "TRE_ID" = var.tre_id
- "WEBSITE_CONTENTOVERVNET" = 1
- "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
- "AzureWebJobsStorage__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
- "AzureWebJobsStorage__credential" = "managedidentity"
+ "SB_CONNECTION_STRING" = var.airlock_servicebus.default_primary_connection_string
+ "BLOB_CREATED_TOPIC_NAME" = azurerm_servicebus_topic.blob_created.name
+ "TOPIC_SUBSCRIPTION_NAME" = azurerm_servicebus_subscription.airlock_processor.name
+ "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
+ "AIRLOCK_STATUS_CHANGED_QUEUE_NAME" = local.status_changed_queue_name
+ "AIRLOCK_SCAN_RESULT_QUEUE_NAME" = local.scan_result_queue_name
+ "AIRLOCK_DATA_DELETION_QUEUE_NAME" = local.data_deletion_queue_name
+ "ENABLE_MALWARE_SCANNING" = var.enable_malware_scanning
+ "ARM_ENVIRONMENT" = var.arm_environment
+ "MANAGED_IDENTITY_CLIENT_ID" = azurerm_user_assigned_identity.airlock_id.client_id
+ "TRE_ID" = var.tre_id
+ "WEBSITE_CONTENTOVERVNET" = 1
+ "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
+ "AzureWebJobsStorage__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+ "AzureWebJobsStorage__credential" = "managedidentity"
+
+ "EVENT_GRID_STEP_RESULT_CONNECTION" = local.step_result_eventgrid_connection
+ "${local.step_result_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.step_result.endpoint
+ "${local.step_result_eventgrid_connection}__credential" = "managedidentity"
+ "${local.step_result_eventgrid_connection}__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+
+ "EVENT_GRID_DATA_DELETION_CONNECTION" = local.data_deletion_eventgrid_connection
+ "${local.data_deletion_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.data_deletion.endpoint
+ "${local.data_deletion_eventgrid_connection}__credential" = "managedidentity"
+ "${local.data_deletion_eventgrid_connection}__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
 }
 
 site_config {
diff --git a/core/terraform/airlock/eventgrid_topics.tf b/core/terraform/airlock/eventgrid_topics.tf
index 2b967a6b79..d9faaef013 100644
--- a/core/terraform/airlock/eventgrid_topics.tf
+++ b/core/terraform/airlock/eventgrid_topics.tf
@@ -6,6 +6,7 @@ resource "azurerm_eventgrid_topic" "step_result" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -60,6 +61,7 @@ resource "azurerm_eventgrid_topic" "status_changed" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -113,6 +115,7 @@ resource "azurerm_eventgrid_topic" "data_deletion" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -163,6 +166,7 @@ resource "azurerm_eventgrid_topic" "scan_result" {
 resource_group_name = var.resource_group_name
 # This is mandatory for the scan result to be published since private networks are not supported yet
 public_network_access_enabled = true
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
@@ -323,6 +327,7 @@ resource "azurerm_eventgrid_topic" "airlock_notification" {
 location = var.location
 resource_group_name = var.resource_group_name
 public_network_access_enabled = var.enable_local_debugging
+ local_auth_enabled = false
 
 identity {
 type = "SystemAssigned"
diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
index 9711f19ab6..a21a26f562 100644
--- a/core/terraform/airlock/identity.tf
+++ b/core/terraform/airlock/identity.tf
@@ -25,7 +25,7 @@ resource "azurerm_role_assignment" "servicebus_receiver" {
 principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
 }
 
-resource "azurerm_role_assignment" "eventgrid_data_sender" {
+resource "azurerm_role_assignment" "eventgrid_data_sender_status_changed" {
 scope = azurerm_eventgrid_topic.status_changed.id
 role_definition_name = "EventGrid Data Sender"
 principal_id = var.api_principal_id
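Review bot: `local_auth_enabled = false` on the scan_result topic changes the trust model for an external publisher: the comment two lines above keeps `public_network_access_enabled = true` precisely because the scan results are published from outside the private network, and whatever service publishes them now needs an Entra ID identity holding `EventGrid Data Sender` on this topic instead of the topic key. No role assignment for such a publisher appears anywhere in this patch (the new sender roles in identity.tf cover only the airlock identity), so if that publisher relies on the access key — worth confirming against its documentation before merging — scan results will simply stop arriving, with nothing in this module to flag it. Extending the existing comment to `# Public access stays on and local auth is off: the scan-result publisher must authenticate with Entra ID and hold EventGrid Data Sender on this topic` would record the dependency next to the setting that creates it.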
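Review bot: Renaming the resource address from `eventgrid_data_sender` to `eventgrid_data_sender_status_changed` without a `moved` block makes Terraform destroy and recreate the API's `EventGrid Data Sender` assignment on the status_changed topic during the apply, and because this same release turns off local auth on that topic there is a window (destroy, recreate, then RBAC propagation) in which the API cannot publish status-changed events at all. A `moved` block (Terraform 1.1+) keeps the existing assignment in state and turns the rename into a no-op. The hunk ends at the `principal_id` line; the resource's closing brace is outside it.

```hcl
moved {
  from = azurerm_role_assignment.eventgrid_data_sender
  to   = azurerm_role_assignment.eventgrid_data_sender_status_changed
}
```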
@@ -37,6 +37,18 @@ resource "azurerm_role_assignment" "eventgrid_data_sender_notification" {
 principal_id = var.api_principal_id
 }
 
+resource "azurerm_role_assignment" "eventgrid_data_sender_step_result" {
+ scope = azurerm_eventgrid_topic.step_result.id
+ role_definition_name = "EventGrid Data Sender"
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
+resource "azurerm_role_assignment" "eventgrid_data_sender_data_deletion" {
+ scope = azurerm_eventgrid_topic.data_deletion.id
+ role_definition_name = "EventGrid Data Sender"
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
+
 resource "azurerm_role_assignment" "airlock_blob_data_contributor" {
 count = length(local.airlock_sa_blob_data_contributor)
 scope = local.airlock_sa_blob_data_contributor[count.index]
@@ -52,3 +64,11 @@ resource "azurerm_role_assignment" "api_sa_data_contributor" {
 role_definition_name = "Storage Blob Data Contributor"
 principal_id = var.api_principal_id
 }
+
+# Permissions needed for the Function Host to work correctly.
+resource "azurerm_role_assignment" "function_host_storage" {
+ for_each = toset(["Storage Account Contributor", "Storage Blob Data Owner", "Storage Queue Data Contributor"])
+ scope = azurerm_storage_account.sa_airlock_processor_func_app.id
+ role_definition_name = each.value
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
index 3bc09392b6..8ed6805e0e 100644
--- a/core/terraform/airlock/locals.tf
+++ b/core/terraform/airlock/locals.tf
@@ -60,4 +60,7 @@ locals {
 azurerm_storage_account.sa_import_in_progress.id,
 azurerm_storage_account.sa_export_approved.id
 ]
+
+ step_result_eventgrid_connection = "EVENT_GRID_STEP_RESULT_CONNECTION"
+ data_deletion_eventgrid_connection = "EVENT_GRID_DATA_DELETION_CONNECTION"
 }
diff --git a/core/version.txt b/core/version.txt
index d0f18418d1..b663def5a3 100644
--- a/core/version.txt
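Review bot: The two new `EventGrid Data Sender` assignments are now the only credential the function has for the step_result and data_deletion topics (their keys are gone from the app settings and local auth is off), yet nothing orders the function app after them; on a fresh deployment the app can start and drain queued Service Bus messages before these assignments exist or propagate, and the output binding would then most likely fail with 403 until the retry/dead-letter policy gives up. Adding `depends_on = [azurerm_role_assignment.eventgrid_data_sender_step_result, azurerm_role_assignment.eventgrid_data_sender_data_deletion]` to `azurerm_linux_function_app.airlock_function_app` in airlock_processor.tf at least makes the creation order explicit; propagation delay still applies and is worth a comment. A one-liner above each resource, `# airlock function publishes via managed identity; there is no key fallback because local auth is disabled on the topic`, records why these exist and why removing them is a breaking change.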
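Review bot: `Storage Account Contributor` in the `for_each` set is a control-plane role that includes `Microsoft.Storage/storageAccounts/listKeys/action`, so the identity this change moves off shared keys can still read the account keys of the function host storage account; switching `AzureWebJobsStorage` to `managedidentity` is therefore a hygiene gain, not a removal of key access, unless shared-key access is also turned off on the account. The three roles match what the Functions host is documented to require for identity-based `AzureWebJobsStorage`, but the comment `# Permissions needed for the Function Host to work correctly.` does not say which role does what or name the residual; `# Identity-based AzureWebJobsStorage: Blob Data Owner + Queue Data Contributor for host state, Storage Account Contributor is required by the host and still grants listKeys` would. Whether `shared_access_key_enabled = false` is viable is a separate question — the app sets `WEBSITE_CONTENTOVERVNET` and, as far as I know, the Azure Files content share still needs a key — so flag it as a follow-up rather than change it here.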
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.17"
+__version__ = "0.11.18"

From 07fc62b24d84c3262776dc661e3edc8d162becb3 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Mon, 20 Jan 2025 12:05:32 +0200
Subject: [PATCH 2/2] Update CHANGELOG.md

Co-authored-by: Guy Bertental
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 786703db7f..2266410ac2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,7 +36,7 @@ ENHANCEMENTS:
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
-* Disable local authentication in EventGrid ([[#4254](https://github.com/microsoft/AzureTRE/issues/4254)])
+* Disable local authentication in EventGrid ([#4254](https://github.com/microsoft/AzureTRE/issues/4254))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))