Merge branch 'main' of https://github.com/microsoft/AzureTRE into 423…

…7-support-firewall-force-tunnel

.devcontainer/Dockerfile

@@ -52,6 +52,7 @@ RUN if [ "${INTERACTIVE}" = "true" ]; then \
     && /opt/certbot/bin/pip install --no-cache-dir certbot \
     && apt-get clean -y && rm -rf /var/lib/apt/lists/* ; fi
 
+# Install Porter, updates should be propagated to the RP.
 ARG PORTER_HOME_V1=/home/$USERNAME/.porter/
 ARG PORTER_VERSION=v1.2.1
 ARG PORTER_TERRAFORM_MIXIN_VERSION=v1.0.5

CHANGELOG.md

@@ -3,7 +3,7 @@
 
 **BREAKING CHANGES & MIGRATIONS**:
 * InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these worksapce services they can be retrieved from release 0.19.1. ([#4127](https://github.com/microsoft/AzureTRE/issues/4127))
-* Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))
+* This released removed support for Porter v0.*. If you're upgrading from a much earlier verion you can't go directly to this one. ([#4228](https://github.com/microsoft/AzureTRE/issues/4228))
 
 FEATURES:
 * Add support for customer-managed keys encryption. Core support ([#4141](https://github.com/microsoft/AzureTRE/issues/4142), [#4144](https://github.com/microsoft/AzureTRE/issues/4144)), Base workspace ([#4161](https://github.com/microsoft/AzureTRE/pull/4161)), other templates ([#4145](https://github.com/microsoft/AzureTRE/issues/4145))
@@ -27,7 +27,10 @@ ENHANCEMENTS:
 * Enhance DPI of Linux display ([[#4200](https://github.com/microsoft/AzureTRE/issues/4200)])
 * Update Admin VM versions ([[#4217](https://github.com/microsoft/AzureTRE/issues/4217)])
 * Update devcontainer/RP/API package versions: base image, docker, az cli, YQ ([#4225](https://github.com/microsoft/AzureTRE/pull/4225))
+* Purge container repos individually in when using `make tre-destroy` ([#4230](https://github.com/microsoft/AzureTRE/pull/4230))
+* Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949)
 * Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)])
+* Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
@@ -43,6 +46,8 @@ BUG FIXES:
 * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212))
 * Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
+* Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
+* Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 
 COMPONENTS:

core/terraform/airlock/airlock_processor.tf

@@ -44,15 +44,15 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
   infrastructure_encryption_enabled = true
 
-  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
-}
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_airlock_processor_func_app_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_airlock_processor_func_app.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {

core/terraform/airlock/storage_accounts.tf

@@ -30,6 +30,14 @@ resource "azurerm_storage_account" "sa_import_external" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;external"
   })
@@ -59,14 +67,6 @@ resource "azurerm_private_endpoint" "stg_import_external_pe" {
   }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_external_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_external.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
 # 'Approved' export
 resource "azurerm_storage_account" "sa_export_approved" {
   name                             = local.export_approved_storage_name
@@ -98,6 +98,14 @@ resource "azurerm_storage_account" "sa_export_approved" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;export;approved"
   })
@@ -127,14 +135,6 @@ resource "azurerm_private_endpoint" "stg_export_approved_pe" {
   }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_export_approved_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_export_approved.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
 # 'In-Progress' storage account
 resource "azurerm_storage_account" "sa_import_in_progress" {
   name                             = local.import_in_progress_storage_name
@@ -164,6 +164,14 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;in-progress"
   })
@@ -176,15 +184,6 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
   lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_in_progress_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_in_progress.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
-
 # Enable Airlock Malware Scanning on Core TRE
 resource "azapi_resource_action" "enable_defender_for_storage" {
   count       = var.enable_malware_scanning ? 1 : 0
@@ -262,6 +261,14 @@ resource "azurerm_storage_account" "sa_import_rejected" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;rejected"
   })
@@ -297,14 +304,6 @@ resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_rejected_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_rejected.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
 # 'Blocked' storage account
 resource "azurerm_storage_account" "sa_import_blocked" {
   name                             = local.import_blocked_storage_name
@@ -334,6 +333,14 @@ resource "azurerm_storage_account" "sa_import_blocked" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;blocked"
   })
@@ -369,10 +376,3 @@ resource "azurerm_private_endpoint" "stg_import_blocked_pe" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_blocked_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_blocked.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}

core/terraform/airlock/variables.tf

@@ -102,13 +102,7 @@ variable "enable_cmk_encryption" {
   description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources"
 }
 
-variable "key_store_id" {
+variable "encryption_key_versionless_id" {
   type        = string
-  description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)"
-  default     = null
-}
-
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
+  description = "Versionless ID of the encryption key in the key vault"
 }

core/terraform/api-identity.tf

@@ -57,6 +57,4 @@ resource "azurerm_cosmosdb_sql_role_assignment" "tre_db_contributor" {
   role_definition_id  = data.azurerm_cosmosdb_sql_role_definition.cosmosdb_db_contributor.id
   principal_id        = azurerm_user_assigned_identity.id.principal_id
   scope               = azurerm_cosmosdb_account.tre_db_account.id
-
-  depends_on = [null_resource.tre_db_account_enable_cmk]
 }

core/terraform/appgateway/staticweb.tf

@@ -8,7 +8,7 @@ resource "azurerm_storage_account" "staticweb" {
   account_replication_type         = "LRS"
   table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
-  enable_https_traffic_only        = true
+  https_traffic_only_enabled       = true
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
   shared_access_key_enabled        = false
@@ -37,14 +37,14 @@ resource "azurerm_storage_account" "staticweb" {
       identity_ids = [var.encryption_identity_id]
     }
   }
-}
 
-resource "azurerm_storage_account_customer_managed_key" "staticweb_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.staticweb.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
 }
 
 # Assign the "Storage Blob Data Contributor" role needed for uploading certificates to the storage account

core/terraform/appgateway/variables.tf

@@ -29,21 +29,12 @@ variable "log_analytics_workspace_id" {
 variable "app_gateway_sku" {
   type = string
 }
-
 variable "encryption_identity_id" {
-  type        = string
-  description = "User Managed Identity with permissions to get encryption keys from key vault"
+  type = string
 }
 variable "enable_cmk_encryption" {
-  type        = bool
-  description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources"
+  type = bool
 }
-variable "key_store_id" {
-  type        = string
-  description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)"
-  default     = null
-}
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
+variable "encryption_key_versionless_id" {
+  type = string
 }

core/terraform/azure-monitor/azure-monitor.tf

@@ -46,15 +46,15 @@ resource "azurerm_storage_account" "az_monitor" {
     }
   }
 
-  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
-}
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
 
-resource "azurerm_storage_account_customer_managed_key" "az_monitor_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.az_monitor.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {

core/terraform/azure-monitor/variables.tf

@@ -33,19 +33,11 @@ variable "enable_local_debugging" {
 }
 
 variable "encryption_identity_id" {
-  type        = string
-  description = "User Managed Identity with permissions to get encryption keys from key vault"
+  type = string
 }
 variable "enable_cmk_encryption" {
-  type        = bool
-  description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources"
-}
-variable "key_store_id" {
-  type        = string
-  description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)"
-  default     = null
+  type = bool
 }
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
+variable "encryption_key_versionless_id" {
+  type = string
 }

core/terraform/cosmos_mongo.tf

@@ -43,30 +43,14 @@ resource "azurerm_cosmosdb_account" "mongo" {
     }
   }
 
+  key_vault_key_id      = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null
   default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
 
   tags = local.tre_core_tags
 
-  # since key_vault_key_id is created by the 'mongo_enable_cmk' null_resource, terraform forces re-creation of the resource
-  lifecycle { ignore_changes = [tags, key_vault_key_id] }
-}
-
-# Using the az CLI command since terraform forces a re-creation of the resource
-# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
-resource "null_resource" "mongo_enable_cmk" {
-  count = var.enable_cmk_encryption ? 1 : 0
-
-  provisioner "local-exec" {
-    command = "az cosmosdb update --name ${azurerm_cosmosdb_account.mongo.name} --resource-group ${azurerm_cosmosdb_account.mongo.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}"
-  }
-
-  depends_on = [
-    azurerm_cosmosdb_account.mongo,
-    azurerm_role_assignment.kv_encryption_key_user[0]
-  ]
+  lifecycle { ignore_changes = [tags] }
 }
 
-
 resource "azurerm_cosmosdb_mongo_database" "mongo" {
   name                = "porter"
   resource_group_name = azurerm_resource_group.core.name