From 22f226a17e07b339517b0974739bb5e82d1b5d3a Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Wed, 4 Dec 2024 18:28:44 +0000 Subject: [PATCH 01/14] change cmk name to include tre-id + add dependency to one of the stg accounts --- core/terraform/cmk_encryption.tf | 2 +- core/terraform/locals.tf | 2 ++ core/terraform/main.tf | 8 ++++---- core/terraform/storage.tf | 5 +++-- core/terraform/variables.tf | 7 ------- devops/terraform/variables.tf | 2 +- 6 files changed, 11 insertions(+), 15 deletions(-) diff --git a/core/terraform/cmk_encryption.tf b/core/terraform/cmk_encryption.tf index c8b4b9a483..4c0b5a1b1c 100644 --- a/core/terraform/cmk_encryption.tf +++ b/core/terraform/cmk_encryption.tf @@ -20,7 +20,7 @@ resource "azurerm_role_assignment" "kv_encryption_key_user" { resource "azurerm_key_vault_key" "tre_encryption" { count = var.enable_cmk_encryption ? 1 : 0 - name = var.kv_encryption_key_name + name = local.cmk_name key_vault_id = local.key_store_id key_type = "RSA" key_size = 2048 diff --git a/core/terraform/locals.tf b/core/terraform/locals.tf index 0b8bc5dfc7..fc60c731ee 100644 --- a/core/terraform/locals.tf +++ b/core/terraform/locals.tf @@ -43,4 +43,6 @@ locals { # The key store for encryption keys could either be external or created by terraform key_store_id = var.enable_cmk_encryption ? (var.external_key_store_id != null ? var.external_key_store_id : data.azurerm_key_vault.encryption_kv[0].id) : null + + cmk_name = "tre-encryption-${var.tre_id}" } diff --git a/core/terraform/main.tf b/core/terraform/main.tf index 6a554f9ff8..e280650344 100644 --- a/core/terraform/main.tf +++ b/core/terraform/main.tf 
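Review bot: Switching `name` on `azurerm_key_vault_key.tre_encryption` from the old `tre-encryption` default to `local.cmk_name` (`tre-encryption-${var.tre_id}`) forces the key resource to be replaced on any deployment that already has CMK enabled, and the `kv_mgmt_encryption_key_name` default change in devops/terraform/variables.tf does the same for the management key. Resources still wrapped with the old key would point at a soft-deleted key until the dependent `customer_managed_key` resources are re-pointed in the same apply; I cannot see a migration path in this series, so the constraint should at least be stated where the name is defined. Suggest a comment above the new local, `# Changing this renames (and so replaces) the Key Vault key; existing CMK-enabled deployments need a migration`, and a matching line in the CMK docs.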
@@ -79,7 +79,7 @@ module "azure_monitor" { enable_local_debugging = var.enable_local_debugging enable_cmk_encryption = var.enable_cmk_encryption key_store_id = local.key_store_id - kv_encryption_key_name = var.kv_encryption_key_name + kv_encryption_key_name = local.cmk_name encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null depends_on = [ @@ -112,7 +112,7 @@ module "appgateway" { enable_cmk_encryption = var.enable_cmk_encryption key_store_id = local.key_store_id - kv_encryption_key_name = var.kv_encryption_key_name + kv_encryption_key_name = local.cmk_name encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null depends_on = [ @@ -152,7 +152,7 @@ module "airlock_resources" { myip = local.myip enable_cmk_encryption = var.enable_cmk_encryption key_store_id = local.key_store_id - kv_encryption_key_name = var.kv_encryption_key_name + kv_encryption_key_name = local.cmk_name encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null depends_on = [ @@ -192,7 +192,7 @@ module "resource_processor_vmss_porter" { rp_bundle_values = var.rp_bundle_values enable_cmk_encryption = var.enable_cmk_encryption key_store_id = local.key_store_id - kv_encryption_key_name = var.kv_encryption_key_name + kv_encryption_key_name = local.cmk_name depends_on = [ module.network, diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf index 0a9a823f71..fc9e552eec 100644 --- a/core/terraform/storage.tf +++ b/core/terraform/storage.tf 
@@ -80,10 +80,11 @@ resource "azurerm_storage_account_customer_managed_key" "encryption" { count = var.enable_cmk_encryption ? 1 : 0 storage_account_id = azurerm_storage_account.stg.id key_vault_id = local.key_store_id - key_name = var.kv_encryption_key_name + key_name = local.cmk_name user_assigned_identity_id = azurerm_user_assigned_identity.encryption[0].id depends_on = [ - azurerm_role_assignment.kv_encryption_key_user[0] + azurerm_role_assignment.kv_encryption_key_user[0], + azurerm_key_vault_key.tre_encryption[0] ] } diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf index d364d027b8..1f1004d8bb 100644 --- a/core/terraform/variables.tf +++ b/core/terraform/variables.tf @@ -241,10 +241,3 @@ variable "encryption_kv_name" { description = "Name of Key Vault for encryption keys, required only if external_key_store_id is not set (only used if enable_cmk_encryption is true)" default = null } - -variable "kv_encryption_key_name" { - type = string - description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)" - default = "tre-encryption" -} - diff --git a/devops/terraform/variables.tf b/devops/terraform/variables.tf index 238bc2f26e..2599c16155 100644 --- a/devops/terraform/variables.tf +++ b/devops/terraform/variables.tf @@ -45,5 +45,5 @@ variable "encryption_kv_name" { variable "kv_mgmt_encryption_key_name" { type = string description = "Name of Key Vault Encryption Key for management resources (only used if enable_cmk_encryption is true)" - default = "tre-mgmt-encryption" + default = "tre-encryption-mgmt" } From a051bc1ec9b6be441d26b28b24c41eaf1c4aeaf5 Mon Sep 17 00:00:00 2001 
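Review bot: `key_name = local.cmk_name` passes the key by its string name, so Terraform sees no edge to `azurerm_key_vault_key.tre_encryption[0]` and the new `depends_on` entry is only there to patch that gap; referencing the resource directly, `key_name = azurerm_key_vault_key.tre_encryption[0].name`, yields the same ordering implicitly and lets the added `depends_on` line go. The modules in core/terraform/main.tf receive the same plain string (`kv_encryption_key_name = local.cmk_name`), so their own customer-managed-key resources presumably have the same ordering gap unless they carry a `depends_on` I cannot see in this chunk. The resource block is visible in full here.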
From: Yuval Yaron Date: Mon, 9 Dec 2024 10:32:09 +0000 Subject: [PATCH 02/14] add cmk for ACR and service bus --- core/terraform/servicebus.tf | 16 ++++++++++++++++ devops/terraform/.terraform.lock.hcl | 19 +++++++++++++++++++ devops/terraform/main.tf | 20 +++++++++++++++++++- devops/terraform/variables.tf | 1 - docs/tre-admins/customer-managed-keys.md | 3 +++ 5 files changed, 57 insertions(+), 2 deletions(-) diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf index 3a056017ba..faef9322d7 100644 --- a/core/terraform/servicebus.tf +++ b/core/terraform/servicebus.tf @@ -29,6 +29,22 @@ resource "azurerm_servicebus_namespace" "sb" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id + identity_id = azurerm_user_assigned_identity.encryption[0].id + } + } + + dynamic "identity" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + type = "UserAssigned" + identity_ids = [azurerm_user_assigned_identity.encryption[0].id] + } + } + lifecycle { ignore_changes = [tags] } } diff --git a/devops/terraform/.terraform.lock.hcl b/devops/terraform/.terraform.lock.hcl index b76fcebd94..f117d4f722 100644 --- a/devops/terraform/.terraform.lock.hcl +++ b/devops/terraform/.terraform.lock.hcl 
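Review bot: `key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id` in the new `customer_managed_key` block pins the namespace to one key version, so a rotation in Key Vault is not picked up; the disk encryption set added later in this series uses `versionless_id`, and if the Service Bus resource accepts a versionless id the same form should be used here for consistency. The block also leaves `infrastructure_encryption_enabled` unset while the storage accounts in this repo are created with infrastructure encryption required, which is worth deciding explicitly rather than by omission. CMK on Service Bus is only available on the Premium SKU and the `sku` attribute is outside this hunk, so confirm the namespace is Premium whenever `enable_cmk_encryption` is true, ideally with a `precondition` so the mismatch fails at plan time. The `azurerm_servicebus_namespace` block starts outside this hunk.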
@@ -20,3 +20,22 @@ provider "registry.terraform.io/hashicorp/azurerm" { "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + hashes = [ + "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf index 50cd3d7c0d..ec0ff94722 100644 --- a/devops/terraform/main.tf +++ b/devops/terraform/main.tf 
@@ -65,9 +65,27 @@ resource "azurerm_container_registry" "shared_acr" { name = var.acr_name resource_group_name = azurerm_resource_group.mgmt.name location = azurerm_resource_group.mgmt.location - sku = var.acr_sku + sku = var.acr_sku != null ? var.acr_sku : (var.enable_cmk_encryption ? "Premium" : "Standard") admin_enabled = true + dynamic "identity" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + type = "UserAssigned" + identity_ids = [azurerm_user_assigned_identity.tre_mgmt_encryption[0].id] + } + } + + dynamic "encryption" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + enabled = true + key_vault_key_id = azurerm_key_vault_key.tre_mgmt_encryption[0].id + identity_client_id = azurerm_user_assigned_identity.tre_mgmt_encryption[0].client_id + } + + } + lifecycle { ignore_changes = [tags] } } diff --git a/devops/terraform/variables.tf b/devops/terraform/variables.tf index 2599c16155..3210da5504 100644 --- a/devops/terraform/variables.tf +++ b/devops/terraform/variables.tf @@ -15,7 +15,6 @@ variable "location" { variable "acr_sku" { type = string - default = "Standard" description = "Price tier for ACR" } diff --git a/docs/tre-admins/customer-managed-keys.md b/docs/tre-admins/customer-managed-keys.md index 414bf0870a..e665b31cf7 100644 --- a/docs/tre-admins/customer-managed-keys.md +++ b/docs/tre-admins/customer-managed-keys.md 
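Review bot: With `sku = var.acr_sku != null ? var.acr_sku : (...)` an operator who sets `acr_sku` to `Basic` or `Standard` while `enable_cmk_encryption` is true only finds out at apply time, when Azure rejects registry encryption on a non-Premium tier; a `precondition` in the `lifecycle` block (Terraform 1.2+) surfaces the mismatch at plan time with a clear message. `key_vault_key_id = azurerm_key_vault_key.tre_mgmt_encryption[0].id` also pins a single key version, so confirm whether a versionless id, as the disk encryption set later in this series uses, is wanted for rotation. There is a stray blank line before the closing brace of the `encryption` block. The `azurerm_container_registry` block starts outside this hunk.
```hcl
  # … unchanged: identity and encryption blocks …

  lifecycle {
    ignore_changes = [tags]
    precondition {
      condition     = !var.enable_cmk_encryption || var.acr_sku == null || var.acr_sku == "Premium"
      error_message = "enable_cmk_encryption requires acr_sku to be Premium (or left unset)."
    }
  }
```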
@@ -7,6 +7,9 @@ You can enable customer-managed keys (CMK) for supporting resources in Azure TRE CMK encryption is not supported for the rest of the resources such as those deployed by a TRE workspace. +!!! caution + Currently, it is not possible to redeploy TRE with CMK enabled if it has previously been deployed without it. This is due to limitations of resources such as Azure Container Registry (ACR) that only allow enabling the CMK encryption at the time of resource creation. + When enabled, CMK encryption provides an additional layer of encryption control for supported Azure resources within the TRE by allowing you to manage and control the encryption keys used to protect your data. To enable CMK encryption, set `enable_cmk_encryption: true` in the developer settings section of your `config.yaml` file. From c2bf73d4e612330fe8f2c7f1e8d25cecd353c576 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Mon, 9 Dec 2024 13:38:44 +0000 Subject: [PATCH 03/14] add null default for acr_sku --- devops/terraform/.terraform.lock.hcl | 19 ------------------- devops/terraform/variables.tf | 1 + 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/devops/terraform/.terraform.lock.hcl b/devops/terraform/.terraform.lock.hcl index f117d4f722..b76fcebd94 100644 --- a/devops/terraform/.terraform.lock.hcl +++ b/devops/terraform/.terraform.lock.hcl 
@@ -20,22 +20,3 @@ provider "registry.terraform.io/hashicorp/azurerm" { "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" - hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", - ] -} diff --git a/devops/terraform/variables.tf b/devops/terraform/variables.tf index 3210da5504..9c9ad2bfbe 100644 --- a/devops/terraform/variables.tf +++ b/devops/terraform/variables.tf @@ -16,6 +16,7 @@ variable "location" { variable "acr_sku" { type = string description = "Price tier for ACR" + default = null } variable "acr_name" { From 3f20c6fd157dfd12d581eb99e924fe1bfce33d53 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 10 Dec 2024 17:18:58 +0000 Subject: [PATCH 04/14] bump core version to 0.11.8 --- core/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/version.txt b/core/version.txt index eec2a4dd5e..5dae1332b4 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.7" +__version__ = "0.11.8" 
From c9cf59560c05cec0fd0bdff4ac431fac8f8718ec Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Tue, 10 Dec 2024 22:00:31 +0000 Subject: [PATCH 05/14] set 'Enable support for customer-managed keys' for tables and queues in storage accounts (core/mgmt only) --- core/terraform/airlock/airlock_processor.tf | 2 ++ core/terraform/airlock/storage_accounts.tf | 10 ++++++++++ core/terraform/appgateway/staticweb.tf | 2 ++ core/terraform/azure-monitor/azure-monitor.tf | 2 ++ core/terraform/storage.tf | 2 ++ core/version.txt | 2 +- devops/terraform/bootstrap.sh | 5 +++++ 7 files changed, 24 insertions(+), 1 deletion(-) diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf index 88f5a37aed..5416d858ad 100644 --- a/core/terraform/airlock/airlock_processor.tf +++ b/core/terraform/airlock/airlock_processor.tf @@ -24,6 +24,8 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" { location = var.location account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false tags = var.tre_core_tags diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf index 70cd58996e..74bcd3fb30 100644 --- a/core/terraform/airlock/storage_accounts.tf +++ b/core/terraform/airlock/storage_accounts.tf @@ -7,6 +7,8 @@ resource "azurerm_storage_account" "sa_import_external" { resource_group_name = var.resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" cross_tenant_replication_enabled = false # Don't allow anonymous access (unrelated to the 'public' networking rules) 
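Review bot: `table_encryption_key_type` and `queue_encryption_key_type` on `azurerm_storage_account` can, as far as I recall, only be set when the account is created, so a deployment that already has CMK enabled will see these change from the provider default to `"Account"` and plan a replacement of the account, and toggling `enable_cmk_encryption` later does the same. The docs caution added in this series only names ACR; the same warning belongs here, along with a comment on the two new lines such as `# immutable after creation: changing enable_cmk_encryption forces a new storage account`. The identical hunks in airlock/storage_accounts.tf, appgateway/staticweb.tf, azure-monitor/azure-monitor.tf, core storage.tf and the devops `state_storage` account in patch 06 carry the same risk, and the state store is the most sensitive of them because replacing it loses the Terraform state. Each `azurerm_storage_account` block starts outside its hunk.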
@@ -71,6 +73,8 @@ resource "azurerm_storage_account" "sa_export_approved" { resource_group_name = var.resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" cross_tenant_replication_enabled = false # Don't allow anonymous access (unrelated to the 'public' networking rules) @@ -135,6 +139,8 @@ resource "azurerm_storage_account" "sa_import_in_progress" { resource_group_name = var.resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false @@ -229,6 +235,8 @@ resource "azurerm_storage_account" "sa_import_rejected" { resource_group_name = var.resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false @@ -297,6 +305,8 @@ resource "azurerm_storage_account" "sa_import_blocked" { resource_group_name = var.resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf index 4a9dee49a5..c0ff13ea11 100644 --- a/core/terraform/appgateway/staticweb.tf +++ b/core/terraform/appgateway/staticweb.tf 
@@ -6,6 +6,8 @@ resource "azurerm_storage_account" "staticweb" { account_kind = "StorageV2" account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" enable_https_traffic_only = true allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf index 795a0a2af4..de19ac16b2 100644 --- a/core/terraform/azure-monitor/azure-monitor.tf +++ b/core/terraform/azure-monitor/azure-monitor.tf @@ -20,6 +20,8 @@ resource "azurerm_storage_account" "az_monitor" { account_kind = "StorageV2" account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false tags = var.tre_core_tags diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf index fc9e552eec..4fa985104e 100644 --- a/core/terraform/storage.tf +++ b/core/terraform/storage.tf @@ -4,6 +4,8 @@ resource "azurerm_storage_account" "stg" { location = azurerm_resource_group.core.location account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false diff --git a/core/version.txt b/core/version.txt index 5dae1332b4..20cc868f1e 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.8" +__version__ = "0.11.9" diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh index d0671c3a18..8f67d0b47e 100755 
--- a/devops/terraform/bootstrap.sh +++ b/devops/terraform/bootstrap.sh @@ -12,11 +12,16 @@ az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location " if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then # only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled) + # Set default encryption types based on enable_cmk + encryption_type=$([ "${TF_VAR_enable_cmk_encryption:-false}" = true ] && echo "Account" || echo "Service") + # shellcheck disable=SC2154 az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \ --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \ --allow-blob-public-access false \ --kind StorageV2 --sku Standard_LRS -o table \ + --encryption-key-type-for-queue "$encryption_type" \ + --encryption-key-type-for-table "$encryption_type" \ --require-infrastructure-encryption true else echo "Storage account already exists..." From a11081a68aff1fdbf6f6eb85f3c1f3841a508ac1 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Wed, 11 Dec 2024 09:03:08 +0000 Subject: [PATCH 06/14] add key type encryption to state store --- devops/terraform/main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf index ec0ff94722..bd178f37d0 100644 --- a/devops/terraform/main.tf +++ b/devops/terraform/main.tf @@ -27,6 +27,8 @@ resource "azurerm_storage_account" "state_storage" { account_tier = "Standard" account_kind = "StorageV2" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" cross_tenant_replication_enabled = false allow_nested_items_to_be_public = false shared_access_key_enabled = false 
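Review bot: The new `encryption_type=$([ "${TF_VAR_enable_cmk_encryption:-false}" = true ] && ...)` line only recognises the exact lowercase literal `true`; any other truthy spelling (`True`, `TRUE`, `1`) silently selects `Service`, and because the key type is only applied inside the create-if-missing branch, a wrong choice is never corrected on later runs. If the config loader already normalises the value this is only defensive, but a case-insensitive match such as `case "${TF_VAR_enable_cmk_encryption:-false}" in [Tt][Rr][Uu][Ee]|1) encryption_type="Account" ;; *) encryption_type="Service" ;; esac` costs nothing, or at least the comment should state the expected spelling. The `# shellcheck disable=SC2154` directive now sits between the new assignment and the `az` command it was written for, which is fine for shellcheck but worth a glance since the directive applies only to the next line.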
From 9cccef785748a922a0896f93460098c50f46d13f Mon Sep 17 00:00:00 2001 
From: Yuval Yaron Date: Fri, 13 Dec 2024 00:35:05 +0000 Subject: [PATCH 07/14] add support for customer-managed key (CMK) encryption in templates --- CHANGELOG.md | 1 + core/terraform/cmk_encryption.tf | 2 +- core/terraform/locals.tf | 3 ++- core/version.txt | 2 +- docs/tre-admins/customer-managed-keys.md | 5 ---- .../shared_services/admin-vm/parameters.json | 12 ++++++++++ .../shared_services/admin-vm/porter.yaml | 14 ++++++++++- .../admin-vm/terraform/admin-jumpbox.tf | 22 ++++++++++++++--- .../admin-vm/terraform/data.tf | 12 ++++++++++ .../admin-vm/terraform/locals.tf | 2 ++ .../admin-vm/terraform/variables.tf | 9 +++++++ .../shared_services/certs/parameters.json | 12 ++++++++++ templates/shared_services/certs/porter.yaml | 12 +++++++++- .../shared_services/certs/terraform/data.tf | 12 ++++++++++ .../shared_services/certs/terraform/locals.tf | 3 +++ .../certs/terraform/staticweb.tf | 20 ++++++++++++++++ .../certs/terraform/variables.tf | 9 +++++++ .../cyclecloud/parameters.json | 12 ++++++++++ .../shared_services/cyclecloud/porter.yaml | 14 ++++++++++- .../cyclecloud/terraform/data.tf | 11 +++++++++ .../cyclecloud/terraform/locals.tf | 2 ++ .../cyclecloud/terraform/storage.tf | 20 ++++++++++++++++ .../cyclecloud/terraform/variables.tf | 9 ++++++- .../sonatype-nexus-vm/parameters.json | 12 ++++++++++ .../sonatype-nexus-vm/porter.yaml | 14 ++++++++++- .../sonatype-nexus-vm/terraform/data.tf | 11 +++++++++ .../sonatype-nexus-vm/terraform/locals.tf | 2 ++ .../sonatype-nexus-vm/terraform/variables.tf | 9 +++++++ .../sonatype-nexus-vm/terraform/vm.tf | 24 +++++++++++++++---- .../azureml/parameters.json | 12 ++++++++++ .../workspace_services/azureml/porter.yaml | 14 ++++++++++- .../azureml/terraform/acr.tf | 18 ++++++++++++++ .../azureml/terraform/data.tf | 12 ++++++++++ .../azureml/terraform/locals.tf | 2 ++ .../azureml/terraform/storage.tf | 21 +++++++++++++++- .../azureml/terraform/variables.tf | 9 +++++-- .../workspace_services/gitea/parameters.json | 12 ++++++++++ 
.../workspace_services/gitea/porter.yaml | 14 ++++++++++- .../gitea/terraform/data.tf | 12 ++++++++++ .../gitea/terraform/locals.tf | 4 +++- .../gitea/terraform/storage.tf | 20 ++++++++++++++++ .../gitea/terraform/variables.tf | 7 ++++++ .../parameters.json | 12 ++++++++++ .../porter.yaml | 14 ++++++++++- .../terraform/data.tf | 12 ++++++++++ .../terraform/locals.tf | 3 +++ .../terraform/variables.tf | 7 ++++++ .../terraform/windowsvm.tf | 22 ++++++++++++++--- .../parameters.json | 12 ++++++++++ .../porter.yaml | 14 ++++++++++- .../terraform/data.tf | 12 ++++++++++ .../terraform/locals.tf | 3 +++ .../terraform/variables.tf | 9 ++++++- .../terraform/windowsvm.tf | 22 ++++++++++++++--- .../guacamole-azure-linuxvm/parameters.json | 12 ++++++++++ .../guacamole-azure-linuxvm/porter.yaml | 14 ++++++++++- .../terraform/linuxvm.tf | 22 ++++++++++++++--- .../terraform/locals.tf | 3 +++ .../guacamole-azure-linuxvm/terraform/main.tf | 12 ++++++++++ .../terraform/variables.tf | 7 ++++++ .../guacamole-azure-windowsvm/parameters.json | 12 ++++++++++ .../guacamole-azure-windowsvm/porter.yaml | 14 ++++++++++- .../terraform/data.tf | 12 ++++++++++ .../terraform/locals.tf | 3 +++ .../terraform/variables.tf | 7 ++++++ .../terraform/windowsvm.tf | 23 +++++++++++++++--- .../airlock-import-review/parameters.json | 12 ++++++++++ .../airlock-import-review/porter.yaml | 14 ++++++++++- templates/workspaces/base/parameters.json | 4 ++-- templates/workspaces/base/porter.yaml | 2 +- .../terraform/airlock/storage_accounts.tf | 10 ++++++++ .../terraform/azure-monitor/azure-monitor.tf | 2 ++ .../base/terraform/cmk-encryption.tf | 2 +- templates/workspaces/base/terraform/locals.tf | 3 ++- .../workspaces/base/terraform/storage.tf | 2 ++ .../workspaces/base/terraform/variables.tf | 1 - .../workspaces/unrestricted/parameters.json | 12 ++++++++++ templates/workspaces/unrestricted/porter.yaml | 14 ++++++++++- 78 files changed, 759 insertions(+), 51 deletions(-) create mode 100644 
templates/shared_services/cyclecloud/terraform/data.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d3288c92a..1c5a19df31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ ENHANCEMENTS: * Move Github PR bot commands into main documentation ([#4167](https://github.com/microsoft/AzureTRE/pull/4167)) * Block Authentication with keys to CosmosDB SQL account ([#4175](https://github.com/microsoft/AzureTRE/pull/4175)) * Add support for customer-managed keys encryption in base workspace ([#4161](https://github.com/microsoft/AzureTRE/pull/4161)) +* Add support for customer-managed keys encryption in templates ([#4145](https://github.com/microsoft/AzureTRE/issues/4145)) BUG FIXES: - Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112)) diff --git a/core/terraform/cmk_encryption.tf b/core/terraform/cmk_encryption.tf index 4c0b5a1b1c..056a471478 100644 --- a/core/terraform/cmk_encryption.tf +++ b/core/terraform/cmk_encryption.tf @@ -4,7 +4,7 @@ resource "azurerm_user_assigned_identity" "encryption" { location = azurerm_resource_group.core.location tags = local.tre_core_tags - name = "id-encryption-${var.tre_id}" + name = local.encryption_identity_name lifecycle { ignore_changes = [tags] } } diff --git a/core/terraform/locals.tf b/core/terraform/locals.tf index bac02640e6..22d327f96f 100644 --- a/core/terraform/locals.tf +++ b/core/terraform/locals.tf @@ -44,5 +44,6 @@ locals { # The key store for encryption keys could either be external or created by terraform key_store_id = var.enable_cmk_encryption ? (var.external_key_store_id != null ? var.external_key_store_id : data.azurerm_key_vault.encryption_kv[0].id) : "" - cmk_name = "tre-encryption-${var.tre_id}" + cmk_name = "tre-encryption-${var.tre_id}" + encryption_identity_name = "id-encryption-${var.tre_id}" } diff --git a/core/version.txt b/core/version.txt index 20cc868f1e..c9f772e183 100644 --- a/core/version.txt 
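Review bot: `cmk_name` and `encryption_identity_name` in core/terraform/locals.tf have become the lookup contract for every bundle in this patch — admin-vm's locals.tf repeats the same two format strings verbatim and its data.tf resolves the key and the identity by those names — but nothing at the definition says so. A comment above the two lines, `# Looked up by name from the template bundles (templates/*/terraform/locals.tf); change both places together`, would stop a future rename here from breaking every bundle at plan time. Exposing the names as core outputs instead of duplicating the strings would remove the coupling entirely, though that is a larger change. The `locals` block opens outside this hunk.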
+++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.9" +__version__ = "0.11.10" diff --git a/docs/tre-admins/customer-managed-keys.md b/docs/tre-admins/customer-managed-keys.md index e97bc61655..252d16e87b 100644 --- a/docs/tre-admins/customer-managed-keys.md +++ b/docs/tre-admins/customer-managed-keys.md @@ -2,11 +2,6 @@ You can enable customer-managed keys (CMK) for supporting resources in Azure TRE. -!!! warning - Currently Azure TRE only supports CMK encryption for resources in the TRE core and Base Workspace. - CMK encryption is not supported for the rest of the resources such as those deployed by a TRE workspace. - - !!! caution Currently, it is not possible to redeploy TRE with CMK enabled if it has previously been deployed without it. This is due to limitations of resources such as Azure Container Registry (ACR) that only allow enabling the CMK encryption at the time of resource creation. diff --git a/templates/shared_services/admin-vm/parameters.json b/templates/shared_services/admin-vm/parameters.json index ac546acffc..f133067bf8 100755 --- a/templates/shared_services/admin-vm/parameters.json +++ b/templates/shared_services/admin-vm/parameters.json @@ -45,6 +45,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/shared_services/admin-vm/porter.yaml b/templates/shared_services/admin-vm/porter.yaml index 96d9e11867..a242c2ce69 100644 --- a/templates/shared_services/admin-vm/porter.yaml +++ b/templates/shared_services/admin-vm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-admin-vm -version: 0.4.7 +version: 0.5.0 description: "An admin vm shared service" dockerfile: Dockerfile.tmpl registry: azuretre 
@@ -44,6 +44,12 @@ parameters: env: ADMIN_JUMPBOX_VM_SKU type: string default: Standard_B2s + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" mixins: - terraform: @@ -56,6 +62,8 @@ install: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } admin_jumpbox_vm_sku: ${ bundle.parameters.admin_jumpbox_vm_sku } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -71,6 +79,8 @@ upgrade: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } admin_jumpbox_vm_sku: ${ bundle.parameters.admin_jumpbox_vm_sku } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -86,6 +96,8 @@ uninstall: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } admin_jumpbox_vm_sku: ${ bundle.parameters.admin_jumpbox_vm_sku } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf index 3ef4b8734b..ec381423c5 100644 --- a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf +++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf 
@@ -45,14 +45,30 @@ resource "azurerm_windows_virtual_machine" "jumpbox" { } os_disk { - name = "vm-dsk-${var.tre_id}" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" + name = "vm-dsk-${var.tre_id}" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.jumpbox_disk_encryption[0].id : null } lifecycle { ignore_changes = [tags] } } +resource "azurerm_disk_encryption_set" "jumpbox_disk_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + name = "vmss-disk-encryption-jumpbox-${var.tre_id}-${tre_resource_id}" + location = data.azurerm_resource_group.rg.location + resource_group_name = data.azurerm_resource_group.rg.name + key_vault_key_id = data.azurerm_key_vault_key.tre_encryption_key[0].versionless_id + encryption_type = "EncryptionAtRestWithPlatformAndCustomerKeys" + auto_key_rotation_enabled = true + + identity { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id] + } +} + resource "azurerm_key_vault_secret" "jumpbox_credentials" { name = "${azurerm_windows_virtual_machine.jumpbox.name}-jumpbox-password" value = random_password.password.result diff --git a/templates/shared_services/admin-vm/terraform/data.tf b/templates/shared_services/admin-vm/terraform/data.tf index 69c133b06e..b6ad53211c 100644 --- a/templates/shared_services/admin-vm/terraform/data.tf +++ b/templates/shared_services/admin-vm/terraform/data.tf 
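Review bot: `${tre_resource_id}` in the `name` of the new `azurerm_disk_encryption_set.jumpbox_disk_encryption` is not a valid HCL reference — a bare name is parsed as a resource type with no attribute — so `terraform validate` rejects the file regardless of `count`; the bundle declares this value as an input variable (`variable "tre_resource_id"` is visible in the variables.tf hunk of this patch), so the line should read `name = "vmss-disk-encryption-jumpbox-${var.tre_id}-${var.tre_resource_id}"`. The `vmss-` prefix also looks copied from the resource-processor scale set; this is a single VM, so a `disk-encryption-jumpbox-` prefix would describe it better. The `azurerm_windows_virtual_machine` block starts outside this hunk.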
@@ -11,3 +11,15 @@ data "azurerm_key_vault" "keyvault" { data "azurerm_resource_group" "rg" { name = local.core_resource_group_name } + +data "azurerm_key_vault_key" "tre_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "tre_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = local.core_resource_group_name +} diff --git a/templates/shared_services/admin-vm/terraform/locals.tf b/templates/shared_services/admin-vm/terraform/locals.tf index f9ad84b852..84c7fb8dfb 100644 --- a/templates/shared_services/admin-vm/terraform/locals.tf +++ b/templates/shared_services/admin-vm/terraform/locals.tf @@ -6,4 +6,6 @@ locals { tre_id = var.tre_id tre_shared_service_id = var.tre_resource_id } + cmk_name = "tre-encryption-${var.tre_id}" + encryption_identity_name = "id-encryption-${var.tre_id}" } diff --git a/templates/shared_services/admin-vm/terraform/variables.tf b/templates/shared_services/admin-vm/terraform/variables.tf index b52d21ea1e..69ba1e51b3 100644 --- a/templates/shared_services/admin-vm/terraform/variables.tf +++ b/templates/shared_services/admin-vm/terraform/variables.tf @@ -11,3 +11,12 @@ variable "tre_resource_id" { variable "admin_jumpbox_vm_sku" { type = string } + +variable "enable_cmk_encryption" { + type = bool + default = false +} + +variable "key_store_id" { + type = string +} diff --git a/templates/shared_services/certs/parameters.json b/templates/shared_services/certs/parameters.json index 53dd18791e..ba8512e794 100755 --- a/templates/shared_services/certs/parameters.json +++ b/templates/shared_services/certs/parameters.json @@ -57,6 +57,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } 
diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml index 2e3618caf9..b5d68bb8ef 100755 --- a/templates/shared_services/certs/porter.yaml +++ b/templates/shared_services/certs/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-certs -version: 0.6.1 +version: 1.0.0 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt" registry: azuretre dockerfile: Dockerfile.tmpl @@ -51,6 +51,12 @@ parameters: - name: id type: string description: "Resource ID" + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" mixins: - exec @@ -67,6 +73,8 @@ install: domain_prefix: ${ bundle.parameters.domain_prefix } cert_name: ${ bundle.parameters.cert_name } tre_resource_id: ${ bundle.parameters.id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -132,6 +140,8 @@ uninstall: domain_prefix: ${ bundle.parameters.domain_prefix } cert_name: ${ bundle.parameters.cert_name } tre_resource_id: ${ bundle.parameters.id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/shared_services/certs/terraform/data.tf b/templates/shared_services/certs/terraform/data.tf index bb577f11ae..1c7262e0e2 100644 --- a/templates/shared_services/certs/terraform/data.tf +++ b/templates/shared_services/certs/terraform/data.tf 
@@ -19,3 +19,15 @@ data "azurerm_user_assigned_identity" "resource_processor_vmss_id" { name = "id-vmss-${var.tre_id}" resource_group_name = "rg-${var.tre_id}" } + +data "azurerm_key_vault_key" "tre_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "tre_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = data.azurerm_resource_group.rg.name +} diff --git a/templates/shared_services/certs/terraform/locals.tf b/templates/shared_services/certs/terraform/locals.tf index 47cb8f6843..eb6e2bc676 100644 --- a/templates/shared_services/certs/terraform/locals.tf +++ b/templates/shared_services/certs/terraform/locals.tf @@ -23,4 +23,7 @@ locals { tre_id = var.tre_id tre_shared_service_id = var.tre_resource_id } + + cmk_name = "tre-encryption-${var.tre_id}" + encryption_identity_name = "id-encryption-${var.tre_id}" } diff --git a/templates/shared_services/certs/terraform/staticweb.tf b/templates/shared_services/certs/terraform/staticweb.tf index 49f20fd03c..927b68f00b 100644 --- a/templates/shared_services/certs/terraform/staticweb.tf +++ b/templates/shared_services/certs/terraform/staticweb.tf @@ -6,6 +6,8 @@ resource "azurerm_storage_account" "staticweb" { account_kind = "StorageV2" account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" enable_https_traffic_only = true allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false 
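Review bot: `table_encryption_key_type` and `queue_encryption_key_type` on `azurerm_storage_account.staticweb` are documented by the azurerm provider as force-new attributes, so toggling `enable_cmk_encryption` on an existing deployment flips them between `Service` and `Account` and replaces the storage account rather than updating it; the `lifecycle.ignore_changes` list a few lines below only covers `infrastructure_encryption_enabled` and `tags`, so nothing prevents that. This deserves either a comment next to the two lines, e.g. `# changing these is destructive (forces a new storage account) - do not flip enable_cmk_encryption on a live deployment`, or a documented upgrade note in the template. The same two lines are added to the cyclecloud, azureml and gitea storage.tf hunks in this commit.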
@@ -19,9 +21,27 @@ resource "azurerm_storage_account" "staticweb" { error_404_document = "404.html" } + dynamic "identity" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id] + } + } + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } +resource "azurerm_storage_account_customer_managed_key" "staticweb_stg_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + storage_account_id = azurerm_storage_account.staticweb.id + key_vault_id = var.key_store_id + key_name = local.cmk_name + user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + + depends_on = [azurerm_key_vault_key.encryption_key] +} + resource "azurerm_role_assignment" "stgwriter" { scope = azurerm_storage_account.staticweb.id role_definition_name = "Storage Blob Data Contributor" diff --git a/templates/shared_services/certs/terraform/variables.tf b/templates/shared_services/certs/terraform/variables.tf index 4aff0698f5..228654d989 100644 --- a/templates/shared_services/certs/terraform/variables.tf +++ b/templates/shared_services/certs/terraform/variables.tf @@ -14,3 +14,12 @@ variable "tre_resource_id" { type = string description = "Resource ID" } + +variable "enable_cmk_encryption" { + type = bool + default = false +} + +variable "key_store_id" { + type = string +} diff --git a/templates/shared_services/cyclecloud/parameters.json b/templates/shared_services/cyclecloud/parameters.json index fe722bc241..c39909257d 100755 --- a/templates/shared_services/cyclecloud/parameters.json +++ b/templates/shared_services/cyclecloud/parameters.json @@ -45,6 +45,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } 
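Review bot: `depends_on = [azurerm_key_vault_key.encryption_key]` in `azurerm_storage_account_customer_managed_key.staticweb_stg_encryption` names a managed resource this module does not declare — the key is only read through `data.azurerm_key_vault_key.tre_encryption_key` (certs data.tf hunk in this commit) — so Terraform fails with an undeclared-resource error regardless of the flag value. Either drop the `depends_on` (the `key_vault_id`/`key_name` pair is resolved against the core key at apply time) or point it at the data source: `depends_on = [data.azurerm_key_vault_key.tre_encryption_key]`. The identical line appears in the cyclecloud, azureml and gitea storage.tf hunks.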
diff --git a/templates/shared_services/cyclecloud/porter.yaml b/templates/shared_services/cyclecloud/porter.yaml index 64ea04e3b7..e9d7914dcb 100644 --- a/templates/shared_services/cyclecloud/porter.yaml +++ b/templates/shared_services/cyclecloud/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-cyclecloud -version: 0.6.7 +version: 1.0.0 description: "An Azure TRE Shared Service Template for Azure Cyclecloud" registry: azuretre dockerfile: Dockerfile.tmpl @@ -46,6 +46,12 @@ parameters: env: ARM_ENVIRONMENT type: string default: "public" + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: connection_uri @@ -74,6 +80,8 @@ install: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } arm_environment: ${ bundle.parameters.arm_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -92,6 +100,8 @@ upgrade: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } arm_environment: ${ bundle.parameters.arm_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -110,6 +120,8 @@ uninstall: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } arm_environment: ${ bundle.parameters.arm_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/shared_services/cyclecloud/terraform/data.tf b/templates/shared_services/cyclecloud/terraform/data.tf new file mode 100644 index 0000000000..26233788cc --- /dev/null 
+++ b/templates/shared_services/cyclecloud/terraform/data.tf @@ -0,0 +1,11 @@ +data "azurerm_key_vault_key" "tre_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "tre_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = local.core_resource_group_name +} diff --git a/templates/shared_services/cyclecloud/terraform/locals.tf b/templates/shared_services/cyclecloud/terraform/locals.tf index 5c3777bc06..9d75e9f53b 100644 --- a/templates/shared_services/cyclecloud/terraform/locals.tf +++ b/templates/shared_services/cyclecloud/terraform/locals.tf @@ -8,4 +8,6 @@ locals { tre_id = var.tre_id tre_shared_service_id = var.tre_resource_id } + cmk_name = "tre-encryption-${var.tre_id}" + encryption_identity_name = "id-encryption-${var.tre_id}" } diff --git a/templates/shared_services/cyclecloud/terraform/storage.tf b/templates/shared_services/cyclecloud/terraform/storage.tf index 4803993332..d10cc5512d 100644 --- a/templates/shared_services/cyclecloud/terraform/storage.tf +++ b/templates/shared_services/cyclecloud/terraform/storage.tf 
@@ -4,15 +4,35 @@ resource "azurerm_storage_account" "cyclecloud" { resource_group_name = data.azurerm_resource_group.rg.name account_tier = "Standard" account_replication_type = "GRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" cross_tenant_replication_enabled = false tags = local.tre_shared_service_tags # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below infrastructure_encryption_enabled = true + dynamic "identity" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id] + } + } + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } +resource "azurerm_storage_account_customer_managed_key" "cyclecloud_stg_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + storage_account_id = azurerm_storage_account.cyclecloud.id + key_vault_id = var.key_store_id + key_name = local.cmk_name + user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + + depends_on = [azurerm_key_vault_key.encryption_key] +} + data "azurerm_private_dns_zone" "blobcore" { name = module.terraform_azurerm_environment_configuration.private_links["privatelink.blob.core.windows.net"] resource_group_name = local.core_resource_group_name diff --git a/templates/shared_services/cyclecloud/terraform/variables.tf b/templates/shared_services/cyclecloud/terraform/variables.tf index 1c064dbb76..48a64a1945 100644 --- a/templates/shared_services/cyclecloud/terraform/variables.tf +++ b/templates/shared_services/cyclecloud/terraform/variables.tf 
@@ -6,4 +6,11 @@ variable "tre_resource_id" { } variable "arm_environment" { type = string -} \ No newline at end of file +} +variable "enable_cmk_encryption" { + type = bool + default = false +} +variable "key_store_id" { + type = string +} diff --git a/templates/shared_services/sonatype-nexus-vm/parameters.json b/templates/shared_services/sonatype-nexus-vm/parameters.json index 0e7c0c4e58..26712c312d 100755 --- a/templates/shared_services/sonatype-nexus-vm/parameters.json +++ b/templates/shared_services/sonatype-nexus-vm/parameters.json @@ -51,6 +51,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml index ee9701b05f..2f91ee53f2 100644 --- a/templates/shared_services/sonatype-nexus-vm/porter.yaml +++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-sonatype-nexus -version: 3.1.0 +version: 3.2.0 description: "A Sonatype Nexus shared service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -47,6 +47,12 @@ parameters: type: string default: "nexus-ssl" description: "Name of the certificate for configuring Nexus SSL with (stored in the core KeyVault)" + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: workspace_vm_allowed_fqdns_list type: string @@ -85,6 +91,8 @@ install: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } ssl_cert_name: ${ bundle.parameters.ssl_cert_name } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" 
@@ -106,6 +114,8 @@ upgrade: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } ssl_cert_name: ${ bundle.parameters.ssl_cert_name } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -127,6 +137,8 @@ uninstall: tre_id: ${ bundle.parameters.tre_id } tre_resource_id: ${ bundle.parameters.id } ssl_cert_name: ${ bundle.parameters.ssl_cert_name } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/data.tf b/templates/shared_services/sonatype-nexus-vm/terraform/data.tf index ad0ed71585..37ccf7d9b6 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/data.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/data.tf @@ -38,3 +38,14 @@ data "azurerm_private_dns_zone" "nexus" { resource_group_name = local.core_resource_group_name } +data "azurerm_key_vault_key" "tre_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "tre_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = local.core_resource_group_name +} diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf index 67cae90039..0e1a561c4c 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf @@ -10,4 +10,6 @@ locals { tre_id = var.tre_id tre_shared_service_id = var.tre_resource_id } + cmk_name = "tre-encryption-${var.tre_id}" + encryption_identity_name = "id-encryption-${var.tre_id}" } 
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/variables.tf b/templates/shared_services/sonatype-nexus-vm/terraform/variables.tf index 23c2fa3826..b0ff6e794a 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/variables.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/variables.tf @@ -10,3 +10,12 @@ variable "tre_resource_id" { variable "ssl_cert_name" { type = string } + +variable "enable_cmk_encryption" { + type = bool + default = false +} + +variable "key_store_id" { + type = string +} diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf index e9633eda5a..35ecf6b056 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf @@ -116,10 +116,11 @@ resource "azurerm_linux_virtual_machine" "nexus" { } os_disk { - name = "osdisk-nexus-${var.tre_id}" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - disk_size_gb = 64 + name = "osdisk-nexus-${var.tre_id}" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + disk_size_gb = 64 + disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.jumpbox_disk_encryption[0].id : null } identity { 
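Review bot: `disk_encryption_set_id` in the nexus `os_disk` block references `azurerm_disk_encryption_set.jumpbox_disk_encryption`, but the set this commit adds to this module (the next hunk) is named `nexus_disk_encryption`, so the reference is to an undeclared resource and fails validation even when `enable_cmk_encryption` is false. Change it to `disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.nexus_disk_encryption[0].id : null`. The enclosing `azurerm_linux_virtual_machine.nexus` resource continues outside the hunk.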
@@ -145,6 +146,21 @@ resource "azurerm_linux_virtual_machine" "nexus" { } } +resource "azurerm_disk_encryption_set" "nexus_disk_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + name = "vmss-disk-encryption-nexus-${var.tre_id}-${tre_resource_id}" + location = data.azurerm_resource_group.rg.location + resource_group_name = data.azurerm_resource_group.rg.name + key_vault_key_id = data.azurerm_key_vault_key.tre_encryption_key[0].versionless_id + encryption_type = "EncryptionAtRestWithPlatformAndCustomerKeys" + auto_key_rotation_enabled = true + + identity { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id] + } +} + data "template_cloudinit_config" "nexus_config" { gzip = true base64_encode = true diff --git a/templates/workspace_services/azureml/parameters.json b/templates/workspace_services/azureml/parameters.json index e538071afc..db593f4b28 100755 --- a/templates/workspace_services/azureml/parameters.json +++ b/templates/workspace_services/azureml/parameters.json @@ -69,6 +69,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml index ab04640b47..5bc4e9b547 100644 --- a/templates/workspace_services/azureml/porter.yaml +++ b/templates/workspace_services/azureml/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-azureml -version: 0.8.15 +version: 1.0.0 description: "An Azure TRE service for Azure Machine Learning" registry: azuretre dockerfile: Dockerfile.tmpl 
@@ -63,6 +63,12 @@ parameters: env: ARM_ENVIRONMENT - name: azure_environment env: AZURE_ENVIRONMENT + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: azureml_workspace_name @@ -139,6 +145,8 @@ install: auth_tenant_id: ${ bundle.credentials.auth_tenant_id } arm_environment: ${ bundle.parameters.arm_environment } azure_environment: ${ bundle.parameters.azure_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -175,6 +183,8 @@ upgrade: auth_tenant_id: ${ bundle.credentials.auth_tenant_id } arm_environment: ${ bundle.parameters.arm_environment } azure_environment: ${ bundle.parameters.azure_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -211,6 +221,8 @@ uninstall: auth_tenant_id: ${ bundle.credentials.auth_tenant_id } arm_environment: ${ bundle.parameters.arm_environment } azure_environment: ${ bundle.parameters.azure_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspace_services/azureml/terraform/acr.tf b/templates/workspace_services/azureml/terraform/acr.tf index a0de2fca71..523a72b7bc 100644 --- a/templates/workspace_services/azureml/terraform/acr.tf +++ b/templates/workspace_services/azureml/terraform/acr.tf 
@@ -9,6 +9,24 @@ resource "azurerm_container_registry" "acr" { public_network_access_enabled = false tags = local.tre_workspace_service_tags + dynamic "identity" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id] + } + } + + dynamic "encryption" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + enabled = true + key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].id + identity_client_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + } + + } + lifecycle { ignore_changes = [tags] } } diff --git a/templates/workspace_services/azureml/terraform/data.tf b/templates/workspace_services/azureml/terraform/data.tf index 0612a9d634..d9db7e09b9 100644 --- a/templates/workspace_services/azureml/terraform/data.tf +++ b/templates/workspace_services/azureml/terraform/data.tf @@ -47,3 +47,15 @@ data "azurerm_private_dns_zone" "notebooks" { name = module.terraform_azurerm_environment_configuration.private_links["privatelink.notebooks.azure.net"] resource_group_name = local.core_resource_group_name } + +data "azurerm_key_vault_key" "ws_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "ws_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = data.azurerm_resource_group.ws.name +} diff --git a/templates/workspace_services/azureml/terraform/locals.tf b/templates/workspace_services/azureml/terraform/locals.tf index ac11d6c921..2ed4ce0787 100644 --- a/templates/workspace_services/azureml/terraform/locals.tf +++ b/templates/workspace_services/azureml/terraform/locals.tf 
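Review bot: the `encryption` block of `azurerm_container_registry.acr` sets `identity_client_id` to the identity's `.id`, which is its ARM resource ID, whereas the attribute expects the client (application) ID; it should be `identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].client_id`. Both new blocks also reference `tre_encryption_identity`, but the azureml data.tf hunk in this commit declares the identity as `ws_encryption_identity`, so `identity_ids` needs the same rename or the plan fails on an undeclared data source. Customer-managed-key encryption on ACR is only available on the Premium SKU; the `sku` line is outside this hunk, so please confirm it. The stray blank line before the closing brace of the `encryption` content block can go.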
@@ -14,4 +14,6 @@ locals { tre_workspace_id = var.workspace_id tre_workspace_service_id = var.tre_resource_id } + cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}" + encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}" } diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf index 2a5966beb8..dff5f14062 100644 --- a/templates/workspace_services/azureml/terraform/storage.tf +++ b/templates/workspace_services/azureml/terraform/storage.tf 
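Review bot: `cmk_name` here is derived from `local.workspace_resource_name_suffix`, unlike the shared-service templates in this commit, which use `tre-encryption-${var.tre_id}`; nothing in this module creates that key — the azureml data.tf hunk only reads it — so the naming contract with whatever does create it (presumably the workspace template) is implicit. A comment would make that explicit, e.g. `# Must match the key created for this workspace in the key store; this module only reads it via data.azurerm_key_vault_key`. The same applies to the gitea and export-reviewvm locals.tf hunks.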
@@ -4,18 +4,38 @@ resource "azurerm_storage_account" "aml" { resource_group_name = data.azurerm_resource_group.ws.name account_tier = "Standard" account_replication_type = "GRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" cross_tenant_replication_enabled = false tags = local.tre_workspace_service_tags network_rules { default_action = "Deny" } + dynamic "identity" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id] + } + } + # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below infrastructure_encryption_enabled = true lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } +resource "azurerm_storage_account_customer_managed_key" "aml_stg_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + storage_account_id = azurerm_storage_account.aml.id + key_vault_id = var.key_store_id + key_name = local.cmk_name + user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + + depends_on = [azurerm_key_vault_key.encryption_key] +} + data "azurerm_private_dns_zone" "blobcore" { name = module.terraform_azurerm_environment_configuration.private_links["privatelink.blob.core.windows.net"] resource_group_name = local.core_resource_group_name @@ -49,7 +69,6 @@ resource "azurerm_private_endpoint" "blobpe" { } - resource "azurerm_private_endpoint" "filepe" { name = "pe-file-${local.storage_name}" location = data.azurerm_resource_group.ws.location diff --git a/templates/workspace_services/azureml/terraform/variables.tf b/templates/workspace_services/azureml/terraform/variables.tf index a47b5588ff..ef994567b2 100644 --- a/templates/workspace_services/azureml/terraform/variables.tf +++ b/templates/workspace_services/azureml/terraform/variables.tf 
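Review bot: the `identity` block and `user_assigned_identity_id` in this hunk reference `data.azurerm_user_assigned_identity.tre_encryption_identity`, but the azureml data.tf hunk in this commit declares that data source as `ws_encryption_identity`, so both references are undeclared. Rename them to `data.azurerm_user_assigned_identity.ws_encryption_identity[0].id`. The gitea storage.tf hunk has the same mismatch against its own data.tf, which likewise declares `ws_encryption_identity`.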
@@ -35,11 +35,16 @@ variable "auth_client_secret" { sensitive = true description = "Used to authenticate into the AAD Tenant to get app role members" } - variable "arm_environment" { type = string } - variable "azure_environment" { type = string } +variable "enable_cmk_encryption" { + type = bool + default = false +} +variable "key_store_id" { + type = string +} diff --git a/templates/workspace_services/gitea/parameters.json b/templates/workspace_services/gitea/parameters.json index 811e0a5f3b..b35183879d 100755 --- a/templates/workspace_services/gitea/parameters.json +++ b/templates/workspace_services/gitea/parameters.json @@ -69,6 +69,18 @@ "source": { "env": "SQL_SKU" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/workspace_services/gitea/porter.yaml b/templates/workspace_services/gitea/porter.yaml index 1d648b0c25..aea894d54b 100644 --- a/templates/workspace_services/gitea/porter.yaml +++ b/templates/workspace_services/gitea/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-service-gitea -version: 1.1.1 +version: 2.0.0 description: "A Gitea workspace service" dockerfile: Dockerfile.tmpl registry: azuretre @@ -66,6 +66,12 @@ parameters: - name: aad_authority_url type: string default: "https://login.microsoftonline.com" + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" mixins: - exec @@ -106,6 +112,8 @@ install: aad_authority_url: ${ bundle.parameters.aad_authority_url } arm_environment: ${ bundle.parameters.arm_environment } sql_sku: ${ bundle.parameters.sql_sku } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" 
@@ -131,6 +139,8 @@ upgrade: aad_authority_url: ${ bundle.parameters.aad_authority_url } arm_environment: ${ bundle.parameters.arm_environment } sql_sku: ${ bundle.parameters.sql_sku } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -156,6 +166,8 @@ uninstall: aad_authority_url: ${ bundle.parameters.aad_authority_url } arm_environment: ${ bundle.parameters.arm_environment } sql_sku: ${ bundle.parameters.sql_sku } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspace_services/gitea/terraform/data.tf b/templates/workspace_services/gitea/terraform/data.tf index 883091089d..29e85de352 100644 --- a/templates/workspace_services/gitea/terraform/data.tf +++ b/templates/workspace_services/gitea/terraform/data.tf @@ -74,3 +74,15 @@ data "azurerm_monitor_diagnostic_categories" "gitea" { azurerm_linux_web_app.gitea, ] } + +data "azurerm_key_vault_key" "ws_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "ws_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = data.azurerm_resource_group.ws.name +} diff --git a/templates/workspace_services/gitea/terraform/locals.tf b/templates/workspace_services/gitea/terraform/locals.tf index 665181c21e..69f7c9f0df 100644 --- a/templates/workspace_services/gitea/terraform/locals.tf +++ b/templates/workspace_services/gitea/terraform/locals.tf 
@@ -22,5 +22,7 @@ locals { "AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs" ] - gitea_openid_auth = "${var.aad_authority_url}/${data.azurerm_key_vault_secret.aad_tenant_id.value}/v2.0" + gitea_openid_auth = "${var.aad_authority_url}/${data.azurerm_key_vault_secret.aad_tenant_id.value}/v2.0" + cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}" + encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}" } diff --git a/templates/workspace_services/gitea/terraform/storage.tf b/templates/workspace_services/gitea/terraform/storage.tf index 649ee11092..3fc37c1ab8 100644 --- a/templates/workspace_services/gitea/terraform/storage.tf +++ b/templates/workspace_services/gitea/terraform/storage.tf 
@@ -4,15 +4,35 @@ resource "azurerm_storage_account" "gitea" { location = data.azurerm_resource_group.ws.location account_tier = "Standard" account_replication_type = "GRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" cross_tenant_replication_enabled = false tags = local.workspace_service_tags # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below infrastructure_encryption_enabled = true + dynamic "identity" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id] + } + } + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } +resource "azurerm_storage_account_customer_managed_key" "gitea_stg_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + storage_account_id = azurerm_storage_account.gitea.id + key_vault_id = var.key_store_id + key_name = local.cmk_name + user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + + depends_on = [azurerm_key_vault_key.encryption_key] +} + resource "azurerm_storage_account_network_rules" "stgrules" { storage_account_id = azurerm_storage_account.gitea.id diff --git a/templates/workspace_services/gitea/terraform/variables.tf b/templates/workspace_services/gitea/terraform/variables.tf index 181a27045e..267c41fcc6 100644 --- a/templates/workspace_services/gitea/terraform/variables.tf +++ b/templates/workspace_services/gitea/terraform/variables.tf @@ -27,3 +27,10 @@ variable "arm_environment" { variable "sql_sku" { type = string } +variable "enable_cmk_encryption" { + type = bool + default = false +} +variable "key_store_id" { + type = string +} 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json index 9c6ec9b9f3..e6b0e091fe 100755 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/parameters.json @@ -75,6 +75,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml index 39d3f471cb..2992852c4d 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole-export-reviewvm -version: 0.1.12 +version: 0.2.0 description: "An Azure TRE User Resource Template for reviewing Airlock export requests" dockerfile: Dockerfile.tmpl registry: azuretre @@ -75,6 +75,12 @@ parameters: type: string description: "A SAS token to access storage resource in workspace under review" env: airlock_request_sas_url + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: ip 
@@ -118,6 +124,8 @@ install: image: ${ bundle.parameters.os_image } vm_size: ${ bundle.parameters.vm_size } airlock_request_sas_url: ${ bundle.parameters.airlock_request_sas_url } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -142,6 +150,8 @@ upgrade: image: ${ bundle.parameters.os_image } vm_size: ${ bundle.parameters.vm_size } airlock_request_sas_url: "unused" + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -178,6 +188,8 @@ uninstall: image: ${ bundle.parameters.os_image } vm_size: ${ bundle.parameters.vm_size } airlock_request_sas_url: "unused" + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/data.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/data.tf index 2c6512997b..5379f1a599 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/data.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/data.tf 
@@ -33,3 +33,15 @@ data "azurerm_private_endpoint_connection" "airlock_export_inprogress_pe" { name = "pe-sa-export-ip-blob-${local.short_workspace_id}" resource_group_name = data.azurerm_resource_group.ws.name } + +data "azurerm_key_vault_key" "ws_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "ws_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = data.azurerm_resource_group.ws.name +} diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf index 508f1083c2..1f3ac946bd 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf @@ -24,4 +24,7 @@ locals { # selected_image_source_refs is an array to enable easy use of a dynamic block selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference] selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}" + + cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}" + encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}" } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/variables.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/variables.tf index 36cdb77b3c..b557c708cb 100644 
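Review bot: `data "azurerm_key_vault_key" "ws_encryption_key"` passes `key_vault_id = var.key_store_id` through unchecked, and the porter.yaml hunks in this patch default `key_store_id` to `""`, so enabling CMK with KEY_STORE_ID unset surfaces only as a provider error about an empty resource ID at plan time. A `precondition` on the data source names the misconfiguration instead; data sources accept `lifecycle` preconditions from Terraform 1.2, so check the template's `required_version` first. The import-reviewvm, linuxvm and windowsvm templates add the same two data sources and would take the same guard.

```hcl
data "azurerm_key_vault_key" "ws_encryption_key" {
  # … unchanged: count, name, key_vault_id …

  lifecycle {
    precondition {
      condition     = var.key_store_id != ""
      error_message = "key_store_id must be set when enable_cmk_encryption is true."
    }
  }
}
```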
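Review bot: `cmk_name` and `encryption_identity_name` in this locals.tf re-derive, by string convention, names that the base workspace defines as `kv_encryption_key_name` and `encryption_identity_name` in templates/workspaces/base/terraform/locals.tf; the lookups in data.tf silently depend on the two definitions staying identical, and on `local.workspace_resource_name_suffix` being defined in this template the same way the base template defines it. A comment on each local pointing at the source of truth, e.g. `# must match kv_encryption_key_name in templates/workspaces/base/terraform/locals.tf`, makes the coupling visible to whoever next renames either side. The same pair is copied into the locals.tf of the import-reviewvm, linuxvm and windowsvm templates.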
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/variables.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/variables.tf @@ -23,3 +23,10 @@ variable "image_gallery_id" { variable "airlock_request_sas_url" { type = string } +variable "enable_cmk_encryption" { + type = bool + default = false +} +variable "key_store_id" { + type = string +} diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf index 9efc1661f2..a1cd64368a 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf @@ -140,9 +140,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { } os_disk { - name = "osdisk-${local.vm_name}" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" + name = "osdisk-${local.vm_name}" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.windowsvm_disk_encryption[0].id : null } identity { 
@@ -154,6 +155,21 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { lifecycle { ignore_changes = [tags] } } +resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${tre_resource_id}" + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id + encryption_type = "EncryptionAtRestWithPlatformAndCustomerKeys" + auto_key_rotation_enabled = true + + identity { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.ws_encryption_identity[0].id] + } +} + resource "azurerm_virtual_machine_extension" "config_script" { name = "${azurerm_windows_virtual_machine.windowsvm.name}-vmextension" virtual_machine_id = azurerm_windows_virtual_machine.windowsvm.id diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json index 5e12488c7e..07be376ae5 100755 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/parameters.json @@ -81,6 +81,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml index e2beac65d7..ebdb4374cd 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml 
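Review bot: `name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${tre_resource_id}"` interpolates a bare `tre_resource_id`; in HCL that is not a valid reference (named values are `var.`, `local.` or a resource address), so `terraform validate` rejects the new resource — it presumably should read `${var.tre_resource_id}`, the variable the base workspace locals.tf in this patch already uses, assuming this template declares it too. The `vmss-` prefix is also misleading for a single VM's disk encryption set. Whether `ws_encryption_identity` holds wrap/unwrap (or Key Vault Crypto Service Encryption User) rights on the key in `var.key_store_id` is not visible here, and the DES cannot encrypt without it, so a comment naming where that role assignment is made would help. The identical block appears in the import-reviewvm, linuxvm and windowsvm templates, and the windowsvm copy leaves two blank lines before the following `azurerm_virtual_machine_extension`.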
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole-import-reviewvm -version: 0.2.12 +version: 0.3.0 description: "An Azure TRE User Resource Template for reviewing Airlock import requests" dockerfile: Dockerfile.tmpl registry: azuretre @@ -84,6 +84,12 @@ parameters: type: string description: "A SAS token to access storage resource in workspace under review" env: airlock_request_sas_url + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: ip @@ -128,6 +134,8 @@ install: vm_size: ${ bundle.parameters.vm_size } image_gallery_id: ${ bundle.parameters.image_gallery_id } airlock_request_sas_url: ${ bundle.parameters.airlock_request_sas_url } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -153,6 +161,8 @@ upgrade: vm_size: ${ bundle.parameters.vm_size } image_gallery_id: ${ bundle.parameters.image_gallery_id } airlock_request_sas_url: "unused" + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -190,6 +200,8 @@ uninstall: vm_size: ${ bundle.parameters.vm_size } image_gallery_id: ${ bundle.parameters.image_gallery_id } airlock_request_sas_url: "unused" + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/data.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/data.tf index 04675964b9..d3ce0f2eb3 100644 
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/data.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/data.tf @@ -22,3 +22,15 @@ data "azurerm_linux_web_app" "guacamole" { name = "guacamole-${var.tre_id}-ws-${local.short_workspace_id}-svc-${local.short_parent_id}" resource_group_name = data.azurerm_resource_group.ws.name } + +data "azurerm_key_vault_key" "ws_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "ws_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = data.azurerm_resource_group.ws.name +} diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf index 508f1083c2..1f3ac946bd 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf @@ -24,4 +24,7 @@ locals { # selected_image_source_refs is an array to enable easy use of a dynamic block selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference] selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}" + + cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}" + encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}" } 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/variables.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/variables.tf index c6847da884..b557c708cb 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/variables.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/variables.tf @@ -22,4 +22,11 @@ variable "image_gallery_id" { } variable "airlock_request_sas_url" { type = string -} \ No newline at end of file +} +variable "enable_cmk_encryption" { + type = bool + default = false +} +variable "key_store_id" { + type = string +} diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf index 75891d5018..bd09f8f484 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf @@ -61,9 +61,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { } os_disk { - name = "osdisk-${local.vm_name}" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" + name = "osdisk-${local.vm_name}" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.windowsvm_disk_encryption[0].id : null } identity { 
@@ -75,6 +76,21 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { lifecycle { ignore_changes = [tags] } } +resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${tre_resource_id}" + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id + encryption_type = "EncryptionAtRestWithPlatformAndCustomerKeys" + auto_key_rotation_enabled = true + + identity { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.ws_encryption_identity[0].id] + } +} + resource "azurerm_virtual_machine_extension" "config_script" { name = "${azurerm_windows_virtual_machine.windowsvm.name}-vmextension" virtual_machine_id = azurerm_windows_virtual_machine.windowsvm.id diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json index 0c4dc1a484..6ff93df11d 100755 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/parameters.json @@ -87,6 +87,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml index 9f90933613..7660a89b0d 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml 
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole-linuxvm -version: 1.0.6 +version: 1.1.0 description: "An Azure TRE User Resource Template for Guacamole (Linux)" dockerfile: Dockerfile.tmpl registry: azuretre @@ -93,6 +93,12 @@ parameters: - name: shared_storage_name type: string default: "vm-shared-storage" + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: ip @@ -138,6 +144,8 @@ install: shared_storage_access: ${ bundle.parameters.shared_storage_access } shared_storage_name: ${ bundle.parameters.shared_storage_name } image_gallery_id: ${ bundle.parameters.image_gallery_id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -164,6 +172,8 @@ upgrade: shared_storage_access: ${ bundle.parameters.shared_storage_access } shared_storage_name: ${ bundle.parameters.shared_storage_name } image_gallery_id: ${ bundle.parameters.image_gallery_id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -202,6 +212,8 @@ uninstall: shared_storage_access: ${ bundle.parameters.shared_storage_access } shared_storage_name: ${ bundle.parameters.shared_storage_name } image_gallery_id: ${ bundle.parameters.image_gallery_id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf index 8172ec77bb..bbb32f34fd 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf @@ -60,9 +60,10 @@ resource "azurerm_linux_virtual_machine" "linuxvm" { } os_disk { - name = "osdisk-${local.vm_name}" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" + name = "osdisk-${local.vm_name}" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.linuxvm_disk_encryption[0].id : null } identity { @@ -74,6 +75,21 @@ resource "azurerm_linux_virtual_machine" "linuxvm" { lifecycle { ignore_changes = [tags] } } +resource "azurerm_disk_encryption_set" "linuxvm_disk_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + name = "vmss-disk-encryption-linuxvm-${var.tre_id}-${tre_resource_id}" + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id + encryption_type = "EncryptionAtRestWithPlatformAndCustomerKeys" + auto_key_rotation_enabled = true + + identity { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.ws_encryption_identity[0].id] + } +} + data "template_cloudinit_config" "config" { gzip = true base64_encode = true diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf index e0281269fd..a7f326efcf 100644 
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf @@ -26,4 +26,7 @@ locals { selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference] selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}" apt_sku = local.selected_image_source_refs[0]["apt_sku"] + + cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}" + encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}" } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf index a5a8dca738..0c96368904 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf @@ -70,3 +70,15 @@ data "azurerm_public_ip" "app_gateway_ip" { name = "pip-agw-${var.tre_id}" resource_group_name = data.azurerm_resource_group.core.name } + +data "azurerm_key_vault_key" "ws_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "ws_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = data.azurerm_resource_group.ws.name +} 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/variables.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/variables.tf index 4908ae52a2..2e3f95b33d 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/variables.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/variables.tf @@ -26,3 +26,10 @@ variable "image_gallery_id" { type = string default = "" } +variable "enable_cmk_encryption" { + type = bool + default = false +} +variable "key_store_id" { + type = string +} diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json index 23e54b669b..d9becce90e 100755 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/parameters.json @@ -87,6 +87,18 @@ "source": { "env": "ARM_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml index 6be6dc0de3..588228dc68 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml 
@@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole-windowsvm -version: 1.0.4 +version: 1.1.0 description: "An Azure TRE User Resource Template for Guacamole (Windows 10)" dockerfile: Dockerfile.tmpl registry: azuretre @@ -100,6 +100,12 @@ parameters: default: "vm-shared-storage" - name: arm_environment type: string + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: ip @@ -145,6 +151,8 @@ install: shared_storage_access: ${ bundle.parameters.shared_storage_access } shared_storage_name: ${ bundle.parameters.shared_storage_name } image_gallery_id: ${ bundle.parameters.image_gallery_id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -171,6 +179,8 @@ upgrade: shared_storage_access: ${ bundle.parameters.shared_storage_access } shared_storage_name: ${ bundle.parameters.shared_storage_name } image_gallery_id: ${ bundle.parameters.image_gallery_id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -209,6 +219,8 @@ uninstall: shared_storage_access: ${ bundle.parameters.shared_storage_access } shared_storage_name: ${ bundle.parameters.shared_storage_name } image_gallery_id: ${ bundle.parameters.image_gallery_id } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/data.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/data.tf index b8f4239143..4f670db1fb 100644 
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/data.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/data.tf @@ -42,3 +42,15 @@ data "azurerm_storage_share" "shared_storage" { name = var.shared_storage_name storage_account_name = data.azurerm_storage_account.stg.name } + +data "azurerm_key_vault_key" "ws_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} + +data "azurerm_user_assigned_identity" "ws_encryption_identity" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.encryption_identity_name + resource_group_name = data.azurerm_resource_group.ws.name +} diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf index e5137d1967..239e304772 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf @@ -26,4 +26,7 @@ locals { # selected_image_source_refs is an array to enable easy use of a dynamic block selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference] selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}" + + cmk_name = "tre-encryption-${local.workspace_resource_name_suffix}" + encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}" } 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/variables.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/variables.tf index 4908ae52a2..2e3f95b33d 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/variables.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/variables.tf @@ -26,3 +26,10 @@ variable "image_gallery_id" { type = string default = "" } +variable "enable_cmk_encryption" { + type = bool + default = false +} +variable "key_store_id" { + type = string +} diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf index 575f8a7efd..91aaffa002 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf @@ -71,9 +71,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { } os_disk { - name = "osdisk-${local.vm_name}" - caching = "ReadWrite" - storage_account_type = "Standard_LRS" + name = "osdisk-${local.vm_name}" + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.windowsvm_disk_encryption[0].id : null } identity { 
@@ -85,6 +86,22 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { lifecycle { ignore_changes = [tags] } } +resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" { + count = var.enable_cmk_encryption ? 1 : 0 + name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${tre_resource_id}" + location = data.azurerm_resource_group.ws.location + resource_group_name = data.azurerm_resource_group.ws.name + key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id + encryption_type = "EncryptionAtRestWithPlatformAndCustomerKeys" + auto_key_rotation_enabled = true + + identity { + type = "UserAssigned" + identity_ids = [data.azurerm_user_assigned_identity.ws_encryption_identity[0].id] + } +} + + resource "azurerm_virtual_machine_extension" "config_script" { name = "${azurerm_windows_virtual_machine.windowsvm.name}-vmextension" virtual_machine_id = azurerm_windows_virtual_machine.windowsvm.id diff --git a/templates/workspaces/airlock-import-review/parameters.json b/templates/workspaces/airlock-import-review/parameters.json index 3af43908f2..56dd8ec0de 100755 --- a/templates/workspaces/airlock-import-review/parameters.json +++ b/templates/workspaces/airlock-import-review/parameters.json @@ -135,6 +135,18 @@ "source": { "env": "AZURE_ENVIRONMENT" } + }, + { + "name": "enable_cmk_encryption", + "source": { + "env": "ENABLE_CMK_ENCRYPTION" + } + }, + { + "name": "key_store_id", + "source": { + "env": "KEY_STORE_ID" + } } ] } diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml index 544b94d8b6..73e922b4db 100644 --- a/templates/workspaces/airlock-import-review/porter.yaml +++ b/templates/workspaces/airlock-import-review/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-airlock-import-review -version: 0.13.4 +version: 1.0.0 description: "A workspace to do Airlock Data Import Reviews for Azure TRE" dockerfile: Dockerfile.tmpl registry: azuretre 
@@ -112,6 +112,12 @@ parameters: type: string description: "The SKU used when deploying an Azure App Service Plan" default: "P1v3" + - name: enable_cmk_encryption + type: boolean + default: false + - name: key_store_id + type: string + default: "" outputs: - name: app_role_id_workspace_owner @@ -178,6 +184,8 @@ install: app_service_plan_sku: ${ bundle.parameters.app_service_plan_sku } enable_airlock: false arm_environment: ${ bundle.parameters.arm_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -219,6 +227,8 @@ upgrade: app_service_plan_sku: ${ bundle.parameters.app_service_plan_sku } enable_airlock: false arm_environment: ${ bundle.parameters.arm_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" @@ -283,6 +293,8 @@ uninstall: app_service_plan_sku: ${ bundle.parameters.app_service_plan_sku } enable_airlock: false arm_environment: ${ bundle.parameters.arm_environment } + enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption } + key_store_id: ${ bundle.parameters.key_store_id } backendConfig: use_azuread_auth: "true" use_oidc: "true" diff --git a/templates/workspaces/base/parameters.json b/templates/workspaces/base/parameters.json index fa261465ca..f95d146600 100755 --- a/templates/workspaces/base/parameters.json +++ b/templates/workspaces/base/parameters.json @@ -151,13 +151,13 @@ { "name": "enable_cmk_encryption", "source": { - "env": "enable_cmk_encryption" + "env": "ENABLE_CMK_ENCRYPTION" } }, { "name": "key_store_id", "source": { - "env": "key_store_id" + "env": "KEY_STORE_ID" } } ] diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index 75ee4374a1..dbd6f63f60 100644 --- a/templates/workspaces/base/porter.yaml 
+++ b/templates/workspaces/base/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-base -version: 1.7.0 +version: 2.0.0 description: "A base Azure TRE workspace" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index 0bcea7c812..88b35883a7 100644 --- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf @@ -5,6 +5,8 @@ resource "azurerm_storage_account" "sa_import_approved" { resource_group_name = var.ws_resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false @@ -68,6 +70,8 @@ resource "azurerm_storage_account" "sa_export_internal" { resource_group_name = var.ws_resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false @@ -131,6 +135,8 @@ resource "azurerm_storage_account" "sa_export_inprogress" { resource_group_name = var.ws_resource_group_name account_tier = "Standard" account_replication_type = "LRS" + table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" + queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" allow_nested_items_to_be_public = false cross_tenant_replication_enabled = false 
@@ -201,6 +207,8 @@ resource "azurerm_storage_account" "sa_export_rejected" {
 resource_group_name = var.ws_resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
@@ -264,6 +272,8 @@ resource "azurerm_storage_account" "sa_export_blocked" {
 resource_group_name = var.ws_resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
diff --git a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
index 89c44962d6..b1f00d2a15 100644
--- a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
+++ b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
@@ -19,6 +19,8 @@ resource "azurerm_storage_account" "app_insights" {
 account_kind = "StorageV2"
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 tags = var.tre_workspace_tags
diff --git a/templates/workspaces/base/terraform/cmk-encryption.tf b/templates/workspaces/base/terraform/cmk-encryption.tf
index 954bfd2361..9776a62d7e 100644
--- a/templates/workspaces/base/terraform/cmk-encryption.tf
+++ b/templates/workspaces/base/terraform/cmk-encryption.tf
@@ -4,7 +4,7 @@ resource "azurerm_user_assigned_identity" "encryption_identity" {
 location = azurerm_resource_group.ws.location
 tags = local.tre_workspace_tags
- name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"
+ name = local.encryption_identity_name
 lifecycle { ignore_changes = [tags] } }
diff --git a/templates/workspaces/base/terraform/locals.tf b/templates/workspaces/base/terraform/locals.tf
index 37a8263266..bc84d98e4d 100644
--- a/templates/workspaces/base/terraform/locals.tf
+++ b/templates/workspaces/base/terraform/locals.tf
@@ -8,5 +8,6 @@ locals {
 tre_id = var.tre_id
 tre_workspace_id = var.tre_resource_id
 }
- kv_encryption_key_name = "tre-encryption-${local.workspace_resource_name_suffix}"
+ kv_encryption_key_name = "tre-encryption-${local.workspace_resource_name_suffix}"
+ encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"
 }
diff --git a/templates/workspaces/base/terraform/storage.tf b/templates/workspaces/base/terraform/storage.tf
index 5992d88d7c..626af7b63e 100644
--- a/templates/workspaces/base/terraform/storage.tf
+++ b/templates/workspaces/base/terraform/storage.tf
@@ -4,6 +4,8 @@ resource "azurerm_storage_account" "stg" {
 location = azurerm_resource_group.ws.location
 account_tier = "Standard"
 account_replication_type = "GRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 is_hns_enabled = true
 cross_tenant_replication_enabled = false // not technically needed as cross tenant replication not supported when is_hns_enabled = true
diff --git a/templates/workspaces/base/terraform/variables.tf b/templates/workspaces/base/terraform/variables.tf
index 42eecbad69..a9b398e9fd 100644
--- a/templates/workspaces/base/terraform/variables.tf
+++ b/templates/workspaces/base/terraform/variables.tf
@@ -132,6 +132,5 @@ variable "enable_cmk_encryption" {
 variable "key_store_id" {
 type = string
 description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)"
- default = null
 }
diff --git a/templates/workspaces/unrestricted/parameters.json b/templates/workspaces/unrestricted/parameters.json
index 77e5faf93c..00ce33d3ba 100755
--- a/templates/workspaces/unrestricted/parameters.json
+++ b/templates/workspaces/unrestricted/parameters.json
@@ -147,6 +147,18 @@
 "source": {
 "env": "ARM_ENVIRONMENT"
 }
+ },
+ {
+ "name": "enable_cmk_encryption",
+ "source": {
+ "env": "ENABLE_CMK_ENCRYPTION"
+ }
+ },
+ {
+ "name": "key_store_id",
+ "source": {
+ "env": "KEY_STORE_ID"
+ }
 }
 ]
 }
diff --git a/templates/workspaces/unrestricted/porter.yaml b/templates/workspaces/unrestricted/porter.yaml
index 8efa40a2c7..4b535071cb 100644
--- a/templates/workspaces/unrestricted/porter.yaml
+++ b/templates/workspaces/unrestricted/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-unrestricted
-version: 0.12.4
+version: 1.0.0
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -118,6 +118,12 @@ parameters:
 - name: enable_airlock
 type: boolean
 default: false
+ - name: enable_cmk_encryption
+ type: boolean
+ default: false
+ - name: key_store_id
+ type: string
+ default: ""
 outputs:
 - name: app_role_id_workspace_owner
@@ -185,6 +191,8 @@ install:
 app_service_plan_sku: ${ bundle.parameters.app_service_plan_sku }
 enable_airlock: ${ bundle.parameters.enable_airlock }
 arm_environment: ${ bundle.parameters.arm_environment }
+ enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
+ key_store_id: ${ bundle.parameters.key_store_id }
 backendConfig:
 use_azuread_auth: "true"
 use_oidc: "true"
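Review bot: Dropping `default = null` makes `key_store_id` required, but the porter.yaml parameter added in this same commit defaults it to `""`, so a deployment with `enable_cmk_encryption = true` and no key store configured passes variable validation and only fails later, when the Key Vault lookup runs with an empty id. A `lifecycle { precondition }` on the resource that consumes `var.key_store_id`, with `condition = !var.enable_cmk_encryption || var.key_store_id != ""` and an error message naming both variables, would fail the plan with a clear message; a `validation` block on the variable cannot reference a second variable before Terraform 1.9, which is why the precondition is the portable place. The unrestricted workspace's parameters.json and porter.yaml in this line mirror the base workspace and would be covered by the same check.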
@@ -227,6 +235,8 @@ upgrade:
 app_service_plan_sku: ${ bundle.parameters.app_service_plan_sku }
 enable_airlock: ${ bundle.parameters.enable_airlock }
 arm_environment: ${ bundle.parameters.arm_environment }
+ enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
+ key_store_id: ${ bundle.parameters.key_store_id }
 backendConfig:
 use_azuread_auth: "true"
 use_oidc: "true"
@@ -292,6 +302,8 @@ uninstall:
 app_service_plan_sku: ${ bundle.parameters.app_service_plan_sku }
 enable_airlock: ${ bundle.parameters.enable_airlock }
 arm_environment: ${ bundle.parameters.arm_environment }
+ enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
+ key_store_id: ${ bundle.parameters.key_store_id }
 backendConfig:
 use_azuread_auth: "true"
 use_oidc: "true"
From 53a3056ee1b5104ac0c8224d922b30563916155a Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Fri, 13 Dec 2024 01:00:59 +0000
Subject: [PATCH 08/14] fix terraform issues found by linter
---
 templates/shared_services/admin-vm/terraform/admin-jumpbox.tf | 2 +-
 templates/shared_services/certs/terraform/staticweb.tf | 2 --
 templates/shared_services/cyclecloud/terraform/storage.tf | 2 --
 templates/shared_services/sonatype-nexus-vm/terraform/vm.tf | 4 ++--
 templates/workspace_services/azureml/terraform/storage.tf | 2 --
 templates/workspace_services/gitea/terraform/storage.tf | 2 --
 .../guacamole-azure-export-reviewvm/terraform/windowsvm.tf | 2 +-
 .../guacamole-azure-import-reviewvm/terraform/windowsvm.tf | 2 +-
 .../guacamole-azure-linuxvm/terraform/linuxvm.tf | 2 +-
 .../guacamole-azure-windowsvm/terraform/windowsvm.tf | 2 +-
 10 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
index ec381423c5..3eab32b86f 100644
--- a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
+++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
@@ -56,7 +56,7 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
 resource "azurerm_disk_encryption_set" "jumpbox_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-jumpbox-${var.tre_id}-${tre_resource_id}"
+ name = "vmss-disk-encryption-jumpbox-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
 key_vault_key_id = data.azurerm_key_vault_key.tre_encryption_key[0].versionless_id
diff --git a/templates/shared_services/certs/terraform/staticweb.tf b/templates/shared_services/certs/terraform/staticweb.tf
index 927b68f00b..5de49e6065 100644
--- a/templates/shared_services/certs/terraform/staticweb.tf
+++ b/templates/shared_services/certs/terraform/staticweb.tf
@@ -38,8 +38,6 @@ resource "azurerm_storage_account_customer_managed_key" "staticweb_stg_encryptio
 key_vault_id = var.key_store_id
 key_name = local.cmk_name
 user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id
-
- depends_on = [azurerm_key_vault_key.encryption_key]
 }
 resource "azurerm_role_assignment" "stgwriter" {
diff --git a/templates/shared_services/cyclecloud/terraform/storage.tf b/templates/shared_services/cyclecloud/terraform/storage.tf
index d10cc5512d..ed669ac609 100644
--- a/templates/shared_services/cyclecloud/terraform/storage.tf
+++ b/templates/shared_services/cyclecloud/terraform/storage.tf
@@ -29,8 +29,6 @@ resource "azurerm_storage_account_customer_managed_key" "cyclecloud_stg_encrypti
 key_vault_id = var.key_store_id
 key_name = local.cmk_name
 user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id
-
- depends_on = [azurerm_key_vault_key.encryption_key]
 }
 data "azurerm_private_dns_zone" "blobcore" {
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
index 35ecf6b056..5beae684e2 100644
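Review bot: The `azurerm_disk_encryption_set` now interpolates `var.tre_resource_id` correctly, but its `key_vault_key_id` points at `versionless_id` while no `auto_key_rotation_enabled = true` is visible in the hunk; the resource body continues past the hunk, so if that attribute is not set further down, my recollection of the provider is that the set resolves the key once at creation and does not follow rotated key versions, which defeats the point of the versionless reference. Consider adding `auto_key_rotation_enabled = true` next to `key_vault_key_id` (or confirming it is already there). The same pattern appears in the nexus, export-reviewvm, import-reviewvm, linuxvm and windowsvm disk encryption sets in the following lines.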
--- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -120,7 +120,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 caching = "ReadWrite"
 storage_account_type = "Standard_LRS"
 disk_size_gb = 64
- disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.jumpbox_disk_encryption[0].id : null
+ disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.nexus_disk_encryption[0].id : null
 }
 identity {
@@ -148,7 +148,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 resource "azurerm_disk_encryption_set" "nexus_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-nexus-${var.tre_id}-${tre_resource_id}"
+ name = "vmss-disk-encryption-nexus-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
 key_vault_key_id = data.azurerm_key_vault_key.tre_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf
index dff5f14062..34dc8fc93b 100644
--- a/templates/workspace_services/azureml/terraform/storage.tf
+++ b/templates/workspace_services/azureml/terraform/storage.tf
@@ -32,8 +32,6 @@ resource "azurerm_storage_account_customer_managed_key" "aml_stg_encryption" {
 key_vault_id = var.key_store_id
 key_name = local.cmk_name
 user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id
-
- depends_on = [azurerm_key_vault_key.encryption_key]
 }
 data "azurerm_private_dns_zone" "blobcore" {
diff --git a/templates/workspace_services/gitea/terraform/storage.tf b/templates/workspace_services/gitea/terraform/storage.tf
index 3fc37c1ab8..0b779a3a33 100644
--- a/templates/workspace_services/gitea/terraform/storage.tf
+++ b/templates/workspace_services/gitea/terraform/storage.tf
@@ -29,8 +29,6 @@ resource "azurerm_storage_account_customer_managed_key" "gitea_stg_encryption" {
 key_vault_id = var.key_store_id
 key_name = local.cmk_name
 user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id
-
- depends_on = [azurerm_key_vault_key.encryption_key]
 }
 resource "azurerm_storage_account_network_rules" "stgrules" {
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
index a1cd64368a..1d0650f36b 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
@@ -157,7 +157,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${tre_resource_id}"
+ name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
index bd09f8f484..e617151796 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
@@ -78,7 +78,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${tre_resource_id}"
+ name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
index bbb32f34fd..83a8b29838 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
@@ -77,7 +77,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
 resource "azurerm_disk_encryption_set" "linuxvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-linuxvm-${var.tre_id}-${tre_resource_id}"
+ name = "vmss-disk-encryption-linuxvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
index 91aaffa002..85af217a67 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
@@ -88,7 +88,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${tre_resource_id}"
+ name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id
From 1fa5e5ddea01e3aa3b2c15710d1a4d5744cf5e4e Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Fri, 13 Dec 2024 01:33:24 +0000
Subject: [PATCH 09/14] raise minor instead of major version
---
 templates/shared_services/certs/porter.yaml | 3 +--
 templates/shared_services/cyclecloud/porter.yaml | 2 +-
 templates/workspace_services/azureml/porter.yaml | 2 +-
 templates/workspace_services/gitea/porter.yaml | 2 +-
 templates/workspaces/airlock-import-review/porter.yaml | 2 +-
 templates/workspaces/base/porter.yaml | 2 +-
 templates/workspaces/unrestricted/porter.yaml | 2 +-
 7 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml
index b9e2541272..cb0ae604d0 100755
--- a/templates/shared_services/certs/porter.yaml
+++ b/templates/shared_services/certs/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 1.0.0
+version: 0.7.0
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@@ -124,7 +124,6 @@ install:
 resource-group: ${ bundle.outputs.resource_group_name }
 name: ${ bundle.outputs.application_gateway_name }
-
 upgrade:
 - exec:
 description: "Upgrade shared service"
diff --git a/templates/shared_services/cyclecloud/porter.yaml b/templates/shared_services/cyclecloud/porter.yaml
index 46fb3598ce..732b59447f 100644
--- a/templates/shared_services/cyclecloud/porter.yaml
+++ b/templates/shared_services/cyclecloud/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-cyclecloud
-version: 1.0.0
+version: 0.7.0
 description: "An Azure TRE Shared Service Template for Azure Cyclecloud"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml
index ca6c15817b..75f659cc55 100644
--- a/templates/workspace_services/azureml/porter.yaml
+++ b/templates/workspace_services/azureml/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-azureml
-version: 1.0.0
+version: 0.9.0
 description: "An Azure TRE service for Azure Machine Learning"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/workspace_services/gitea/porter.yaml b/templates/workspace_services/gitea/porter.yaml
index 03f512b89d..b8aff0fa35 100644
--- a/templates/workspace_services/gitea/porter.yaml
+++ b/templates/workspace_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 2.0.0
+version: 1.2.0
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml
index 74f20272c1..55c90896f6 100644
--- a/templates/workspaces/airlock-import-review/porter.yaml
+++ b/templates/workspaces/airlock-import-review/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-airlock-import-review
-version: 1.0.0
+version: 0.14.0
 description: "A workspace to do Airlock Data Import Reviews for Azure TRE"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
index b9f13d5a61..901ae0541b 100644
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 2.0.0
+version: 1.8.0
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/unrestricted/porter.yaml b/templates/workspaces/unrestricted/porter.yaml
index 02201ac14c..2a72c33b2c 100644
--- a/templates/workspaces/unrestricted/porter.yaml
+++ b/templates/workspaces/unrestricted/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-unrestricted
-version: 1.0.0
+version: 0.13.0
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
From abd2f2d35798a34e0ee2052ad420588e80dc1e90 Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Fri, 13 Dec 2024 01:35:39 +0000
Subject: [PATCH 10/14] fix terraform issues found by linter
---
 templates/workspace_services/azureml/terraform/acr.tf | 4 ++--
 templates/workspace_services/azureml/terraform/storage.tf | 4 ++--
 templates/workspace_services/gitea/terraform/storage.tf | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/templates/workspace_services/azureml/terraform/acr.tf b/templates/workspace_services/azureml/terraform/acr.tf
index 523a72b7bc..0ea0388dd8 100644
--- a/templates/workspace_services/azureml/terraform/acr.tf
+++ b/templates/workspace_services/azureml/terraform/acr.tf
@@ -13,7 +13,7 @@ resource "azurerm_container_registry" "acr" {
 for_each = var.enable_cmk_encryption ? [1] : []
 content {
 type = "UserAssigned"
- identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id]
+ identity_ids = [data.azurerm_user_assigned_identity.ws_encryption_identity[0].id]
 }
 }
@@ -22,7 +22,7 @@ resource "azurerm_container_registry" "acr" {
 content {
 enabled = true
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].id
- identity_client_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id
+ identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id
 }
 }
diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf
index 34dc8fc93b..94925a85eb 100644
--- a/templates/workspace_services/azureml/terraform/storage.tf
+++ b/templates/workspace_services/azureml/terraform/storage.tf
@@ -16,7 +16,7 @@ resource "azurerm_storage_account" "aml" {
 for_each = var.enable_cmk_encryption ? [1] : []
 content {
 type = "UserAssigned"
- identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id]
+ identity_ids = [data.azurerm_user_assigned_identity.ws_encryption_identity[0].id]
 }
 }
@@ -31,7 +31,7 @@ resource "azurerm_storage_account_customer_managed_key" "aml_stg_encryption" {
 storage_account_id = azurerm_storage_account.aml.id
 key_vault_id = var.key_store_id
 key_name = local.cmk_name
- user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id
+ user_assigned_identity_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id
 }
 data "azurerm_private_dns_zone" "blobcore" {
diff --git a/templates/workspace_services/gitea/terraform/storage.tf b/templates/workspace_services/gitea/terraform/storage.tf
index 0b779a3a33..c042a18ff7 100644
--- a/templates/workspace_services/gitea/terraform/storage.tf
+++ b/templates/workspace_services/gitea/terraform/storage.tf
@@ -16,7 +16,7 @@ resource "azurerm_storage_account" "gitea" {
 for_each = var.enable_cmk_encryption ? [1] : []
 content {
 type = "UserAssigned"
- identity_ids = [data.azurerm_user_assigned_identity.tre_encryption_identity[0].id]
+ identity_ids = [data.azurerm_user_assigned_identity.ws_encryption_identity[0].id]
 }
 }
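Review bot: `identity_client_id` in the ACR encryption block is still assigned the identity's ARM resource id (`...ws_encryption_identity[0].id`) after this commit; the attribute expects the identity's client (application) id, so with `enable_cmk_encryption` on the registry's CMK configuration would be rejected or bound to the wrong principal. The line should read `identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].client_id`, which is exactly what patch 12/14 later in this series changes it to; folding that fix into this commit would keep the series bisectable. The storage-account hunks in this line only swap the data-source name and look fine.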
@@ -28,7 +28,7 @@ resource "azurerm_storage_account_customer_managed_key" "gitea_stg_encryption" {
 storage_account_id = azurerm_storage_account.gitea.id
 key_vault_id = var.key_store_id
 key_name = local.cmk_name
- user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id
+ user_assigned_identity_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id
 }
 resource "azurerm_storage_account_network_rules" "stgrules" {
From 2777c6d0b39b77a90cbe88b6695a73c203524b52 Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Fri, 13 Dec 2024 09:59:19 +0000
Subject: [PATCH 11/14] fix terraform issues found by linter
---
 templates/shared_services/certs/terraform/data.tf | 8 --------
 templates/shared_services/cyclecloud/terraform/data.tf | 6 ------
 templates/workspace_services/gitea/terraform/data.tf | 6 ------
 3 files changed, 20 deletions(-)
diff --git a/templates/shared_services/certs/terraform/data.tf b/templates/shared_services/certs/terraform/data.tf
index 1c7262e0e2..359ae36f43 100644
--- a/templates/shared_services/certs/terraform/data.tf
+++ b/templates/shared_services/certs/terraform/data.tf
@@ -1,5 +1,3 @@
-data "azurerm_client_config" "current" {}
-
 data "azurerm_resource_group" "rg" {
 name = "rg-${var.tre_id}"
 }
@@ -20,12 +18,6 @@ data "azurerm_user_assigned_identity" "resource_processor_vmss_id" {
 resource_group_name = "rg-${var.tre_id}"
 }
-data "azurerm_key_vault_key" "tre_encryption_key" {
- count = var.enable_cmk_encryption ? 1 : 0
- name = local.cmk_name
- key_vault_id = var.key_store_id
-}
-
 data "azurerm_user_assigned_identity" "tre_encryption_identity" {
 count = var.enable_cmk_encryption ? 1 : 0
 name = local.encryption_identity_name
diff --git a/templates/shared_services/cyclecloud/terraform/data.tf b/templates/shared_services/cyclecloud/terraform/data.tf
index 26233788cc..b3ab49aa77 100644
--- a/templates/shared_services/cyclecloud/terraform/data.tf
+++ b/templates/shared_services/cyclecloud/terraform/data.tf
@@ -1,9 +1,3 @@
-data "azurerm_key_vault_key" "tre_encryption_key" {
- count = var.enable_cmk_encryption ? 1 : 0
- name = local.cmk_name
- key_vault_id = var.key_store_id
- }
-
 data "azurerm_user_assigned_identity" "tre_encryption_identity" {
 count = var.enable_cmk_encryption ? 1 : 0
 name = local.encryption_identity_name
diff --git a/templates/workspace_services/gitea/terraform/data.tf b/templates/workspace_services/gitea/terraform/data.tf
index 29e85de352..4447529bb0 100644
--- a/templates/workspace_services/gitea/terraform/data.tf
+++ b/templates/workspace_services/gitea/terraform/data.tf
@@ -75,12 +75,6 @@ data "azurerm_monitor_diagnostic_categories" "gitea" {
 ]
 }
-data "azurerm_key_vault_key" "ws_encryption_key" {
- count = var.enable_cmk_encryption ? 1 : 0
- name = local.cmk_name
- key_vault_id = var.key_store_id
-}
-
 data "azurerm_user_assigned_identity" "ws_encryption_identity" {
 count = var.enable_cmk_encryption ? 1 : 0
 name = local.encryption_identity_name
From 4d3b71a9b535bd6eef49326f9402b0035a429be0 Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Tue, 17 Dec 2024 12:51:43 +0000
Subject: [PATCH 12/14] fix: update identity_client_id reference in azureml
---
 .../workspace_services/azureml/terraform/.terraform.lock.hcl | 1 +
 templates/workspace_services/azureml/terraform/acr.tf | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/workspace_services/azureml/terraform/.terraform.lock.hcl b/templates/workspace_services/azureml/terraform/.terraform.lock.hcl
index 973c2cf117..d052c17d11 100644
--- a/templates/workspace_services/azureml/terraform/.terraform.lock.hcl
+++ b/templates/workspace_services/azureml/terraform/.terraform.lock.hcl
@@ -5,6 +5,7 @@ provider "registry.terraform.io/azure/azapi" {
 version = "1.15.0"
 constraints = "1.15.0"
 hashes = [
+ "h1:Y7ruMuPh8UJRTRl4rm+cdpGtmURx2taqiuqfYaH3o48=",
 "h1:gIOgxVmFSxHrR+XOzgUEA+ybOmp8kxZlZH3eYeB/eFI=",
 "zh:0627a8bc77254debc25dc0c7b62e055138217c97b03221e593c3c56dc7550671",
 "zh:2fe045f07070ef75d0bec4b0595a74c14394daa838ddb964e2fd23cc98c40c34",
diff --git a/templates/workspace_services/azureml/terraform/acr.tf b/templates/workspace_services/azureml/terraform/acr.tf
index 0ea0388dd8..7fc9295e9a 100644
--- a/templates/workspace_services/azureml/terraform/acr.tf
+++ b/templates/workspace_services/azureml/terraform/acr.tf
@@ -22,7 +22,7 @@ resource "azurerm_container_registry" "acr" {
 content {
 enabled = true
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].id
- identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id
+ identity_client_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].client_id
 }
 }
From 3fe5a72d046f4bc867a1219e2a17b8990f0d73e8 Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Wed, 18 Dec 2024 07:37:31 +0000
Subject: [PATCH 13/14] remove the 'vmss' from disks encryption set names
---
 templates/shared_services/admin-vm/terraform/admin-jumpbox.tf | 2 +-
 templates/shared_services/sonatype-nexus-vm/terraform/vm.tf | 2 +-
 .../guacamole-azure-export-reviewvm/terraform/windowsvm.tf | 2 +-
 .../guacamole-azure-import-reviewvm/terraform/windowsvm.tf | 2 +-
 .../user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf | 2 +-
 .../guacamole-azure-windowsvm/terraform/windowsvm.tf | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
index 3eab32b86f..5160524505 100644
--- a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
+++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
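Review bot: With `identity_client_id` now corrected, the remaining weak spot in the ACR encryption block is the context line `key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].id`, which is the versioned key id, whereas the disk encryption sets elsewhere in this series reference `versionless_id`; after a key rotation the registry stays pinned to the old version until someone re-applies, and the key-rotation story differs between resources that share one CMK. If the registry accepts a versionless key reference for automatic rotation (my recollection, not verified here), switching to `versionless_id` makes the behaviour consistent; if it does not, a comment such as `# versioned key: ACR encryption must be re-applied after the CMK is rotated` records the operational step.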
@@ -56,7 +56,7 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
 resource "azurerm_disk_encryption_set" "jumpbox_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-jumpbox-${var.tre_id}-${var.tre_resource_id}"
+ name = "disk-encryption-jumpbox-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
 key_vault_key_id = data.azurerm_key_vault_key.tre_encryption_key[0].versionless_id
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
index 5beae684e2..cd7bf80ed4 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -148,7 +148,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 resource "azurerm_disk_encryption_set" "nexus_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-nexus-${var.tre_id}-${var.tre_resource_id}"
+ name = "disk-encryption-nexus-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
 key_vault_key_id = data.azurerm_key_vault_key.tre_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
index 1d0650f36b..318ff29761 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
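Review bot: Changing the `name` of an `azurerm_disk_encryption_set` is a force-new change in the provider as far as I recall, so any environment that already applied an earlier commit of this series with `enable_cmk_encryption` on would plan a replacement of the set, and Azure refuses to delete a disk encryption set while disks still reference it, so the apply would fail on the old set rather than silently re-key the VM. If the CMK feature has not been released yet this is harmless, but it deserves a line in the bundle version bump or the upgrade notes telling operators of pre-release deployments to expect it. The same rename is made in the nexus hunk here and in the export-reviewvm, import-reviewvm, linuxvm and windowsvm hunks that follow.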
@@ -157,7 +157,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
+ name = "disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
index e617151796..a4d250b7f4 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
@@ -78,7 +78,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
+ name = "disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
index 83a8b29838..6fe87c542d 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
@@ -77,7 +77,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
 resource "azurerm_disk_encryption_set" "linuxvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-linuxvm-${var.tre_id}-${var.tre_resource_id}"
+ name = "disk-encryption-linuxvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
index 85af217a67..40e6601f4b 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
@@ -88,7 +88,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = "vmss-disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
+ name = "disk-encryption-windowsvm-${var.tre_id}-${var.tre_resource_id}"
 location = data.azurerm_resource_group.ws.location
 resource_group_name = data.azurerm_resource_group.ws.name
 key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id

From c96a71673197fce021863a60bab63078f06bc9c3 Mon Sep 17 00:00:00 2001
From: Yuval Yaron
Date: Sun, 22 Dec 2024 09:40:31 +0000
Subject: [PATCH 14/14] move all data resources to a data.tf file

---
 .../guacamole-azure-linuxvm/terraform/data.tf | 45 +++++++++++++++++++
 .../guacamole-azure-linuxvm/terraform/main.tf | 45 -------------------
 2 files changed, 45 insertions(+), 45 deletions(-)
 create mode 100644 templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/data.tf

diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/data.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/data.tf
new file mode 100644
index 0000000000..c4edbbf029
--- /dev/null
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/data.tf
@@ -0,0 +1,45 @@
+data "azurerm_resource_group" "ws" {
+ name = "rg-${var.tre_id}-ws-${local.short_workspace_id}"
+}
+
+data "azurerm_resource_group" "core" {
+ name = "rg-${var.tre_id}"
+}
+
+data "azurerm_virtual_network" "ws" {
+ name = "vnet-${var.tre_id}-ws-${local.short_workspace_id}"
+ resource_group_name = data.azurerm_resource_group.ws.name
+}
+
+data "azurerm_subnet" "services" {
+ name = "ServicesSubnet"
+ virtual_network_name = data.azurerm_virtual_network.ws.name
+ resource_group_name = data.azurerm_resource_group.ws.name
+}
+
+data "azurerm_key_vault" "ws" {
+ name = local.keyvault_name
+ resource_group_name = data.azurerm_resource_group.ws.name
+}
+
+data "azurerm_linux_web_app" "guacamole" {
+ name = "guacamole-${var.tre_id}-ws-${local.short_workspace_id}-svc-${local.short_parent_id}"
+ resource_group_name = data.azurerm_resource_group.ws.name
+}
+
+data "azurerm_public_ip" "app_gateway_ip" {
+ name = "pip-agw-${var.tre_id}"
+ resource_group_name = data.azurerm_resource_group.core.name
+}
+
+data "azurerm_key_vault_key" "ws_encryption_key" {
+ count = var.enable_cmk_encryption ? 1 : 0
+ name = local.cmk_name
+ key_vault_id = var.key_store_id
+}
+
+data "azurerm_user_assigned_identity" "ws_encryption_identity" {
+ count = var.enable_cmk_encryption ? 1 : 0
+ name = local.encryption_identity_name
+ resource_group_name = data.azurerm_resource_group.ws.name
+}
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf
index 57c7986ebe..856d97f0ec 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf
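Review bot: Only the linuxvm template receives a `data.tf` here, while the export/import review VM and windowsvm templates touched in the previous commit presumably still keep their data sources in `main.tf`; if this layout is meant to be the convention, the same move across the sibling templates would keep the series uniform and make the title "move all data resources" accurate. A short header comment would also help a reader landing in the new file, e.g. `# Lookups for the workspace/core resource groups, network, Key Vault and the optional CMK key and identity (count follows var.enable_cmk_encryption).` The contents are otherwise an unchanged relocation of the blocks removed from main.tf below.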
@@ -40,48 +40,3 @@ provider "azurerm" {
 storage_use_azuread = true
 }
-data "azurerm_resource_group" "ws" {
- name = "rg-${var.tre_id}-ws-${local.short_workspace_id}"
-}
-
-data "azurerm_resource_group" "core" {
- name = "rg-${var.tre_id}"
-}
-
-data "azurerm_virtual_network" "ws" {
- name = "vnet-${var.tre_id}-ws-${local.short_workspace_id}"
- resource_group_name = data.azurerm_resource_group.ws.name
-}
-
-data "azurerm_subnet" "services" {
- name = "ServicesSubnet"
- virtual_network_name = data.azurerm_virtual_network.ws.name
- resource_group_name = data.azurerm_resource_group.ws.name
-}
-
-data "azurerm_key_vault" "ws" {
- name = local.keyvault_name
- resource_group_name = data.azurerm_resource_group.ws.name
-}
-
-data "azurerm_linux_web_app" "guacamole" {
- name = "guacamole-${var.tre_id}-ws-${local.short_workspace_id}-svc-${local.short_parent_id}"
- resource_group_name = data.azurerm_resource_group.ws.name
-}
-
-data "azurerm_public_ip" "app_gateway_ip" {
- name = "pip-agw-${var.tre_id}"
- resource_group_name = data.azurerm_resource_group.core.name
-}
-
-data "azurerm_key_vault_key" "ws_encryption_key" {
- count = var.enable_cmk_encryption ? 1 : 0
- name = local.cmk_name
- key_vault_id = var.key_store_id
-}
-
-data "azurerm_user_assigned_identity" "ws_encryption_identity" {
- count = var.enable_cmk_encryption ? 1 : 0
- name = local.encryption_identity_name
- resource_group_name = data.azurerm_resource_group.ws.name
-}