Merge branch 'main' into jr/upstream-main/146-workspace-app-plan

microsoft · Feb 9, 2025 · c13c1dc · c13c1dc
2 parents 729ac91 + 9327874
commit c13c1dc
Show file tree

Hide file tree

Showing 14 changed files with 111 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,19 @@
 <!-- markdownlint-disable MD041 -->
-## 0.20.0 (Unreleased)
+## 0.21.0 (Unreleased)
 
 **BREAKING CHANGES & MIGRATIONS**:
-* InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these worksapce services they can be retrieved from release 0.19.1. ([#4127](https://github.com/microsoft/AzureTRE/issues/4127))
-* This released removed support for Porter v0.*. If you're upgrading from a much earlier verion you can't go directly to this one. ([#4228](https://github.com/microsoft/AzureTRE/issues/4228))
+
+ENHANCEMENTS:
+
+BUG FIXES:
+
+COMPONENTS:
+
+## 0.20.0 (Feburary 9, 2025)
+
+**BREAKING CHANGES & MIGRATIONS**:
+* InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these workspace services they can be retrieved from release 0.19.1. ([#4127](https://github.com/microsoft/AzureTRE/issues/4127))
+* This release removed support for Porter v0.*. If you're upgrading from a much earlier version you can't go directly to this one. ([#4228](https://github.com/microsoft/AzureTRE/issues/4228))
 
 FEATURES:
 * Add support for customer-managed keys encryption. Core support ([#4141](https://github.com/microsoft/AzureTRE/issues/4142), [#4144](https://github.com/microsoft/AzureTRE/issues/4144)), Base workspace ([#4161](https://github.com/microsoft/AzureTRE/pull/4161)), other templates ([#4145](https://github.com/microsoft/AzureTRE/issues/4145))
@@ -34,13 +44,15 @@ ENHANCEMENTS:
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
+* Disable local authentication in ServiceBus ([#4259](https://github.com/microsoft/AzureTRE/issues/4259))
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
 * Downgrade certs shared service App Gateway to Basic SKU ([#4300](https://github.com/microsoft/AzureTRE/issues/4300))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
 * Disable local authentication in EventGrid ([#4254](https://github.com/microsoft/AzureTRE/issues/4254))
 
+
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
 * Template images are showing CVEs ([#4153](https://github.com/microsoft/AzureTRE/issues/4153))
@@ -53,7 +65,7 @@ BUG FIXES:
 * Fix failing tests, .env missing and storage logs ([#4207](https://github.com/microsoft/AzureTRE/issues/4207))
 * Unable to delete virtual machines, add skip_shutdown_and_force_delete = true ([#4135](https://github.com/microsoft/AzureTRE/issues/4135))
 * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212))
-* Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
+* Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitigate storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
@@ -64,6 +76,37 @@ BUG FIXES:
 
 COMPONENTS:
 
+| name | version |
+| ----- | ----- |
+| devops | 0.5.5 |
+| core | 0.11.23 |
+| ui | 0.6.3 |
+| tre-shared-service-databricks-private-auth | 0.1.11 |
+| tre-shared-service-gitea | 1.1.4 |
+| tre-shared-service-sonatype-nexus | 3.3.2 |
+| tre-shared-service-firewall | 1.3.0 |
+| tre-shared-service-admin-vm | 0.5.2 |
+| tre-shared-service-certs | 0.7.3 |
+| tre-shared-service-airlock-notifier | 1.0.8 |
+| tre-shared-service-cyclecloud | 0.7.2 |
+| tre-workspace-airlock-import-review | 0.14.2 |
+| tre-workspace-base | 1.9.2 |
+| tre-workspace-unrestricted | 0.13.2 |
+| tre-workspace-service-gitea | 1.2.2 |
+| tre-workspace-service-mysql | 1.0.9 |
+| tre-workspace-service-health | 0.2.11 |
+| tre-workspace-service-openai | 1.0.6 |
+| tre-service-azureml | 0.9.2 |
+| tre-user-resource-aml-compute-instance | 0.5.11 |
+| tre-service-databricks | 1.0.10 |
+| tre-workspace-service-azuresql | 1.0.15 |
+| tre-service-guacamole | 0.12.7 |
+| tre-service-guacamole-export-reviewvm | 0.2.2 |
+| tre-service-guacamole-linuxvm | 1.2.4 |
+| tre-service-guacamole-import-reviewvm | 0.3.2 |
+| tre-service-guacamole-windowsvm | 1.2.6 |
+| tre-workspace-service-ohdsi | 0.3.2 |
+
 ## 0.19.1
 
 **BREAKING CHANGES & MIGRATIONS**:
@@ -79,6 +122,7 @@ BUG FIXES:
 * Workspace creation blocked due to Azure API depreciation ([#4095](https://github.com/microsoft/AzureTRE/issues/4095))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.2 |
@@ -137,6 +181,7 @@ BUG FIXES:
 * Update .NET version on Linux VMs ([#4067](https://github.com/microsoft/AzureTRE/issues/4067))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -200,6 +245,7 @@ BUG FIXES:
 * Add lifecycle rule to the Gitea Shared Service template for the MySQL resource to stop it recreating on `update` ([#4006](https://github.com/microsoft/AzureTRE/issues/4006))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -254,6 +300,7 @@ BUG FIXES:
 * Fix issue with firewall failing to deploy on a new TRE deploy ([#3775](https://github.com/microsoft/AzureTRE/issues/3775))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -303,6 +350,7 @@ BUG FIXES:
 * Airlock Import Review workspace uses dedicated DNS zone to prevent conflict with core ([#3767](https://github.com/microsoft/AzureTRE/pull/3767))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -345,6 +393,7 @@ BUG FIXES:
 * Fix workspace not loading fails if operation or history roles are not loaded  ([#3755](https://github.com/microsoft/AzureTRE/issues/3755))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -383,6 +432,7 @@ BUG FIXES:
 * SecuredByRole failing if roles are null ([#3740](https://github.com/microsoft/AzureTRE/issues/3740  ))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -432,6 +482,7 @@ BUG FIXES:
 * Fix issue with cost tags not displaying correctly for some user roles ([#3721](https://github.com/microsoft/AzureTRE/issues/3721))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -468,6 +519,7 @@ BUG FIXES:
 * Fix firewall config related to Nexus so that `pypi.org` is added to the allow-list  ([#3694](https://github.com/microsoft/AzureTRE/issues/3694))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -517,6 +569,7 @@ BUG FIXES:
 * Added missing region entries in `databricks-udr.json` ([[#3688](https://github.com/microsoft/AzureTRE/pull/3688))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -556,6 +609,7 @@ BUG FIXES:
 * Upgrade airlock and unrestricted workspaces to base workspace version 0.12.0 ([#3659](https://github.com/microsoft/AzureTRE/pull/3659))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -615,6 +669,7 @@ BUG FIXES:
 
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -656,6 +711,7 @@ BUG FIXES:
 * Nexus fails to install due to `az login` and firewall rules ([#3453](https://github.com/microsoft/AzureTRE/issues/3453))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -858,6 +914,7 @@ BUG FIXES:
 * Fix KeyVault purge error on MLFlow uninstall ([#3082](https://github.com/microsoft/AzureTRE/pull/3082))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.4 |
@@ -934,6 +991,7 @@ BUG FIXES:
 * Handle 429 TooManyRequests and 503 ServiceUnavailable which might return from Azure Cost Management in TRE Cost API ([#2835](https://github.com/microsoft/AzureTRE/issues/2835))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.2 |
@@ -981,6 +1039,7 @@ BUG FIXES:
 * Fix issues with AML workspace service deployment ([#2768](https://github.com/microsoft/AzureTRE/pull/2768))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.2 |

diff --git a/airlock_processor/BlobCreatedTrigger/function.json b/airlock_processor/BlobCreatedTrigger/function.json
@@ -8,7 +8,9 @@
       "direction": "in",
       "topicName": "%BLOB_CREATED_TOPIC_NAME%",
       "subscriptionName": "%TOPIC_SUBSCRIPTION_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     },
     {
       "type": "eventGrid",

diff --git a/airlock_processor/DataDeletionTrigger/function.json b/airlock_processor/DataDeletionTrigger/function.json
@@ -7,7 +7,9 @@
       "type": "serviceBusTrigger",
       "direction": "in",
       "queueName": "%AIRLOCK_DATA_DELETION_QUEUE_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     }
   ]
 }
diff --git a/airlock_processor/ScanResultTrigger/function.json b/airlock_processor/ScanResultTrigger/function.json
@@ -7,7 +7,9 @@
       "type": "serviceBusTrigger",
       "direction": "in",
       "queueName": "%AIRLOCK_SCAN_RESULT_QUEUE_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     },
     {
       "type": "eventGrid",

diff --git a/airlock_processor/StatusChangedQueueTrigger/function.json b/airlock_processor/StatusChangedQueueTrigger/function.json
@@ -6,7 +6,9 @@
       "type": "serviceBusTrigger",
       "direction": "in",
       "queueName": "%AIRLOCK_STATUS_CHANGED_QUEUE_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     },
     {
       "type": "eventGrid",

diff --git a/airlock_processor/_version.py b/airlock_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.1"
+__version__ = "0.8.2"
diff --git a/airlock_processor/host.json b/airlock_processor/host.json
@@ -8,7 +8,7 @@
       }
     }
   },
-  "extensionBundle": {
+"extensionBundle": {
     "id": "Microsoft.Azure.Functions.ExtensionBundle",
     "version": "[4.0.0, 5.0.0)"
   }

diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -66,21 +66,32 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
   }
 
   app_settings = {
-    "SB_CONNECTION_STRING"                = var.airlock_servicebus.default_primary_connection_string
-    "BLOB_CREATED_TOPIC_NAME"             = azurerm_servicebus_topic.blob_created.name
-    "TOPIC_SUBSCRIPTION_NAME"             = azurerm_servicebus_subscription.airlock_processor.name
-    "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
-    "AIRLOCK_STATUS_CHANGED_QUEUE_NAME"   = local.status_changed_queue_name
-    "AIRLOCK_SCAN_RESULT_QUEUE_NAME"      = local.scan_result_queue_name
-    "AIRLOCK_DATA_DELETION_QUEUE_NAME"    = local.data_deletion_queue_name
-    "ENABLE_MALWARE_SCANNING"             = var.enable_malware_scanning
-    "ARM_ENVIRONMENT"                     = var.arm_environment
-    "MANAGED_IDENTITY_CLIENT_ID"          = azurerm_user_assigned_identity.airlock_id.client_id
-    "TRE_ID"                              = var.tre_id
-    "WEBSITE_CONTENTOVERVNET"             = 1
-    "STORAGE_ENDPOINT_SUFFIX"             = module.terraform_azurerm_environment_configuration.storage_suffix
-    "AzureWebJobsStorage__clientId"       = azurerm_user_assigned_identity.airlock_id.client_id
-    "AzureWebJobsStorage__credential"     = "managedidentity"
+    "SERVICEBUS_CONNECTION_NAME"                              = local.servicebus_connection
+    "${local.servicebus_connection}__tenantId"                = azurerm_user_assigned_identity.airlock_id.tenant_id
+    "${local.servicebus_connection}__clientId"                = azurerm_user_assigned_identity.airlock_id.client_id
+    "${local.servicebus_connection}__credential"              = "managedidentity"
+    "${local.servicebus_connection}__fullyQualifiedNamespace" = var.airlock_servicebus_fqdn
+
+    "BLOB_CREATED_TOPIC_NAME"                    = azurerm_servicebus_topic.blob_created.name
+    "TOPIC_SUBSCRIPTION_NAME"                    = azurerm_servicebus_subscription.airlock_processor.name
+    "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING"   = azurerm_eventgrid_topic.step_result.endpoint
+    "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING"   = azurerm_eventgrid_topic.step_result.primary_access_key
+    "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
+    "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
+    "WEBSITES_ENABLE_APP_SERVICE_STORAGE"        = false
+    "AIRLOCK_STATUS_CHANGED_QUEUE_NAME"          = local.status_changed_queue_name
+    "AIRLOCK_SCAN_RESULT_QUEUE_NAME"             = local.scan_result_queue_name
+    "AIRLOCK_DATA_DELETION_QUEUE_NAME"           = local.data_deletion_queue_name
+    "ENABLE_MALWARE_SCANNING"                    = var.enable_malware_scanning
+    "ARM_ENVIRONMENT"                            = var.arm_environment
+    "MANAGED_IDENTITY_CLIENT_ID"                 = azurerm_user_assigned_identity.airlock_id.client_id
+    "TRE_ID"                                     = var.tre_id
+    "WEBSITE_CONTENTOVERVNET"                    = 1
+    "STORAGE_ENDPOINT_SUFFIX"                    = module.terraform_azurerm_environment_configuration.storage_suffix
+
+    "TOPIC_SUBSCRIPTION_NAME"         = azurerm_servicebus_subscription.airlock_processor.name
+    "AzureWebJobsStorage__clientId"   = azurerm_user_assigned_identity.airlock_id.client_id
+    "AzureWebJobsStorage__credential" = "managedidentity"
 
     "EVENT_GRID_STEP_RESULT_CONNECTION"                           = local.step_result_eventgrid_connection
     "${local.step_result_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.step_result.endpoint

diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
@@ -61,6 +61,7 @@ locals {
     azurerm_storage_account.sa_export_approved.id
   ]
 
+  servicebus_connection              = "SERVICEBUS_CONNECTION"
   step_result_eventgrid_connection   = "EVENT_GRID_STEP_RESULT_CONNECTION"
   data_deletion_eventgrid_connection = "EVENT_GRID_DATA_DELETION_CONNECTION"
 }
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
@@ -62,6 +62,9 @@ variable "airlock_servicebus" {
     default_primary_connection_string = string
   })
 }
+variable "airlock_servicebus_fqdn" {
+  type = string
+}
 variable "tre_core_tags" {
   type = map(string)
 }

diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -132,6 +132,7 @@ module "airlock_resources" {
   airlock_app_service_plan_sku          = var.core_app_service_plan_sku
   airlock_processor_subnet_id           = module.network.airlock_processor_subnet_id
   airlock_servicebus                    = azurerm_servicebus_namespace.sb
+  airlock_servicebus_fqdn               = azurerm_servicebus_namespace.sb.endpoint
   applicationinsights_connection_string = module.azure_monitor.app_insights_connection_string
   enable_malware_scanning               = var.enable_airlock_malware_scanning
   arm_environment                       = var.arm_environment

diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
@@ -5,6 +5,7 @@ resource "azurerm_servicebus_namespace" "sb" {
   sku                          = "Premium"
   premium_messaging_partitions = "1"
   capacity                     = "1"
+  local_auth_enabled           = false
   tags                         = local.tre_core_tags
 
   # Block public access

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.22"
+__version__ = "0.11.23"
diff --git a/docs/tre-developers/release.md b/docs/tre-developers/release.md
@@ -21,6 +21,7 @@ The process follows these steps:
    5. Include a final line with a link to the full changelog similar to this:
    <!-- markdownlint-disable-next-line MD034 -->
       **Full Changelog**: https://github.com/microsoft/AzureTRE/compare/v0.9.1...v0.9.2
+
 7. Update [AzureTRE-Deployment](https://github.com/microsoft/AzureTRE-Deployment). The procedure may vary depending on the level of changes introduced in the new version but should include the following steps:
    1. Update the tag used in [devcontainer.json](https://github.com/microsoft/AzureTRE-Deployment/blob/main/.devcontainer/devcontainer.json).
    2. Rebuild the container.