From 4926593e7832e7a9e8b3d437745b87e50441918d Mon Sep 17 00:00:00 2001 
From: tim-allen-ck Date: Tue, 7 May 2024 16:41:40 +0100 Subject: [PATCH] Squashed commit of the following: commit e66cd8206e51c1af615b84e0c56bdcf8b92988f2 Author: tim-allen-ck Date: Tue May 7 16:35:57 2024 +0100 squash commits commit 933e1603bb45a45a4edb6933d3af4596cb2c2593 Author: tim-allen-ck Date: Thu Apr 4 15:54:39 2024 +0100 update BRANCH_LAST_ACTIVITY_IN_HOURS_FOR_STOP: 8 commit 379e93c05f6b99bb9b2222755e5d9346e0a169b1 Author: tim-allen-ck Date: Thu Apr 4 15:52:25 2024 +0100 update commit 161880fad5234823f8522e9d7632f53b88d4d8e8 Author: Tim Allen Date: Tue Apr 2 09:38:19 2024 +0100 Update clean_validation_envs.yml commit 79080439ebebf1d8fb2d453cae6c3590e3e46d05 Author: tim-allen-ck Date: Tue May 7 16:32:15 2024 +0100 update changelog commit 76466e407dd773bdafc5ad6c56f4ad75814c3a9c Author: tim-allen-ck Date: Tue May 7 16:28:55 2024 +0100 update changelog commit 9b3b98e07da0264543ccc456c0328cb348bd01da Author: tim-allen-ck Date: Fri Apr 12 09:27:52 2024 +0100 changelog update commit d199c777bf5a2c908c6532e11517579562888b6c Author: Tim Allen Date: Fri Apr 12 09:01:26 2024 +0100 Update Resource processor Ubuntu Image (#3902) * Update clean_validation_envs.yml * update * update BRANCH_LAST_ACTIVITY_IN_HOURS_FOR_STOP: 8 * update core resource processor image * remove clean env * update version * update changelog commit c4d84045ed8eba4cfc192caca19adcec3dc063d1 Author: tim-allen-ck Date: Thu Apr 11 12:18:36 2024 +0100 update readme and changelog commit 81dd79b35d2d4319d87f341a51d907702599daaf Author: tim-allen-ck Date: Thu Apr 11 12:18:36 2024 +0100 update readme and changelog commit 8cecc55e38b434cd2451b99d1bd2272083edc45d Author: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Tue Apr 2 09:23:37 2024 +0100 Ubuntu update (#1) * personal * update ubuntu image * revert changes * update ubuntu version * update version * update offer * update sku * change offer --------- Co-authored-by: Wojciech 
<57405495+thewbuk@users.noreply.github.com> commit 49813bf08b0188ad3f77b1a3d5384799f9e09568 Author: Jonny Rylands Date: Wed May 1 18:22:19 2024 +0100 Remove TLS1.0/1.1 support. Resolves #3914 (#3916) commit a094c19d5708b064628f06ed7f09016fa654f733 Author: tim-allen-ck Date: Tue May 7 16:12:53 2024 +0100 doc update commit 004a9c0a15e91e1fdc08acf6a3d41b2fe88d52cd Author: tim-allen-ck Date: Tue May 7 10:27:09 2024 +0100 update script commit 8044fb7c24178bd91d3cc05d1a8aaef81b52f4d1 Author: tim-allen-ck Date: Wed May 1 15:19:48 2024 +0100 update commit 218aa8bdb3a8701d2bd266f249b5467a5a599994 Author: tim-allen-ck Date: Wed May 1 15:19:40 2024 +0100 update commit 0ac060f9829df37738c9794f7af22f77d0aa4786 Author: tim-allen-ck Date: Tue Apr 30 15:44:47 2024 +0100 update commit 0486933a37a5e2b5f2354d57a970a8bed9c564f5 Author: tim-allen-ck Date: Tue Apr 30 12:43:46 2024 +0100 update vm config commit c9f0749da41b446b27d9ad3d380cade03a6f5688 Author: tim-allen-ck Date: Mon Apr 29 18:11:50 2024 +0100 Prevent screen timeout commit 7c2db7f5973300312bbfcb6a54dfc77fd4423de9 Author: tim-allen-ck Date: Mon Apr 29 18:09:49 2024 +0100 updates commit 8d6cf1d47966a173f7e65e98c2f6bbe423a824d8 Author: tim-allen-ck Date: Mon Apr 29 17:16:38 2024 +0100 update commit 3ecdec77319417d1346f36dc3dc3975946458f10 Author: tim-allen-ck Date: Mon Apr 29 12:21:28 2024 +0100 update commit eb59085ada8f20ffc4fdc536cca1251166abc909 Author: tim-allen-ck Date: Mon Apr 29 12:19:33 2024 +0100 nexus update commit 915c6bcd464459a7ab81e073cee1ffc2d14f5038 Author: tim-allen-ck Date: Mon Apr 29 10:24:45 2024 +0100 update commit 2345db24f5779921d84dd5d4233e6569ada7e995 Author: tim-allen-ck Date: Mon Apr 29 10:24:36 2024 +0100 update proxy url commit 6b454a37d82c60f22c4ab82e510ac39f43d3d57f Author: tim-allen-ck Date: Mon Apr 29 10:03:44 2024 +0100 update commit 2ce801bddfc1e4eb54633bfdfdc4ee3bd88249f1 Author: tim-allen-ck Date: Mon Apr 29 09:48:20 2024 +0100 add in r studio download commit 
3b83b4c13c6bc5d5c886c0a47f1e897c8cbf65c6 Author: tim-allen-ck Date: Mon Apr 29 09:46:11 2024 +0100 add in snapcraft to nexus commit dfb6b7bae1ac0a585f53c99de85761d64a9b38a5 Author: tim-allen-ck Date: Fri Apr 26 16:55:45 2024 +0100 spelling commit f896ce314a54f85dd3e2246de29f596c312161d1 Author: tim-allen-ck Date: Fri Apr 26 16:08:41 2024 +0100 update version commit fd540af3ffa5392c14f62001d9494bf912b556aa Author: tim-allen-ck Date: Fri Apr 26 16:08:32 2024 +0100 clean up script commit 1f8456f5a001959677435169230a921e79f77f13 Author: tim-allen-ck Date: Fri Apr 26 14:27:31 2024 +0100 update commit 89e65eb693ce2d7a3cc2c8177ace28ba41d46013 Author: tim-allen-ck Date: Fri Apr 26 14:27:23 2024 +0100 update commit ae4cb0475f7affc8174a40431683565706f9112a Author: tim-allen-ck Date: Fri Apr 26 14:22:13 2024 +0100 update commit c33e0330ced874a540e7c1bcc9bfbdadbcdb4799 Author: tim-allen-ck Date: Fri Apr 26 14:10:46 2024 +0100 update commit 2e290e159c3cc62f6941b751876c727cb65c1709 Author: tim-allen-ck Date: Fri Apr 26 14:03:41 2024 +0100 update commit 2c16b604446cdb1f92cd3e202a10e5f62d64fc29 Author: tim-allen-ck Date: Fri Apr 26 13:57:50 2024 +0100 update commit 757d565276d9c88204d3acf4174fedbf9f19c410 Author: tim-allen-ck Date: Fri Apr 26 12:18:28 2024 +0100 update commit 977b487e64b419089e5c7a7361c1c079e1443183 Author: tim-allen-ck Date: Fri Apr 26 11:45:21 2024 +0100 update commit 572c27cbbc70b825170b5b71ea0fe93e5a43fbad Author: tim-allen-ck Date: Fri Apr 26 11:45:12 2024 +0100 update commit dc7a6c522a0874639c25158b3de463a2ec50155b Author: tim-allen-ck Date: Fri Apr 26 11:39:38 2024 +0100 add in extensions commit e46c5bbbac67f710f6f2852a5f8f7191adf93c4a Author: tim-allen-ck Date: Fri Apr 26 11:34:57 2024 +0100 add sleeps commit fa1572001fc79e72e464539ad356c197c7f43bc7 Author: tim-allen-ck Date: Fri Apr 26 11:33:44 2024 +0100 update commit 893cf8daa33a231bb33026602cdc89a4da7a52ce Author: tim-allen-ck Date: Fri Apr 26 10:20:12 2024 +0100 update commit 
42223aa4b81d773e1c08e9a5e270e61668d00eb8 Author: tim-allen-ck Date: Fri Apr 26 10:16:27 2024 +0100 commit commit 0a7b1e87ed65924d3a6319e3fcd523f7e67376f5 Author: tim-allen-ck Date: Fri Apr 26 10:16:19 2024 +0100 update commit 6ce77b00e52add974f4be049043aee2e86c0079a Author: tim-allen-ck Date: Fri Apr 26 09:43:49 2024 +0100 update commit f1d68da0cdcf8c2e61a6c71c2c625fa21f06e31c Author: tim-allen-ck Date: Thu Apr 25 17:58:40 2024 +0100 update commit 060b6fd5d0e611323047615122950f76188b1f75 Author: tim-allen-ck Date: Thu Apr 25 16:17:09 2024 +0100 vm update commit c4e70942407a5134bd6b7bb04e8a900dc8790787 Author: tim-allen-ck Date: Thu Apr 25 14:20:05 2024 +0100 update commit 760f783fef6b6eaaaff8bb6e0d500723286937c2 Author: tim-allen-ck Date: Tue Apr 23 16:58:05 2024 +0100 update commit 943e07b9d5eb50a6a2925080bdbbd8a457477b9c Author: tim-allen-ck Date: Tue Apr 23 15:16:03 2024 +0100 add in ms download and other apps commit 7a4d250d3b9ed12624b0c7e1481fce93285ba9ff Author: tim-allen-ck Date: Thu Apr 18 09:57:54 2024 +0100 update linux commit 770e4c76dbcb4225cb76fc3d03dd27f8ff03c99c Author: tim-allen-ck Date: Tue Apr 16 15:31:25 2024 +0100 fix linting commit 4354ca0917935d14c282d38ba896a7a90d08f9e8 Author: tim-allen-ck Date: Tue Apr 16 14:06:49 2024 +0100 format commit 6980ecbb832e2e46578953e46b7ab91f57e3a980 Author: tim-allen-ck Date: Mon Apr 15 16:16:50 2024 +0100 update commit a3e5492f79a52eccd634f5591f865e791d07633f Author: tim-allen-ck Date: Mon Apr 15 16:16:38 2024 +0100 update commit f9d9ffcd4ae7f54e88f3e242c2e7fbd22ded53f1 Author: tim-allen-ck Date: Mon Apr 15 14:44:27 2024 +0100 update commit d5a40452e5c226afe78805d9cd9fcb34818da279 Author: tim-allen-ck Date: Mon Apr 15 14:39:17 2024 +0100 update commit aa4713ca58eba12cc3033b66893cb87ff011bd0a Author: tim-allen-ck Date: Mon Apr 15 12:08:41 2024 +0100 update image version commit 2082559750d01e06032396be3c222d100e7671a1 Author: tim-allen-ck Date: Mon Apr 15 09:28:08 2024 +0100 update to gen2 commit 
cd1a4dbf2fdbfda70c493880f3be4fde3a1590d8 Author: tim-allen-ck Date: Fri Apr 12 16:49:59 2024 +0100 update vm config commit eff70504b880de8645e2d5e6ca3db4e849cccb0d Author: tim-allen-ck Date: Fri Apr 12 16:00:41 2024 +0100 edit commit ba9ae5088cdb902953381c9f3909a10d19eca617 Author: tim-allen-ck Date: Fri Apr 12 15:10:09 2024 +0100 update commit 81801f8914d1fae57a024c40d30e74849cb2358f Author: tim-allen-ck Date: Fri Apr 12 14:36:17 2024 +0100 update version commit 86909a3b8a8bbe9b6a6b253761c29d0dd5e7049d Author: tim-allen-ck Date: Fri Apr 12 12:50:34 2024 +0100 vm-config commit c5ce11b550e29c13881bc2ada49c18893ae1c716 Author: tim-allen-ck Date: Fri Apr 12 10:43:48 2024 +0100 update config commit b1bb5c96ba6eb753ae082a4efd45f22b2282f45f Merge: 9a28c420 cb59c992 Author: Tim Allen Date: Fri Apr 12 09:32:38 2024 +0100 Merge branch 'main' into ubuntu-update commit 9a28c42075148a4a58ab2ecde2db3ca1d15b9d3e Author: tim-allen-ck Date: Fri Apr 12 09:31:47 2024 +0100 reset commit 4a2036bc4c897754f91d19824e01505f81f48197 Author: tim-allen-ck Date: Fri Apr 12 09:29:53 2024 +0100 update resource processor commit e1939430b31c13ea1183924c91554100061d162d Author: tim-allen-ck Date: Fri Apr 12 09:27:52 2024 +0100 changelog update commit e8ba5fda9f058b0f94135848f8f898083ecb552d Author: tim-allen-ck Date: Thu Apr 11 12:18:36 2024 +0100 update readme and changelog commit f3b4efb385019cf67acdd2115386d0ce94a16d42 Author: Tim Allen Date: Fri Apr 12 09:01:26 2024 +0100 Update Resource processor Ubuntu Image (#3902) * Update clean_validation_envs.yml * update * update BRANCH_LAST_ACTIVITY_IN_HOURS_FOR_STOP: 8 * update core resource processor image * remove clean env * update version * update changelog commit 85cdb983a17297e853c199c0c0ba1bc06b989c50 Author: tim-allen-ck Date: Thu Apr 11 12:18:36 2024 +0100 update readme and changelog commit b17bfabd8aac12a5ac1709e8dcd973afbd993f21 Author: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Tue Apr 2 09:23:37 2024 
+0100 Ubuntu update (#1) * personal * update ubuntu image * revert changes * update ubuntu version * update version * update offer * update sku * change offer --------- Co-authored-by: Wojciech <57405495+thewbuk@users.noreply.github.com> commit d8fa5d412184c821361b623233c79d3b8f238242 Author: Tim Allen Date: Fri Apr 12 09:01:26 2024 +0100 Update Resource processor Ubuntu Image (#3902) * Update clean_validation_envs.yml * update * update BRANCH_LAST_ACTIVITY_IN_HOURS_FOR_STOP: 8 * update core resource processor image * remove clean env * update version * update changelog commit 5e2cdb52f04d0b4d18dee8f287f2a2e0672cfb7b Author: tim-allen-ck Date: Thu Apr 11 12:18:36 2024 +0100 update readme and changelog commit 9af4f05a2bedfb54b769bc11ef81bbc607680801 Author: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Tue Apr 2 09:23:37 2024 +0100 Ubuntu update (#1) * personal * update ubuntu image * revert changes * update ubuntu version * update version * update offer * update sku * change offer --------- Co-authored-by: Wojciech <57405495+thewbuk@users.noreply.github.com> commit aa4b9487467420435cac009441f19bbb8f265f02 Author: Tim Allen Date: Fri Apr 12 09:01:26 2024 +0100 Update Resource processor Ubuntu Image (#3902) * Update clean_validation_envs.yml * update * update BRANCH_LAST_ACTIVITY_IN_HOURS_FOR_STOP: 8 * update core resource processor image * remove clean env * update version * update changelog commit 39aa2846941ac02dac76ae8b546d58470c018983 Author: tim-allen-ck Date: Fri Apr 12 09:12:48 2024 +0100 resolving comments commit cb59c99233575b096207e6afc288af9da7ee0256 Author: Tim Allen Date: Fri Apr 12 09:01:26 2024 +0100 Update Resource processor Ubuntu Image (#3902) * Update clean_validation_envs.yml * update * update BRANCH_LAST_ACTIVITY_IN_HOURS_FOR_STOP: 8 * update core resource processor image * remove clean env * update version * update changelog commit e06dbcd284b42231261f09d2d9078446119af706 Author: tim-allen-ck Date: Thu Apr 11 
19:57:14 2024 +0100 moby-tini || true commit c08a2b78f600b73ad6e1ea6771f00ceac806897b Author: tim-allen-ck Date: Thu Apr 11 17:02:01 2024 +0100 update version commit 104939002386bb1c70eb22873cc5f00b40facffe Author: tim-allen-ck Date: Thu Apr 11 17:01:21 2024 +0100 remove moby-tini commit ce4dc82ba377fc28ee4f55be2968618a42178347 Author: tim-allen-ck Date: Thu Apr 11 15:53:12 2024 +0100 update version commit 7a43e653d840cc436cc0754aa7bf9493b5222306 Author: tim-allen-ck Date: Thu Apr 11 15:52:58 2024 +0100 update vm config commit 7db0e5fdcb0c2f16224ca86224df96fbe1ad1e76 Author: tim-allen-ck Date: Thu Apr 11 14:46:09 2024 +0100 update ds install_ui: true commit 8ff7f69abeb8e50c3b301b1023a6155d665335da Author: tim-allen-ck Date: Thu Apr 11 14:08:22 2024 +0100 update script commit be7212b684ac32f0df27ea3e3e1198c6d1aeeb5b Author: tim-allen-ck Date: Thu Apr 11 13:40:29 2024 +0100 update version commit 3a30d23cd81eedaefabd5291dcbb2fe0cab526ba Author: tim-allen-ck Date: Thu Apr 11 13:40:18 2024 +0100 ds install_ui: false commit a3d9109ed4736348238b54ad4ceb0be4fa2145d2 Author: tim-allen-ck Date: Thu Apr 11 12:18:36 2024 +0100 update readme and changelog commit 875f2f454ddce9ffbab8e490fc91b25df59789e3 Author: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Tue Apr 2 09:23:37 2024 +0100 Ubuntu update (#1) * personal * update ubuntu image * revert changes * update ubuntu version * update version * update offer * update sku * change offer --------- Co-authored-by: Wojciech <57405495+thewbuk@users.noreply.github.com> commit 9fc272b93a7211867339ba6b9f64a0a88afbba6e Merge: 3a9eecbf bc2f2332 Author: Tim Allen Date: Thu Apr 11 12:12:57 2024 +0100 Merge branch 'main' into ubuntu-update commit 3a9eecbf08be075a14a2875cfa97cd21073b4258 Author: tim-allen-ck Date: Thu Apr 11 12:12:16 2024 +0100 testing commit 3b7522eebb4674fd60c1afdeca40fc60e727b36a Author: tim-allen-ck Date: Thu Apr 11 11:49:49 2024 +0100 version for guac commit 
d75e442ffca717e05abb8a4cf2453ac0691ec59f Author: tim-allen-ck Date: Thu Apr 11 11:34:15 2024 +0100 update to gen2 commit d4a57a331763ce86f57bda17204212a1f0af5633 Author: tim-allen-ck Date: Thu Apr 11 11:28:21 2024 +0100 update Readme for user resources commit af50b399b90dbffca77c1e113ac66c755c5f502d Author: tim-allen-ck Date: Thu Apr 11 11:12:46 2024 +0100 update apt-get commit bc414b75addc05fd5560bfbe14bd9d512e235c9b Author: tim-allen-ck Date: Thu Apr 11 11:07:43 2024 +0100 update config commit bc2f233216727f2586c7e79cdd4ca0a12d4dfbbe Author: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Thu Apr 11 09:50:09 2024 +0100 Update "Azure AD" references to "Microsoft Entra ID" (#3873) * rename Azure AD to Microsoft Entra Workforce ID * update Azure Active Directory to Microsoft Entra Workforce ID * replace * update version * change stale version * update from stale * update version * update readme * Microsoft Entra Workforce ID -> Microsoft Entra ID * AAD -> Microsoft Entra ID * Delete .devcontainer/devcontainer.json * Revert "Delete .devcontainer/devcontainer.json" This reverts commit 5dd6d5c2656c5304bf4adf6bb38e1a20735bbc8a. 
* revert code changes * remove double names * update version * go back version * api update version * revert for linting * revert test linting * fix linting * roll back linting * increase line length * fix linting * fix formatting * fix linting 3 * update urls * update aad urls --------- Co-authored-by: Tim Allen commit a09af34ee572e166f5498825ef98450e3af9ced1 Author: tim-allen-ck Date: Wed Apr 10 16:44:01 2024 +0100 update apt-source-list commit 271c7e0fc3ebc2c108caf99d4669f182cc4a11a6 Author: tim-allen-ck Date: Wed Apr 10 15:57:32 2024 +0100 update pypi source commit 1ea11594ac3efe1f6dfcf49a975ba8b287c329cf Author: tim-allen-ck Date: Wed Apr 10 15:53:40 2024 +0100 update commit d1beb038d67b9f1e0dba1f0be9bfb18bf25e9b38 Author: tim-allen-ck Date: Wed Apr 10 15:51:51 2024 +0100 update commit 9c2211b70ae50930df09ed681e61553728254cb0 Author: tim-allen-ck Date: Wed Apr 10 15:31:17 2024 +0100 update core commit c7ebc5b9330846d5c10ac0194442c3075eeb6c1d Author: tim-allen-ck Date: Wed Apr 10 15:29:00 2024 +0100 update linux vms commit 18df98cfca0445f76378f12c552f97d3353f6954 Author: tim-allen-ck Date: Wed Apr 10 15:27:42 2024 +0100 update version commit 19316a16ee519157748753867b2f5e8d7d553178 Author: tim-allen-ck Date: Wed Apr 10 14:03:08 2024 +0100 update install UI commit 47c81826b5a4902fbf01d86004c422e7bfecd42f Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue Apr 9 19:39:14 2024 +0300 Bump the npm_and_yarn group in /ui/app with 3 updates (#3891) * Bump the npm_and_yarn group in /ui/app with 3 updates Bumps the npm_and_yarn group in /ui/app with 3 updates: [express](https://github.com/expressjs/express), [follow-redirects](https://github.com/follow-redirects/follow-redirects) and [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware). 
Updates `express` from 4.18.3 to 4.19.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](https://github.com/expressjs/express/compare/4.18.3...4.19.2) Updates `follow-redirects` from 1.15.5 to 1.15.6 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.5...v1.15.6) Updates `webpack-dev-middleware` from 5.3.3 to 5.3.4 - [Release notes](https://github.com/webpack/webpack-dev-middleware/releases) - [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md) - [Commits](https://github.com/webpack/webpack-dev-middleware/compare/v5.3.3...v5.3.4) --- updated-dependencies: - dependency-name: express dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: follow-redirects dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: webpack-dev-middleware dependency-type: indirect dependency-group: npm_and_yarn-security-group ... Signed-off-by: dependabot[bot] * update ui version --------- 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tim Allen commit 072cfdc24936ea65194152d6eb5fe39c6485d55c Author: tim-allen-ck Date: Tue Apr 9 17:26:28 2024 +0100 add in microsoft-apt/ubuntu/20.04 to source-list commit 30ecfa2401c2096237c02c336fccd47f90e606ed Author: tim-allen-ck Date: Tue Apr 9 14:55:25 2024 +0100 add in image to enum commit 33d14bee981e529928dcd8d21018555d69a1d9dc Author: tim-allen-ck Date: Tue Apr 9 14:33:52 2024 +0100 update image options commit 7aa64ba948609526b283c8142ab3d2e3d9581bf2 Author: tim-allen-ck Date: Tue Apr 9 12:09:38 2024 +0100 update commit ea63ebfaf4e838cf85988cd2cf53109a1acc35cd Author: Tim Allen Date: Tue Apr 9 06:37:40 2024 +0100 Feature/GitHub actions update (#3897) * Update clean_validation_envs.yml * azure login (#19) Co-authored-by: Wojciech <57405495+thewbuk@users.noreply.github.com> * GitHub actions update (#22) * azure login * reset cron * update action versions --------- Co-authored-by: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> * change conclusion action * add in teams --------- Co-authored-by: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> commit de141651ad9fb9f58e7b78e383edf263eaa549d1 Author: Tim Allen Date: Fri Apr 5 12:42:03 2024 +0100 Documentation Pipeline Fix (#3898) add in permissions to pipeline commit c92494e384362121d489380559e91c46cd6edf82 Merge: 27167496 086be330 Author: Tim Allen Date: Thu Apr 4 16:54:43 2024 +0100 Merge branch 'main' into ubuntu-update commit 27167496ec361294dcfe851bed55a30541594416 Author: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Tue Apr 2 09:23:37 2024 +0100 Ubuntu update (#1) * personal * update ubuntu image * revert changes * update ubuntu version * update version * update offer * update sku * change offer --------- Co-authored-by: Wojciech <57405495+thewbuk@users.noreply.github.com> --- 
.../devcontainer_run_command/action.yml | 2 +- .github/workflows/build_docker_images.yml | 32 ++--- .github/workflows/build_docs.yml | 10 +- .../workflows/build_validation_develop.yml | 4 +- .github/workflows/clean_validation_envs.yml | 4 +- .github/workflows/cli-package.yml | 4 +- .github/workflows/deploy_tre_reusable.yml | 45 ++++--- .github/workflows/flag_external_pr.yml | 4 +- .github/workflows/lets_encrypt.yml | 4 +- .github/workflows/pr_comment_bot.yml | 12 +- CHANGELOG.md | 7 +- README.md | 2 +- api_app/.env.sample | 4 +- api_app/_version.py | 2 +- core/terraform/appgateway/appgateway.tf | 6 + .../resource_processor/vmss_porter/main.tf | 4 +- core/version.txt | 2 +- docs/azure-tre-overview/airlock.md | 2 +- docs/azure-tre-overview/architecture.md | 2 +- .../tre-resources-breakdown.md | 8 +- docs/index.md | 2 +- docs/tre-admins/auth.md | 42 +++--- docs/tre-admins/environment-variables.md | 6 +- docs/tre-admins/identities/api.md | 8 +- .../identities/application_admin.md | 12 +- docs/tre-admins/identities/auth-manual.md | 2 +- docs/tre-admins/identities/client.md | 6 +- docs/tre-admins/identities/test-account.md | 6 +- docs/tre-admins/identities/workspace.md | 8 +- .../setup-instructions/ad-tenant-choices.md | 8 +- .../cicd-pre-deployment-steps.md | 4 +- .../installing-base-workspace.md | 2 +- .../setup-instructions/prerequisites.md | 2 +- .../setup-instructions/setup-auth-entities.md | 6 +- .../ui-install-base-workspace.md | 2 +- .../setup-instructions/workflows.md | 2 +- docs/tre-developers/api.md | 2 +- docs/tre-developers/ui.md | 6 +- docs/tre-templates/shared-services/gitea.md | 2 +- docs/tre-templates/shared-services/nexus.md | 19 ++- docs/tre-templates/user-resources/custom.md | 80 +++++++++++ .../user-resources/guacamole-linux-vm.md | 9 ++ .../tre-templates/workspace-services/gitea.md | 2 +- .../authoring-workspace-templates.md | 4 +- .../local-development/local-development.md | 2 +- e2e_tests/.env.sample | 2 +- e2e_tests/test_performance.py | 2 +- 
.../sonatype-nexus-vm/porter.yaml | 2 +- .../scripts/nexus_realms_config.json | 5 +- .../microsoft_download_conf.json | 32 +++++ .../r_studio_download_conf.json | 32 +++++ .../nexus_repos_config/snapcraft_conf.json | 32 +++++ .../sonatype-nexus-vm/terraform/locals.tf | 2 +- .../sonatype-nexus-vm/terraform/vm.tf | 3 +- .../guacamole/user_resources/README.md | 30 +++-- .../guacamole-azure-linuxvm/porter.yaml | 19 +-- .../template_schema.json | 3 +- .../terraform/apt_sources_config.yml | 4 +- .../terraform/get_apt_keys.sh | 4 + .../terraform/linuxvm.tf | 3 + .../terraform/locals.tf | 2 +- .../terraform/pypi_sources_config.sh | 2 +- .../terraform/vm_config.sh | 125 +++++++++++++++--- .../terraform/vm_config_byoi.sh | 78 +++++++++++ .../airlock-import-review/.env.sample | 4 +- templates/workspaces/base/.env.sample | 4 +- templates/workspaces/unrestricted/.env.sample | 4 +- ui/README.md | 2 +- ui/app/package.json | 2 +- ui/app/yarn.lock | 28 ++-- 70 files changed, 619 insertions(+), 211 deletions(-) create mode 100644 docs/tre-templates/user-resources/custom.md create mode 100644 templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/microsoft_download_conf.json create mode 100644 templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/r_studio_download_conf.json create mode 100644 templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/snapcraft_conf.json create mode 100644 templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config_byoi.sh diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml index f403c60083..d39dada904 100644 --- a/.github/actions/devcontainer_run_command/action.yml +++ b/.github/actions/devcontainer_run_command/action.yml 
@@ -132,7 +132,7 @@ runs: echo "AZURE_ENVIRONMENT=$azure_env" >> $GITHUB_ENV - name: Azure Login - uses: azure/login@v1 + uses: azure/login@v2 if: contains(inputs.COMMAND, 'bootstrap') != true with: creds: ${{ inputs.AZURE_CREDENTIALS }} diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml index 32511b64bc..f43117e608 100644 --- a/.github/workflows/build_docker_images.yml +++ b/.github/workflows/build_docker_images.yml @@ -21,18 +21,18 @@ jobs: steps: - name: Upload Event File # this step is required to publish test results from forks - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: Event File path: ${{ github.event_path }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false - name: Filter changes - uses: dorny/paths-filter@v2 + uses: dorny/paths-filter@v3 id: filter with: filters: | @@ -93,7 +93,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 # Unit Tests are executed by calling the 'test-results' target in the # Dockerfile's. Test runner exit codes must be swallowed (and kept) so we @@ -105,7 +105,7 @@ jobs: if: | (steps.filter.outputs.api == 'true' || github.event_name == 'workflow_dispatch') - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./api_app/ file: ./api_app/Dockerfile @@ -116,7 +116,7 @@ jobs: - name: "Check pytest failure file existence" id: check_api_test_result - uses: andstor/file-existence-action@v2 + uses: andstor/file-existence-action@v3 with: files: "test-results/pytest_api_unit_failed" @@ -125,7 +125,7 @@ jobs: (steps.filter.outputs.api == 'true' || github.event_name == 'workflow_dispatch') && steps.check_api_test_result.outputs.files_exists == 'false' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./api_app/ file: ./api_app/Dockerfile 
@@ -136,7 +136,7 @@ jobs: if: | (steps.filter.outputs.resource_processor == 'true' || github.event_name == 'workflow_dispatch') - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./resource_processor file: ./resource_processor/vmss_porter/Dockerfile @@ -147,7 +147,7 @@ jobs: if: | (steps.filter.outputs.guacamole_server == 'true' || github.event_name == 'workflow_dispatch') - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./templates/workspace_services/guacamole/guacamole-server file: ./templates/workspace_services/guacamole/guacamole-server/docker/Dockerfile @@ -158,7 +158,7 @@ jobs: - name: "Check maven failure file existence" id: check_maven_test_result - uses: andstor/file-existence-action@v2 + uses: andstor/file-existence-action@v3 with: files: "test-results/guacamole_package_failed" @@ -167,7 +167,7 @@ jobs: (steps.filter.outputs.guacamole_server == 'true' || github.event_name == 'workflow_dispatch') && steps.check_maven_test_result.outputs.files_exists == 'false' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./templates/workspace_services/guacamole/guacamole-server file: ./templates/workspace_services/guacamole/guacamole-server/docker/Dockerfile @@ -178,7 +178,7 @@ jobs: if: | (steps.filter.outputs.gitea == 'true' || github.event_name == 'workflow_dispatch') - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./templates/shared_services/gitea/docker file: ./templates/shared_services/gitea/docker/Dockerfile @@ -195,7 +195,7 @@ jobs: if: | (steps.filter.outputs.airlock_processor == 'true' || github.event_name == 'workflow_dispatch') - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./airlock_processor/ file: ./airlock_processor/Dockerfile 
@@ -206,7 +206,7 @@ jobs: - name: "Check pytest failure file existence" id: check_airlock_processor_test_result - uses: andstor/file-existence-action@v2 + uses: andstor/file-existence-action@v3 with: files: "test-results/pytest_airlock_processor_unit_failed" @@ -215,7 +215,7 @@ jobs: (steps.filter.outputs.airlock_processor == 'true' || github.event_name == 'workflow_dispatch') && steps.check_airlock_processor_test_result.outputs.files_exists == 'false' - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: ./airlock_processor/ file: ./airlock_processor/Dockerfile @@ -224,7 +224,7 @@ jobs: - name: Upload Unit Test Results if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: test-results path: test-results diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml index 8cbfc132a7..042f52ddf3 100644 --- a/.github/workflows/build_docs.yml +++ b/.github/workflows/build_docs.yml @@ -6,7 +6,7 @@ on: types: [published] push: paths: - - 'docs/**' + - "docs/**" - mkdocs.yml branches: - main @@ -14,20 +14,22 @@ jobs: deploy: name: Deploy Documentation runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout main - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 persist-credentials: true - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: 3.x - name: Install Dependencies run: | pip install -r docs/requirements.txt - name: Configure Git User - # Required by mike for the commit it does to the gh-pages branch + # Required by mike for the commit it does to the gh-pages branch run: | git config user.name "ci-docs" git config user.email "ci-docs@dummy.com" diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index b1f1b563bc..cd93a8cd48 100644 --- a/.github/workflows/build_validation_develop.yml 
+++ b/.github/workflows/build_validation_develop.yml @@ -19,14 +19,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: # Full git history is needed to get a proper list of # changed files within `super-linter` fetch-depth: 0 persist-credentials: false - - uses: dorny/paths-filter@v2 + - uses: dorny/paths-filter@v3 id: filter with: filters: | diff --git a/.github/workflows/clean_validation_envs.yml b/.github/workflows/clean_validation_envs.yml index a784a570aa..332afd50b4 100644 --- a/.github/workflows/clean_validation_envs.yml +++ b/.github/workflows/clean_validation_envs.yml @@ -14,14 +14,14 @@ jobs: environment: CICD timeout-minutes: 30 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: # This is CRITICAL since we're making decisions based on branch existence fetch-depth: 0 persist-credentials: false - name: Azure Login - uses: azure/login@v1 + uses: azure/login@v2 with: creds: ${{ secrets.AZURE_CREDENTIALS }} environment: ${{ (secrets.AZURE_ENVIRONMENT != '' && secrets.AZURE_ENVIRONMENT) || 'AzureCloud' }} diff --git a/.github/workflows/cli-package.yml b/.github/workflows/cli-package.yml index 862057d824..ee05e2c9ba 100644 --- a/.github/workflows/cli-package.yml +++ b/.github/workflows/cli-package.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout (GitHub) - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build and run dev container task uses: ./.github/actions/devcontainer_run_command @@ -50,7 +50,7 @@ jobs: AZURE_ENVIRONMENT: ${{ secrets.AZURE_ENVIRONMENT }} - name: Upload Wheel as artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: tre-cli path: dist/tre-*.whl diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml index 31d9e03b39..9a2f986f97 100644 --- a/.github/workflows/deploy_tre_reusable.yml +++ b/.github/workflows/deploy_tre_reusable.yml 
@@ -185,7 +185,7 @@ jobs: details_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -193,10 +193,10 @@ jobs: ref: ${{ inputs.prRef }} - name: Set up Docker BuildKit - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Azure Login - uses: azure/login@v1 + uses: azure/login@v2 with: creds: ${{ secrets.AZURE_CREDENTIALS }} environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} @@ -274,7 +274,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -298,7 +298,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -322,7 +322,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -408,7 +408,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -454,7 +454,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) 
@@ -500,7 +500,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -560,7 +560,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -609,7 +609,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -643,7 +643,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -692,7 +692,7 @@ jobs: environment: ${{ inputs.environmentName }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -723,7 +723,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -752,7 +752,7 @@ jobs: - name: Upload Test Results if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: E2E Test (Smoke) Results path: "./e2e_tests/pytest_e2e_smoke.xml" 
@@ -766,7 +766,7 @@ jobs: timeout-minutes: 300 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # if the following values are missing (i.e. not triggered via comment workflow) @@ -796,7 +796,7 @@ jobs: - name: Upload Test Results if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: E2E Test Results path: "./e2e_tests/pytest_e2e_custom.xml" @@ -811,8 +811,11 @@ jobs: if: always() environment: ${{ inputs.environmentName }} steps: - - uses: technote-space/workflow-conclusion-action@v3 - + # - uses: technote-space/workflow-conclusion-action@v3 (removed due to archived repo and deprecated node.js version) + - uses: im-open/workflow-conclusion@v2.2.2 + id: conclusion + with: + github-token: ${{ secrets.GITHUB_TOKEN }} # For PR builds triggered from comment builds, the GITHUB_REF is set to main # so the checks aren't automatically associated with the PR # If prHeadSha is specified then explicity mark the checks for that SHA @@ -845,12 +848,12 @@ jobs: timezone: Europe/Zurich - name: Download Artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: path: artifacts - name: Publish E2E Test Results - uses: EnricoMi/publish-unit-test-result-action@v2 + uses: EnricoMi/publish-unit-test-result-action@v2.16.1 with: junit_files: "artifacts/**/*.xml" check_name: "E2E Test Results" diff --git a/.github/workflows/flag_external_pr.yml b/.github/workflows/flag_external_pr.yml index 8e1ac68996..45206688ad 100644 --- a/.github/workflows/flag_external_pr.yml +++ b/.github/workflows/flag_external_pr.yml 
@@ -15,13 +15,13 @@ jobs: steps: # Ensure we have the script file for the github-script action to use - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false - id: check_command name: Check for a command using GitHub script - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: result-encoding: string script: | diff --git a/.github/workflows/lets_encrypt.yml b/.github/workflows/lets_encrypt.yml index 768ca0619a..d0f00e1dd0 100644 --- a/.github/workflows/lets_encrypt.yml +++ b/.github/workflows/lets_encrypt.yml @@ -23,12 +23,12 @@ jobs: environment: CICD steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false - name: Install Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@v3 with: terraform_version: 1.2.9 terraform_wrapper: false diff --git a/.github/workflows/pr_comment_bot.yml b/.github/workflows/pr_comment_bot.yml index 40457ed99e..cfc14dc739 100644 --- a/.github/workflows/pr_comment_bot.yml +++ b/.github/workflows/pr_comment_bot.yml @@ -32,14 +32,14 @@ jobs: steps: # Ensure we have the script file for the github-script action to use - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # Determine whether the comment is a command - id: check_command name: Check for a command using GitHub script - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: script: | const script = require('./.github/scripts/build.js') @@ -79,13 +79,13 @@ jobs: steps: # Ensure we have the script files - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # Perform az login for destroy env script to be able to run - name: Azure Login - uses: azure/login@v1 + uses: azure/login@v2 with: creds: ${{ secrets.AZURE_CREDENTIALS }} environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} 
@@ -115,13 +115,13 @@ jobs: steps: # Ensure we have the script files - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false # Perform az login for destroy env script to be able to run - name: Azure Login - uses: azure/login@v1 + uses: azure/login@v2 with: creds: ${{ secrets.AZURE_CREDENTIALS }} environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 61bac4fa19..f5ac393f6a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,12 @@ FEATURES: ENHANCEMENTS: BUG FIXES: - +* Update Guacomole Linux VM Images to Ubuntu 22.04 LTS. Part of ([#3523](https://github.com/microsoft/AzureTRE/issues/3523)) +* Update Nexus Shared Service with new proxys. Part of ([#3523](https://github.com/microsoft/AzureTRE/issues/3523)) +* Update to Resource Processor Image, now using Ubuntu 22.04 (jammy). Part of ([#3523](https://github.com/microsoft/AzureTRE/issues/3523)) +* Remove TLS1.0/1.1 support from Application Gateway ([#3914](https://github.com/microsoft/AzureTRE/issues/3914)) +* GitHub Actions version updates. ([#3847](https://github.com/microsoft/AzureTRE/issues/3847)) + COMPONENTS: ## 0.17.0 diff --git a/README.md b/README.md index 4bcb9bcc3e..2fbbb0b2b5 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Core features include: - Self-service provisioning of research tooling for research teams - Package and repository mirroring - PyPi, R-CRAN, Apt and more. - Extensible architecture - build your own service templates as required -- Azure Active Directory integration +- Microsoft Entra ID integration - Airlock - import and export - Cost reporting - Ready to workspace templates including: diff --git a/api_app/.env.sample b/api_app/.env.sample index acc5a0056f..0cf370e342 100644 --- a/api_app/.env.sample +++ b/api_app/.env.sample 
@@ -4,7 +4,7 @@ # LOGGING_LEVEL can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL LOGGING_LEVEL="INFO" -# OAUTH information - client ids etc. for the AAD Apps +# OAUTH information - client ids etc. for the Microsoft Entra ID Apps # ---------------------------------------------------- # The AppId for the API service principal (TRE API) API_CLIENT_ID=__CHANGE_ME__ @@ -12,7 +12,7 @@ API_CLIENT_ID=__CHANGE_ME__ API_CLIENT_SECRET=__CHANGE_ME__ # The AppId for the Swagger service principal (TRE Swagger UI) SWAGGER_UI_CLIENT_ID=__CHANGE_ME__ -# The Azure AD tenant +# The Microsoft Entra Workforce tenant AAD_TENANT_ID=__CHANGE_ME__ # API parameters diff --git a/api_app/_version.py b/api_app/_version.py index 391a39001a..bcea63d014 100644 --- a/api_app/_version.py +++ b/api_app/_version.py @@ -1 +1 @@ -__version__ = "0.18.5" +__version__ = "0.18.6" diff --git a/core/terraform/appgateway/appgateway.tf b/core/terraform/appgateway/appgateway.tf index c3c573c8ae..6f743fbe6b 100644 --- a/core/terraform/appgateway/appgateway.tf +++ b/core/terraform/appgateway/appgateway.tf @@ -65,6 +65,12 @@ resource "azurerm_application_gateway" "agw" { key_vault_secret_id = azurerm_key_vault_certificate.tlscert.secret_id } + # SSL policy + ssl_policy { + policy_type = "Predefined" + policy_name = "AppGwSslPolicy20220101" + } + # Backend pool with the static website in storage account. backend_address_pool { name = local.staticweb_backend_pool_name diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf index a9599527d2..a361a42faa 100644 --- a/core/terraform/resource_processor/vmss_porter/main.tf +++ b/core/terraform/resource_processor/vmss_porter/main.tf @@ -107,8 +107,8 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" { source_image_reference { publisher = "Canonical" - offer = "UbuntuServer" - sku = "18.04-LTS" + offer = "0001-com-ubuntu-server-jammy" + sku = "22_04-lts" version = "latest" } 
diff --git a/core/version.txt b/core/version.txt index 50533e307d..88081a7269 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.9.6" +__version__ = "0.9.9" diff --git a/docs/azure-tre-overview/airlock.md b/docs/azure-tre-overview/airlock.md index 791b024e71..91b50ee77c 100644 --- a/docs/azure-tre-overview/airlock.md +++ b/docs/azure-tre-overview/airlock.md @@ -117,7 +117,7 @@ Whenever the airlock process changes to a state of **Draft**, **Submitted**, **A When the state changes to `In-progress` the Workspace Owner (Airlock Manager) gets notified. > * The Notification mechanism is also data-driven, allowing an organization to extend the notifications behavior. The mechanism is exemplified with a Logic App determining the notifications logic. -> * Notifications will work with All TRE users being AAD users (guests or not), with email defined – if not, notifications will not be sent. +> * Notifications will work with All TRE users being Microsoft Entra ID users (guests or not), with email defined – if not, notifications will not be sent. ## Architecture diff --git a/docs/azure-tre-overview/architecture.md b/docs/azure-tre-overview/architecture.md index 89abf8f147..33a18718b3 100644 --- a/docs/azure-tre-overview/architecture.md +++ b/docs/azure-tre-overview/architecture.md @@ -8,7 +8,7 @@ All traffic has to be explicitly allowed by the Application Gateway or the Firew [![Architecture overview](../assets/archtecture-overview.png)](../assets/archtecture-overview.png) -The Azure resources outside the network boundries of the Azure TRE are Azure Active Directory, Microsoft Graph and TRE Management. TRE Management are resources used during deployment. +The Azure resources outside the network boundries of the Azure TRE are Microsoft Entra ID, Microsoft Graph and TRE Management. TRE Management are resources used during deployment. The Azure TRE core plane consists of two groups of components: 
diff --git a/docs/azure-tre-overview/tre-resources-breakdown.md b/docs/azure-tre-overview/tre-resources-breakdown.md index cb2272a6bb..b4f6a329e9 100644 --- a/docs/azure-tre-overview/tre-resources-breakdown.md +++ b/docs/azure-tre-overview/tre-resources-breakdown.md 
@@ -36,10 +36,10 @@ Once an Azure TRE has been [provisioned](../../tre-admins/setup-instructions/pre | fw-dsk-{TRE_ID} | Azure Firewall | [Azure TRE Firewall](../networking) restricts external outbound traffic from all TRE resources | [Azure Firewall](https://docs.microsoft.com/en-us/azure/firewall/overview) | kv-{TRE_ID} | Azure Key Vault | Management of TRE secrets & certificates | [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/general/overview) | log-{TRE_ID} | Log Analytics Workspace | Azure Monitor Logs store for all TRE resources | [Log Analytics](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces) -| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) -| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) -| id-gitea-{TRE_ID} | Managed Identity | User-managed identity for TRE Gitea App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) -| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) +| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) +| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) +| id-gitea-{TRE_ID} | Managed Identity | 
User-managed identity for TRE Gitea App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) +| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) | sb-{TRE_ID} | Service Bus Namespace | Messaging for TRE API | [Service Bus](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview) | stappinsights{TRE_ID} | Storage Account | Storage for TRE Application Insights telemetry logs | [Storage Blobs](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview) | stg{TRE_ID} | Storage Account | Files shares for TRE services such as Gitea, Nexus | [Storage Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction) diff --git a/docs/index.md b/docs/index.md index 5398470069..daa36b31fb 100644 --- a/docs/index.md +++ b/docs/index.md @@ -20,7 +20,7 @@ Core features include: - Self-service for research teams – research tooling creation and administration - Package and repository mirroring - Extensible architecture - build your own service templates as required -- Azure Active Directory integration +- Microsoft Entra ID integration - Airlock - Cost reporting - Ready to workspace templates including: diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index ffbad4846a..3cff5e5a90 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -1,21 +1,21 @@ # Introduction to Authentication and Authorization -[Azure Active Directory (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. +[Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. -It is common that the Azure Administrator is not necessarily the Azure Active Directory Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. +It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. This page describes the automated Auth setup for TRE. ## Pre-requisites -The automation utilises a `make` command, which reads a few environment variables and creates the AAD assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`) +The automation utilises a `make` command, which reads a few environment variables and creates the Microsoft Entra ID assets. The following values are needed to be in place before you run the creation process. 
(`/config.yaml`) | Key | Description | | ----------- | ----------- | |TRE_ID|This is used to build up the name of the identities| -|AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.| -| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). -|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). +|AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.| +| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.| +|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. 
If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).| +|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).| ## Create Authentication assets You can build all of the Identity assets by running the following at the command line @@ -28,8 +28,8 @@ The contents of your authentication section in `config.yaml` file should contain | Variable | Description | | -------- | ----------- | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | 
@@ -38,16 +38,16 @@ The contents of your authentication section in `config.yaml` file should contain | `WORKSPACE_API_CLIENT_ID` | Each workspace is secured behind it's own AD Application| | `WORKSPACE_API_CLIENT_SECRET` | Each workspace is secured behind it's own AD Application. This is the secret for that application.| -### Using a separate Azure Active Directory tenant +### Using a separate Microsoft Entra ID tenant !!! caution - This section is only relevant it you are setting up a separate Azure Active Directory tenant for use. - This is only recommended for development environments when you don't have the required permissions to register applications in Azure Active Directory. - Using a separate Azure Active Directory tenant will prevent you from using certain Azure Active Directory integrated services. - For production deployments, work with your Azure Active Directory administrator to perform the required registration + This section is only relevant it you are setting up a separate Microsoft Entra ID tenant for use. + This is only recommended for development environments when you don't have the required permissions to register applications in Microsoft Entra ID. + Using a separate Microsoft Entra ID tenant will prevent you from using certain Microsoft Entra ID integrated services. + For production deployments, work with your Microsoft Entra ID administrator to perform the required registration -1. Create an Azure Active Directory tenant - To create a new Azure Active Directory tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) +1. Create an Microsoft Entra ID tenant + To create a new Microsoft Entra ID tenant, [follow the steps here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-create-new-tenant) 1. Follow the steps outlined above. `make auth` should logon to the correct tenant. Make sure you logon back to the correct tenant before running `make all`. 
@@ -56,23 +56,23 @@ The contents of your authentication section in `config.yaml` file should contain App registrations (represented by service principals) define the various access permissions to the TRE system. There are a total of five main Applications of interest. -| AAD Application | Description | +| Microsoft Entra ID Application | Description | | ----------- | ----------- | | TRE API application | This is the main application and used to secure access to the [TRE API](../tre-developers/api.md). | | TRE UX | This is the client application that will authenticate to the TRE/Workspace APIs. | -| Application Admin | There are times when workspace services need to update the AAD Application. For example, Guacamole needs to add a redirect URI to the Workspace AAD Application. This identity is used to manage AAD Applications. +| Application Admin | There are times when workspace services need to update the Microsoft Entra ID Application. For example, Guacamole needs to add a redirect URI to the Workspace Microsoft Entra ID Application. This identity is used to manage Microsoft Entra ID Applications. | | Automation App | This application is created so that you can run the tests or any CI/CD capability without the need to divulge a user password. This is particularly important if your tenant is MFA enabled. | | Workspace API | Typically you would have an application securing one or more workspaces that are created by TRE. | -Some of the applications require **admin consent** to allow them to validate users against the AAD. Check the Microsoft Docs on [Configure the admin consent workflow](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests. +Some of the applications require **admin consent** to allow them to validate users against the Microsoft Entra ID. 
Check the Microsoft Docs on [Configure the admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests. -We strongly recommend that you use `make auth` to create the AAD assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app); more information can be found [here](./identities/auth-manual.md). +We strongly recommend that you use `make auth` to create the Microsoft Entra ID assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app); more information can be found [here](./identities/auth-manual.md). ### Enabling users For a user to gain access to the system, they have to: -1. Have an identity in Azure AD +1. Have an identity in Microsoft Entra ID 1. Be linked with an app registration and assigned a role When these requirements are met, the user can sign-in using their credentials and use their privileges to use the API, login to workspace environment etc. based on their specific roles. diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 0b56fd92b2..815251cd84 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md 
@@ -15,7 +15,7 @@ | `ARM_SUBSCRIPTION_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Azure subscription ID for all resources. | | `ARM_CLIENT_ID` | *Optional for manual deployment without logged-in credentials.* The client whose azure identity will be used to deploy the solution. | | `ARM_CLIENT_SECRET` | *Optional for manual deployment without logged-in credentials.* The password of the client defined in `ARM_CLIENT_ID`. | -| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The AAD tenant of the client defined in `ARM_CLIENT_ID`. | +| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Microsoft Entra ID tenant of the client defined in `ARM_CLIENT_ID`. | ## For Azure TRE instance in `/config.yaml` @@ -43,8 +43,8 @@ | Variable | Description | | -------- | ----------- | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | diff --git a/docs/tre-admins/identities/api.md b/docs/tre-admins/identities/api.md index 36aeec5bc3..7dbff00b5c 100644 --- a/docs/tre-admins/identities/api.md 
+++ b/docs/tre-admins/identities/api.md @@ -1,10 +1,10 @@ # The API Identity ## Name -The API Identity is typically called ` API` within the AAD Portal. +The API Identity is typically called ` API` within the Microsoft Entra ID Portal. ## Purpose -This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Azure Active Directory and authorize the various operations. +This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Microsoft Entra ID and authorize the various operations. ## Application Roles @@ -49,7 +49,7 @@ Below is a sample where `TRE_ID` has value `mytre`: | -------- | ----------- | | `--name` | The prefix of the name of the app registrations. `TRE` will give you `TRE API`. | | `--tre-url` | Used to construct auth redirection URLs for the UI and Swagger app. Use the values of the [environment variables](../environment-variables.md) `TRE_ID` and `LOCATION` in the URL. Reply URL for the localhost, `http://localhost:8000/api/docs/oauth2-redirect`, will be added by default. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will grant TREAdmin permission to the Service Principal of the Automation Admin.| | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | 
@@ -60,7 +60,7 @@ Below is a sample where `TRE_ID` has value `mytre`: You can create an automation account which will aid your development flow, if you don't want to do this you can omit the `--automation-clientid` switch. -You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Azure Active Directory tenant) below. +You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Microsoft Entra ID tenant) below. ## Environment Variables | Variable | Description | Location | diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index f64fcdd2d4..f685b67b60 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md @@ -1,7 +1,7 @@ # The Application Administrator Identity ## Purpose -This identity's credentials are stored in the core key vault and are used when you wish to update AAD Applications. For instance, when you add Guacamole as a Workspace Service, you would need to add the URI of the Guacamole Service as a Redirect URI to the Workspace App to complete the login flow. +This identity's credentials are stored in the core key vault and are used when you wish to update Microsoft Entra ID Applications. For instance, when you add Guacamole as a Workspace Service, you would need to add the URI of the Guacamole Service as a Redirect URI to the Workspace App to complete the login flow. ## Application Roles This application does not have any roles defined. 
@@ -9,10 +9,10 @@ This application does not have any roles defined. ## Microsoft Graph Permissions | Name | Type* | Admin consent required | TRE usage | | --- | -- | -----| --------- | -| Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | -| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | -| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | -| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE. | +| Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the Microsoft Entra ID Application. This will be a manual process for the Tenant Admin. | +| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. 
This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | +| Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra ID. This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. | +| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra ID groups. This is requried if Microsoft Entra ID groups are to be created automatically by the TRE. | '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. 
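Review bot: the rewritten `Group.ReadWrite.All` row in the `docs/tre-admins/identities/application_admin.md` Microsoft Graph permissions table still contains the typo "requried" from the `-` line; fix it while the row is being touched. The rows also describe an application permission held by a service principal as "This user has ...", which is misleading for an app-only identity; "This identity has ..." is accurate. Given that `Application.ReadWrite.All` and `Group.ReadWrite.All` are tenant-wide write permissions, it would help readers if the table stated plainly that `Application.ReadWrite.OwnedBy` is the least-privilege default and the other three are opt-in for tenants that delegate administration to the TRE, which is what the individual rows already imply.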
@@ -28,7 +28,7 @@ This user is currently only used from the Porter bundles hosted on the Resource | Argument | Description | | -------- | ----------- | | `--name` | This is used to put a friendly name to the Application that can be seen in the portal. It is typical to use the name of your TRE instance. | -| `--admin-consent` | If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an AAD Admin to consent after you have created the identity. Consent is required for this permission. | +| `--admin-consent` | If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an Microsoft Entra ID Admin to consent after you have created the identity. Consent is required for this permission. | | `--application-permission` | This is a comma seperated list of the permissions that need to be assigned. For exampler `Application.ReadWrite.All,Directory.Read.All,Group.ReadWrite.All` | | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | diff --git a/docs/tre-admins/identities/auth-manual.md b/docs/tre-admins/identities/auth-manual.md index bc55df319f..7c09eca3b9 100644 --- a/docs/tre-admins/identities/auth-manual.md +++ b/docs/tre-admins/identities/auth-manual.md @@ -1,4 +1,4 @@ -# Manually creating AAD identities +# Manually creating Microsoft Entra ID identities This guide is here if you wanted to create these Application Registrations manually. diff --git a/docs/tre-admins/identities/client.md b/docs/tre-admins/identities/client.md index 60e5ef9732..725d3ec3f2 100644 --- a/docs/tre-admins/identities/client.md +++ b/docs/tre-admins/identities/client.md 
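Review bot: in the `--admin-consent` row of the `@@ -28,7 +28,7 @@` hunk in `docs/tre-admins/identities/application_admin.md`, "ask an Microsoft Entra ID Admin" should be "ask a Microsoft Entra ID Admin" (the article was correct for "AAD" and needs changing with the noun). The unchanged `--application-permission` row in the same table has "comma seperated" and "For exampler", which are worth correcting in this pass since the table is already being edited.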
@@ -1,7 +1,7 @@ # TRE Client UX ## Name -The Client Identity is typically called ` UX` within the AAD Portal. +The Client Identity is typically called ` UX` within the Microsoft Entra ID Portal. ## Purpose This identity is used by any public facing client application so that user impersonation can occur to the Core API and any Workspace Applications. @@ -38,9 +38,9 @@ Example on how to run the script: | -------- | ----------- | | `--name` | The prefix of the name of the app registrations. `TRE` will give you `TRE API`. | | `--tre-url` | Used to construct auth redirection URLs for the UI and Swagger app. Use the values of the [environment variables](../environment-variables.md) `TRE_ID` and `LOCATION` in the URL. Reply URL for the localhost, `http://localhost:8000/api/docs/oauth2-redirect`, will be added by default. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will create an application with test users with permission to use the `TRE API` and `TRE Swagger UI` | -| `--reset-password` | Optional, default is 0. This flag has no relevance when creating the UX as there is no password for the AAD Application. | +| `--reset-password` | Optional, default is 0. This flag has no relevance when creating the UX as there is no password for the Microsoft Entra ID Application. | ## Redirect URLs diff --git a/docs/tre-admins/identities/test-account.md b/docs/tre-admins/identities/test-account.md index c913885730..c06a71f412 100644 --- a/docs/tre-admins/identities/test-account.md +++ b/docs/tre-admins/identities/test-account.md 
@@ -1,7 +1,7 @@ # TRE Automation Admin Application ## Name -The Automation Application is typically called ` Automation Admin` within the AAD Portal. +The Automation Application is typically called ` Automation Admin` within the Microsoft Entra ID Portal. ## Purpose This application is used to authorize end-to-end test scenarios. @@ -48,10 +48,10 @@ Example on how to run the script: ### Create this application from the portal (optional) -To create an application registration for automation, open the Azure Active Directory tenant for your TRE in the portal and navigate to "App Registrations". +To create an application registration for automation, open the Microsoft Entra ID tenant for your TRE in the portal and navigate to "App Registrations". Click "New registration" as shown in the image below. -![Screenshot of Azure portal showing "New registration" in Azure Active Directory](../../assets/tre-automation-new-app-registration.png) +![Screenshot of Azure portal showing "New registration" in Microsoft Entra ID](../../assets/tre-automation-new-app-registration.png) Enter a name for the application registration and click "Register". diff --git a/docs/tre-admins/identities/workspace.md b/docs/tre-admins/identities/workspace.md index 6f28293bd6..8bc5b1989a 100644 --- a/docs/tre-admins/identities/workspace.md +++ b/docs/tre-admins/identities/workspace.md @@ -25,7 +25,7 @@ This identity should only be used by the API Application. ## How to create There are two mechanisms for creating Workspace Applications -- Manually by your AAD Tenant Admin (default) +- Manually by your Microsoft Entra ID Tenant Admin (default) - Automatically by TRE. Please see this [guide](./application_admin.md) if you wish this to be automatic. !!! caution 
@@ -46,9 +46,9 @@ Example on how to run the script: | -------- | ----------- | | `--name` | The name of the application. This will be suffixed with 'API' by the script. | | `--ux-clientid` | This value is one of the outputs when you first ran the script. It is mandatory if you use admin-consent. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will grant the Automation App (created in step 1) permission to the new workspace app. | -| `--application-admin-clientid` | This is a required parameter , and should be a client id that will be added to the Owners of the AAD Application so that it can be administered within TRE. | +| `--application-admin-clientid` | This is a required parameter , and should be a client id that will be added to the Owners of the Microsoft Entra ID Application so that it can be administered within TRE. | | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | @@ -64,4 +64,4 @@ If you do not wish to grant the Automation App permission to your workspace, jus |WORKSPACE_API_CLIENT_SECRET|The client secret|`./config.yaml`| ## Comments -When the Workspace AAD app is registered by running `make auth`, the `Workspace Scope Id` is the same as the Client Id. When the Workspace AAD app is created by the base workspace, the `Workspace Scope Id` will be in this format `api://_ws_` +When the Workspace Microsoft Entra ID app is registered by running `make auth`, the `Workspace Scope Id` is the same as the Client Id. When the Workspace Microsoft Entra ID app is created by the base workspace, the `Workspace Scope Id` will be in this format `api://_ws_` 
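Review bot: the `--application-admin-clientid` row of the `@@ -46,9 +46,9 @@` hunk in `docs/tre-admins/identities/workspace.md` keeps the stray space before the comma ("required parameter , and") from the `-` line. In the `## Comments` hunk at the end of the same file, the scope format `api://_ws_` in both the `-` and `+` lines has nothing between the underscores, so the placeholders for the TRE and workspace identifiers appear to have been lost; please check the rendered page and restore explicit placeholders, since readers use this string to build the `Workspace Scope Id`.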
diff --git a/docs/tre-admins/setup-instructions/ad-tenant-choices.md b/docs/tre-admins/setup-instructions/ad-tenant-choices.md index 50eef29d25..94b600a08b 100644 --- a/docs/tre-admins/setup-instructions/ad-tenant-choices.md +++ b/docs/tre-admins/setup-instructions/ad-tenant-choices.md @@ -1,4 +1,4 @@ -# Azure Active Directory Tenant Choices +# Microsoft Entra ID Tenant Choices ## Dedicated Tenant for TRE @@ -10,13 +10,13 @@ Users from your corporate tenant can be guested into this new TRE tenant. ## Corporate Tenant -It is possible to use your corporate tenant for TRE. This does have the advantage of only managing a single tenant, but your AAD Tenant Admin must be aware of what TRE brings to your organization and must be prepared to carry out some admin tasks, like creating an AAD Application every time a new Workspace is created. +It is possible to use your corporate tenant for TRE. This does have the advantage of only managing a single tenant, but your Microsoft Entra ID Tenant Admin must be aware of what TRE brings to your organization and must be prepared to carry out some admin tasks, like creating an Microsoft Entra ID Application every time a new Workspace is created. [![TRE Tenant](../../assets/corp-tenant.png)](../../assets/corp-tenant.png) -## Create Dedicated Azure Active Directory Tenant +## Create Dedicated Microsoft Entra ID Tenant -Follow [this guide](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to create new dedicated tenant. +Follow [this guide](https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant) to create new dedicated tenant. ## Next steps diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md index d089d1967d..07a231ef0b 100644 --- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md +++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md 
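Review bot: in the `## Corporate Tenant` hunk of `docs/tre-admins/setup-instructions/ad-tenant-choices.md`, "creating an Microsoft Entra ID Application" should read "creating a Microsoft Entra ID Application". The updated tenant-creation link (`https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant`) is the right replacement for the retired `active-directory` path.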
@@ -92,8 +92,8 @@ In a previous [Setup Auth configuration](./setup-auth-entities.md) step authenti | Secret Name | Description | | -------- | ----------- | | `AAD_TENANT_ID` | Tenant id against which auth is performed. | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | diff --git a/docs/tre-admins/setup-instructions/installing-base-workspace.md b/docs/tre-admins/setup-instructions/installing-base-workspace.md index 01a9350b3f..25caddc50c 100644 --- a/docs/tre-admins/setup-instructions/installing-base-workspace.md +++ b/docs/tre-admins/setup-instructions/installing-base-workspace.md 
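Review bot: in the secrets table hunk of `docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md`, the descriptions now say "Microsoft Entra ID" while the secret names (`AAD_TENANT_ID`) and the script path (`/devops/scripts/create_aad_assets.sh`) keep their `AAD` naming. Leaving the identifiers unchanged is correct, because they are configuration keys and file names, but a one-line note that config keys, environment variables and script names retain the historical `AAD` prefix would stop readers from looking for renamed secrets that do not exist.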
@@ -29,7 +29,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. + If you're using a separate tenant for Microsoft Entra ID app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. Running the script will report `workspace_api_client_id` and `workspace_api_client_secret` for the generated app. Add these under the authenrication section in `/config.yaml` so that automated testing will work. You also need to use `workspace_api_client_id` in the POST body below. diff --git a/docs/tre-admins/setup-instructions/prerequisites.md b/docs/tre-admins/setup-instructions/prerequisites.md index b4ac864188..78b6dbd47e 100644 --- a/docs/tre-admins/setup-instructions/prerequisites.md +++ b/docs/tre-admins/setup-instructions/prerequisites.md @@ -3,7 +3,7 @@ To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID](https://learn.microsoft.com/en-gb/entra/fundamentals/whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) 
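Review bot: the new link in the `docs/tre-admins/setup-instructions/prerequisites.md` hunk uses the `en-gb` locale (`https://learn.microsoft.com/en-gb/entra/fundamentals/whatis`), while the other links introduced by this patch, for example in `ad-tenant-choices.md` and `authoring-workspace-templates.md`, use `en-us`. Learn redirects by the reader's locale when the segment is omitted, so `https://learn.microsoft.com/entra/fundamentals/whatis` is the most portable form; at minimum pick one locale consistently. The same `en-gb` link is duplicated in the `docs/using-tre/local-development/local-development.md` hunk later in this patch.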
diff --git a/docs/tre-admins/setup-instructions/setup-auth-entities.md b/docs/tre-admins/setup-instructions/setup-auth-entities.md index dc4f91b91b..c1616c83cb 100644 --- a/docs/tre-admins/setup-instructions/setup-auth-entities.md +++ b/docs/tre-admins/setup-instructions/setup-auth-entities.md @@ -19,9 +19,9 @@ Next, you will set the configuration variables for the specific Azure TRE instan The rest of the variables can have their default values. -1. Decide on a name for your `tre_id` ID for the Azure TRE instance. The value will be used in various Azure resources and AAD application names. It **needs to be globally unique and less than 12 characters in length**. Use **only** lowercase alphanumerics. Choose wisely! +1. Decide on a name for your `tre_id` ID for the Azure TRE instance. The value will be used in various Azure resources and Microsoft Entra ID application names. It **needs to be globally unique and less than 12 characters in length**. Use **only** lowercase alphanumerics. Choose wisely! 1. Once you have decided on which AD Tenant paradigm, then you should be able to set `aad_tenant_id` in the authentication section in your `config.yaml` file. -1. Your AAD Tenant Admin can now use the terminal window in Visual Studio Code to execute the following script from within the development container to create all the AAD Applications that are used for TRE. The details of the script are covered in the [auth document](../auth.md). +1. Your Microsoft Entra ID Tenant Admin can now use the terminal window in Visual Studio Code to execute the following script from within the development container to create all the Microsoft Entra ID Applications that are used for TRE. The details of the script are covered in the [auth document](../auth.md). ```bash make auth 
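Review bot: the unchanged context line between the two rewritten steps in the `docs/tre-admins/setup-instructions/setup-auth-entities.md` hunk, "Once you have decided on which AD Tenant paradigm, then you should be able to set `aad_tenant_id` ...", still says "AD Tenant" and is grammatically incomplete. Since the adjacent lines are being updated, rewrite it as well, for example "Once you have decided on a Microsoft Entra ID tenant paradigm, set `aad_tenant_id` in the authentication section of your `config.yaml` file."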
@@ -33,7 +33,7 @@ Next, you will set the configuration variables for the specific Azure TRE instan In case you have several subscriptions and would like to change your default subscription use `az account set --subscription ` !!! note - The full functionality of the script requires directory admin privileges. You may need to contact your friendly Azure Active Directory admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md). + The full functionality of the script requires directory admin privileges. You may need to contact your friendly Microsoft Entra ID admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md). All other variables can have their default values for now. diff --git a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md index 46d067ab13..25b4e2c213 100644 --- a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md +++ b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md 
@@ -57,7 +57,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. + If you're using a separate tenant for Microsoft Entra ID app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Set these under authentication section in `config.yaml` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` in the form. diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index 28db90d053..a432e90463 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md @@ -74,7 +74,7 @@ Configure the TRE API and Swagger UI repository secrets |
Secret name
| Description | | ----------- | ----------- | -| `AAD_TENANT_ID` | The tenant ID of the Azure AD. | +| `AAD_TENANT_ID` | The tenant ID of the Microsoft Entra ID. | | `SWAGGER_UI_CLIENT_ID` | The application (client) ID of the TRE Swagger UI app. | | `API_CLIENT_ID` | The application (client) ID of the TRE API app. | | `API_CLIENT_SECRET` | The application password (client secret) of the TRE API app. | diff --git a/docs/tre-developers/api.md b/docs/tre-developers/api.md index e35e0cd83d..06c2195aa6 100644 --- a/docs/tre-developers/api.md +++ b/docs/tre-developers/api.md @@ -144,7 +144,7 @@ make auth ``` Alternatively, in Azure Portal you can add the redirect URL to the App Registration. -Under AAD, find App Registrations, and find the App Registration with the ID shown in the error message. +Under Microsoft Entra ID, find App Registrations, and find the App Registration with the ID shown in the error message. There, go to Redirect URL and add the URL given to you by the error message (it will have a form of `https://${TRE_ID}.westeurope.cloudapp.azure.com/api/docs/oauth2-redirect`). diff --git a/docs/tre-developers/ui.md b/docs/tre-developers/ui.md index 433985875f..e9b4a04441 100644 --- a/docs/tre-developers/ui.md +++ b/docs/tre-developers/ui.md @@ -8,7 +8,7 @@ The UI is built upon several popular web frameworks: - Typescript - React Router v6 for client side routing - Fluent UI [Fluent UI Docs](https://developer.microsoft.com/en-us/fluentui#/controls/web) -- MSAL v2: AAD authentication [msal-react docs](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react) +- MSAL v2: Microsoft Entra ID authentication [msal-react docs](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react) ### Folder structure 
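Review bot: in the `docs/tre-admins/setup-instructions/workflows.md` secrets table hunk, the new description "The tenant ID of the Microsoft Entra ID." reads awkwardly because "Microsoft Entra ID" is the product name, not the tenant. "The ID of the Microsoft Entra tenant used for authentication." says what the `AAD_TENANT_ID` secret holds.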
@@ -27,7 +27,7 @@ ui ### AuthN + AuthZ For further details on the auth setup, see [Auth](../tre-admins/auth.md). -As stated above, AAD is used for Authentication and Authorization. There are 3 AAD apps involved here: +As stated above, Microsoft Entra ID is used for Authentication and Authorization. There are 3 Microsoft Entra ID apps involved here: - **TRE UX**. This is the app that the user authenticates against. Once authenticated, the client will request an access token for the `TRE Api`. - **TRE Api**. In the access token response from this app we get the user's role membership for TRE-level roles (`TREAdmin` / `TREUser`). Based on these role memberships, aspects of the UI will be made available. If the user is in a `TREAdmin` role, they will see buttons to create workspaces for instance. When the user navigates into a Workspace, the client will request an access token for that `Workspace App`. 
@@ -39,7 +39,7 @@ From this access token we can find the Workspace-level roles the user is in (`Wo ### React Contexts The React Context API is a clean way to handle a limited amount of global state, and is used for a few scenarios in this project: - TRE Roles Context: A context provides details of the base TRE roles a user is in, which can be consumed anywhere throughout the app -- Workspace Context: Tracks the currently selected Workspace, and the roles the user is in for that Workspace. This context is used for nested components to be able to authenticate against the correct AAD App via `workspaceCtx.workspaceApplicationIdURI`. +- Workspace Context: Tracks the currently selected Workspace, and the roles the user is in for that Workspace. This context is used for nested components to be able to authenticate against the correct Microsoft Entra ID App via `workspaceCtx.workspaceApplicationIdURI`. - Create Form Context: A context to control the Create / Update form behaviour. - Notifications Context: Tracks all the in-progress operations currently running. For each operation, the Notifications panel also uses this context to broadcast Component 'actions' which are subscribed to by downstream components. This way, a resource component does not have to track it's own changes, and can be 'told' by the Notifications Context whether it should refresh / lock etc. diff --git a/docs/tre-templates/shared-services/gitea.md b/docs/tre-templates/shared-services/gitea.md index 173611a5ae..d15a69f02b 100644 --- a/docs/tre-templates/shared-services/gitea.md +++ b/docs/tre-templates/shared-services/gitea.md 
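Review bot: in the React Contexts hunk of `docs/tre-developers/ui.md`, the unchanged Notifications Context line has "track it's own changes", which should be "its own changes"; worth fixing while the neighbouring Workspace Context line is being rewritten.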
@@ -44,7 +44,7 @@ Gitea needs to be able to access the following resource outside the Azure TRE VN | Service Tag / Destination | Justification | | --- | --- | -| AzureActiveDirectory | Authorize the signed in user against Azure Active Directory. | +| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra ID. | | AzureContainerRegistry | Pull the Gitea container image, as it is located in Azure Container Registry. | | (www.)github.com | Allows Gitea to mirror any repo on GitHub | diff --git a/docs/tre-templates/shared-services/nexus.md b/docs/tre-templates/shared-services/nexus.md index 2a9e437a10..6b67a15af4 100644 --- a/docs/tre-templates/shared-services/nexus.md +++ b/docs/tre-templates/shared-services/nexus.md @@ -63,7 +63,7 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET. | Service Tag / Destination | Justification | | --- | --- | -| AzureActiveDirectory | Authorize the signed in user against Azure Active Directory. | +| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra ID. | | AzureContainerRegistry | Pull the Nexus container image, as it is located in Azure Container Registry. | | pypi.org, *.pypi.org | Enables Nexus to "proxy" python packages to use inside of workspaces. | | repo.anaconda.com | Enables Nexus to "proxy" conda packages to use inside of workspaces. | 
@@ -87,10 +87,12 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET. | Ubuntu Security Packages | apt | [http://security.ubuntu.com/ubuntu/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/ubuntu-security/` | Provide access to Ubuntu Security apt packages on Ubuntu systems. | | Almalinux | yum | [https://repo.almalinux.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/almalinux` | Install Almalinux packages | | R-Proxy | r | [https://cran.r-project.org/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/r-proxy` | Provide access to CRAN packages for R | +| R-Studio Download | raw | [https://download1.rstudio.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/r-studio-download` | Provide access to download R Studio | | Fedora Project | yum | [https://download-ib01.fedoraproject.org] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/fedoraproject` | Install Fedora Project Linux packages | | Microsoft Apt | apt | [https://packages.microsoft.com] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-apt` | Provide access to Microsoft Apt packages | | Microsoft Keys | raw | [https://packages.microsoft.com/keys/] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-keys` | Provide access to Microsoft keys | | Microsoft Yum | yum | [https://packages.microsoft.com/yumrepos] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-yum` | Provide access to Microsoft Yum packages | +| Microsoft Download | raw | [https://download.microsoft.com/download] | `https://nexus-{TRE_ID}.{LOCATION}.cloudapp.azure.com/repository/microsoft-download` | Provide access to Microsoft Downloads | ### Migrate from an existing V1 Nexus service (hosted on App Service) 
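Review bot: the two new rows in the `docs/tre-templates/shared-services/nexus.md` repository table add upstreams `https://download1.rstudio.org` and `https://download.microsoft.com/download`, but the preceding hunk's "access to resources outside of the Azure TRE VNET" table (which lists `pypi.org`, `repo.anaconda.com` and the other justified egress destinations) gains no matching entries. Add `download1.rstudio.org` and `download.microsoft.com` with their justification there so the documented egress allow-list matches what the proxy actually reaches. Both new repositories are `raw` format, which passes files through without the signed metadata checks that the apt and yum proxies rely on, so the rows should tell users to verify the vendor's published checksums or signatures for downloaded installers.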
@@ -111,3 +113,18 @@ If you still have an existing Nexus installation based on App Service (from the The Nexus service checks Key Vault regularly for the latest certificate matching the name you passed on deploy (`nexus-ssl` by default). When approaching expiry, you can either provide an updated certificate into the TRE core KeyVault (with the name you specified when installing Nexus) if you brought your own, or if you used the certs shared service to generate one, just call the `renew` custom action on that service. This will generate a new certificate and persist it to the Key Vault, replacing the expired one. + +## Updating to v3.0.0 +The newest version of Nexus is a significant update for the service. +As a result, a new installation of Nexus will be necessary. + +We are currently in the process of developing an upgrade path for upcoming releases. + +## Using Docker Hub +When using Docker with a VM, the image URL should be constructed as follows: {NEXUS_URL}:{port}/docker-image + +```bash +sudo docker pull {NEXUS_URL}:8083/hello-world +``` + +the default port out of the box is 8083 \ No newline at end of file diff --git a/docs/tre-templates/user-resources/custom.md b/docs/tre-templates/user-resources/custom.md new file mode 100644 index 0000000000..9ff7131d73 --- /dev/null +++ b/docs/tre-templates/user-resources/custom.md 
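Review bot: the new `## Updating to v3.0.0` section of `docs/tre-templates/shared-services/nexus.md` says a new installation is necessary but not what happens to the existing service: whether it must be uninstalled first, whether cached proxy content and the `nexus-ssl` certificate binding are retained, and what clients that reference the old URL must change. In `## Using Docker Hub`, `sudo docker pull {NEXUS_URL}:8083/hello-world` gives no scheme; since the preceding section states that Nexus serves the `nexus-ssl` certificate from Key Vault, state whether the 8083 Docker connector is HTTPS with that certificate, because otherwise Docker clients will only work with an `insecure-registries` entry, which the page should not leave implicit. Minor: put `{NEXUS_URL}:{port}/docker-image` in backticks, capitalise and punctuate "the default port out of the box is 8083", and add the trailing newline that the `\ No newline at end of file` marker shows is missing.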
@@ -0,0 +1,80 @@ +# Guacamole User Resources + +- linuxvm - a Linux-based virtual machine +- windowsvm - A Windows-based virtual machine + +## Customising the user resources + +The `guacamole-azure-linuxvm` and `guacamole-azure-windowsvm` folders follow a consistent layout. +To update one of these templates (or to create a new template based on these folders) to use different image details or VM sizes, there are a few files that need to be updated: + +| File | Description | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `porter.yaml` | This file describes the template and the name should be updated when creating a template based on the folder.
This file also contains a `custom` data section that describes the VM properties.
Additionally, the version needs to be updated to deploy an updated version | +| `template_schema.json` | This file controls the validation applied to the template, for example specifying the valid options for fields such as size and image | + +### Configuration + +In `porter.yaml`, the `custom` section contains a couple of sub-sections (shown below) + +```yaml +custom: + vm_sizes: + "2 CPU | 8GB RAM": Standard_D2s_v5 + "4 CPU | 16GB RAM": Standard_D4s_v5 + "8 CPU | 32GB RAM": Standard_D8s_v5 + "16 CPU | 64GB RAM": Standard_D16s_v5 + image_options: + "Ubuntu 22.04 LTS": + source_image_reference: + publisher: canonical + offer: 0001-com-ubuntu-server-jammy + sku: 22_04-lts-gen2 + version: latest + apt_sku: 22.04 + install_ui: true + conda_config: false + "Ubuntu 20.04 LTS": + source_image_reference: + publisher: canonical + offer: 0001-com-ubuntu-server-focal + sku: 20_04-lts-gen2 + version: latest + apt_sku: 20.04 + install_ui: true + conda_config: false + "Ubuntu 20.04 LTS Data Science VM": + source_image_reference: + publisher: microsoft-dsvm + offer: ubuntu-2004 + sku: 2004-gen2 + version: latest + apt_sku: 20.04 + install_ui: true + conda_config: true + # "Custom Image From Gallery": + # source_image_name: your-image + # install_ui: true + # conda_config: true +``` + +The `vm_sizes` section is a map of a custom SKU description to the SKU identifier. + +The `image_options` section defined the possible image choices for the template (note that the name of the image used here needs to be included in the corresponding enum in `template_schema.json`). 
+ +Within the image definition in `image_options` there are a few properties that can be specified: + +| Name | Description | +| ------------------------ | -------------------------------------------------------------------------------------------------------- | +| `source_image_name` | Specify VM image to use by name (see notes below for identifying the image gallery containing the image) | +| `source_image_reference` | Specify VM image to use by `publisher`, `offer`, `sku` & `version` (e.g. for Azure Marketplace images) | +| `install_ui` | (Linux only) Set `true` to install desktop environment | +| `conda_config` | Set true to configure conda | + +When specifying images using `source_image_name`, the image must be stored in an [image gallery](https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery). +To enable re-using built user resource templates across environments where the image may vary, the image gallery is configured via the `RP_BUNDLE_VALUES` environment variable when deploying the TRE. +The `RP_BUNDLE_VALUES` variable is a JSON object, and the `image_gallery_id` property within it identifies the image gallery that contains the images specified by `source_image_name`: + +```bash +RP_BUNDLE_VALUES='{"image_gallery_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups//providers/Microsoft.Compute/galleries/"} +``` diff --git a/docs/tre-templates/user-resources/guacamole-linux-vm.md b/docs/tre-templates/user-resources/guacamole-linux-vm.md index 8cf7b55906..f0ebb090e8 100644 --- a/docs/tre-templates/user-resources/guacamole-linux-vm.md +++ b/docs/tre-templates/user-resources/guacamole-linux-vm.md 
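Review bot: in the new `docs/tre-templates/user-resources/custom.md`, the closing example `RP_BUNDLE_VALUES='{"image_gallery_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups//providers/Microsoft.Compute/galleries/"}` is missing its closing single quote, and the resource-group and gallery-name segments are empty (`resourceGroups//providers` and a trailing `galleries/`), so the placeholders appear to have been dropped; restore explicit placeholders so the line can be copied and filled in. "The `image_options` section defined the possible image choices" should be "defines". The properties table should state that `source_image_name` and `source_image_reference` are alternatives, not both required. Every marketplace reference in the sample uses `version: latest`, which means a VM build floats to whatever the publisher ships next; since the Linux VM page in this same patch recommends VM images for production, a sentence recommending a pinned `version` or a gallery image for reproducible, reviewed builds belongs here.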
@@ -7,3 +7,12 @@ It blocks all inbound and outbound traffic to the internet and allows only RDP c - [A base workspace bundle installed](../workspaces/base.md) - [A guacamole workspace service bundle installed](../workspace-services/guacamole.md) +- [A Nexus shared service has been deployed](../shared-services/nexus.md) + +## Notes +- Nexus is a prerequisite of installing the Linux VMs given the additional commands in the bootstrap scripts. +- In production we recommend using VM images to avoid transient issues downloading and installing packages. +- Snap hasn't been configured to work via the nexus proxy + +## Using Custom Images +For custom image usage, visit this [page](./custom.md). diff --git a/docs/tre-templates/workspace-services/gitea.md b/docs/tre-templates/workspace-services/gitea.md index 054e21bd67..9725cbb711 100644 --- a/docs/tre-templates/workspace-services/gitea.md +++ b/docs/tre-templates/workspace-services/gitea.md @@ -7,7 +7,7 @@ See: [https://gitea.io/](https://gitea.io) The Gitea worskpace service opens outbound access to: - AzureActiveDirectory -- Azure AD CDN - `https://aadcdn.msftauth.net` +- Microsoft Entra ID CDN - `https://aadcdn.msftauth.net` ## Prerequisites diff --git a/docs/tre-workspace-authors/authoring-workspace-templates.md b/docs/tre-workspace-authors/authoring-workspace-templates.md index d40105515f..76aa356cbd 100644 --- a/docs/tre-workspace-authors/authoring-workspace-templates.md +++ b/docs/tre-workspace-authors/authoring-workspace-templates.md 
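Review bot: in the `## Notes` list added to `docs/tre-templates/user-resources/guacamole-linux-vm.md`, "Nexus is a prerequisite of installing the Linux VMs" should be "for installing", and "nexus proxy" should be capitalised "Nexus proxy" as elsewhere. The snap bullet states a limitation without its consequence: since the page's opening line says the VM blocks all outbound internet traffic, say that `snap install` will fail on these VMs rather than silently bypass the proxy, so operators do not spend time debugging it.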
@@ -27,9 +27,9 @@ The manifest of a workspace bundle is the `porter.yaml` file (see [Author Bundle A workspace bundle requires the following [credentials](https://porter.sh/author-bundles/#credentials) to provision resources in Azure: -* [Azure tenant ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +* [Azure tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) * Azure subscription ID -* The client ID of a [service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with privileges to provision resources +* The client ID of a [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) with privileges to provision resources * The client secret (password) of a service principal The credentials are provided as environment variables by the deployment runner. The bundle author must use the following environment variable names: diff --git a/docs/using-tre/local-development/local-development.md b/docs/using-tre/local-development/local-development.md index 2bda151098..4db16e676b 100644 --- a/docs/using-tre/local-development/local-development.md +++ b/docs/using-tre/local-development/local-development.md 
@@ -9,7 +9,7 @@ This guide will cover how to setup local development environment to add custom t To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID](https://learn.microsoft.com/en-gb/entra/fundamentals/whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/e2e_tests/.env.sample b/e2e_tests/.env.sample index 96d5a61628..504651cfda 100644 --- a/e2e_tests/.env.sample +++ b/e2e_tests/.env.sample @@ -18,7 +18,7 @@ TEST_WORKSPACE_APP_SECRET= WORKSPACE_APP_SERVICE_PLAN_SKU="P1v2" TEST_WORKSPACE_ID= -TEST_AAD_WORKSPACE_ID=ID of pre-created AAD workspace> +TEST_AAD_WORKSPACE_ID=ID of pre-created Microsoft Entra ID workspace> # Run tests sequentially. Change this value if you want to run tests in parallel locally E2E_TESTS_NUMBER_PROCESSES=1 diff --git a/e2e_tests/test_performance.py b/e2e_tests/test_performance.py index 9f284fc235..6c6d836d9d 100644 --- a/e2e_tests/test_performance.py +++ b/e2e_tests/test_performance.py @@ -106,7 +106,7 @@ async def test_bulk_updates_to_ensure_each_resource_updated_in_series(verify) -> "properties": { "display_name": "Perf test VM", "description": "", - "os_image": "Ubuntu 18.04" + "os_image": "Ubuntu 22.04 LTS" } } diff --git a/templates/shared_services/sonatype-nexus-vm/porter.yaml b/templates/shared_services/sonatype-nexus-vm/porter.yaml index 307bee19bc..f46a419468 100644 --- a/templates/shared_services/sonatype-nexus-vm/porter.yaml +++ b/templates/shared_services/sonatype-nexus-vm/porter.yaml 
@@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-sonatype-nexus -version: 2.8.13 +version: 3.0.0 description: "A Sonatype Nexus shared service" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/nexus_realms_config.json b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_realms_config.json index 51fa1053e0..eeb2530e36 100644 --- a/templates/shared_services/sonatype-nexus-vm/scripts/nexus_realms_config.json +++ b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_realms_config.json @@ -1,5 +1,4 @@ [ - "NexusAuthenticatingRealm", - "NexusAuthorizingRealm", - "DockerToken" + "DockerToken", + "NexusAuthenticatingRealm" ] diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/microsoft_download_conf.json b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/microsoft_download_conf.json new file mode 100644 index 0000000000..a153c626a9 --- /dev/null +++ b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/microsoft_download_conf.json @@ -0,0 +1,32 @@ +{ + "name": "microsoft-download", + "online": true, + "storage": { + "blobStoreName": "default", + "strictContentTypeValidation": true, + "write_policy": "ALLOW" + }, + "proxy": { + "remoteUrl": "https://download.microsoft.com/download", + "contentMaxAge": 1440, + "metadataMaxAge": 1440 + }, + "negativeCache": { + "enabled": true, + "timeToLive": 1440 + }, + "httpClient": { + "blocked": false, + "autoBlock": false, + "connection": { + "retries": 0, + "userAgentSuffix": "string", + "timeout": 60, + "enableCircularRedirects": false, + "enableCookies": false, + "useTrustStore": false + } + }, + "baseType": "raw", + "repoType": "proxy" + } \ No newline at end of file 
diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/r_studio_download_conf.json b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/r_studio_download_conf.json new file mode 100644 index 0000000000..264deeeb36 --- /dev/null +++ b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/r_studio_download_conf.json @@ -0,0 +1,32 @@ +{ + "name": "r-studio-download", + "online": true, + "storage": { + "blobStoreName": "default", + "strictContentTypeValidation": true, + "write_policy": "ALLOW" + }, + "proxy": { + "remoteUrl": "https://download1.rstudio.org", + "contentMaxAge": 1440, + "metadataMaxAge": 1440 + }, + "negativeCache": { + "enabled": true, + "timeToLive": 1440 + }, + "httpClient": { + "blocked": false, + "autoBlock": false, + "connection": { + "retries": 0, + "userAgentSuffix": "string", + "timeout": 60, + "enableCircularRedirects": false, + "enableCookies": false, + "useTrustStore": false + } + }, + "baseType": "raw", + "repoType": "proxy" + } \ No newline at end of file diff --git a/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/snapcraft_conf.json b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/snapcraft_conf.json new file mode 100644 index 0000000000..33019c0a48 --- /dev/null +++ b/templates/shared_services/sonatype-nexus-vm/scripts/nexus_repos_config/snapcraft_conf.json 
@@ -0,0 +1,32 @@ +{ + "name": "snapcraft", + "online": true, + "storage": { + "blobStoreName": "default", + "strictContentTypeValidation": true, + "write_policy": "ALLOW" + }, + "proxy": { + "remoteUrl": "https://snapcraftcontent.com", + "contentMaxAge": 1440, + "metadataMaxAge": 1440 + }, + "negativeCache": { + "enabled": true, + "timeToLive": 1440 + }, + "httpClient": { + "blocked": false, + "autoBlock": false, + "connection": { + "retries": 0, + "userAgentSuffix": "string", + "timeout": 60, + "enableCircularRedirects": false, + "enableCookies": false, + "useTrustStore": false + } + }, + "baseType": "raw", + "repoType": "proxy" + } \ No newline at end of file diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf index c0484c712f..67cae90039 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/locals.tf 
@@ -1,7 +1,7 @@ locals { core_vnet = "vnet-${var.tre_id}" core_resource_group_name = "rg-${var.tre_id}" - nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org" + nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com" nexus_allowed_fqdns_list = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", "")))) workspace_vm_allowed_fqdns = "r3.o.lencr.org,x1.c.lencr.org" workspace_vm_allowed_fqdns_list = distinct(compact(split(",", replace(local.workspace_vm_allowed_fqdns, " ", "")))) diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf index 27a6a3d04f..5d1ebdef11 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf @@ -83,6 +83,7 @@ resource "azurerm_user_assigned_identity" "nexus_msi" { location = data.azurerm_resource_group.rg.location resource_group_name = local.core_resource_group_name tags = local.tre_shared_service_tags + lifecycle { ignore_changes = [tags] } } @@ -112,7 +113,7 @@ resource "azurerm_linux_virtual_machine" "nexus" { source_image_reference { publisher = "Canonical" offer = "0001-com-ubuntu-server-jammy" - sku = "22_04-lts-gen2" + sku = "22_04-lts" version = "latest" } 
diff --git a/templates/workspace_services/guacamole/user_resources/README.md b/templates/workspace_services/guacamole/user_resources/README.md index c553e1673a..d0db21cb86 100644 --- a/templates/workspace_services/guacamole/user_resources/README.md +++ b/templates/workspace_services/guacamole/user_resources/README.md @@ -2,10 +2,9 @@ This folder contains user resources that can be deployed with the Guacamole workspace service: -- linuxvm - a Linux-based virtual machine (expects an Ubuntu 18.04-based VM) +- linuxvm - a Linux-based virtual machine - windowsvm - A Windows-based virtual machine - ## Customising the user resources The `guacamole-azure-linuxvm` and `guacamole-azure-windowsvm` folders follow a consistent layout. @@ -29,21 +28,32 @@ custom: "8 CPU | 32GB RAM": Standard_D8s_v5 "16 CPU | 64GB RAM": Standard_D16s_v5 image_options: - "Ubuntu 18.04": + "Ubuntu 22.04 LTS": source_image_reference: publisher: canonical - offer: ubuntuserver - sku: 18_04-lts-gen2 + offer: 0001-com-ubuntu-server-jammy + sku: 22_04-lts-gen2 version: latest + apt_sku: 22.04 install_ui: true conda_config: false - "Ubuntu 18.04 Data Science VM": + "Ubuntu 20.04 LTS": + source_image_reference: + publisher: canonical + offer: 0001-com-ubuntu-server-focal + sku: 20_04-lts-gen2 + version: latest + apt_sku: 20.04 + install_ui: true + conda_config: false + "Ubuntu 20.04 LTS Data Science VM": source_image_reference: publisher: microsoft-dsvm - offer: ubuntu-1804 - sku: 1804-gen2 + offer: ubuntu-2004 + sku: 2004-gen2 version: latest - install_ui: false + apt_sku: 20.04 + install_ui: true conda_config: true # "Custom Image From Gallery": # source_image_name: your-image 
@@ -68,8 +78,6 @@ When specifying images using `source_image_name`, the image must be stored in an To enable re-using built user resource templates across environments where the image may vary, the image gallery is configured via the `RP_BUNDLE_VALUES` environment variable when deploying the TRE. The `RP_BUNDLE_VALUES` variable is a JSON object, and the `image_gallery_id` property within it identifies the image gallery that contains the images specified by `source_image_name`: - ```bash RP_BUNDLE_VALUES='{"image_gallery_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups//providers/Microsoft.Compute/galleries/"} ``` - diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml index f36a668258..d73bb38d1c 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-guacamole-linuxvm -version: 0.6.9 +version: 1.0.0 description: "An Azure TRE User Resource Template for Guacamole (Linux)" dockerfile: Dockerfile.tmpl registry: azuretre 
@@ -14,20 +14,22 @@ custom: "8 CPU | 32GB RAM": Standard_D8s_v5 "16 CPU | 64GB RAM": Standard_D16s_v5 image_options: - "Ubuntu 18.04": + "Ubuntu 22.04 LTS": source_image_reference: publisher: canonical - offer: ubuntuserver - sku: 18_04-lts-gen2 + offer: 0001-com-ubuntu-server-jammy + sku: 22_04-lts-gen2 version: latest + apt_sku: 22.04 install_ui: true conda_config: false - "Ubuntu 18.04 Data Science VM": + "Ubuntu 20.04 LTS Data Science VM": source_image_reference: publisher: microsoft-dsvm - offer: ubuntu-1804 - sku: 1804-gen2 + offer: ubuntu-2004 + sku: 2004-gen2 version: latest + apt_sku: 20.04 install_ui: false conda_config: true # For information on using custom images, see README.me in the guacamole/user-resources folder @@ -36,7 +38,6 @@ custom: # install_ui: true # conda_config: true - credentials: - name: azure_tenant_id env: ARM_TENANT_ID @@ -91,7 +92,7 @@ parameters: default: "public" - name: os_image type: string - default: "Ubuntu 18.04 Data Science VM" + default: "Ubuntu 22.04 LTS Data Science VM" - name: vm_size type: string default: "2 CPU | 8GB RAM" diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/template_schema.json b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/template_schema.json index 9c7aec15a3..fc0bad231b 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/template_schema.json +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/template_schema.json @@ -16,8 +16,7 @@ "title": "Linux image", "description": "Select Linux image to use for VM", "enum": [ - "Ubuntu 18.04", - "Ubuntu 18.04 Data Science VM" + "Ubuntu 22.04 LTS" ] }, "vm_size": { 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/apt_sources_config.yml b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/apt_sources_config.yml index 22b3418d5b..35b5b5857b 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/apt_sources_config.yml +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/apt_sources_config.yml @@ -14,6 +14,8 @@ apt: deb [trusted=yes] $PRIMARY $RELEASE main restricted universe multiverse deb [trusted=yes] $PRIMARY $RELEASE-updates main restricted universe multiverse deb [trusted=yes] $SECURITY $RELEASE main restricted universe multiverse - deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/ubuntu/18.04/prod $RELEASE main + deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/ubuntu/${apt_sku}/prod $RELEASE main deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/repos/edge stable main + deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/repos/vscode stable main + deb [signed-by=/etc/apt/trusted.gpg.d/microsoft.gpg] ${nexus_proxy_url}/repository/microsoft-apt/repos/azure-cli $RELEASE main deb [signed-by=/etc/apt/trusted.gpg.d/docker-archive-keyring.gpg] ${nexus_proxy_url}/repository/docker/ $RELEASE stable diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/get_apt_keys.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/get_apt_keys.sh index 5849eaede3..6e69009525 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/get_apt_keys.sh +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/get_apt_keys.sh 
@@ -6,6 +6,10 @@ set -o nounset # Uncomment this line to see each command for debugging (careful: this will show secrets!) # set -o xtrace +#remove key if they already exist +sudo rm -f /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg || true +sudo rm -f /etc/apt/trusted.gpg.d/microsoft.gpg || true + # Get Docker Public key from Nexus curl -fsSL "${NEXUS_PROXY_URL}"/repository/docker-public-key/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf index 247c4f77e0..8172ec77bb 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf @@ -110,6 +110,8 @@ data "template_file" "vm_config" { FILESHARE_NAME = var.shared_storage_access ? data.azurerm_storage_share.shared_storage[0].name : "" NEXUS_PROXY_URL = local.nexus_proxy_url CONDA_CONFIG = local.selected_image.conda_config ? 1 : 0 + VM_USER = random_string.username.result + APT_SKU = replace(local.apt_sku, ".", "") } } @@ -131,6 +133,7 @@ data "template_file" "apt_sources_config" { template = file("${path.module}/apt_sources_config.yml") vars = { nexus_proxy_url = local.nexus_proxy_url + apt_sku = local.apt_sku } } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf index 43a6d5982b..e0281269fd 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf 
@@ -15,7 +15,6 @@ locals { tre_user_resource_id = var.tre_resource_id } nexus_proxy_url = "https://nexus-${data.azurerm_public_ip.app_gateway_ip.fqdn}" - # Load VM SKU/image details from porter.yaml porter_yaml = yamldecode(file("${path.module}/../porter.yaml")) vm_sizes = local.porter_yaml["custom"]["vm_sizes"] @@ -26,4 +25,5 @@ locals { # selected_image_source_refs is an array to enable easy use of a dynamic block selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference] selected_image_source_id = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}" + apt_sku = local.selected_image_source_refs[0]["apt_sku"] } diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/pypi_sources_config.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/pypi_sources_config.sh index 6d70862655..9380cbc9e1 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/pypi_sources_config.sh +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/pypi_sources_config.sh @@ -1,5 +1,5 @@ #!/bin/bash -sudo tee /etc/pip.conf > dev/null <<'EOF' +sudo tee /etc/pip.conf > /dev/null <<'EOF' [global] index = ${nexus_proxy_url}/repository/pypi/pypi index-url = ${nexus_proxy_url}/repository/pypi/simple diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config.sh index 7db5f89b82..e88a523e5e 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config.sh 
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config.sh 
@@ -2,32 +2,95 @@ set -o errexit set -o pipefail -# set -o nounset +set -o nounset # Uncomment this line to see each command for debugging (careful: this will show secrets!) -# set -o xtrace +set -o xtrace # Remove apt sources not included in sources.list file sudo rm -f /etc/apt/sources.list.d/* # Update apt packages from configured Nexus sources -sudo apt-get update - -# Install xrdp so Guacamole can connect via RDP -sudo apt-get install xrdp -y +echo "init_vm.sh: START" +sudo apt update || true +sudo apt upgrade -y +sudo apt install -y gnupg2 software-properties-common apt-transport-https wget dirmngr gdebi-core +sudo apt-get update || true + +## Desktop +echo "init_vm.sh: Desktop" +sudo systemctl start gdm3 || true +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure gdm3 || true +sudo apt install -y xfce4 xfce4-goodies xorg dbus-x11 x11-xserver-utils +echo /usr/sbin/gdm3 > /etc/X11/default-display-manager + +## Install xrdp so Guacamole can connect via RDP +echo "init_vm.sh: xrdp" +sudo apt install -y xrdp xorgxrdp xfce4-session sudo adduser xrdp ssl-cert +sudo -u "${VM_USER}" -i bash -c 'echo xfce4-session > ~/.xsession' +sudo -u "${VM_USER}" -i bash -c 'echo xset s off >> ~/.xsession' +sudo -u "${VM_USER}" -i bash -c 'echo xset -dpms >> ~/.xsession' -# Install desktop environment if image doesn't have one already -if [ "${INSTALL_UI}" -eq 1 ]; then - sudo apt-get install xorg xfce4 xfce4-goodies dbus-x11 x11-xserver-utils -y - echo xfce4-session > ~/.xsession -fi +# Make sure xrdp service starts up with the system +sudo systemctl enable xrdp +sudo service xrdp restart + +## Python 3.8 and Jupyter +sudo apt install -y jupyter-notebook microsoft-edge-dev + +## VS Code +echo "init_vm.sh: VS Code" +sudo apt install -y code +sudo apt install -y gvfs-bin || true + +echo "init_vm.sh: Folders" +sudo mkdir -p /opt/vscode/user-data +sudo mkdir -p /opt/vscode/extensions + +# 
echo "init_vm.sh: azure-cli" +sudo apt install azure-cli -y + +# TODO: need to look at proxy extentions +## VSCode Extensions +# echo "init_vm.sh: VSCode extensions" +# code --extensions-dir="/opt/vscode/extensions" --user-data-dir="/opt/vscode/user-data" --install-extension ms-python.python +# code --extensions-dir="/opt/vscode/extensions" --user-data-dir="/opt/vscode/user-data" --install-extension REditorSupport.r +# code --extensions-dir="/opt/vscode/extensions" --user-data-dir="/opt/vscode/user-data" --install-extension RDebugger.r-debugger + +# Azure Storage Explorer +sudo apt install gnome-keyring dotnet-sdk-7.0 -y +wget -q ${NEXUS_PROXY_URL}/repository/microsoft-download/A/E/3/AE32C485-B62B-4437-92F7-8B6B2C48CB40/StorageExplorer-linux-x64.tar.gz -P /tmp +sudo mkdir /opt/storage-explorer +sudo tar xvf /tmp/StorageExplorer-linux-x64.tar.gz -C /opt/storage-explorer +sudo chmod +x /opt/storage-explorer/* + +sudo tee /usr/share/applications/storage-explorer.desktop << END +[Desktop Entry] +Name=Storage Explorer +Comment=Azure Storage Explorer +Exec=/opt/storage-explorer/StorageExplorer +Icon=/opt/storage-explorer/resources/app/out/app/icon.png +Terminal=false +Type=Application +StartupNotify=false +StartupWMClass=Code +Categories=Development; +END + +## R +echo "init_vm.sh: R Setup" +sudo apt install -y r-base + +# RStudio Desktop +echo "init_vm.sh: RStudio" +wget ${NEXUS_PROXY_URL}/repository/r-studio-download/electron/jammy/amd64/rstudio-2023.12.1-402-amd64.deb -P /tmp/2204 +wget ${NEXUS_PROXY_URL}/repository/r-studio-download/electron/focal/amd64/rstudio-2023.12.1-402-amd64.deb -P /tmp/2004 +sudo gdebi --non-interactive /tmp/${APT_SKU}/rstudio-2023.12.1-402-amd64.deb # Fix for blank screen on DSVM (/sh -> /bash due to conflict with profile.d scripts) sudo sed -i 's|!/bin/sh|!/bin/bash|g' /etc/xrdp/startwm.sh -# Make sure xrdp service starts up with the system -sudo systemctl enable xrdp - if [ "${SHARED_STORAGE_ACCESS}" -eq 1 ]; then # Install required 
packages sudo apt-get install autofs -y @@ -75,6 +138,7 @@ fi ### Anaconda Config if [ "${CONDA_CONFIG}" -eq 1 ]; then + echo "init_vm.sh: Anaconda" export PATH="/anaconda/condabin":$PATH export PATH="/anaconda/bin":$PATH export PATH="/anaconda/envs/py38_default/bin":$PATH @@ -85,11 +149,42 @@ if [ "${CONDA_CONFIG}" -eq 1 ]; then fi # Docker install and config +sudo apt-get remove -y moby-tini || true +sudo apt-get install -y r-base-core sudo apt-get install -y ca-certificates curl gnupg lsb-release -sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin jq +sudo apt-get install -y docker-compose-plugin docker-ce-cli containerd.io jq +sudo apt-get install -y docker-ce jq -n --arg proxy "${NEXUS_PROXY_URL}:8083" '{"registry-mirrors": [$proxy]}' > /etc/docker/daemon.json sudo systemctl daemon-reload sudo systemctl restart docker # R config sudo echo -e "local({\n r <- getOption(\"repos\")\n r[\"Nexus\"] <- \"""${NEXUS_PROXY_URL}\"/repository/r-proxy/\"\n options(repos = r)\n})" | sudo tee /etc/R/Rprofile.site + +# Jupiter Notebook Config +sudo sed -i -e 's/Terminal=true/Terminal=false/g' /usr/share/applications/jupyter-notebook.desktop + +# Default Browser +sudo update-alternatives --config x-www-browser + +## Cleanup +echo "init_vm.sh: Cleanup" +sudo shutdown -r now + +# Prevent screen timeout +echo "init_vm.sh: Preventing Timeout" +sudo touch /home/${VM_USER}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml +sudo chmod 664 /home/${VM_USER}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml +sudo chown ${VM_USER}:${VM_USER} /home/${VM_USER}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml +sudo tee /home/${VM_USER}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml << END + + + + + + + + + + +END 
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config_byoi.sh b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config_byoi.sh new file mode 100644 index 0000000000..d63fe70bf2 --- /dev/null +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/vm_config_byoi.sh 
@@ -0,0 +1,78 @@ +#!/bin/bash + +set -o errexit +set -o pipefail +set -o nounset +# Uncomment this line to see each command for debugging (careful: this will show secrets!) +set -o xtrace + +# Remove apt sources not included in sources.list file +sudo rm -f /etc/apt/sources.list.d/* + +# Update apt packages from configured Nexus sources +echo "init_vm.sh: START" +sudo apt update || true +sudo apt upgrade -y +sudo apt install -y gnupg2 software-properties-common apt-transport-https wget dirmngr gdebi-core +sudo apt-get update || true + +## Install xrdp so Guacamole can connect via RDP +echo "init_vm.sh: xrdp" +sudo apt install -y xrdp xorgxrdp xfce4-session +sudo adduser xrdp ssl-cert +sudo -u "${VM_USER}" -i bash -c 'echo xfce4-session > ~/.xsession' +sudo -u "${VM_USER}" -i bash -c 'echo xset s off >> ~/.xsession' +sudo -u "${VM_USER}" -i bash -c 'echo xset -dpms >> ~/.xsession' + +# Make sure xrdp service starts up with the system +sudo systemctl enable xrdp +sudo service xrdp restart + +if [ "${SHARED_STORAGE_ACCESS}" -eq 1 ]; then + # Install required packages + sudo apt-get install autofs -y + + # Pass in required variables + storageAccountName="${STORAGE_ACCOUNT_NAME}" + storageAccountKey="${STORAGE_ACCOUNT_KEY}" + httpEndpoint="${HTTP_ENDPOINT}" + fileShareName="${FILESHARE_NAME}" + mntRoot="/fileshares" + credentialRoot="/etc/smbcredentials" + + mntPath="$mntRoot/$fileShareName" + # shellcheck disable=SC2308 + smbPath=$(echo "$httpEndpoint" | cut -c7-"$(expr length "$httpEndpoint")")$fileShareName + smbCredentialFile="$credentialRoot/$storageAccountName.cred" + + # Create required file paths + sudo mkdir -p "$mntPath" + sudo mkdir -p "/etc/smbcredentials" + sudo mkdir -p $mntRoot + + ### Auto FS to persist storage + # Create credential file + if [ ! 
-f "$smbCredentialFile" ]; then + echo "username=$storageAccountName" | sudo tee "$smbCredentialFile" > /dev/null + echo "password=$storageAccountKey" | sudo tee -a "$smbCredentialFile" > /dev/null + else + echo "The credential file $smbCredentialFile already exists, and was not modified." + fi + + # Change permissions on the credential file so only root can read or modify the password file. + sudo chmod 600 "$smbCredentialFile" + + # Configure autofs + echo "$fileShareName -fstype=cifs,rw,dir_mode=0777,credentials=$smbCredentialFile :$smbPath" | sudo tee /etc/auto.fileshares > /dev/null + echo "$mntRoot /etc/auto.fileshares --timeout=60" | sudo tee /etc/auto.master > /dev/null + + # Restart service to register changes + sudo systemctl restart autofs + + # Autofs mounts when accessed for 60 seconds. Folder created for constant visible mount + sudo ln -s "$mntPath" "/$fileShareName" +fi + +## Cleanup +echo "init_vm.sh: Cleanup" +sudo shutdown -r now diff --git a/templates/workspaces/airlock-import-review/.env.sample b/templates/workspaces/airlock-import-review/.env.sample index 68d0a40652..c89893b33f 100644 --- a/templates/workspaces/airlock-import-review/.env.sample +++ b/templates/workspaces/airlock-import-review/.env.sample @@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" 
diff --git a/templates/workspaces/base/.env.sample b/templates/workspaces/base/.env.sample index df96d05cc7..40de3a637f 100644 --- a/templates/workspaces/base/.env.sample +++ b/templates/workspaces/base/.env.sample @@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" diff --git a/templates/workspaces/unrestricted/.env.sample b/templates/workspaces/unrestricted/.env.sample index ba25f23336..42b235effd 100644 --- a/templates/workspaces/unrestricted/.env.sample +++ b/templates/workspaces/unrestricted/.env.sample @@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" diff --git a/ui/README.md b/ui/README.md index 9ec30ef5ba..b605e4bc71 100644 --- a/ui/README.md 
+++ b/ui/README.md @@ -7,7 +7,7 @@ The UI was built using Create React App and Microsoft Fluent UI. Further details ## Run the UI - Ensure `deploy_ui=false` is not set in your `./config.yaml` file - In the root of the repo, run `make tre-deploy`. This will provision the necessary resources in Azure, build and deploy the UI to Azure blob storage, behind the App Gateway used for the API. The deployment process will also create the necessary `config.json`, using the `config.source.json` as a template. -- In Azure AD, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for: +- In Microsoft Entra ID, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for: - `http://localhost:3000` (if wanting to run locally) - Your deployed App Url - `https://{TRE_ID}.{LOCATION}.cloudapp.azure.com`. diff --git a/ui/app/package.json b/ui/app/package.json index 259dd9fcb9..5d5966da33 100644 --- a/ui/app/package.json +++ b/ui/app/package.json @@ -1,6 +1,6 @@ { "name": "tre-ui", - "version": "0.5.21", + "version": "0.5.22", "private": true, "dependencies": { "@azure/msal-browser": "^2.35.0", diff --git a/ui/app/yarn.lock b/ui/app/yarn.lock index e95e023cc8..98157cef4c 100644 --- a/ui/app/yarn.lock +++ b/ui/app/yarn.lock 
@@ -3955,10 +3955,10 @@ cookie-signature@1.0.6: resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.6.tgz#e303a882b342cc3ee8ca513a79999734dab3ae2c" integrity sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ== -cookie@0.5.0: - version "0.5.0" - resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.5.0.tgz#d1f5d71adec6558c58f389987c366aa47e994f8b" - integrity sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw== +cookie@0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051" + integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw== core-js-compat@^3.31.0, core-js-compat@^3.34.0: version "3.36.0" @@ -5141,16 +5141,16 @@ expect@^29.0.0: jest-util "^29.7.0" express@^4.17.3: - version "4.18.3" - resolved "https://registry.yarnpkg.com/express/-/express-4.18.3.tgz#6870746f3ff904dee1819b82e4b51509afffb0d4" - integrity sha512-6VyCijWQ+9O7WuVMTRBTl+cjNNIzD5cY5mQ1WM8r/LEkI2u8EYpOotESNwzNlyCn3g+dmjKYI6BmNneSr/FSRw== + version "4.19.2" + resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" + integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q== dependencies: accepts "~1.3.8" array-flatten "1.1.1" body-parser "1.20.2" content-disposition "0.5.4" content-type "~1.0.4" - cookie "0.5.0" + cookie "0.6.0" cookie-signature "1.0.6" debug "2.6.9" depd "2.0.0" 
@@ -5323,9 +5323,9 @@ flatted@^3.2.9: integrity sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw== follow-redirects@^1.0.0: - version "1.15.5" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.5.tgz#54d4d6d062c0fa7d9d17feb008461550e3ba8020" - integrity sha512-vSFWUON1B+yAw1VN4xMfxgn5fTUiaOzAJCKBwIIgT/+7CuGy9+r+5gITvP62j3RmaD5Ph65UaERdOSRGUzZtgw== + version "1.15.6" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b" + integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA== for-each@^0.3.3: version "0.3.3" @@ -11320,9 +11320,9 @@ webidl-conversions@^6.1.0: integrity sha512-qBIvFLGiBpLjfwmYAaHPXsn+ho5xZnGvyGvsarywGNc8VyQJUMHJ8OBKGGrPER0okBeMDaan4mNBlgBROxuI8w== webpack-dev-middleware@^5.3.1: - version "5.3.3" - resolved "https://registry.yarnpkg.com/webpack-dev-middleware/-/webpack-dev-middleware-5.3.3.tgz#efae67c2793908e7311f1d9b06f2a08dcc97e51f" - integrity sha512-hj5CYrY0bZLB+eTO+x/j67Pkrquiy7kWepMHmUMoPsmcUaeEnQJqFzHJOyxgWlq746/wUuA64p9ta34Kyb01pA== + version "5.3.4" + resolved "https://registry.yarnpkg.com/webpack-dev-middleware/-/webpack-dev-middleware-5.3.4.tgz#eb7b39281cbce10e104eb2b8bf2b63fce49a3517" + integrity sha512-BVdTqhhs+0IfoeAf7EoH5WE+exCmqGerHfDM0IL096Px60Tq2Mn9MAbnaGUe6HiMa41KMCYF19gyzZmBcq/o4Q== dependencies: colorette "^2.0.10" memfs "^3.4.3"
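Review bot: In the `templates/workspaces/base/.env.sample` hunk, the rewritten comment still carries the typo "before hand" (should be "beforehand"); since the line is being touched anyway, fix it: `# These are passed in if you register the Workspace Microsoft Entra ID Application beforehand`. Leaving the variable names (`REGISTER_AAD_APPLICATION`, `CREATE_AAD_GROUPS`, `AUTH_CLIENT_ID`) unchanged is the right call, since renaming them would break existing `.env` files; a short note in the comment that the `AAD` prefix is kept for compatibility would save readers from wondering whether the rename was incomplete.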
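Review bot: The `templates/workspaces/unrestricted/.env.sample` hunk is a verbatim copy of the base workspace change and carries the same "before hand" typo; apply the same wording fix to both files so the two samples stay identical, and consider whether the comment block should live in one shared place rather than being duplicated per workspace template.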
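Review bot: In the `ui/README.md` hunk, the rename to "Microsoft Entra ID" is only half done: the same bullet still says "reply URIs", which is the older portal term, while the Entra admin center labels them "Redirect URIs"; change it to `- In Microsoft Entra ID, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add redirect URIs for:` and also capitalise "App Url" to "App URL" in the context line. Since the `http://localhost:3000` entry is marked "(if wanting to run locally)", it is worth stating that it belongs on a development app registration only, so it is not left on a production registration by someone following these steps.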
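Review bot: The `cookie@0.5.0` -> `cookie@0.6.0` hunk in `ui/app/yarn.lock` removes the 0.5.0 entry outright, which is only correct if no other package in the lockfile still requires exactly `cookie "0.5.0"`; the later `express` hunk updates express's own pin to `cookie "0.6.0"`, but the diff does not show whether any other requester existed. Run `yarn install --frozen-lockfile` in `ui/app` and confirm it succeeds without wanting to re-add a 0.5.0 entry; if it fails, the removed entry still has a consumer and must be restored.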
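Review bot: The `express` hunk (4.18.3 -> 4.19.2) is a lockfile-only resolution change: the range `express@^4.17.3` already admits 4.19.2 and the `cookie "0.6.0"` pin in its dependencies list matches the new `cookie@0.6.0` entry, so this is internally consistent. What the diff cannot tell a reviewer is why the bump was made; the accompanying changelog entry should say whether it was taken in response to a published advisory or as routine maintenance, since that determines whether downstream deployments need to pick it up promptly.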
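Review bot: The `follow-redirects` hunk (1.15.5 -> 1.15.6) only changes the resolved version under the unchanged range `follow-redirects@^1.0.0`, so nothing prevents a later lockfile regeneration from resolving back below 1.15.6. If this bump is meant to stay in place, add a `resolutions` entry for `follow-redirects` in `ui/app/package.json` (Yarn classic honours that field) so the floor is enforced rather than incidental.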
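Review bot: The `webpack-dev-middleware` hunk (5.3.3 -> 5.3.4) has the same shape as the `follow-redirects` one: the range `webpack-dev-middleware@^5.3.1` is untouched and only the resolved version and integrity hash move, so the same `resolutions` pin applies if the bump must not regress. This package is dev-server tooling and is not part of the built UI bundle, so its exposure is developer machines running the local dev server; that is worth noting in the changelog so readers do not assume the deployed UI changed.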
