BREAKING CHANGES & MIGRATIONS:
ENHANCEMENTS:
- Deny public access to TRE management storage account, and add private endpoint for TRE core #4353
BUG FIXES:
BREAKING CHANGES & MIGRATIONS:
- Workspace bundle uses infrastructure encryption on shared storage which will recreate storage share. Major verison increase will prevent upgrade, do not force the upgrade unless you are fully aware of the consequences.
ENHANCEMENTS:
- Core key vault firewall should not be set to "Allow public access from all networks" (#4250)
- Allow workspace App Service Plan SKU to be updated (#4331)
- Add core requests endpoint and UI to enable requests to be managed TRE wide. ([#2510])
- Remove public IP from TRE's firewall when forced tunneling is configured (#4346)
- Upgrade AzureRM Terraform provider from
3.117.0to4.14.0. ([#4255]) - Subnet definitions are now inline in the
azurerm_virtual_networkresource, and NSG associations are set usingsecurity_groupin each subnet block (no separateazurerm_subnet_network_security_group_associationneeded). ([#4255]) - Azure Cosmos DB should disable public network access (#4322)
- Add bundle target to Makefile for handling different bundle types in single command (#4372)
- Migrate UI to Vite build engine and update dependencies (#4368)
- Add Windows image field to the Admin VM template (#4274)
- Update TLS to the latest version for web apps / function apps (#4351)
- Set
stairlockpAirlock Processor storage account firewall to "Enabled from selected virtual networks and IP addresses" (#4386)
BUG FIXES:
- Fix upgrade when porter install has failed (#4338)
- Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state (#4294)
- Fix Cosmos DB local debugging configuration (#4340)
- Add firewall rules to upgrade steps for Guacamole service (#4343)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.5 |
| core | 0.12.3 |
| ui | 0.7.0 |
| tre-workspace-airlock-import-review | 0.14.3 |
| tre-workspace-base | 2.0.0 |
| tre-workspace-unrestricted | 0.13.3 |
| tre-shared-service-airlock-notifier | 1.0.8 |
| tre-shared-service-certs | 0.7.4 |
| tre-shared-service-firewall | 1.3.2 |
| tre-shared-service-gitea | 1.1.5 |
| tre-shared-service-cyclecloud | 0.7.2 |
| tre-shared-service-databricks-private-auth | 0.1.11 |
| tre-shared-service-admin-vm | 0.5.3 |
| tre-shared-service-sonatype-nexus | 3.3.2 |
| tre-workspace-service-mysql | 1.0.9 |
| tre-workspace-service-ohdsi | 0.3.3 |
| tre-user-resource-aml-compute-instance | 0.5.11 |
| tre-service-azureml | 0.9.2 |
| tre-service-guacamole-linuxvm | 1.2.8 |
| tre-service-guacamole-windowsvm | 1.2.10 |
| tre-service-guacamole-import-reviewvm | 0.3.2 |
| tre-service-guacamole-export-reviewvm | 0.2.2 |
| tre-service-guacamole | 0.12.9 |
| tre-workspace-service-health | 0.2.11 |
| tre-workspace-service-gitea | 1.2.3 |
| tre-service-databricks | 1.0.10 |
| tre-workspace-service-openai | 1.0.6 |
| tre-workspace-service-azuresql | 1.0.15 |
BREAKING CHANGES & MIGRATIONS:
- InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these workspace services they can be retrieved from release 0.19.1. (#4127)
- This release removed support for Porter v0.*. If you're upgrading from a much earlier version you can't go directly to this one. (#4228)
FEATURES:
- Add support for customer-managed keys encryption. Core support (#4141, #4144), Base workspace (#4161), other templates (#4145)
ENHANCEMENTS:
- Disable storage account cross tenant replication (#4116)
- Key Vaults should use RBAC instead of access policies for access control (#4000)
- Split log entries with [Log chunk X of Y] for better readability. (#3992)
- Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF (#4111)
- Update Terraform to use Azure AD authentication rather than storage account keys (#4103)
- Consolidate Terraform upgrade scripts (#4099)
- Storage accounts should use infrastructure encryption (#4001)
- Update obsolete Terraform properties (#4136)
- Update Guacamole version and dependencies (#4140)
- Update the Azure CLI version to 2.67.0 in dev container and vmss (#4157)
- Move Github PR bot commands into main documentation (#4167)
- Block Authentication with keys to CosmosDB SQL account (#4175)
- Change the way "inherited" workspaces retrieve the base workspace code (#4162)
- Add option to configure auto shutdown for Linux VM (#4186)
- Add ability to download VSCode Extensions ([#4187])
- Update Windows VM Images (#4198)
- Enhance DPI of Linux display ([#4200])
- Update Admin VM versions ([#4217])
- Update devcontainer/RP/API package versions: base image, docker, az cli, YQ (#4225)
- Purge container repos individually in when using
make tre-destroy(#4230) - Upgrade Python version from 3.8 to 3.12 (#3949)Upgrade Python version from 3.8 to 3.12 (#3949)
- Disable storage account key usage ([#4227])
- Update Guacamole dependencies ([#4232])
- Add option to force tunnel TRE's Firewall (#4237)
- Add EventGrid diagnostics to identify airlock issues (#4258)
- Disable local authentication in ServiceBus (#4259)
- Allow enablement of Secure Boot and vTPM for Guacamole VMs (#4235)
- Surface the server-layout parameter of Guacamole server-layout (#4234)
- Add encryption at host for VMs (#4263)
- Downgrade certs shared service App Gateway to Basic SKU (#4300)
- Airlock function host storage to use the user-assigned managed identity (#4276)
- Disable local authentication in EventGrid (#4254)
- Use user username as VM username rather than random ID (#4333)
BUG FIXES:
- Update KeyVault references in API to use the version so Terraform cascades the update (#4112)
- Template images are showing CVEs (#4153)
- Fix Dockerfile 'as' casting (#4170)
- Create policy to allow all user to configure color profiles to remove auth dialog. (#4184)
- Pre configure VS code option to prevent script failure (#4185)
- Increase size of Nexus VM, and derive Java VM memory limits from machine size (#4074)
- Enable symlinks to work on Linux VM shared storage (#4180)
- Upgrade aiohttp version for security fixes (#4197)
- Fix failing tests, .env missing and storage logs (#4207)
- Unable to delete virtual machines, add skip_shutdown_and_force_delete = true (#4135)
- Bump terraform version in windows VM template (#4212)
- Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitigate storage account deployment issue (#4004)
- Fix VM actions where Workspace shared storage doesn't allow shared key access (#4222)
- Fix public exposure in Guacamole service ([#4199])
- Fix Azure ML network tags to use name rather than ID ([#4151])
- Windows R version must be 4.1.2 otherwise post install script doesn't update package mirror URL (#4288)
- Recreate tre_output.json if empty. ([#4292])
- Ensure R directory is present before attempting to update package mirror URL (#4332)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.5 |
| core | 0.11.23 |
| ui | 0.6.3 |
| tre-shared-service-databricks-private-auth | 0.1.11 |
| tre-shared-service-gitea | 1.1.4 |
| tre-shared-service-sonatype-nexus | 3.3.2 |
| tre-shared-service-firewall | 1.3.0 |
| tre-shared-service-admin-vm | 0.5.2 |
| tre-shared-service-certs | 0.7.3 |
| tre-shared-service-airlock-notifier | 1.0.8 |
| tre-shared-service-cyclecloud | 0.7.2 |
| tre-workspace-airlock-import-review | 0.14.2 |
| tre-workspace-base | 1.9.2 |
| tre-workspace-unrestricted | 0.13.2 |
| tre-workspace-service-gitea | 1.2.2 |
| tre-workspace-service-mysql | 1.0.9 |
| tre-workspace-service-health | 0.2.11 |
| tre-workspace-service-openai | 1.0.6 |
| tre-service-azureml | 0.9.2 |
| tre-user-resource-aml-compute-instance | 0.5.11 |
| tre-service-databricks | 1.0.10 |
| tre-workspace-service-azuresql | 1.0.15 |
| tre-service-guacamole | 0.12.7 |
| tre-service-guacamole-export-reviewvm | 0.2.2 |
| tre-service-guacamole-linuxvm | 1.2.4 |
| tre-service-guacamole-import-reviewvm | 0.3.2 |
| tre-service-guacamole-windowsvm | 1.2.6 |
| tre-workspace-service-ohdsi | 0.3.2 |
BREAKING CHANGES & MIGRATIONS:
- Workspace creation blocked due to Azure API depreciation (#4095)
ENHANCEMENTS:
- Update Unrestricted and Airlock Import Review workspaces to be built off the Base workspace 0.19.0 (#4087)
- Update Release Docs (part of #2727)
- Add info regarding workspace limit into docs (#3920)
BUG FIXES:
- Add Snyk Security updates for September
- Workspace creation blocked due to Azure API depreciation (#4095)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.2 |
| core | 0.10.8 |
| ui | 0.5.28 |
| tre-service-guacamole-linuxvm | 1.0.3 |
| tre-service-guacamole-import-reviewvm | 0.2.9 |
| tre-service-guacamole-export-reviewvm | 0.1.9 |
| tre-service-guacamole-windowsvm | 1.0.1 |
| tre-service-guacamole | 0.10.9 |
| tre-service-databricks | 1.0.4 |
| tre-service-mlflow | 0.7.9 |
| tre-service-innereye | 0.6.5 |
| tre-workspace-service-ohdsi | 0.2.5 |
| tre-workspace-service-gitea | 1.0.5 |
| tre-workspace-service-mysql | 1.0.4 |
| tre-workspace-service-azuresql | 1.0.10 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.11 |
| tre-workspace-service-health | 0.2.6 |
| tre-workspace-service-openai | 1.0.1 |
| tre-workspace-airlock-import-review | 0.13.1 |
| tre-workspace-unrestricted | 0.12.1 |
| tre-workspace-base | 1.5.7 |
| tre-shared-service-cyclecloud | 0.6.3 |
| tre-shared-service-databricks-private-auth | 0.1.6 |
| tre-shared-service-sonatype-nexus | 3.0.1 |
| tre-shared-service-admin-vm | 0.4.4 |
| tre-shared-service-firewall | 1.2.1 |
| tre-shared-service-gitea | 1.0.3 |
| tre-shared-service-certs | 0.5.2 |
| tre-shared-service-airlock-notifier | 1.0.2 |
FEATURES:
ENHANCEMENTS:
- Add Case Study Docs (#1366)
- Ability to host TRE on a custom domain (#4014)
- Remove AppServiceFileAuditLogs diagnostic setting (#4033)
- Update to the Airlock Notifier Shared Service (#3909)
BUG FIXES:
- Removed 429 Error (Costs API) form presenting in UI (#3929)
- Fix numbering issue within
bug_report.mdtemplate (#4028) - Disable public network access to the API App Service (#3986)
- Fix Guacamole shared drive always enabled (#3885)
- Add Dependabot Security updates for July
- Update Docs to format emojis properly (#4027)
- Update API and Resource Processor opentelemetry versions (#4052)
- Fix broken links in new Case Study Docs
- Update Linux VM to stop screensaver locking out the user (#4065)
- Update .NET version on Linux VMs (#4067)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.10.6 |
| ui | 0.5.28 |
| tre-service-guacamole-linuxvm | 1.0.2 |
| tre-service-guacamole-import-reviewvm | 0.2.8 |
| tre-service-guacamole-export-reviewvm | 0.1.8 |
| tre-service-guacamole-windowsvm | 1.0.0 |
| tre-service-guacamole | 0.10.8 |
| tre-service-databricks | 1.0.3 |
| tre-service-mlflow | 0.7.8 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-ohdsi | 0.2.4 |
| tre-workspace-service-gitea | 1.0.3 |
| tre-workspace-service-mysql | 1.0.2 |
| tre-workspace-service-azuresql | 1.0.9 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-workspace-service-health | 0.2.5 |
| tre-workspace-airlock-import-review | 0.12.16 |
| tre-workspace-unrestricted | 0.11.4 |
| tre-workspace-base | 1.5.4 |
| tre-shared-service-cyclecloud | 0.5.5 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-sonatype-nexus | 3.0.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-firewall | 1.2.0 |
| tre-shared-service-gitea | 1.0.2 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-airlock-notifier | 1.0.1 |
BREAKING CHANGES & MIGRATIONS:
- Update Core Terraform Provider versions (#3919)
- Introduction of config value
enable_airlock_email_check, which defaults tofalse, this is a change in behaviour. If you require email addresses for users before an airlock request is created, set totrue. (#3904)
FEATURES:
ENHANCEMENTS:
- Additional DataBrick IPs added (#3901)
- Add KeyVault Purge Protection Variable (#3922)
- Update Guacamole Windows 11 VM Image to 2Win11-23h2-pro (#3995)
- Make check for email addresses prior to an airlock request being created optional. (#3904)
- Add Firewall SKU variable (#3961)
BUG FIXES:
- Update Guacamole Linux VM Images to Ubuntu 22.04 LTS. Part of (#3523)
- Update Nexus Shared Service with new proxies. Part of (#3523)
- Update to Resource Processor Image, now using Ubuntu 22.04 (jammy). Part of (#3523)
- Remove TLS1.0/1.1 support from Application Gateway (#3914)
- GitHub Actions version updates. (#3847)
- Add workaround to avoid name clashes for storage accounts(#3863)
- Resource processor fails to deploy first workspace on fresh TRE deployment (#3950)
- Dependency and Vulnerability updates
- Fix Weak hashes (#3931)
- Add lifecycle rule to MySQL resources to stop them recreating on
update(#3993) - Fixes broken links on 'Using the Azure TRE -> Custom Templates' page of documentation ([#4003])
- Fix 'Renew Lets Encrypt Certificates' GitHub Action (#3978)
- Add lifecycle rule to the Gitea Shared Service template for the MySQL resource to stop it recreating on
update(#4006)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.10.1 |
| ui | 0.5.24 |
| tre-service-guacamole-linuxvm | 1.0.0 |
| tre-service-guacamole-import-reviewvm | 0.2.8 |
| tre-service-guacamole-export-reviewvm | 0.1.8 |
| tre-service-guacamole-windowsvm | 1.0.0 |
| tre-service-guacamole | 0.10.7 |
| tre-service-databricks | 1.0.3 |
| tre-service-mlflow | 0.7.7 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-ohdsi | 0.2.4 |
| tre-workspace-service-gitea | 1.0.2 |
| tre-workspace-service-mysql | 1.0.2 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-workspace-service-health | 0.2.5 |
| tre-workspace-airlock-import-review | 0.12.16 |
| tre-workspace-unrestricted | 0.11.4 |
| tre-workspace-base | 1.5.3 |
| tre-shared-service-cyclecloud | 0.5.5 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-sonatype-nexus | 3.0.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-firewall | 1.2.0 |
| tre-shared-service-gitea | 1.0.1 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-airlock-notifier | 0.9.0 |
BREAKING CHANGES & MIGRATIONS:
- Update terraform MySQL resources to MySQL Flexible resources to fix depricating recources. (#3892) - Migration to new version of Gitea and MySQL, needs to be carried out manually, details to be included in a later release.
ENHANCEMENTS:
- Switch from OpenCensus to OpenTelemetry for logging (#3762)
- Extend PowerShell auto start script to start core VMs (#3811)
- Use managed identity for API connection to CosmosDB (#345)
- Switch to Structured Firewall Logs (#3816)
- Support for building core and workspace service bundles on arm64 platforms (#3823)
BUG FIXES:
- Fix issue with workspace menu not working correctly(#3819)
- Fix issue with connect button showing when no uri(#3820)
- Fix user resource upgrade validation: use the parent_service_template_name instead of the parent_resource_id. (#3824)
- Airlock: Creating an import/export request causes a routing error (#3830)
- Fix registration of templates with no 'authorizedRoles' or 'required' defined (#3849)
- Update terraform for services bus to move network rules into namespace resource to avoid depreciation warning, and update setup_local_debugging.sh to use network_rule_sets (#3858)
- Update terraform MySQL resources to MySQL Flexible resources to fix depricating recources. (#3892)
- Fix issue with firewall failing to deploy on a new TRE deploy (#3775)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.9.6 |
| ui | 0.5.21 |
| tre-service-guacamole-linuxvm | 0.6.9 |
| tre-service-guacamole-import-reviewvm | 0.2.8 |
| tre-service-guacamole-export-reviewvm | 0.1.8 |
| tre-service-guacamole-windowsvm | 0.7.9 |
| tre-service-guacamole | 0.10.6 |
| tre-service-databricks | 1.0.3 |
| tre-service-mlflow | 0.7.7 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-ohdsi | 0.2.4 |
| tre-workspace-service-gitea | 1.0.1 |
| tre-workspace-service-mysql | 1.0.1 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-workspace-service-health | 0.2.5 |
| tre-workspace-airlock-import-review | 0.12.16 |
| tre-workspace-unrestricted | 0.11.4 |
| tre-workspace-base | 1.5.3 |
| tre-shared-service-cyclecloud | 0.5.5 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-sonatype-nexus | 2.8.13 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-firewall | 1.1.7 |
| tre-shared-service-gitea | 1.0.1 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-airlock-notifier | 0.9.0 |
BREAKING CHANGES & MIGRATIONS:
To resolve the Airlock import issue described in (#3767), the new airlock import review template will need to be registered using make workspace_bundle BUNDLE=airlock-import-review. Any existing airlock import review workspaces will need to be upgraded.
Once you have upgraded the import review workspaces, delete the private endpoint, named pe-stg-import-inprogress-blob-* in the core resource group, and then run make deploy-core to reinstate the private endpoint and DNS records.
ENHANCEMENTS:
- Security updates aligning to Dependabot, MS Defender for Cloud and Synk (#3796)
BUG FIXES:
- Fix issue where updates fail as read only is not configured consistently on schema fields (#3691)
- When getting available address spaces allow those allocated to deleted workspaces to be reassigned (#3691)
- Update Python packages, and fix breaking changes (#3764)
- Enabling support for more than 20 users/groups in Workspace API (#3759)
- Airlock Import Review workspace uses dedicated DNS zone to prevent conflict with core (#3767)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.9.0 |
| ui | 0.5.17 |
| tre-workspace-base | 1.5.3 |
| tre-workspace-unrestricted | 0.11.4 |
| tre-workspace-airlock-import-review | 0.12.16 |
| tre-service-mlflow | 0.7.7 |
| tre-workspace-service-health | 0.2.5 |
| tre-service-databricks | 1.0.3 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-gitea | 0.8.7 |
| tre-workspace-service-mysql | 0.4.5 |
| tre-workspace-service-ohdsi | 0.2.4 |
| tre-service-guacamole-linuxvm | 0.6.9 |
| tre-service-guacamole-export-reviewvm | 0.1.8 |
| tre-service-guacamole-windowsvm | 0.7.9 |
| tre-service-guacamole-import-reviewvm | 0.2.8 |
| tre-service-guacamole | 0.10.6 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-shared-service-cyclecloud | 0.5.5 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-gitea | 0.6.10 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-sonatype-nexus | 2.8.13 |
| tre-shared-service-firewall | 1.1.5 |
BUG FIXES:
- Remove .sh extension from nexus renewal script so CRON job executes (#3742)
- Upgrade porter version to v1.0.15 and on error getting porter outputs return dict (#3744)
- Fix notifications displaying workspace name rather than actual resource (#3746)
- Fix SecuredByRole fails if app roles are not loaded (#3752)
- Fix workspace not loading fails if operation or history roles are not loaded (#3755)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.9 |
| ui | 0.5.15 |
| tre-workspace-base | 1.5.0 |
| tre-workspace-unrestricted | 0.11.1 |
| tre-workspace-airlock-import-review | 0.12.7 |
| tre-service-mlflow | 0.7.7 |
| tre-workspace-service-health | 0.2.5 |
| tre-service-databricks | 1.0.3 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-gitea | 0.8.7 |
| tre-workspace-service-mysql | 0.4.5 |
| tre-workspace-service-ohdsi | 0.2.4 |
| tre-service-guacamole-linuxvm | 0.6.9 |
| tre-service-guacamole-export-reviewvm | 0.1.8 |
| tre-service-guacamole-windowsvm | 0.7.9 |
| tre-service-guacamole-import-reviewvm | 0.2.8 |
| tre-service-guacamole | 0.10.5 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-shared-service-cyclecloud | 0.5.5 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-gitea | 0.6.10 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-sonatype-nexus | 2.8.13 |
| tre-shared-service-firewall | 1.1.5 |
BUG FIXES:
- SecuredByRole failing if roles are null (#3740)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.9 |
| ui | 0.5.11 |
| tre-workspace-base | 1.5.0 |
| tre-workspace-unrestricted | 0.11.1 |
| tre-workspace-airlock-import-review | 0.12.7 |
| tre-service-mlflow | 0.7.7 |
| tre-workspace-service-health | 0.2.5 |
| tre-service-databricks | 1.0.3 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-gitea | 0.8.7 |
| tre-workspace-service-mysql | 0.4.5 |
| tre-workspace-service-ohdsi | 0.2.4 |
| tre-service-guacamole-linuxvm | 0.6.9 |
| tre-service-guacamole-export-reviewvm | 0.1.8 |
| tre-service-guacamole-windowsvm | 0.7.9 |
| tre-service-guacamole-import-reviewvm | 0.2.8 |
| tre-service-guacamole | 0.10.5 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-shared-service-cyclecloud | 0.5.5 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-gitea | 0.6.10 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-sonatype-nexus | 2.8.12 |
| tre-shared-service-firewall | 1.1.5 |
FEATURES:
ENHANCEMENTS:
- Reduce logging noise (#2135)
- Update workspace template to use Terraform's AzureRM 3.73 (#3715)
- Enable cost tags for workspace services and user resources (#2932)
BUG FIXES:
- Upgrade unresticted and airlock base template versions due to diagnostic settings retention period being depreciated (#3704)
- Enable TRE Admins to view workspace details when don't have a workspace role (#2363)
- Fix shared services list return restricted resource for admins causing issues with updates (#3716)
- Fix grey box appearing on resource card when costs are not available. (#3254)
- Fix notification panel not passing the workspace scope id to the API hence UI not updating (#3353)
- Fix issue with cost tags not displaying correctly for some user roles (#3721)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.9 |
| tre-workspace-base | 1.5.0 |
| tre-workspace-unrestricted | 0.11.1 |
| tre-workspace-airlock-import-review | 0.12.7 |
| tre-service-mlflow | 0.7.7 |
| tre-workspace-service-health | 0.2.5 |
| tre-service-databricks | 1.0.3 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-gitea | 0.8.7 |
| tre-workspace-service-mysql | 0.4.5 |
| tre-workspace-service-ohdsi | 0.2.4 |
| tre-service-guacamole-linuxvm | 0.6.9 |
| tre-service-guacamole-export-reviewvm | 0.1.8 |
| tre-service-guacamole-windowsvm | 0.7.9 |
| tre-service-guacamole-import-reviewvm | 0.2.8 |
| tre-service-guacamole | 0.10.5 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-shared-service-cyclecloud | 0.5.5 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-gitea | 0.6.10 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-sonatype-nexus | 2.8.12 |
| tre-shared-service-firewall | 1.1.5 |
BUG FIXES:
- Fix firewall config related to Nexus so that
pypi.orgis added to the allow-list (#3694)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.6 |
| tre-workspace-base | 1.4.7 |
| tre-workspace-unrestricted | 0.10.4 |
| tre-workspace-airlock-import-review | 0.11.6 |
| tre-service-mlflow | 0.7.5 |
| tre-workspace-service-health | 0.2.4 |
| tre-service-databricks | 1.0.3 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-gitea | 0.8.5 |
| tre-workspace-service-mysql | 0.4.4 |
| tre-workspace-service-ohdsi | 0.2.3 |
| tre-service-guacamole-linuxvm | 0.6.8 |
| tre-service-guacamole-export-reviewvm | 0.1.7 |
| tre-service-guacamole-windowsvm | 0.7.8 |
| tre-service-guacamole-import-reviewvm | 0.2.7 |
| tre-service-guacamole | 0.10.4 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-shared-service-cyclecloud | 0.5.4 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-gitea | 0.6.5 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-sonatype-nexus | 2.8.11 |
| tre-shared-service-firewall | 1.1.4 |
ENHANCEMENTS:
- Change Guacamole username claim to
preferred_username, so email not required (#3539) - Upgrade Ubuntu version for Sonatype Nexus VM to 22.04 LTS (#3523)
BUG FIXES:
- Add temporary workaround for when id with last 4 chars exists (#3667)
- Apply missing lifecycle blocks. (#3670)
- Outputs of type boolean are stored as strings (#3655)
- Add dependency on firewall deployment to rule collection (#3672)
- Check docker return code in set docker sock permissions file (#3674)
- Increase reliability of Nexus deployment ([#3642)
- Add firewall rule to allow airlock to download functions runtime (#3682)
- Update dev container so doesn't try to create new group with clashing ID, only updates user ID (#3682)
- Remove diagnostic settings retention period as has been depreciated (#3682)
- Added missing region entries in
databricks-udr.json([#3688)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.6 |
| tre-workspace-base | 1.4.7 |
| tre-workspace-unrestricted | 0.10.4 |
| tre-workspace-airlock-import-review | 0.11.6 |
| tre-service-mlflow | 0.7.5 |
| tre-workspace-service-health | 0.2.4 |
| tre-service-databricks | 1.0.3 |
| tre-service-innereye | 0.6.4 |
| tre-workspace-service-gitea | 0.8.5 |
| tre-workspace-service-mysql | 0.4.4 |
| tre-workspace-service-ohdsi | 0.2.3 |
| tre-service-guacamole-linuxvm | 0.6.8 |
| tre-service-guacamole-export-reviewvm | 0.1.7 |
| tre-service-guacamole-windowsvm | 0.7.8 |
| tre-service-guacamole-import-reviewvm | 0.2.7 |
| tre-service-guacamole | 0.10.4 |
| tre-user-resource-aml-compute-instance | 0.5.7 |
| tre-service-azureml | 0.8.10 |
| tre-shared-service-cyclecloud | 0.5.4 |
| tre-shared-service-databricks-private-auth | 0.1.5 |
| tre-shared-service-gitea | 0.6.5 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-admin-vm | 0.4.3 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-sonatype-nexus | 2.8.10 |
| tre-shared-service-firewall | 1.1.4 |
BUG FIXES:
- Custom actions fail on resources with a pipeline (#3646)
- Fix ability to debug resource processor locally (#3426)
- Upgrade airlock and unrestricted workspaces to base workspace version 0.12.0 (#3659)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.3 |
| tre-workspace-base | 1.4.4 |
| tre-workspace-unrestricted | 0.10.2 |
| tre-workspace-airlock-import-review | 0.11.2 |
| tre-service-mlflow | 0.7.2 |
| tre-workspace-service-health | 0.2.1 |
| tre-service-databricks | 1.0.0 |
| tre-service-innereye | 0.6.1 |
| tre-workspace-service-gitea | 0.8.2 |
| tre-workspace-service-mysql | 0.4.1 |
| tre-workspace-service-ohdsi | 0.2.0 |
| tre-service-guacamole-linuxvm | 0.6.5 |
| tre-service-guacamole-export-reviewvm | 0.1.4 |
| tre-service-guacamole-windowsvm | 0.7.5 |
| tre-service-guacamole-import-reviewvm | 0.2.4 |
| tre-service-guacamole | 0.9.4 |
| tre-user-resource-aml-compute-instance | 0.5.4 |
| tre-service-azureml | 0.8.7 |
| tre-shared-service-cyclecloud | 0.5.1 |
| tre-shared-service-databricks-private-auth | 0.1.2 |
| tre-shared-service-gitea | 0.6.2 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-admin-vm | 0.4.0 |
| tre-shared-service-certs | 0.5.1 |
| tre-shared-service-sonatype-nexus | 2.5.3 |
| tre-shared-service-firewall | 1.1.1 |
FEATURES:
- OHDSI workspace service (#3562)
ENHANCEMENTS:
- Workspace networking peering sync is handled natively by Terraform (#3534)
- Use SMTP built in connector vs API connector in Airlock Notifier (#3572)
- Update Guacamole dependencies (#3602)
BUG FIXES:
- Nexus might fail to deploy due to wrong identity used in key-vault extension (#3492)
- Airlock notifier needs SCM basic-auth enabled to install (#3509)
- Databricks fails to deploy in East US (#3515)
load_env.shis able to use an equal=sign in values (#3535)- Make AML route names unique (#3546)
- Azure ML connection URI is an object, not string (#3486)
- Update key in Linux VM deploy script (#3434)
- Add missing
azure_environmentporter parameters (#3549) - Fix airlock_notifier not getting the right smtp password (#3561)
- Fix issue when deleting failed resources gives no steps (#3567)
- Fix airlock_notifier not getting the right smtp password (#3565)
- Fix issues with networking dependencies and AMPLS deployment (#3433)
- Update CLI install method to fix dependency issue (#3601)
- Update Databricks UDRs for west europe and switch to DFS private endpoint. ([#3582)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.2 |
| tre-workspace-base | 1.4.4 |
| tre-workspace-airlock-import-review | 0.10.1 |
| tre-workspace-unrestricted | 0.9.0 |
| tre-workspace-service-gitea | 0.8.1 |
| tre-service-guacamole | 0.9.3 |
| tre-service-guacamole-windowsvm | 0.7.5 |
| tre-service-guacamole-import-reviewvm | 0.2.4 |
| tre-service-guacamole-linuxvm | 0.6.5 |
| tre-service-guacamole-export-reviewvm | 0.1.4 |
| tre-workspace-service-health | 0.2.1 |
| tre-workspace-service-ohdsi | 0.2.0 |
| tre-service-azureml | 0.8.7 |
| tre-user-resource-aml-compute-instance | 0.5.4 |
| tre-service-mlflow | 0.7.1 |
| tre-service-databricks | 1.0.0 |
| tre-workspace-service-mysql | 0.4.1 |
| tre-service-innereye | 0.6.1 |
| tre-shared-service-cyclecloud | 0.5.1 |
| tre-shared-service-airlock-notifier | 0.9.0 |
| tre-shared-service-gitea | 0.6.1 |
| tre-shared-service-certs | 0.5.0 |
| tre-shared-service-databricks-private-auth | 0.1.1 |
| tre-shared-service-admin-vm | 0.4.0 |
| tre-shared-service-sonatype-nexus | 2.5.2 |
| tre-shared-service-firewall | 1.1.1 |
ENHANCEMENTS:
BUG FIXES:
- AML workspace service fails to install and puts firewall into failed state (#3448)
- Nexus fails to install due to
az loginand firewall rules (#3453)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.1 |
| tre-workspace-base | 1.2.3 |
| tre-workspace-unrestricted | 0.9.0 |
| tre-workspace-airlock-import-review | 0.10.1 |
| tre-service-mlflow | 0.7.1 |
| tre-workspace-service-health | 0.2.1 |
| tre-service-databricks | 0.2.1 |
| tre-service-innereye | 0.6.1 |
| tre-workspace-service-gitea | 0.8.1 |
| tre-workspace-service-mysql | 0.4.1 |
| tre-service-guacamole-linuxvm | 0.6.5 |
| tre-service-guacamole-export-reviewvm | 0.1.4 |
| tre-service-guacamole-windowsvm | 0.7.4 |
| tre-service-guacamole-import-reviewvm | 0.2.4 |
| tre-service-guacamole | 0.9.0 |
| tre-user-resource-aml-compute-instance | 0.5.4 |
| tre-service-azureml | 0.8.2 |
| tre-shared-service-cyclecloud | 0.5.1 |
| tre-shared-service-databricks-private-auth | 0.1.1 |
| tre-shared-service-gitea | 0.6.1 |
| tre-shared-service-airlock-notifier | 0.5.0 |
| tre-shared-service-admin-vm | 0.4.0 |
| tre-shared-service-certs | 0.5.0 |
| tre-shared-service-sonatype-nexus | 2.5.0 |
| tre-shared-service-firewall | 1.1.1 |
BREAKING CHANGES & MIGRATIONS:
- A migration for OperationSteps in Operation objects was added (#3358)
- Some Github secrets have moved to be environment variables -
LOCATIONand a few optional others will need to be redefined as listed here (#3084)
FEATURES:
- (UI) Added upgrade button to resources that have pending template upgrades (#3387)
- Enable deployment to Azure US Government Cloud (#3128)
ENHANCEMENTS:
- Added 'availableUpgrades' field to Resources in GET/GET all Resources endpoints. The field indicates whether there are template versions that a resource can be upgraded to #3234
- Update Porter (1.0.11), Docker (23.0.3), Terraform (1.4.5) (#3430)
- Build, publish and register Databricks bundles in workflow (#3447)
BUG FIXES:
- Fix ENABLE_SWAGGER configuration being ignored in CI (#3355)
- Set yq output format when reading a json file (#3441)
- Set
{}as the workflow default forRP_BUNDLE_VALUESparameter (#3444)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.5.1 |
| core | 0.8.1 |
| tre-shared-service-admin-vm | 0.4.0 |
| tre-shared-service-airlock-notifier | 0.5.0 |
| tre-shared-service-certs | 0.5.0 |
| tre-shared-service-cyclecloud | 0.5.1 |
| tre-shared-service-databricks-private-auth | 0.1.1 |
| tre-shared-service-firewall | 1.1.0 |
| tre-shared-service-gitea | 0.6.1 |
| tre-shared-service-sonatype-nexus | 2.4.0 |
| tre-service-azureml | 0.8.1 |
| tre-user-resource-aml-compute-instance | 0.5.4 |
| tre-service-databricks | 0.2.1 |
| tre-workspace-service-gitea | 0.8.1 |
| tre-service-guacamole | 0.8.4 |
| tre-service-guacamole-export-reviewvm | 0.1.4 |
| tre-service-guacamole-import-reviewvm | 0.2.4 |
| tre-service-guacamole-linuxvm | 0.6.5 |
| tre-service-guacamole-windowsvm | 0.7.4 |
| tre-workspace-service-health | 0.2.1 |
| tre-service-innereye | 0.6.1 |
| tre-service-mlflow | 0.7.1 |
| tre-workspace-service-mysql | 0.4.1 |
| tre-workspace-airlock-import-review | 0.10.1 |
| tre-workspace-base | 1.2.3 |
| tre-workspace-unrestricted | 0.9.0 |
BREAKING CHANGES & MIGRATIONS:
-
Move to Azure Firewall Policy (#3107). This is a major version for the firewall shared service and will fail to automatically upgrade. You should follow these steps to complete it:
-
Let the system try to do the upgrade (via CI or
make all). It will fail but it's fine since now we have the new version published and registered. -
Make a temporary network change with either of the following options:
- Azure Portal: find your TRE resource group and select the route table resource (named
rt-YOUR_TRE_ID). In the overview screen, find theResourceProcessorSubnet(should be last in the subnet list), click on the...and selectDissociate. - Azure CLI:
az network vnet subnet update --resource-group rg-YOUR_TRE_ID --vnet-name vnet-YOUR_TRE_ID --name ResourceProcessorSubnet --remove routeTable
- Azure Portal: find your TRE resource group and select the route table resource (named
-
Issue a patch API request to
force-updatethe firewall to its new version.One way to accomplish this is with the Swagger endpoint (/api/docs).
If this endpoint is not working in your deployment - include
enable_swaggerin yourconfig.yaml(see the sample file), or temporarily activate it via the API resource on azure (namedapi-YOUR_TRE-ID) -> Configuration ->ENABLE_SWAGGERitem.
⚠️ Any custom rules you have added manually will be lost and you'll need to add them back after the upgrade has been completed. -
FEATURES:
- Add Azure Databricks as workspace service (#1857)
- (UI) Added the option to upload/download files to airlock requests via Azure CLI (#3196)
ENHANCEMENTS:
- Add support for referencing IP Groups from the Core Resource Group in firewall rules created via the pipeline (#3089)
- Support for Azure Firewall Basic SKU (#3107). This SKU doesn't support deallocation and for most non 24/7 scenarios will be more expensive than the Standard SKU.
- Update Azure Machine Learning Workspace Service to support "no public IP" compute. This is a full rework so upgrades of existing Azure ML Workspace Service deployments are not supported. Requires
v0.8.0or later of the TRE project. (#3052) - Move non-core DNS zones out of the network module to reduce dependencies (#3119)
- Review VMs are being cleaned up when an Airlock request is canceled (#3130)
- Sample queries to investigate logs of the core TRE applications (#3151)
- Remove support of docker-in-docker for templates/bundles (#3180)
- API runs with gunicorn and uvicorn workers (as recommended) (#3178)
- Upgrade core components and key templates to Terraform AzureRM (#3185)
BUG FIXES:
- Reauth CLI if TRE endpoint has changed (#3137)
- Added Migration for Airlock requests that were created prior to version 0.5.0 (#3152)
- Temporarily use the remote bundle for
check-paramstarget (#3149) - Workspace module dependency to resolve AnotherOperationInProgress errors (#3194)
- Skip Certs shared service E2E on Friday & Saturday due to LetsEncrypt limits (#3203)
- Create Workspace AppInsights via AzAPI provider due to an issue with AzureRM (#3207)
- 'Workspace Owner' is now able to access Airlock request's SAS URL even if the request is not in review (#3208)
- Ignore changes in log_analytics_destination_type to prevent redundant updates (#3217)
- Add Databricks private authentication shared service for SSO (#3201)
- Remove auth private endpoint from databricks workspace service (3199)
- Fix DNS conflict in airlock-review workspace that could make the entire airlock module inoperable (#3215)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.5 |
| core | 0.7.4 |
| tre-shared-service-admin-vm | 0.3.0 |
| tre-shared-service-airlock-notifier | 0.4.0 |
| tre-shared-service-certs | 0.4.0 |
| tre-shared-service-cyclecloud | 0.4.0 |
| tre-shared-service-firewall | 1.0.0 |
| tre-shared-service-gitea | 0.5.0 |
| tre-shared-service-sonatype-nexus | 2.3.0 |
| tre-service-azureml | 0.7.26 |
| tre-user-resource-aml-compute-instance | 0.5.3 |
| tre-service-databricks | 0.1.72 |
| tre-workspace-service-gitea | 0.7.0 |
| tre-service-guacamole | 0.7.1 |
| tre-service-guacamole-export-reviewvm | 0.1.2 |
| tre-service-guacamole-import-reviewvm | 0.2.2 |
| tre-service-guacamole-linuxvm | 0.6.2 |
| tre-service-guacamole-windowsvm | 0.7.2 |
| tre-workspace-service-health | 0.1.1 |
| tre-service-innereye | 0.5.0 |
| tre-service-mlflow | 0.6.4 |
| tre-workspace-service-mysql | 0.3.3 |
| tre-workspace-airlock-import-review | 0.8.1 |
| tre-workspace-base | 1.1.0 |
| tre-workspace-unrestricted | 0.8.1 |
BREAKING CHANGES & MIGRATIONS:
- The model for
reviewUserResourcesin airlock requests has changed from being a list to a dictionary. A migration has been added to update your existing requests automatically; please make sure you run the migrations as part of updating your API and UI.- Note that any in-flight requests that have review resources deployed will show
UNKNOWN[i]for the user key of that resource and in the UI users will be prompted to deploy a new resource. #2883
- Note that any in-flight requests that have review resources deployed will show
- Env files consolidation (#2944) - The files /templates/core/.env, /devops/.env, /devops/auth.env are no longer used. The settings and configuration that they contain has been consolidated into a single file config.yaml that lives in the root folder of the project. Use the script devops/scripts/env_to_yaml_config.sh to migrate /templates/core/.env, /devops/.env, and /devops/auth.env to the new config.yaml file.
- Upgrade to Porter v1 (#3014). You should upgrade all custom template definitions and rebuild them.
FEATURES:
- Support review VMs for multiple reviewers for each airlock request #2883
- Add Azure Health Data Services as workspace services #3051
ENHANCEMENTS:
- Remove Porter's Docker mixin as it's not in use (#2889)
- Enable properties defined within the API to be overridden by the bundle template - enables default values to be set. (#2576)
- Support template version update (#2908)
- Update docker base images to bullseye (#2946
- Support updating the firewall when installing via makefile/CICD (#2942)
- Add the ability for workspace services to request additional address spaces from a workspace (#2902)
- Airlock processor function and api app service work with http2
- Added the option to disable Swagger (#2981)
- Serverless CosmosDB for new deployments to reduce cost (#3029)
- Adding disable_download and disable_upload properties for guacamole (#2967)
- Upgrade Guacamole dependencies (#3053)
- Lint TRE cost tags per entity type (workspace, shared service, etc.) (#3061)
- Validate required secrets have value (#3073)
- Airlock processor unit-tests uses pytest (#3026)
BUG FIXES:
- Private endpoints for AppInsights are now provisioning successfully and consistently (#2841)
- Enable upgrade step of base workspace (#2899)
- Fix get shared service by template name to filter by active service only (#2947)
- Fix untagged cost reporting reader role assignment (#2951)
- Remove Guacamole's firewall rule on uninstall (#2958)
- Fix KeyVault purge error on MLFlow uninstall (#3082)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.4 |
| core | 0.5.2 |
| tre-shared-service-admin-vm | 0.3.0 |
| tre-shared-service-airlock-notifier | 0.3.0 |
| tre-shared-service-certs | 0.3.1 |
| tre-shared-service-cyclecloud | 0.4.0 |
| tre-shared-service-firewall | 0.7.0 |
| tre-shared-service-gitea | 0.5.0 |
| tre-shared-service-sonatype-nexus | 2.3.0 |
| tre-service-azureml | 0.6.0 |
| tre-user-resource-aml-compute-instance | 0.5.0 |
| tre-workspace-service-gitea | 0.7.0 |
| tre-service-guacamole | 0.7.0 |
| tre-service-guacamole-export-reviewvm | 0.1.0 |
| tre-service-guacamole-import-reviewvm | 0.2.0 |
| tre-service-guacamole-linuxvm | 0.6.1 |
| tre-service-guacamole-windowsvm | 0.6.0 |
| tre-workspace-service-health | 0.1.0 |
| tre-service-innereye | 0.5.0 |
| tre-service-mlflow | 0.6.0 |
| tre-workspace-service-mysql | 0.3.1 |
| tre-workspace-airlock-import-review | 0.6.0 |
| tre-workspace-base | 0.8.1 |
| tre-workspace-unrestricted | 0.6.0 |
BREAKING CHANGES & MIGRATIONS:
- The airlock request object has changed. Make sure you have ran the DB migration step after deploying the new API image and UI (which runs automatically in
make all/make tre-deploybut can be manually invoked withmake db-migrate) so that existing requests in your DB are migrated to the new model. - Also the model for creating new airlock requests with the API has changed slightly; this is updated in the UI and CLI but if you have written custom tools ensure you POST to
/requestswith the following model:
{
"type": "'import' or 'export'",
"title": "a request title",
"businessJustification": "some business justification"
}- Fields in AirlockNotification event have changed without backward compatibility. If Airlock Notifier shared service is deployed, it needs to be re-deployed. Any other consumers of AirlockNotification event need to be updated. For more details, see #2798
FEATURES:
- Display workspace and shared services total costs for admin role in UI #2738
- Automatically validate all resources have tre_id tag via TFLint #2774
- Add metadata endpoint and simplify
treCLI login (also adds API version to UI) (#2794) - Support workspaces with multiple address spaces #2808
- Updated resource card in UI with visual improvements, disabled state badge and resource ID in info popout (#2846)
- Add health information for backend services to UI info popout in footer (#2846)
ENHANCEMENTS:
- Renamed several airlock fields to make them more descriptive and added a createdBy field. Included migration for backwards compatibility #2779
- Show error message when Review VMs are not configured in the current workspace
- CLI: Add missing endpoints and minor bug fixes (#2784)
- Airlock Notifier: Provide a link to request in the UI in the email (#2754)
- Add additional fields for Airlock Notification event (#2798)
- Fail firewall database migration if there's no firewall deployed (#2792)
- Added optional parameter to allow a client to retrieve a template by name and version (#2802)
- Added support for
allOfusage in Resource Templates - both across the API and the UI. This allows a template author to specify certain fields as being conditionally present / conditionally required, and means we can tidy up some of the resource creation forms substantially (#2795). - As part of the above change, the
auto_createstring passed to theclient_idfield in each Workspace template has now moved to anauth_typeenum field, where the user can select the authentication type from a dropdown. - Adds extra dns zones and links into core network (#2828).
- Add UI version to its footer card (#2849).
- Use
log_category_typesinazurerm_monitor_diagnostic_categoriesto remove deprecation warning (#2855). - Gitea workspace bundle has a number of updates as detailed in PR (#2862).
BUG FIXES:
- Show the correct createdBy value for airlock requests in UI and in API queries (#2779)
- Fix deployment of Airlock Notifier (#2745)
- Fix Nexus bootstrapping firewall race condition (#2811)
- Handle unsupported azure subscriptions in cost reporting (#2823)
- Redact secrets in conditional or nested properties (#2854)
- Fix missing ID parameter in Certs bundle (#2841)
- Fix ML Flow deployment issues and update version (#2865)
- Handle 429 TooManyRequests and 503 ServiceUnavailable which might return from Azure Cost Management in TRE Cost API (#2835)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.2 |
| core | 0.4.43 |
| tre-workspace-base | 0.5.1 |
| tre-workspace-unrestricted | 0.5.0 |
| tre-workspace-airlock-import-review | 0.5.0 |
| tre-service-mlflow | 0.4.0 |
| tre-service-innereye | 0.4.0 |
| tre-workspace-service-gitea | 0.6.0 |
| tre-workspace-service-mysql | 0.2.0 |
| tre-service-guacamole-linuxvm | 0.5.2 |
| tre-service-guacamole-export-reviewvm | 0.0.6 |
| tre-service-guacamole-windowsvm | 0.5.2 |
| tre-service-guacamole-import-reviewvm | 0.1.3 |
| tre-service-guacamole | 0.5.0 |
| tre-user-resource-aml-compute-instance | 0.4.1 |
| tre-service-azureml | 0.5.6 |
| tre-shared-service-cyclecloud | 0.3.0 |
| tre-shared-service-gitea | 0.4.0 |
| tre-shared-service-airlock-notifier | 0.2.3 |
| tre-shared-service-admin-vm | 0.2.0 |
| tre-shared-service-certs | 0.2.2 |
| tre-shared-service-sonatype-nexus | 2.2.3 |
| tre-shared-service-firewall | 0.6.2 |
FEATURES:
- Added filtering and sorting to Airlock UI (#2511)
- Added title field to Airlock requests (#2503)
- New Create Review VM functionality for Airlock Reviews (#2738 & #2737)
ENHANCEMENTS:
- Add cran support to nexus, open port 80 for the workspace nsg and update the firewall config to allow let's encrypt CRLs (#2694)
- Upgrade GitHub Actions versions (#2731)
- Install TRE CLI inside the devcontainer image (rather than via a post-create step) (#2757)
- Upgrade Terraform to 1.3.2 (#2758)
treCLI: addedrawoutput option, improvedairlock-requestshandling, more consistent exit codes on error, added examples to CLI README.md
BUG FIXES:
- Pin Porter's plugin/mixin versions used (#2762)
- Fix issues with AML workspace service deployment (#2768)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.2 |
| core | 0.4.37 |
| tre-workspace-base | 0.4.2 |
| tre-workspace-unrestricted | 0.2.0 |
| tre-workspace-airlock-import-review | 0.4.0 |
| tre-service-mlflow | 0.4.0 |
| tre-service-innereye | 0.4.0 |
| tre-workspace-service-gitea | 0.5.0 |
| tre-workspace-service-mysql | 0.2.0 |
| tre-service-guacamole-linuxvm | 0.5.2 |
| tre-service-guacamole-export-reviewvm | 0.0.6 |
| tre-service-guacamole-windowsvm | 0.5.2 |
| tre-service-guacamole-import-reviewvm | 0.1.3 |
| tre-service-guacamole | 0.5.0 |
| tre-user-resource-aml-compute-instance | 0.4.1 |
| tre-service-azureml | 0.5.6 |
| tre-shared-service-cyclecloud | 0.3.0 |
| tre-shared-service-gitea | 0.4.0 |
| tre-shared-service-airlock-notifier | 0.2.2 |
| tre-shared-service-admin-vm | 0.2.0 |
| tre-shared-service-certs | 0.2.0 |
| tre-shared-service-sonatype-nexus | 2.2.2 |
| tre-shared-service-firewall | 0.6.1 |
BUG FIXES:
- Fix shared service 409 installation issue when in status other than deployed (#2725)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.2 |
| core | 0.4.36 |
| tre-workspace-base | 0.4.0 |
| tre-workspace-unrestricted | 0.2.0 |
| tre-workspace-airlock-import-review | 0.4.0 |
| tre-service-mlflow | 0.4.0 |
| tre-service-innereye | 0.4.0 |
| tre-workspace-service-gitea | 0.5.0 |
| tre-workspace-service-mysql | 0.2.0 |
| tre-service-guacamole-linuxvm | 0.5.1 |
| tre-service-guacamole-export-reviewvm | 0.0.4 |
| tre-service-guacamole-windowsvm | 0.5.1 |
| tre-service-guacamole-import-reviewvm | 0.1.1 |
| tre-service-guacamole | 0.5.0 |
| tre-user-resource-aml-compute-instance | 0.4.1 |
| tre-service-azureml | 0.5.1 |
| tre-shared-service-cyclecloud | 0.3.0 |
| tre-shared-service-gitea | 0.4.0 |
| tre-shared-service-airlock-notifier | 0.2.0 |
| tre-shared-service-admin-vm | 0.2.0 |
| tre-shared-service-certs | 0.2.0 |
| tre-shared-service-sonatype-nexus | 2.2.0 |
| tre-shared-service-firewall | 0.6.1 |
BREAKING CHANGES & MIGRATIONS:
- GitHub Actions deployments use a single ACR instead of two. GitHub secrets might need updating, see PR for details. (#2654)
- Align GitHub Action secret names. Existing GitHub environments must be updated, see PR for details. (#2655)
- Add workspace creator as an owner of the workspace enterprise application (#2627). Migration if the
AUTO_WORKSPACE_APP_REGISTRATIONis set, theDirectory.Read.AllMS Graph API permission permission needs granting to the Application Registration identified byAPPLICATION_ADMIN_CLIENT_ID. - Add support for setting AppService plan SKU in GitHub Actions. Previous environment variable names of
API_APP_SERVICE_PLAN_SKU_SIZEandAPP_SERVICE_PLAN_SKUhave been renamed toCORE_APP_SERVICE_PLAN_SKUandWORKSPACE_APP_SERVICE_PLAN_SKU(#2684) - Reworked how status update messages are handled by the API, to enforce ordering and run the queue subscription in a dedicated thread. Since sessions are now enabled for the status update queue, a
tre-deployis required, which will re-create the queue. (#2700) - Guacamole user-resource templates have been updated. VM SKU and image details are now specified in
porter.yaml. SeeREADME.mdin the guacamoleuser-resourcesfolder for details. deploy_shared_services.shnow uses thetreCLI. Ensure that your CI/CD environment installs the CLI ((cd cli && make install-cli))- UI: Moved from React Context API to React-Redux (with Redux Toolkit) to manage the global operations (notifications) state
FEATURES:
- Add Import Review Workspace (#2498)
- Restrict resource templates to specific roles (#2600)
- Import review user resource template (#2601)
- Export review user resource template (#2602)
- Airlock Manager can use user resources (#2499)
- Users only see templates they are authorized to use (#2640)
- Guacamole user-resource templates now have support for custom VM images from image galleries (#2634)
- Add initial
treCLI (2537)
ENHANCEMENTS:
- Cancelling an Airlock request triggers deletion of the request container and files (#2584)
- Airlock requests with status "blocked_by_scan" have the reason for being blocked by the malware scanner in the status_message field (#2666)
- Move admin-vm from core to a shared service (#2624)
- Remove obsolete docker environment variables (#2675)
- Using Porter's Terraform mixin 1.0.0-rc.1 where mirror in done internally (#2677)
- Airlock function internal storage is accessed with private endpoints (#2679)
BUG FIXES:
- Resource processor error on deploying user-resource: TypeError: 'NoneType' object is not iterable (#2569)
- Update Porter and Terraform mixin versions (#2639)
- Airlock Manager should have permissions to get SAS token (#2502)
- Terraform unmarshal errors in
migrate.sh(#2673)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.2 |
| core | 0.4.36 |
| porter-hello | 0.1.0 |
| tre-workspace-base | 0.4.0 |
| tre-workspace-unrestricted | 0.2.0 |
| tre-workspace-airlock-import-review | 0.4.0 |
| tre-service-mlflow | 0.4.0 |
| tre-service-innereye | 0.4.0 |
| tre-workspace-service-gitea | 0.5.0 |
| tre-workspace-service-mysql | 0.2.0 |
| tre-service-guacamole-linuxvm | 0.5.1 |
| tre-service-guacamole-export-reviewvm | 0.0.4 |
| tre-service-guacamole-windowsvm | 0.5.1 |
| tre-service-guacamole-import-reviewvm | 0.1.1 |
| tre-service-guacamole | 0.5.0 |
| tre-user-resource-aml-compute-instance | 0.4.1 |
| tre-service-azureml | 0.5.1 |
| tre-shared-service-cyclecloud | 0.3.0 |
| tre-shared-service-gitea | 0.4.0 |
| tre-shared-service-airlock-notifier | 0.2.0 |
| tre-shared-service-admin-vm | 0.2.0 |
| tre-shared-service-certs | 0.2.0 |
| tre-shared-service-sonatype-nexus | 2.2.0 |
| tre-shared-service-firewall | 0.6.1 |
BREAKING CHANGES & MIGRATIONS:
FEATURES:
ENHANCEMENTS:
- Adding Log Analytics & Antimalware VM extensions (#2520)
- Block anonymous access to 2 storage accounts (#2524)
- Gitea shared service support app-service standard SKUs (#2523)
- Keyvault diagnostic settings in base workspace (#2521)
- Airlock requests contain a field with information about the files that were submitted (#2504)
- UI - Operations and notifications stability improvements ([#2530)
- UI - Initial implementation of Workspace Airlock Request View (#2512)
- Add ability to automatically create Azure AD groups for each application role. Requires API version 0.4.30 or later (#2532)
- Add
is_exposed_externallyoption to Azure ML Workspace Service (#2548) - Azure ML workspace service assigns Azure ML Data Scientist role to Workspace Researchers (#2539)
- UI is deployed by default (#2554)
- Remove manual/makefile option to install Gitea/Nexus (#2573)
- Exact Terraform provider versions in bundles (#2579)
- Stabilize E2E tests by issuing the access token prior using it, hence, reducing the change of expired token (#2572)
BUG FIXES:
- API health check is also returned by accessing the root path at / (#2469)
- Temporary disable AppInsight's private endpoint in base workspace (#2543)
- Resource Processor execution optimization (
porter show) for long-standing services (#2542) - Move AML Compute deployment to use AzApi Terraform Provider (#2555)
- Invalid token exceptions in the API app are caught, throwing 401 instead of 500 Internal server error (#2572)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.0 |
| core | 0.4.23 |
| tre-workspace-base | 0.3.28 |
| tre-workspace-unrestricted | 0.1.9 |
| tre-service-mlflow | 0.3.7 |
| tre-service-innereye | 0.3.5 |
| tre-workspace-service-gitea | 0.3.8 |
| tre-workspace-service-mysql | 0.1.2 |
| tre-service-guacamole-linuxvm | 0.4.14 |
| tre-service-guacamole-windowsvm | 0.4.8 |
| tre-service-guacamole | 0.4.5 |
| tre-user-resource-aml-compute-instance | 0.3.2 |
| tre-service-azureml | 0.4.8 |
| tre-shared-service-cyclecloud | 0.2.6 |
| tre-shared-service-gitea | 0.3.14 |
| tre-shared-service-airlock-notifier | 0.1.2 |
| tre-shared-service-certs | 0.1.3 |
| tre-shared-service-sonatype-nexus | 2.1.6 |
| tre-shared-service-firewall | 0.4.3 |
BREAKING CHANGES & MIGRATIONS:
- API identity is only assigned Virtual Machine Contributor on the workspace level (#2398). Review the PR for migration steps.
FEATURES:
- MySQL workspace service (#2476)
ENHANCEMENTS:
- 'CreationTime' field was added to Airlock requests (#2432)
- Bundles mirror Terraform plugins when built (#2446)
- 'Get all Airlock requests' endpoint supports filtering (#2433)
- API uses user delegation key when generating SAS token for airlock requests (#2460)
- Longer docker caching in Resource Processor (#2486)
- Remove AppInsights Profiler support in base workspace bundle and deploy with native Terraform resources (#2478)
BUG FIXES:
- Azure monitor resourced provided by Terraform and don't allow ingestion over internet (#2375)
- Enable route table on the Airlock Processor subnet (#2414)
- Support for Standard app service plan SKUs (#2415)
- Fix Azure ML Workspace deletion (#2452)
- Get all pages in MS Graph queries (#2492)
COMPONENTS:
| name | version |
|---|---|
| devops | 0.4.0 |
| core | 0.4.18 |
| tre-workspace-base | 0.3.25 |
| tre-service-mlflow | 0.3.5 |
| tre-service-innereye | 0.3.3 |
| tre-workspace-service-gitea | 0.3.6 |
| tre-workspace-service-mysql | 0.1.0 |
| tre-service-guacamole-linuxvm | 0.4.11 |
| tre-service-guacamole-windowsvm | 0.4.4 |
| tre-service-guacamole | 0.4.3 |
| tre-user-resource-aml-compute-instance | 0.3.1 |
| tre-service-azureml | 0.4.3 |
| tre-shared-service-cyclecloud | 0.2.4 |
| tre-shared-service-gitea | 0.3.11 |
| tre-shared-service-airlock-notifier | 0.1.0 |
| tre-shared-service-certs | 0.1.2 |
| tre-shared-service-sonatype-nexus | 2.1.4 |
| tre-shared-service-firewall | 0.4.2 |
| tre-shared-service-nexus | 0.3.6 |
BREAKING CHANGES & MIGRATIONS:
- Guacamole workspace service configures firewall requirements with deployment pipeline (#2371). Migration is manual - update the templateVersion of
tre-shared-service-firewallin Cosmos to0.4.0in order to use this capability. - Workspace now has an AirlockManager role that has the permissions to review airlock requests (#2349).
FEATURES:
ENHANCEMENTS:
- Guacamole logs are sent to Application Insights (#2376)
make tre-start/stoprun in parallel which saves ~5 minutes (#2394)- Airlock requests that fail move to status "Failed" (#2268)
BUG FIXES:
- Airlock processor creates SAS tokens with user delegated key (#2382)
- Script updates to work with deployment repo structure (#2385)
FEATURES:
- Cost reporting APIs
- Airlock - data import/export
- UI
- Nexus v2 to support Docker repositories
- Auto create application registration when creating a base workspace
- Centrally manage the firewall share service state to enable other services to ask for rule changes
Many more enhancements are listed on the release page