From 0ec539a88b83ea6e02a1eb53f66fe8f5c2f41e7e Mon Sep 17 00:00:00 2001
From: Jonny Rylands <jonnyry@users.noreply.github.com>
Date: Tue, 25 Feb 2025 10:44:23 +0000
Subject: [PATCH] Set `stairlockp` Airlock Processor storage account firewall
 to "Enabled from selected virtual networks and IP addresses" (#4400)

---
 CHANGELOG.md                                | 1 +
 core/terraform/airlock/airlock_processor.tf | 6 ++++++
 core/version.txt                            | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0f8aab111..3b5da97ea 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ ENHANCEMENTS:
 * Migrate UI to Vite build engine and update dependencies ([#4368](https://github.com/microsoft/AzureTRE/pull/4368))
 * Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
 * Update TLS to the latest version for web apps / function apps ([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+* Set `stairlockp` Airlock Processor storage account firewall to "Enabled from selected virtual networks and IP addresses" ([#4386](https://github.com/microsoft/AzureTRE/issues/4386))
 
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index d293927ea..bd7bfd253 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -22,8 +22,14 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   cross_tenant_replication_enabled = false
   local_user_enabled               = false
   shared_access_key_enabled        = false
+  public_network_access_enabled    = true
   tags                             = var.tre_core_tags
 
+  network_rules {
+    default_action = var.enable_local_debugging ? "Allow" : "Deny"
+    bypass         = ["AzureServices"]
+  }
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
diff --git a/core/version.txt b/core/version.txt
index 6dd4954d0..8e377d6b3 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.12.4"
+__version__ = "0.12.5"