Disable local authentication between Airlock Processor and Azure Serv…

…ice Bus in Function Binding (#4277) * Support managed identity authentication in azure function binding between airlock and service bus queue * Disable service bus local authentication
microsoft · Feb 8, 2025 · 133746a · 133746a
1 parent a73cf2f
commit 133746a
Show file tree

Hide file tree

Showing 13 changed files with 49 additions and 22 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -34,13 +34,15 @@ ENHANCEMENTS:
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
+* Disable local authentication in ServiceBus ([#4259](https://github.com/microsoft/AzureTRE/issues/4259))
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
 * Downgrade certs shared service App Gateway to Basic SKU ([#4300](https://github.com/microsoft/AzureTRE/issues/4300))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
 * Disable local authentication in EventGrid ([#4254](https://github.com/microsoft/AzureTRE/issues/4254))
 
+
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
 * Template images are showing CVEs ([#4153](https://github.com/microsoft/AzureTRE/issues/4153))

diff --git a/airlock_processor/BlobCreatedTrigger/function.json b/airlock_processor/BlobCreatedTrigger/function.json
@@ -8,7 +8,9 @@
       "direction": "in",
       "topicName": "%BLOB_CREATED_TOPIC_NAME%",
       "subscriptionName": "%TOPIC_SUBSCRIPTION_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     },
     {
       "type": "eventGrid",

diff --git a/airlock_processor/DataDeletionTrigger/function.json b/airlock_processor/DataDeletionTrigger/function.json
@@ -7,7 +7,9 @@
       "type": "serviceBusTrigger",
       "direction": "in",
       "queueName": "%AIRLOCK_DATA_DELETION_QUEUE_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     }
   ]
 }
diff --git a/airlock_processor/ScanResultTrigger/function.json b/airlock_processor/ScanResultTrigger/function.json
@@ -7,7 +7,9 @@
       "type": "serviceBusTrigger",
       "direction": "in",
       "queueName": "%AIRLOCK_SCAN_RESULT_QUEUE_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     },
     {
       "type": "eventGrid",

diff --git a/airlock_processor/StatusChangedQueueTrigger/function.json b/airlock_processor/StatusChangedQueueTrigger/function.json
@@ -6,7 +6,9 @@
       "type": "serviceBusTrigger",
       "direction": "in",
       "queueName": "%AIRLOCK_STATUS_CHANGED_QUEUE_NAME%",
-      "connection": "SB_CONNECTION_STRING"
+      "connection": "%SERVICEBUS_CONNECTION_NAME%",
+      "accessRights": "listen",
+      "autoComplete": true
     },
     {
       "type": "eventGrid",

diff --git a/airlock_processor/_version.py b/airlock_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.1"
+__version__ = "0.8.2"
diff --git a/airlock_processor/host.json b/airlock_processor/host.json
@@ -8,7 +8,7 @@
       }
     }
   },
-  "extensionBundle": {
+"extensionBundle": {
     "id": "Microsoft.Azure.Functions.ExtensionBundle",
     "version": "[4.0.0, 5.0.0)"
   }

diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -66,21 +66,32 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
   }
 
   app_settings = {
-    "SB_CONNECTION_STRING"                = var.airlock_servicebus.default_primary_connection_string
-    "BLOB_CREATED_TOPIC_NAME"             = azurerm_servicebus_topic.blob_created.name
-    "TOPIC_SUBSCRIPTION_NAME"             = azurerm_servicebus_subscription.airlock_processor.name
-    "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = false
-    "AIRLOCK_STATUS_CHANGED_QUEUE_NAME"   = local.status_changed_queue_name
-    "AIRLOCK_SCAN_RESULT_QUEUE_NAME"      = local.scan_result_queue_name
-    "AIRLOCK_DATA_DELETION_QUEUE_NAME"    = local.data_deletion_queue_name
-    "ENABLE_MALWARE_SCANNING"             = var.enable_malware_scanning
-    "ARM_ENVIRONMENT"                     = var.arm_environment
-    "MANAGED_IDENTITY_CLIENT_ID"          = azurerm_user_assigned_identity.airlock_id.client_id
-    "TRE_ID"                              = var.tre_id
-    "WEBSITE_CONTENTOVERVNET"             = 1
-    "STORAGE_ENDPOINT_SUFFIX"             = module.terraform_azurerm_environment_configuration.storage_suffix
-    "AzureWebJobsStorage__clientId"       = azurerm_user_assigned_identity.airlock_id.client_id
-    "AzureWebJobsStorage__credential"     = "managedidentity"
+    "SERVICEBUS_CONNECTION_NAME"                              = local.servicebus_connection
+    "${local.servicebus_connection}__tenantId"                = azurerm_user_assigned_identity.airlock_id.tenant_id
+    "${local.servicebus_connection}__clientId"                = azurerm_user_assigned_identity.airlock_id.client_id
+    "${local.servicebus_connection}__credential"              = "managedidentity"
+    "${local.servicebus_connection}__fullyQualifiedNamespace" = var.airlock_servicebus_fqdn
+
+    "BLOB_CREATED_TOPIC_NAME"                    = azurerm_servicebus_topic.blob_created.name
+    "TOPIC_SUBSCRIPTION_NAME"                    = azurerm_servicebus_subscription.airlock_processor.name
+    "EVENT_GRID_STEP_RESULT_TOPIC_URI_SETTING"   = azurerm_eventgrid_topic.step_result.endpoint
+    "EVENT_GRID_STEP_RESULT_TOPIC_KEY_SETTING"   = azurerm_eventgrid_topic.step_result.primary_access_key
+    "EVENT_GRID_DATA_DELETION_TOPIC_URI_SETTING" = azurerm_eventgrid_topic.data_deletion.endpoint
+    "EVENT_GRID_DATA_DELETION_TOPIC_KEY_SETTING" = azurerm_eventgrid_topic.data_deletion.primary_access_key
+    "WEBSITES_ENABLE_APP_SERVICE_STORAGE"        = false
+    "AIRLOCK_STATUS_CHANGED_QUEUE_NAME"          = local.status_changed_queue_name
+    "AIRLOCK_SCAN_RESULT_QUEUE_NAME"             = local.scan_result_queue_name
+    "AIRLOCK_DATA_DELETION_QUEUE_NAME"           = local.data_deletion_queue_name
+    "ENABLE_MALWARE_SCANNING"                    = var.enable_malware_scanning
+    "ARM_ENVIRONMENT"                            = var.arm_environment
+    "MANAGED_IDENTITY_CLIENT_ID"                 = azurerm_user_assigned_identity.airlock_id.client_id
+    "TRE_ID"                                     = var.tre_id
+    "WEBSITE_CONTENTOVERVNET"                    = 1
+    "STORAGE_ENDPOINT_SUFFIX"                    = module.terraform_azurerm_environment_configuration.storage_suffix
+
+    "TOPIC_SUBSCRIPTION_NAME"         = azurerm_servicebus_subscription.airlock_processor.name
+    "AzureWebJobsStorage__clientId"   = azurerm_user_assigned_identity.airlock_id.client_id
+    "AzureWebJobsStorage__credential" = "managedidentity"
 
     "EVENT_GRID_STEP_RESULT_CONNECTION"                           = local.step_result_eventgrid_connection
     "${local.step_result_eventgrid_connection}__topicEndpointUri" = azurerm_eventgrid_topic.step_result.endpoint

diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
@@ -61,6 +61,7 @@ locals {
     azurerm_storage_account.sa_export_approved.id
   ]
 
+  servicebus_connection              = "SERVICEBUS_CONNECTION"
   step_result_eventgrid_connection   = "EVENT_GRID_STEP_RESULT_CONNECTION"
   data_deletion_eventgrid_connection = "EVENT_GRID_DATA_DELETION_CONNECTION"
 }
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
@@ -62,6 +62,9 @@ variable "airlock_servicebus" {
     default_primary_connection_string = string
   })
 }
+variable "airlock_servicebus_fqdn" {
+  type = string
+}
 variable "tre_core_tags" {
   type = map(string)
 }

diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -132,6 +132,7 @@ module "airlock_resources" {
   airlock_app_service_plan_sku          = var.core_app_service_plan_sku
   airlock_processor_subnet_id           = module.network.airlock_processor_subnet_id
   airlock_servicebus                    = azurerm_servicebus_namespace.sb
+  airlock_servicebus_fqdn               = azurerm_servicebus_namespace.sb.endpoint
   applicationinsights_connection_string = module.azure_monitor.app_insights_connection_string
   enable_malware_scanning               = var.enable_airlock_malware_scanning
   arm_environment                       = var.arm_environment

diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
@@ -5,6 +5,7 @@ resource "azurerm_servicebus_namespace" "sb" {
   sku                          = "Premium"
   premium_messaging_partitions = "1"
   capacity                     = "1"
+  local_auth_enabled           = false
   tags                         = local.tre_core_tags
 
   # Block public access

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.22"
+__version__ = "0.11.23"