diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1f5501078f..11b92d2d74 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ ENHANCEMENTS:
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
+* Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
@@ -54,7 +55,6 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
-* Fix dev container build failure on missing mount directories, add copilot extensions, and CI fixes ([#4290](https://github.com/microsoft/AzureTRE/pull/4290))
 
 COMPONENTS:
 
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index 80a6968e97..a95bf54eaa 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -21,9 +21,8 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 local_user_enabled = false
- # Function Host Storage doesn't seem to be able to use a User Managed ID, which is why we continue to use a key.
- shared_access_key_enabled = true
- tags = var.tre_core_tags
+ shared_access_key_enabled = false
+ tags = var.tre_core_tags
 
 dynamic "identity" {
 for_each = var.enable_cmk_encryption ? [1] : []
@@ -57,9 +56,7 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 ftp_publish_basic_authentication_enabled = false
 webdeploy_publish_basic_authentication_enabled = false
 storage_account_name = azurerm_storage_account.sa_airlock_processor_func_app.name
-
- # Function Host Storage doesn't seem to be able to use a User Managed ID, which is why we continue to use a key.
- storage_account_access_key = azurerm_storage_account.sa_airlock_processor_func_app.primary_access_key
+ storage_uses_managed_identity = true
 
 tags = var.tre_core_tags
 
@@ -86,6 +83,8 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
 "TRE_ID" = var.tre_id
 "WEBSITE_CONTENTOVERVNET" = 1
 "STORAGE_ENDPOINT_SUFFIX" = module.terraform_azurerm_environment_configuration.storage_suffix
+ "AzureWebJobsStorage__clientId" = azurerm_user_assigned_identity.airlock_id.client_id
+ "AzureWebJobsStorage__credential" = "managedidentity"
 }
 
 site_config {
diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
index 9711f19ab6..7f452ebdbb 100644
--- a/core/terraform/airlock/identity.tf
+++ b/core/terraform/airlock/identity.tf
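Review bot: `shared_access_key_enabled = false` on `sa_airlock_processor_func_app` turns off key-based auth for every consumer of this account, not only the `AzureWebJobsStorage` host connection that the later hunk moves to managed identity, so any other key-based dependency on the account needs confirming before this lands. The `"WEBSITE_CONTENTOVERVNET" = 1` setting in the third hunk suggests the app may use an Azure Files content share (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`), which is key-based and is not covered by `storage_uses_managed_identity`; whether that applies depends on the hosting plan, which is outside this hunk. A short comment on the new line would keep the next reader from re-enabling keys to "fix" a startup failure, e.g. `# Shared keys are disabled; the function host authenticates to this account with the airlock user-assigned identity (see storage_uses_managed_identity and the AzureWebJobsStorage__* app settings).` The `azurerm_storage_account` block continues past the end of this hunk.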
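Review bot: `AzureWebJobsStorage__clientId` only takes effect if the same user-assigned identity is attached to the function app's `identity` block, and nothing in this hunk ties the app's creation to the role assignments that grant it access, so a first deployment can bring the host up before RBAC has propagated and fail to start. The `azurerm_linux_function_app` resource begins and ends outside this hunk, so the identity block cannot be checked here; if it is not already present, adding `depends_on = [azurerm_role_assignment.function_host_storage]` to the resource makes the ordering explicit. The two app settings would also benefit from a one-line comment, e.g. `# Host storage uses identity-based auth; both settings are required for a user-assigned identity.`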
@@ -52,3 +52,11 @@ resource "azurerm_role_assignment" "api_sa_data_contributor" {
 role_definition_name = "Storage Blob Data Contributor"
 principal_id = var.api_principal_id
 }
+
+# Permissions needed for the Function Host to work correctly.
+resource "azurerm_role_assignment" "function_host_storage" {
+ for_each = toset(["Storage Account Contributor", "Storage Blob Data Owner", "Storage Queue Data Contributor"])
+ scope = azurerm_storage_account.sa_airlock_processor_func_app.id
+ role_definition_name = each.value
+ principal_id = azurerm_user_assigned_identity.airlock_id.principal_id
+}
diff --git a/core/version.txt b/core/version.txt
index 318bf6c824..a43ff2b5d7 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.19"
+__version__ = "0.11.20"
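Review bot: The comment `# Permissions needed for the Function Host to work correctly.` does not say why each of the three roles is needed, and `Storage Account Contributor` is a control-plane role that goes beyond data access — it allows changing the account's settings, including the shared-key toggle this change just turned off. If that role is required by the Functions runtime for identity-based host storage it should be stated, otherwise the data-plane roles alone would be the least-privilege set; I would replace the comment with one line per role, e.g. `# Storage Blob Data Owner / Storage Queue Data Contributor: data-plane access for the AzureWebJobsStorage host connection (blobs, queues); Storage Account Contributor: control-plane access the host expects — confirm it is still required before keeping it, since it also permits re-enabling shared keys.` The `scope` being the single host storage account is the right boundary and worth keeping as-is.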