Merge branch 'core-network-subnets-change' of https://github.com/micr…

…osoft/AzureTRE into test-core-subnets-refactor
microsoft · Feb 9, 2025 · 4e1bdf2 · 4e1bdf2
2 parents 0f648af + a624f15
commit 4e1bdf2
Show file tree

Hide file tree

Showing 10 changed files with 130 additions and 96 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,19 @@
 <!-- markdownlint-disable MD041 -->
-## 0.20.0 (Unreleased)
+## 0.21.0 (Unreleased)
 
 **BREAKING CHANGES & MIGRATIONS**:
-* InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these worksapce services they can be retrieved from release 0.19.1. ([#4127](https://github.com/microsoft/AzureTRE/issues/4127))
-* This released removed support for Porter v0.*. If you're upgrading from a much earlier verion you can't go directly to this one. ([#4228](https://github.com/microsoft/AzureTRE/issues/4228))
+
+ENHANCEMENTS:
+
+BUG FIXES:
+
+COMPONENTS:
+
+## 0.20.0 (Feburary 9, 2025)
+
+**BREAKING CHANGES & MIGRATIONS**:
+* InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these workspace services they can be retrieved from release 0.19.1. ([#4127](https://github.com/microsoft/AzureTRE/issues/4127))
+* This release removed support for Porter v0.*. If you're upgrading from a much earlier version you can't go directly to this one. ([#4228](https://github.com/microsoft/AzureTRE/issues/4228))
 
 FEATURES:
 * Add support for customer-managed keys encryption. Core support ([#4141](https://github.com/microsoft/AzureTRE/issues/4142), [#4144](https://github.com/microsoft/AzureTRE/issues/4144)), Base workspace ([#4161](https://github.com/microsoft/AzureTRE/pull/4161)), other templates ([#4145](https://github.com/microsoft/AzureTRE/issues/4145))
@@ -55,7 +65,7 @@ BUG FIXES:
 * Fix failing tests, .env missing and storage logs ([#4207](https://github.com/microsoft/AzureTRE/issues/4207))
 * Unable to delete virtual machines, add skip_shutdown_and_force_delete = true ([#4135](https://github.com/microsoft/AzureTRE/issues/4135))
 * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212))
-* Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
+* Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitigate storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
@@ -67,6 +77,37 @@ BUG FIXES:
 
 COMPONENTS:
 
+| name | version |
+| ----- | ----- |
+| devops | 0.5.5 |
+| core | 0.11.23 |
+| ui | 0.6.3 |
+| tre-shared-service-databricks-private-auth | 0.1.11 |
+| tre-shared-service-gitea | 1.1.4 |
+| tre-shared-service-sonatype-nexus | 3.3.2 |
+| tre-shared-service-firewall | 1.3.0 |
+| tre-shared-service-admin-vm | 0.5.2 |
+| tre-shared-service-certs | 0.7.3 |
+| tre-shared-service-airlock-notifier | 1.0.8 |
+| tre-shared-service-cyclecloud | 0.7.2 |
+| tre-workspace-airlock-import-review | 0.14.2 |
+| tre-workspace-base | 1.9.2 |
+| tre-workspace-unrestricted | 0.13.2 |
+| tre-workspace-service-gitea | 1.2.2 |
+| tre-workspace-service-mysql | 1.0.9 |
+| tre-workspace-service-health | 0.2.11 |
+| tre-workspace-service-openai | 1.0.6 |
+| tre-service-azureml | 0.9.2 |
+| tre-user-resource-aml-compute-instance | 0.5.11 |
+| tre-service-databricks | 1.0.10 |
+| tre-workspace-service-azuresql | 1.0.15 |
+| tre-service-guacamole | 0.12.7 |
+| tre-service-guacamole-export-reviewvm | 0.2.2 |
+| tre-service-guacamole-linuxvm | 1.2.4 |
+| tre-service-guacamole-import-reviewvm | 0.3.2 |
+| tre-service-guacamole-windowsvm | 1.2.6 |
+| tre-workspace-service-ohdsi | 0.3.2 |
+
 ## 0.19.1
 
 **BREAKING CHANGES & MIGRATIONS**:
@@ -82,6 +123,7 @@ BUG FIXES:
 * Workspace creation blocked due to Azure API depreciation ([#4095](https://github.com/microsoft/AzureTRE/issues/4095))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.2 |
@@ -140,6 +182,7 @@ BUG FIXES:
 * Update .NET version on Linux VMs ([#4067](https://github.com/microsoft/AzureTRE/issues/4067))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -203,6 +246,7 @@ BUG FIXES:
 * Add lifecycle rule to the Gitea Shared Service template for the MySQL resource to stop it recreating on `update` ([#4006](https://github.com/microsoft/AzureTRE/issues/4006))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -257,6 +301,7 @@ BUG FIXES:
 * Fix issue with firewall failing to deploy on a new TRE deploy ([#3775](https://github.com/microsoft/AzureTRE/issues/3775))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -306,6 +351,7 @@ BUG FIXES:
 * Airlock Import Review workspace uses dedicated DNS zone to prevent conflict with core ([#3767](https://github.com/microsoft/AzureTRE/pull/3767))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -348,6 +394,7 @@ BUG FIXES:
 * Fix workspace not loading fails if operation or history roles are not loaded  ([#3755](https://github.com/microsoft/AzureTRE/issues/3755))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -386,6 +433,7 @@ BUG FIXES:
 * SecuredByRole failing if roles are null ([#3740](https://github.com/microsoft/AzureTRE/issues/3740  ))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -435,6 +483,7 @@ BUG FIXES:
 * Fix issue with cost tags not displaying correctly for some user roles ([#3721](https://github.com/microsoft/AzureTRE/issues/3721))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -471,6 +520,7 @@ BUG FIXES:
 * Fix firewall config related to Nexus so that `pypi.org` is added to the allow-list  ([#3694](https://github.com/microsoft/AzureTRE/issues/3694))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -520,6 +570,7 @@ BUG FIXES:
 * Added missing region entries in `databricks-udr.json` ([[#3688](https://github.com/microsoft/AzureTRE/pull/3688))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -559,6 +610,7 @@ BUG FIXES:
 * Upgrade airlock and unrestricted workspaces to base workspace version 0.12.0 ([#3659](https://github.com/microsoft/AzureTRE/pull/3659))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -618,6 +670,7 @@ BUG FIXES:
 
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -659,6 +712,7 @@ BUG FIXES:
 * Nexus fails to install due to `az login` and firewall rules ([#3453](https://github.com/microsoft/AzureTRE/issues/3453))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -861,6 +915,7 @@ BUG FIXES:
 * Fix KeyVault purge error on MLFlow uninstall ([#3082](https://github.com/microsoft/AzureTRE/pull/3082))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.4 |
@@ -937,6 +992,7 @@ BUG FIXES:
 * Handle 429 TooManyRequests and 503 ServiceUnavailable which might return from Azure Cost Management in TRE Cost API ([#2835](https://github.com/microsoft/AzureTRE/issues/2835))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.2 |
@@ -984,6 +1040,7 @@ BUG FIXES:
 * Fix issues with AML workspace service deployment ([#2768](https://github.com/microsoft/AzureTRE/pull/2768))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.2 |

diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf
@@ -6,7 +6,7 @@ resource "azurerm_cosmosdb_account" "mongo" {
   kind                       = "MongoDB"
   automatic_failover_enabled = false
   mongo_server_version       = 4.2
-  ip_range_filter            = toset(var.enable_local_debugging ? concat(split(",", local.azure_portal_cosmos_ips), [local.myip]) : split(",", local.azure_portal_cosmos_ips))
+  ip_range_filter            = local.cosmos_ip_filter_set
 
   capabilities {
     name = "EnableServerless"

diff --git a/core/terraform/locals.tf b/core/terraform/locals.tf
@@ -14,7 +14,20 @@ locals {
   docker_registry_server = data.azurerm_container_registry.mgmt_acr.login_server
 
   # https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
-  azure_portal_cosmos_ips = "104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26"
+
+  azure_portal_cosmos_ips_list = [
+    "104.42.195.92",
+    "40.76.54.131",
+    "52.176.6.30",
+    "52.169.50.45",
+    "52.187.184.26"
+  ]
+
+  cosmos_ip_filter_set = toset(
+    var.enable_local_debugging
+    ? concat(local.azure_portal_cosmos_ips_list, [local.myip])
+    : local.azure_portal_cosmos_ips_list
+  )
 
   # we define some zones in core despite not used by the core infra because
   # it's the easier way to make them available to other services in the system.

diff --git a/core/terraform/migrate.sh b/core/terraform/migrate.sh
@@ -5,14 +5,25 @@ set -o pipefail
 set -o nounset
 # set -o xtrace
 
-# Configure AzureRM provider to user Azure AD to connect to storage accounts
+get_resource_id() {
+  local json_data="$1"
+  local resource_addr="$2"
+  echo "$json_data" | jq -r --arg addr "$resource_addr" '
+    def walk_resources:
+      (.resources[]?),
+      (.child_modules[]? | walk_resources);
+    .values.root_module | walk_resources | select(.address==$addr) | .values.id
+  '
+}
+
+# Configure AzureRM provider to use Azure AD to connect to storage accounts
 export ARM_STORAGE_USE_AZUREAD=true
 
-# Configure AzureRM backend to user Azure AD to connect to storage accounts
+# Configure AzureRM backend to use Azure AD to connect to storage accounts
 export ARM_USE_AZUREAD=true
 export ARM_USE_OIDC=true
 
-# This variables are loaded in for us
+# These variables are loaded in for us
 # shellcheck disable=SC2154
 terraform init -input=false -backend=true -reconfigure \
     -backend-config="resource_group_name=${TF_VAR_mgmt_resource_group_name}" \
@@ -24,30 +35,11 @@ echo "*** Migrating TF Resources... ***"
 
 terraform refresh
 
-# 1. Check we have a root_module in state
-# 2. Grab the Resource ID
-# 3. Delete the old resource from state
-# 4. Import the new resource type in using the existing Azure Resource ID
-
+# get TF state in JSON
 terraform_show_json=$(terraform show -json)
 
-# example migration
-# # azurerm_app_service_plan -> azurerm_service_plan
-# core_app_service_plan_id=$(echo "${terraform_show_json}" \
-#   | jq -r 'select(.values.root_module.resources != null) | .values.root_module.resources[] | select(.address=="azurerm_app_service_plan.core") | .values.id')
-# if [ -n "${core_app_service_plan_id}" ]; then
-#   echo "Migrating ${core_app_service_plan_id}"
-#   terraform state rm azurerm_app_service_plan.core
-#   if [[ $(az resource list --query "[?id=='${core_app_service_plan_id}'] | length(@)") == 0 ]];
-#   then
-#     echo "The resource doesn't exist on Azure. Skipping importing it back to state."
-#   else
-#     terraform import azurerm_service_plan.core "${core_app_service_plan_id}"
-#   fi
-# fi
-
-# List of NSG association resource addresses to remove.
-declare -a NSG_ASSOC_RESOURCES=(
+# List of resource addresses to remove.
+declare -a RESOURCES_TO_REMOVE=(
   "module.network.azurerm_subnet_network_security_group_association.bastion"
   "module.network.azurerm_subnet_network_security_group_association.app_gw"
   "module.network.azurerm_subnet_network_security_group_association.shared"
@@ -57,28 +49,6 @@ declare -a NSG_ASSOC_RESOURCES=(
   "module.network.azurerm_subnet_network_security_group_association.airlock_notification"
   "module.network.azurerm_subnet_network_security_group_association.airlock_storage"
   "module.network.azurerm_subnet_network_security_group_association.airlock_events"
-  "module.network.azurerm_subnet_network_security_group_association.firewall_management"
-)
-
-echo "*** Removing NSG Associations ***"
-
-for resource in "${NSG_ASSOC_RESOURCES[@]}"; do
-  resource_id=$(echo "${terraform_show_json}" | jq -r --arg addr "$resource" '
-    def walk_resources:
-      (.resources[]? ),
-      (.child_modules[]? | walk_resources);
-    .values.root_module | walk_resources | select(.address==$addr) | .values.id
-  ')
-
-  if [ -n "$resource_id" ] && [ "$resource_id" != "null" ]; then
-    echo "Removing NSG association: ${resource} (id: ${resource_id})"
-    terraform state rm "$resource"
-  else
-    echo "NSG association resource not found in state: ${resource}"
-  fi
-done
-
-declare -a old_subnet_resources=(
   "module.network.azurerm_subnet.bastion"
   "module.network.azurerm_subnet.azure_firewall"
   "module.network.azurerm_subnet.app_gw"
@@ -92,47 +62,36 @@ declare -a old_subnet_resources=(
   "module.network.azurerm_subnet.firewall_management"
 )
 
-echo "*** Removing Subnets ***"
+migration_is_needed=0
+for resource in "${RESOURCES_TO_REMOVE[@]}"; do
+  resource_id=$(get_resource_id "${terraform_show_json}" "$resource")
+  if [ -n "$resource_id" ] && [ "$resource_id" != "null" ]; then
+    migration_is_needed=1
+    break
+  fi
+done
 
-for resource in "${old_subnet_resources[@]}"; do
-  resource_id=$(echo "${terraform_show_json}" | jq -r --arg addr "$resource" '
-    def walk_resources:
-      (.resources[]? ),
-      (.child_modules[]? | walk_resources);
-    .values.root_module | walk_resources | select(.address==$addr) | .values.id
-  ')
+if [ "$migration_is_needed" -eq 0 ]; then
+  echo "No old resources found in the state, skipping migration."
+  exit 0
+fi
 
+# remove resources from state
+for resource in "${RESOURCES_TO_REMOVE[@]}"; do
+  resource_id=$(get_resource_id "${terraform_show_json}" "$resource")
   if [ -n "$resource_id" ] && [ "$resource_id" != "null" ]; then
-    echo "Removing subnet: ${resource} (id: ${resource_id})"
     terraform state rm "$resource"
   else
-    echo "Subnet resource not found in state: ${resource}"
+    echo "Resource that supposed to be removed not found in state: ${resource}"
   fi
 done
 
-echo "*** Removing VNet ***"
-
+# remove & import VNet
 vnet_address="module.network.azurerm_virtual_network.core"
-vnet_id=$(echo "${terraform_show_json}" | jq -r --arg addr "$vnet_address" '
-  def walk_resources:
-    (.values.root_module.resources[]?),
-    (.values.root_module.child_modules[]? | .resources[]?);
-  walk_resources | select(.address == $addr) | .values.id
-')
-
+vnet_id=$(get_resource_id "${terraform_show_json}" "$vnet_address" "vnet")
 if [ -n "${vnet_id}" ] && [ "${vnet_id}" != "null" ]; then
-  echo "Removing VNet from state: ${vnet_address} (ID: ${vnet_id})"
   terraform state rm "${vnet_address}"
-else
-  echo "VNet resource not found in state: ${vnet_address}"
-fi
-
-
-echo "*** Re-importing VNet ***"
-
-if [ -n "${vnet_id}" ] && [ "${vnet_id}" != "null" ]; then
-  echo "Importing VNet with ID: ${vnet_id} into new resource address: ${vnet_address}"
   terraform import "${vnet_address}" "${vnet_id}"
 else
-  echo "No VNet ID found; skipping re-import of VNet."
+  echo "VNet resource not found in state: ${vnet_address}"
 fi
diff --git a/core/terraform/network/locals.tf b/core/terraform/network/locals.tf
@@ -32,4 +32,6 @@ locals {
     "privatelink.queue.core.windows.net",
     "privatelink.table.core.windows.net"
   ])
+
+  subnet_ids_map = { for s in azurerm_virtual_network.core.subnet : s.name => s.id }
 }