Merge branch 'main' into marrobi/move-to-vite

CHANGELOG.md

@@ -14,9 +14,12 @@ ENHANCEMENTS:
 * Add bundle target to Makefile for handling different bundle types in single command ([#4372](https://github.com/microsoft/AzureTRE/issues/4372))
 * Migrate UI to Vite build engine and update dependencies ([#4368](https://github.com/microsoft/AzureTRE/pull/4368))
 * Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
+* Update TLS to the latest version for web apps / function apps (([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
 
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
+* Fix Cosmos DB local debugging configuration ([#4340](https://github.com/microsoft/AzureTRE/pull/4340))
 
 COMPONENTS:
 

api_app/_version.py

@@ -1 +1 @@
-__version__ = "0.21.0"
+__version__ = "0.21.1"

api_app/api/dependencies/database.py

@@ -1,7 +1,6 @@
 from azure.cosmos.aio import CosmosClient, DatabaseProxy, ContainerProxy
-from azure.mgmt.cosmosdb.aio import CosmosDBManagementClient
 
-from core.config import MANAGED_IDENTITY_CLIENT_ID, STATE_STORE_ENDPOINT, STATE_STORE_KEY, STATE_STORE_SSL_VERIFY, SUBSCRIPTION_ID, RESOURCE_MANAGER_ENDPOINT, CREDENTIAL_SCOPES, RESOURCE_GROUP_NAME, COSMOSDB_ACCOUNT_NAME, STATE_STORE_DATABASE
+from core.config import STATE_STORE_ENDPOINT, STATE_STORE_KEY, STATE_STORE_SSL_VERIFY, STATE_STORE_DATABASE
 from core.credentials import get_credential_async
 from services.logging import logger
 
@@ -27,53 +26,32 @@ def __init__(cls):
     async def _connect_to_db(cls) -> CosmosClient:
         logger.debug(f"Connecting to {STATE_STORE_ENDPOINT}")
 
-        credential = await get_credential_async()
-        if MANAGED_IDENTITY_CLIENT_ID:
-            logger.debug("Connecting with managed identity")
-            cosmos_client = CosmosClient(
-                url=STATE_STORE_ENDPOINT,
-                credential=credential
-            )
-        else:
+        if STATE_STORE_KEY:
             logger.debug("Connecting with key")
-            primary_master_key = await cls._get_store_key(credential)
-
             if STATE_STORE_SSL_VERIFY:
                 logger.debug("Connecting with SSL verification")
                 cosmos_client = CosmosClient(
                     url=STATE_STORE_ENDPOINT,
-                    credential=primary_master_key
+                    credential=STATE_STORE_KEY
                 )
             else:
                 logger.debug("Connecting without SSL verification")
                 # ignore TLS (setup is a pain) when using local Cosmos emulator.
                 cosmos_client = CosmosClient(
                     url=STATE_STORE_ENDPOINT,
-                    credential=primary_master_key,
+                    credential=STATE_STORE_KEY,
                     connection_verify=False
                 )
-        logger.debug("Connection established")
-        return cosmos_client
-
-    @classmethod
-    async def _get_store_key(cls, credential) -> str:
-        logger.debug("Getting store key")
-        if STATE_STORE_KEY:
-            primary_master_key = STATE_STORE_KEY
         else:
-            async with CosmosDBManagementClient(
-                credential,
-                subscription_id=SUBSCRIPTION_ID,
-                base_url=RESOURCE_MANAGER_ENDPOINT,
-                credential_scopes=CREDENTIAL_SCOPES
-            ) as cosmosdb_mng_client:
-                database_keys = await cosmosdb_mng_client.database_accounts.list_keys(
-                    resource_group_name=RESOURCE_GROUP_NAME,
-                    account_name=COSMOSDB_ACCOUNT_NAME,
-                )
-                primary_master_key = database_keys.primary_master_key
+            logger.debug("Connecting with managed identity")
+            credential = await get_credential_async()
+            cosmos_client = CosmosClient(
+                url=STATE_STORE_ENDPOINT,
+                credential=credential
+            )
 
-        return primary_master_key
+        logger.debug("Connection established")
+        return cosmos_client
 
     @classmethod
     async def get_container_proxy(cls, container_name) -> ContainerProxy:

api_app/tests_ma/conftest.py

@@ -578,7 +578,6 @@ def simple_pipeline_step() -> PipelineStep:
 @pytest_asyncio.fixture(autouse=True)
 async def no_database():
     with patch('api.dependencies.database.get_credential_async', return_value=AsyncMock()), \
-         patch('api.dependencies.database.CosmosDBManagementClient', return_value=AsyncMock()), \
-         patch('api.dependencies.database.CosmosClient', return_value=AsyncMock(spec=CosmosClient)) as cosmos_client_mock:
+            patch('api.dependencies.database.CosmosClient', return_value=AsyncMock(spec=CosmosClient)) as cosmos_client_mock:
         cosmos_client_mock.return_value.get_database_client.return_value = AsyncMock(spec=DatabaseProxy)
         yield Database()

core/terraform/airlock/airlock_processor.tf

@@ -111,6 +111,7 @@ resource "azurerm_linux_function_app" "airlock_function_app" {
     container_registry_use_managed_identity       = true
     vnet_route_all_enabled                        = true
     ftps_state                                    = "Disabled"
+    minimum_tls_version                           = "1.3"
 
     application_stack {
       docker {

core/terraform/airlock/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117"
+      version = ">= 4.14.0"
     }
     azapi = {
       source  = "Azure/azapi"

core/terraform/api-webapp.tf

@@ -83,7 +83,7 @@ resource "azurerm_linux_web_app" "api" {
     vnet_route_all_enabled                        = true
     container_registry_use_managed_identity       = true
     container_registry_managed_identity_client_id = azurerm_user_assigned_identity.id.client_id
-    minimum_tls_version                           = "1.2"
+    minimum_tls_version                           = "1.3"
     ftps_state                                    = "Disabled"
 
     application_stack {

core/version.txt

@@ -1 +1 @@
-__version__ = "0.12.2"
+__version__ = "0.12.3"

devops/scripts/setup_local_debugging.sh

@@ -91,6 +91,19 @@ az role assignment create \
     --assignee "${LOGGED_IN_OBJECT_ID}" \
     --scope "${STATE_STORE_RESOURCE_ID}"
 
+ROLE_DEFINITION_ID=$(az cosmosdb sql role definition list \
+    --resource-group "${RESOURCE_GROUP_NAME}" \
+    --account-name "${COSMOSDB_ACCOUNT_NAME}" \
+    --query "[?roleName=='Cosmos DB Built-in Data Contributor'].id" \
+    --output tsv)
+
+az cosmosdb sql role assignment create \
+    --resource-group "${RESOURCE_GROUP_NAME}" \
+    --account-name "${COSMOSDB_ACCOUNT_NAME}" \
+    --role-definition-id "${ROLE_DEFINITION_ID}" \
+    --principal-id "${LOGGED_IN_OBJECT_ID}" \
+    --scope "${STATE_STORE_RESOURCE_ID}"
+
 az role assignment create \
     --role "Contributor" \
     --assignee "${LOGGED_IN_OBJECT_ID}" \

templates/shared_services/certs/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 0.7.3
+version: 0.7.4
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
@@ -88,6 +88,7 @@ install:
         - name: storage_account_name
         - name: resource_group_name
         - name: keyvault_name
+        - name: password_name
   - az:
       description: "Set Azure Cloud Environment"
       arguments:
@@ -114,6 +115,7 @@ install:
         resource_group_name: ${ bundle.outputs.resource_group_name }
         keyvault_name: ${ bundle.outputs.keyvault_name }
         cert_name: ${ bundle.parameters.cert_name }
+        password_name: ${ bundle.outputs.password_name }
   - az:
       description: "Stop application gateway"
       arguments:
@@ -167,6 +169,7 @@ renew:
         - name: storage_account_name
         - name: resource_group_name
         - name: keyvault_name
+        - name: password_name
   - az:
       description: "Set Azure Cloud Environment"
       arguments:
@@ -202,6 +205,7 @@ renew:
         resource_group_name: ${ bundle.outputs.resource_group_name }
         keyvault_name: ${ bundle.outputs.keyvault_name }
         cert_name: ${ bundle.parameters.cert_name }
+        password_name: ${ bundle.outputs.password_name }
   - az:
       description: "Stop application gateway"
       arguments:

templates/shared_services/certs/scripts/letsencrypt.sh

@@ -29,6 +29,10 @@ while [ "$1" != "" ]; do
         shift
         cert_name=$1
         ;;
+    --password_name)
+        shift
+        password_name=$1
+        ;;
     *)
         echo "Unexpected argument: '$1'"
         usage
@@ -122,8 +126,8 @@ sid=$(az keyvault certificate import \
     --password "${CERT_PASSWORD}" \
     | jq -r '.sid')
 
-echo "Saving certificate password to KV with key ${cert_name}-password"
-az keyvault secret set --name "${cert_name}"-password \
+echo "Saving certificate password to KV with key ${password_name}"
+az keyvault secret set --name "$password_name" \
   --vault-name "${keyvault_name}" \
   --value "${CERT_PASSWORD}"
 

templates/shared_services/certs/terraform/certificate.tf

@@ -36,3 +36,18 @@ resource "azurerm_key_vault_certificate" "tlscert" {
   }
 
 }
+
+# pre-create in advance of the real password being created
+# so if there is a deleted secret it will be recovered
+#
+resource "azurerm_key_vault_secret" "cert_password" {
+  name         = local.password_name
+  value        = "0000000000"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  tags         = local.tre_shared_service_tags
+
+  # The password will get replaced with a real one, so we don't want Terraform to try and revert it.
+  lifecycle {
+    ignore_changes = all
+  }
+}

templates/shared_services/certs/terraform/locals.tf

@@ -26,4 +26,5 @@ locals {
 
   cmk_name                 = "tre-encryption-${var.tre_id}"
   encryption_identity_name = "id-encryption-${var.tre_id}"
+  password_name            = "${var.cert_name}-password"
 }

templates/shared_services/certs/terraform/outputs.tf

@@ -17,3 +17,7 @@ output "resource_group_name" {
 output "keyvault_name" {
   value = data.azurerm_key_vault.key_vault.name
 }
+
+output "password_name" {
+  value = local.password_name
+}

templates/shared_services/gitea/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-gitea
-version: 1.1.4
+version: 1.1.5
 description: "A Gitea shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/gitea/terraform/gitea-webapp.tf

@@ -66,7 +66,7 @@ resource "azurerm_linux_web_app" "gitea" {
     container_registry_managed_identity_client_id = azurerm_user_assigned_identity.gitea_id.client_id
     ftps_state                                    = "Disabled"
     always_on                                     = true
-    minimum_tls_version                           = "1.2"
+    minimum_tls_version                           = "1.3"
     vnet_route_all_enabled                        = true
 
     application_stack {
@@ -129,11 +129,14 @@ resource "azurerm_monitor_diagnostic_setting" "webapp_gitea" {
   target_resource_id         = azurerm_linux_web_app.gitea.id
   log_analytics_workspace_id = data.azurerm_log_analytics_workspace.tre.id
 
-  dynamic "log" {
-    for_each = data.azurerm_monitor_diagnostic_categories.webapp.log_category_types
+  dynamic "enabled_log" {
+    for_each = [
+      for category in data.azurerm_monitor_diagnostic_categories.webapp.log_category_types :
+      category if contains(local.webapp_diagnostic_categories_enabled, category)
+    ]
     content {
-      category = log.value
-      enabled  = contains(local.webapp_diagnostic_categories_enabled, log.value) ? true : false
+      category = enabled_log.value
+
     }
   }
 

templates/shared_services/gitea/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.117.0"
+      version = "=4.14.0"
     }
     local = {
       source  = "hashicorp/local"

templates/workspace_services/gitea/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 1.2.2
+version: 1.2.3
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspace_services/gitea/terraform/gitea-webapp.tf

@@ -76,7 +76,7 @@ resource "azurerm_linux_web_app" "gitea" {
     container_registry_managed_identity_client_id = azurerm_user_assigned_identity.gitea_id.client_id
     ftps_state                                    = "Disabled"
     always_on                                     = true
-    minimum_tls_version                           = "1.2"
+    minimum_tls_version                           = "1.3"
     vnet_route_all_enabled                        = true
 
     application_stack {
@@ -138,11 +138,13 @@ resource "azurerm_monitor_diagnostic_setting" "gitea" {
   target_resource_id         = azurerm_linux_web_app.gitea.id
   log_analytics_workspace_id = data.azurerm_log_analytics_workspace.tre.id
 
-  dynamic "log" {
-    for_each = data.azurerm_monitor_diagnostic_categories.gitea.log_category_types
+  dynamic "enabled_log" {
+    for_each = [
+      for category in data.azurerm_monitor_diagnostic_categories.gitea.log_category_types :
+      category if contains(local.web_app_diagnostic_categories_enabled, category)
+    ]
     content {
-      category = log.value
-      enabled  = contains(local.web_app_diagnostic_categories_enabled, log.value) ? true : false
+      category = enabled_log.value
     }
   }