User username as VM username rather than random ID (#4333)

CHANGELOG.md

@@ -66,6 +66,7 @@ ENHANCEMENTS:
 * Downgrade certs shared service App Gateway to Basic SKU ([#4300](https://github.com/microsoft/AzureTRE/issues/4300))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
 * Disable local authentication in EventGrid ([#4254](https://github.com/microsoft/AzureTRE/issues/4254))
+* Use user username as VM username rather than random ID ([#4333](https://github.com/microsoft/AzureTRE/pull/4333))
 
 
 BUG FIXES:

resource_processor/_version.py

@@ -1 +1 @@
-__version__ = "0.12.1"
+__version__ = "0.12.2"

resource_processor/helpers/commands.py

@@ -146,6 +146,8 @@ def get_special_porter_param_value(config, parameter_name: str, msg_body):
         return msg_body.get("workspaceId")  # not included in all messages
     if parameter_name == "parent_service_id":
         return msg_body.get("parentWorkspaceServiceId")  # not included in all messages
+    if parameter_name == "owner_id":
+        return msg_body.get("ownerId")  # not included in all messages
     if (value := config["bundle_params"].get(parameter_name.lower())) is not None:
         return value
     # Parameters that relate to the cloud type

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-linuxvm
-version: 1.2.4
+version: 1.2.8
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -42,6 +42,13 @@ credentials:
     env: ARM_CLIENT_ID
   - name: azure_client_secret
     env: ARM_CLIENT_SECRET
+  # Credentials for interacting with the AAD Auth tenant
+  - name: auth_client_id
+    env: AUTH_CLIENT_ID
+  - name: auth_client_secret
+    env: AUTH_CLIENT_SECRET
+  - name: auth_tenant_id
+    env: AUTH_TENANT_ID
 
 parameters:
   - name: workspace_id
@@ -110,6 +117,8 @@ parameters:
   - name: shared_storage_name
     type: string
     default: "vm-shared-storage"
+  - name: owner_id
+    type: string
   - name: enable_cmk_encryption
     type: boolean
     default: false
@@ -161,11 +170,15 @@ install:
         shared_storage_access: ${ bundle.parameters.shared_storage_access }
         shared_storage_name: ${ bundle.parameters.shared_storage_name }
         image_gallery_id: ${ bundle.parameters.image_gallery_id }
+        owner_id: ${ bundle.parameters.owner_id }
         enable_shutdown_schedule: ${ bundle.parameters.enable_shutdown_schedule }
         shutdown_time: ${ bundle.parameters.shutdown_time }
         shutdown_timezone: ${ bundle.parameters.shutdown_timezone }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -192,11 +205,15 @@ upgrade:
         shared_storage_access: ${ bundle.parameters.shared_storage_access }
         shared_storage_name: ${ bundle.parameters.shared_storage_name }
         image_gallery_id: ${ bundle.parameters.image_gallery_id }
+        owner_id: ${ bundle.parameters.owner_id }
         enable_shutdown_schedule: ${ bundle.parameters.enable_shutdown_schedule }
         shutdown_time: ${ bundle.parameters.shutdown_time }
         shutdown_timezone: ${ bundle.parameters.shutdown_timezone }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -235,11 +252,15 @@ uninstall:
         shared_storage_access: ${ bundle.parameters.shared_storage_access }
         shared_storage_name: ${ bundle.parameters.shared_storage_name }
         image_gallery_id: ${ bundle.parameters.image_gallery_id }
+        owner_id: ${ bundle.parameters.owner_id }
         enable_shutdown_schedule: ${ bundle.parameters.enable_shutdown_schedule }
         shutdown_time: ${ bundle.parameters.shutdown_time }
         shutdown_timezone: ${ bundle.parameters.shutdown_timezone }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/template_schema.json

@@ -12,6 +12,20 @@
     "WorkspaceOwner", "WorkspaceResearcher"
   ],
   "properties": {
+    "display_name": {
+      "type": "string",
+      "title": "Display name for the VM",
+      "description": "The display name of the VM.",
+      "default": "My Linux VM",
+      "updateable": true
+    },
+    "description": {
+      "type": "string",
+      "title": "Description of the VM",
+      "description": "Describe what this VM is used for.",
+      "default": "I will use this VM for research.",
+      "updateable": true
+    },
     "os_image": {
       "$id": "#/properties/os_image",
       "type": "string",

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/data.tf

@@ -70,3 +70,7 @@ data "azurerm_storage_account" "stg" {
   name                = local.storage_name
   resource_group_name = data.azurerm_resource_group.ws.name
 }
+
+data "azuread_user" "user" {
+  object_id = var.owner_id
+}

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf

@@ -12,16 +12,6 @@ resource "azurerm_network_interface" "internal" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "random_string" "username" {
-  length      = 4
-  upper       = true
-  lower       = true
-  numeric     = true
-  min_numeric = 1
-  min_lower   = 1
-  special     = false
-}
-
 resource "random_password" "password" {
   length           = 16
   lower            = true
@@ -42,7 +32,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
   network_interface_ids           = [azurerm_network_interface.internal.id]
   size                            = local.vm_sizes[var.vm_size]
   disable_password_authentication = false
-  admin_username                  = random_string.username.result
+  admin_username                  = local.admin_username
   admin_password                  = random_password.password.result
   encryption_at_host_enabled      = true
   secure_boot_enabled             = local.secure_boot_enabled
@@ -78,7 +68,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
   # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
   # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
   #
-  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
+  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled, admin_username] }
 }
 
 resource "azurerm_disk_encryption_set" "linuxvm_disk_encryption" {
@@ -132,14 +122,14 @@ data "template_file" "vm_config" {
     FILESHARE_NAME        = var.shared_storage_access ? var.shared_storage_name : ""
     NEXUS_PROXY_URL       = local.nexus_proxy_url
     CONDA_CONFIG          = local.selected_image.conda_config ? 1 : 0
-    VM_USER               = random_string.username.result
+    VM_USER               = local.admin_username
     APT_SKU               = replace(local.apt_sku, ".", "")
   }
 }
 
 resource "azurerm_key_vault_secret" "linuxvm_password" {
   name         = local.vm_password_secret_name
-  value        = "${random_string.username.result}\n${random_password.password.result}"
+  value        = "${local.admin_username}\n${random_password.password.result}"
   key_vault_id = data.azurerm_key_vault.ws.id
   tags         = local.tre_user_resources_tags
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf

@@ -7,12 +7,19 @@ locals {
   vm_name                        = "linuxvm${local.short_service_id}"
   keyvault_name                  = lower("kv-${substr(local.workspace_resource_name_suffix, -20, -1)}")
   storage_name                   = lower(replace("stg${substr(local.workspace_resource_name_suffix, -8, -1)}", "-", ""))
-  vm_password_secret_name        = "${local.vm_name}-admin-credentials"
+  admin_username = (
+    length(data.azuread_user.user.mail) > 0 && strcontains(data.azuread_user.user.user_principal_name, "#EXT#") ?
+    substr(element(split("@", data.azuread_user.user.mail), 0), 0, 20) :
+    substr(element(split("#EXT#", element(split("@", data.azuread_user.user.user_principal_name), 0)), 0), 0, 20)
+  )
+  vm_password_secret_name = "${local.vm_name}-admin-credentials"
   tre_user_resources_tags = {
     tre_id                   = var.tre_id
     tre_workspace_id         = var.workspace_id
     tre_workspace_service_id = var.parent_service_id
     tre_user_resource_id     = var.tre_resource_id
+    tre_user_id              = var.owner_id
+    tre_user_username        = data.azuread_user.user.user_principal_name
   }
   nexus_proxy_url = "https://nexus-${data.azurerm_public_ip.app_gateway_ip.fqdn}"
   # Load VM SKU/image details from porter.yaml

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/main.tf

@@ -13,6 +13,10 @@ terraform {
       source  = "hashicorp/random"
       version = "=3.4.3"
     }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "3.1.0"
+    }
   }
   backend "azurerm" {
   }
@@ -21,6 +25,10 @@ terraform {
 
 provider "azurerm" {
   features {
+    virtual_machine {
+      skip_shutdown_and_force_delete = true
+      delete_os_disk_on_deletion     = true
+    }
     key_vault {
       # Don't purge on destroy (this would fail due to purge protection being enabled on keyvault)
       purge_soft_delete_on_destroy               = false
@@ -37,3 +45,8 @@ provider "azurerm" {
   storage_use_azuread = true
 }
 
+provider "azuread" {
+  client_id     = var.auth_client_id
+  client_secret = var.auth_client_secret
+  tenant_id     = var.auth_tenant_id
+}

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/outputs.tf

@@ -15,7 +15,7 @@ output "connection_uri" {
 }
 
 output "vm_username" {
-  value = random_string.username.result
+  value = local.admin_username
 }
 
 output "vm_password_secret_name" {

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/variables.tf

@@ -26,6 +26,9 @@ variable "image_gallery_id" {
   type    = string
   default = ""
 }
+variable "owner_id" {
+  type = string
+}
 variable "enable_shutdown_schedule" {
   type    = bool
   default = false
@@ -44,3 +47,15 @@ variable "enable_cmk_encryption" {
 variable "key_store_id" {
   type = string
 }
+variable "auth_tenant_id" {
+  type        = string
+  description = "Used to authenticate into the AAD Tenant to create the AAD App"
+}
+variable "auth_client_id" {
+  type        = string
+  description = "Used to authenticate into the AAD Tenant to create the AAD App"
+}
+variable "auth_client_secret" {
+  type        = string
+  description = "Used to authenticate into the AAD Tenant to create the AAD App"
+}

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-windowsvm
-version: 1.2.6
+version: 1.2.10
 description: "An Azure TRE User Resource Template for Guacamole (Windows 10)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -39,7 +39,7 @@ custom:
         sku: winserver-2019
         version: latest
       conda_config: true
-      secure_boot_enabled: false  # dsvm-win-2019 is not a gen2 image
+      secure_boot_enabled: false # dsvm-win-2019 is not a gen2 image
       vtpm_enabled: false
     # For information on using custom images, see README.me in the guacamole/user-resources folder
     # "Custom Image From Gallery":
@@ -57,6 +57,13 @@ credentials:
     env: ARM_CLIENT_ID
   - name: azure_client_secret
     env: ARM_CLIENT_SECRET
+  # Credentials for interacting with the AAD Auth tenant
+  - name: auth_client_id
+    env: AUTH_CLIENT_ID
+  - name: auth_client_secret
+    env: AUTH_CLIENT_SECRET
+  - name: auth_tenant_id
+    env: AUTH_TENANT_ID
 
 parameters:
   - name: workspace_id
@@ -106,6 +113,8 @@ parameters:
   - name: shared_storage_name
     type: string
     default: "vm-shared-storage"
+  - name: owner_id
+    type: string
   - name: arm_environment
     type: string
   - name: enable_cmk_encryption
@@ -159,8 +168,12 @@ install:
         shared_storage_access: ${ bundle.parameters.shared_storage_access }
         shared_storage_name: ${ bundle.parameters.shared_storage_name }
         image_gallery_id: ${ bundle.parameters.image_gallery_id }
+        owner_id: ${ bundle.parameters.owner_id }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -187,8 +200,12 @@ upgrade:
         shared_storage_access: ${ bundle.parameters.shared_storage_access }
         shared_storage_name: ${ bundle.parameters.shared_storage_name }
         image_gallery_id: ${ bundle.parameters.image_gallery_id }
+        owner_id: ${ bundle.parameters.owner_id }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -227,8 +244,12 @@ uninstall:
         shared_storage_access: ${ bundle.parameters.shared_storage_access }
         shared_storage_name: ${ bundle.parameters.shared_storage_name }
         image_gallery_id: ${ bundle.parameters.image_gallery_id }
+        owner_id: ${ bundle.parameters.owner_id }
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
+        auth_client_id: ${ bundle.credentials.auth_client_id }
+        auth_client_secret: ${ bundle.credentials.auth_client_secret }
+        auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"