updated azurerm provider and added the changes. Still cant removed wo…

…rkspaces. may need to look at the script approch again.

CHANGELOG.md

@@ -14,11 +14,12 @@ ENHANCEMENTS:
 * Add bundle target to Makefile for handling different bundle types in single command ([#4372](https://github.com/microsoft/AzureTRE/issues/4372))
 * Migrate UI to Vite build engine and update dependencies ([#4368](https://github.com/microsoft/AzureTRE/pull/4368))
 * Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
-* Update TLS to the latest version for web apps / function apps (([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+* Update TLS to the latest version for web apps / function apps ([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+* Added backup vault to base workspace & updated Azurerm provider to match core. ([[#4362](https://github.com/microsoft/AzureTRE/issues/4362)])
 
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
-* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294))
 * Fix Cosmos DB local debugging configuration ([#4340](https://github.com/microsoft/AzureTRE/pull/4340))
 
 COMPONENTS:

templates/workspaces/base/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 2.0.11
+version: 2.0.12
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -234,9 +234,6 @@ install:
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
         enable_backup: ${ bundle.parameters.enable_backup }
-        backup_vault_fileshare_backup_policy_name: ${ bundle.parameters.backup_vault_fileshare_backup_policy_name }
-        backup_vault_vm_backup_policy_name: ${ bundle.parameters.backup_vault_vm_backup_policy_name }
-        backup_vault_name: ${ bundle.parameters.backup_vault_name }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -286,9 +283,6 @@ upgrade:
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
         enable_backup: ${ bundle.parameters.enable_backup }
-        backup_vault_fileshare_backup_policy_name: ${ bundle.parameters.backup_vault_fileshare_backup_policy_name }
-        backup_vault_vm_backup_policy_name: ${ bundle.parameters.backup_vault_vm_backup_policy_name }
-        backup_vault_name: ${ bundle.parameters.backup_vault_name }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -361,9 +355,6 @@ uninstall:
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
         enable_backup: ${ bundle.parameters.enable_backup }
-        backup_vault_fileshare_backup_policy_name: ${ bundle.parameters.backup_vault_fileshare_backup_policy_name }
-        backup_vault_vm_backup_policy_name: ${ bundle.parameters.backup_vault_vm_backup_policy_name }
-        backup_vault_name: ${ bundle.parameters.backup_vault_name }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"

templates/workspaces/base/terraform/aad/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117.0"
+      version = "=4.14.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

templates/workspaces/base/terraform/airlock/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117.0"
+      version = "=4.14.0"
     }
   }
 }

templates/workspaces/base/terraform/api-permissions.tf

@@ -21,15 +21,4 @@ resource "azurerm_role_assignment" "api_reader" {
   principal_id         = data.azurerm_user_assigned_identity.api_id.principal_id
 }
 
-# adds the needed permissions to the API to manage the backup and site recovery
-resource "azurerm_role_assignment" "backup_contributor" {
-  scope                = azurerm_resource_group.ws.id
-  role_definition_name = "Backup Contributor"
-  principal_id         = data.azurerm_user_assigned_identity.api_id.principal_id
-}
 
-resource "azurerm_role_assignment" "site_recover_contributor" {
-  scope                = azurerm_resource_group.ws.id
-  role_definition_name = "Site Recovery Contributor"
-  principal_id         = data.azurerm_user_assigned_identity.api_id.principal_id
-}

templates/workspaces/base/terraform/azure-monitor/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117.0"
+      version = "=4.14.0"
     }
 
     azapi = {

templates/workspaces/base/terraform/backup/providers.tf

@@ -3,20 +3,11 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117.0"
+      version = "=4.14.0"
     }
     random = {
       source  = "hashicorp/random"
       version = ">= 3.1.0"
     }
   }
 }
-
-
-provider "azurerm" {
-  features {
-     recovery_services_vault {
-       purge_protected_items_from_vault_on_destroy = true
-     }
-  }
-}

templates/workspaces/base/terraform/network/network.tf

@@ -14,7 +14,7 @@ resource "azurerm_subnet" "services" {
   resource_group_name  = var.ws_resource_group_name
   address_prefixes     = [local.services_subnet_address_prefix]
   # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies_enabled     = false
+  private_endpoint_network_policies             = "Disabled"
   private_link_service_network_policies_enabled = true
 }
 
@@ -24,7 +24,7 @@ resource "azurerm_subnet" "webapps" {
   resource_group_name  = var.ws_resource_group_name
   address_prefixes     = [local.webapps_subnet_address_prefix]
   # notice that private endpoints do not adhere to NSG rules
-  private_endpoint_network_policies_enabled     = false
+  private_endpoint_network_policies             = "Disabled"
   private_link_service_network_policies_enabled = true
 
   delegation {

templates/workspaces/base/terraform/network/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">=3.117.0"
+      version = "=4.14.0"
     }
   }
 }

templates/workspaces/base/terraform/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.117.0"
+      version = "=4.14.0"
     }
     azuread = {
       source  = "hashicorp/azuread"
@@ -31,6 +31,10 @@ provider "azurerm" {
       recover_soft_deleted_certificates = true
       recover_soft_deleted_keys         = true
     }
+    recovery_service {
+      vm_backup_stop_protection_and_retain_data_on_destroy    = false
+      purge_protected_items_from_vault_on_destroy             = true
+    }
   }
   storage_use_azuread = true
 }

templates/workspaces/base/terraform/storage.tf

@@ -36,7 +36,7 @@ resource "azurerm_storage_account" "stg" {
 # Using AzAPI as AzureRM uses shared account key for Azure files operations
 resource "azapi_resource" "shared_storage" {
   type      = "Microsoft.Storage/storageAccounts/fileServices/shares@2023-05-01"
-  name      = var.shared_storage_name
+  name      = local.shared_storage_name
   parent_id = "${azurerm_storage_account.stg.id}/fileServices/default"
   body = jsonencode({
     properties = {