diff --git a/CHANGELOG.md b/CHANGELOG.md
index c596b48c02..fd7bc28a81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,11 +14,12 @@ ENHANCEMENTS:
 * Add bundle target to Makefile for handling different bundle types in single command ([#4372](https://github.com/microsoft/AzureTRE/issues/4372))
 * Migrate UI to Vite build engine and update dependencies ([#4368](https://github.com/microsoft/AzureTRE/pull/4368))
 * Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
-* Update TLS to the latest version for web apps / function apps (([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+* Update TLS to the latest version for web apps / function apps ([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+* Added backup vault to base workspace & updated Azurerm provider to match core. ([[#4362](https://github.com/microsoft/AzureTRE/issues/4362)])
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
-* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294))
 * Fix Cosmos DB local debugging configuration ([#4340](https://github.com/microsoft/AzureTRE/pull/4340))
 COMPONENTS:
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
index 655a7d3708..bf9a4c0977 100644
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 2.0.11
+version: 2.0.12
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -234,9 +234,6 @@ install:
 key_store_id: ${ bundle.parameters.key_store_id }
 storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
 enable_backup: ${ bundle.parameters.enable_backup }
- backup_vault_fileshare_backup_policy_name: ${ bundle.parameters.backup_vault_fileshare_backup_policy_name }
- backup_vault_vm_backup_policy_name: ${ bundle.parameters.backup_vault_vm_backup_policy_name }
- backup_vault_name: ${ bundle.parameters.backup_vault_name }
 backendConfig:
 use_azuread_auth: "true"
 use_oidc: "true"
@@ -286,9 +283,6 @@ upgrade:
 key_store_id: ${ bundle.parameters.key_store_id }
 storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
 enable_backup: ${ bundle.parameters.enable_backup }
- backup_vault_fileshare_backup_policy_name: ${ bundle.parameters.backup_vault_fileshare_backup_policy_name }
- backup_vault_vm_backup_policy_name: ${ bundle.parameters.backup_vault_vm_backup_policy_name }
- backup_vault_name: ${ bundle.parameters.backup_vault_name }
 backendConfig:
 use_azuread_auth: "true"
 use_oidc: "true"
@@ -361,9 +355,6 @@ uninstall:
 key_store_id: ${ bundle.parameters.key_store_id }
 storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
 enable_backup: ${ bundle.parameters.enable_backup }
- backup_vault_fileshare_backup_policy_name: ${ bundle.parameters.backup_vault_fileshare_backup_policy_name }
- backup_vault_vm_backup_policy_name: ${ bundle.parameters.backup_vault_vm_backup_policy_name }
- backup_vault_name: ${ bundle.parameters.backup_vault_name }
 backendConfig:
 use_azuread_auth: "true"
 use_oidc: "true"
diff --git a/templates/workspaces/base/terraform/.terraform.lock.hcl b/templates/workspaces/base/terraform/.terraform.lock.hcl
index 8a229681d9..e01a2a6b3f 100644
--- a/templates/workspaces/base/terraform/.terraform.lock.hcl
+++ b/templates/workspaces/base/terraform/.terraform.lock.hcl
@@ -6,7 +6,6 @@ provider "registry.terraform.io/azure/azapi" { constraints = ">= 1.15.0, 1.15.0" hashes = [ "h1:Y7ruMuPh8UJRTRl4rm+cdpGtmURx2taqiuqfYaH3o48=", - "h1:gIOgxVmFSxHrR+XOzgUEA+ybOmp8kxZlZH3eYeB/eFI=", "zh:0627a8bc77254debc25dc0c7b62e055138217c97b03221e593c3c56dc7550671", "zh:2fe045f07070ef75d0bec4b0595a74c14394daa838ddb964e2fd23cc98c40c34", "zh:343009f39c957883b2c06145a5954e524c70f93585f943f1ea3d28ef6995d0d0", 
@@ -43,28 +42,28 @@ provider "registry.terraform.io/hashicorp/azuread" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.117.0" - constraints = ">= 3.117.0, 3.117.0" + version = "4.14.0" + constraints = "4.14.0" hashes = [ - "h1:Ynfg+Iy7x6K8M6W1AhqXCe3wkoiqIQhROlca7C3KC3w=", - "zh:2e25f47492366821a786762369f0e0921cc9452d64bfd5075f6fdfcf1a9c6d70", - "zh:41eb34f2f7469bf3eb1019dfb0e7fc28256f809824016f4f8b9d691bf473b2ac", - "zh:48bb9c87b3d928da1abc1d3db75453c9725de4674c612daf3800160cc7145d30", - "zh:5d6b0de0bbd78943fcc65c53944ef4496329e247f434c6eab86ed051c5cea67b", - "zh:78c9f6fdb1206a89cf0e6706b4f46178169a93b6c964a4cad8a321058ccbd9b4", - "zh:793b702c352589d4360b580d4a1cf654a7439d2ad6bdb7bfea91de07bc4b0fac", - "zh:7ed687ff0a5509463a592f97431863574fe5cc80a34e395be06766215b8c6285", - "zh:955ba18789bd15592824eb426a8d0f38595bd09fffc6939c1c58933489c1a71e", - "zh:bf5949a55be0714cd9c8815d472eae4baa48ba06d0f6bf2b96775869acda8a54", - "zh:da5d31f635abd2c645ffc76d6176d73f646128e73720cc368247cc424975c127", - "zh:eed5a66d59883c9c56729b0a964a2b60d758ea7489ef3e920a6fbd48518ce5f5", + "h1:FYZ9qh8i3X2gDmUTe1jJ/VzdSyjGjVmhBzv2R8D6CBo=", + "zh:05aaea16fc5f27b14d9fbad81654edf0638949ed3585576b2219c76a2bee095a", + "zh:065ce6ed16ba3fa7efcf77888ea582aead54e6a28f184c6701b73d71edd64bb0", + "zh:3c0cd17c249d18aa2e0120acb5f0c14810725158b379a67fec1331110e7c50df", + "zh:5a3ba3ffb2f1ce519fe3bf84a7296aa5862c437c70c62f0b0a5293bea9f2d01c", + "zh:7a8e9d72fa2714f4d567270b1761d4b4e788de7c15dada7db0cf0e29933185a2", + "zh:a11e190073f31c1238c15af29b9162e0f4564f6b0cd0310a3fa94102738450dc", + "zh:a5c004114410cc6dcb8fed584c9f3b84283b58025b0073a7e88d2bdb27840dfa", + "zh:a674a41db118e244eda7591e455d2ec338626664e0856e4125e909eb038f78db", + "zh:b5139010e4cbb2cb1a27c775610593c1c8063d3a7c82b00a65006509c434df2f", + "zh:cbb031223ccd8b099ac4d19b92641142f330b90f2fc6452843e445bae28f832c", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + 
"zh:f7e7db1b94082a4ac3d4af3dabe7bbd335e1679305bf8e29d011f0ee440724ca", ] } provider "registry.terraform.io/hashicorp/random" { version = "3.3.2" - constraints = "~> 3.3.0" + constraints = ">= 3.1.0, ~> 3.3.0" hashes = [ "h1:H5V+7iXol/EHB2+BUMzGlpIiCOdV74H8YjzCxnSAWcg=", "zh:038293aebfede983e45ee55c328e3fde82ae2e5719c9bd233c324cfacc437f9c", diff --git a/templates/workspaces/base/terraform/aad/providers.tf b/templates/workspaces/base/terraform/aad/providers.tf index 4cf4c2b88a..7a31f12bb1 100644 --- a/templates/workspaces/base/terraform/aad/providers.tf +++ b/templates/workspaces/base/terraform/aad/providers.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 3.117.0" + version = "=4.14.0" } azuread = { source = "hashicorp/azuread" diff --git a/templates/workspaces/base/terraform/airlock/providers.tf b/templates/workspaces/base/terraform/airlock/providers.tf index 3bc52af981..eaa776f219 100644 --- a/templates/workspaces/base/terraform/airlock/providers.tf +++ b/templates/workspaces/base/terraform/airlock/providers.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = ">= 3.117.0" + version = "=4.14.0" } } } diff --git a/templates/workspaces/base/terraform/api-permissions.tf b/templates/workspaces/base/terraform/api-permissions.tf index 1d5c427759..82b1fb7f98 100644 --- a/templates/workspaces/base/terraform/api-permissions.tf +++ b/templates/workspaces/base/terraform/api-permissions.tf 
@@ -21,15 +21,4 @@ resource "azurerm_role_assignment" "api_reader" {
 principal_id = data.azurerm_user_assigned_identity.api_id.principal_id
 }
-# adds the needed permissions to the API to manage the backup and site recovery
-resource "azurerm_role_assignment" "backup_contributor" {
- scope = azurerm_resource_group.ws.id
- role_definition_name = "Backup Contributor"
- principal_id = data.azurerm_user_assigned_identity.api_id.principal_id
-}
-resource "azurerm_role_assignment" "site_recover_contributor" {
- scope = azurerm_resource_group.ws.id
- role_definition_name = "Site Recovery Contributor"
- principal_id = data.azurerm_user_assigned_identity.api_id.principal_id
-}
diff --git a/templates/workspaces/base/terraform/azure-monitor/providers.tf b/templates/workspaces/base/terraform/azure-monitor/providers.tf
index 073110f2d1..92e7dad7e2 100644
--- a/templates/workspaces/base/terraform/azure-monitor/providers.tf
+++ b/templates/workspaces/base/terraform/azure-monitor/providers.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = ">= 3.117.0"
+ version = "=4.14.0"
 }
 azapi = {
diff --git a/templates/workspaces/base/terraform/backup/providers.tf b/templates/workspaces/base/terraform/backup/providers.tf
index 5ea0d8fe92..c7a0b571d4 100644
--- a/templates/workspaces/base/terraform/backup/providers.tf
+++ b/templates/workspaces/base/terraform/backup/providers.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = ">= 3.117.0"
+ version = "=4.14.0"
 }
 random = {
 source = "hashicorp/random"
@@ -11,12 +11,3 @@ terraform {
 }
 }
 }
-
-
-provider "azurerm" {
- features {
- recovery_services_vault {
- purge_protected_items_from_vault_on_destroy = true
- }
- }
-}
diff --git a/templates/workspaces/base/terraform/network/network.tf b/templates/workspaces/base/terraform/network/network.tf
index bc9e5fadb3..e311809382 100644
--- a/templates/workspaces/base/terraform/network/network.tf
+++ b/templates/workspaces/base/terraform/network/network.tf
@@ -14,7 +14,7 @@ resource "azurerm_subnet" "services" {
 resource_group_name = var.ws_resource_group_name
 address_prefixes = [local.services_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
+ private_endpoint_network_policies = "Disabled"
 private_link_service_network_policies_enabled = true
 }
@@ -24,7 +24,7 @@ resource "azurerm_subnet" "webapps" {
 resource_group_name = var.ws_resource_group_name
 address_prefixes = [local.webapps_subnet_address_prefix]
 # notice that private endpoints do not adhere to NSG rules
- private_endpoint_network_policies_enabled = false
+ private_endpoint_network_policies = "Disabled"
 private_link_service_network_policies_enabled = true
 delegation {
diff --git a/templates/workspaces/base/terraform/network/providers.tf b/templates/workspaces/base/terraform/network/providers.tf
index 2817aac3ab..e0bf9b3bf2 100644
--- a/templates/workspaces/base/terraform/network/providers.tf
+++ b/templates/workspaces/base/terraform/network/providers.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = ">=3.117.0"
+ version = "=4.14.0"
 }
 }
 }
diff --git a/templates/workspaces/base/terraform/providers.tf b/templates/workspaces/base/terraform/providers.tf
index e541b4a4c8..bb19c1d77b 100644
--- a/templates/workspaces/base/terraform/providers.tf
+++ b/templates/workspaces/base/terraform/providers.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "=3.117.0"
+ version = "=4.14.0"
 }
 azuread = {
 source = "hashicorp/azuread"
@@ -31,6 +31,10 @@ provider "azurerm" {
 recover_soft_deleted_certificates = true
 recover_soft_deleted_keys = true
 }
+ recovery_service {
+ vm_backup_stop_protection_and_retain_data_on_destroy = false
+ purge_protected_items_from_vault_on_destroy = true
+ }
 }
 storage_use_azuread = true
 }
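Review bot: Both subnets in network/network.tf (`azurerm_subnet.services` and `azurerm_subnet.webapps`) carry the old boolean over as `private_endpoint_network_policies = "Disabled"`, which keeps NSG and route-table enforcement off for private endpoints placed there, and the only explanation is the terse `# notice that private endpoints do not adhere to NSG rules`. The 4.x string attribute also accepts `"NetworkSecurityGroupEnabled"`, `"RouteTableEnabled"` and `"Enabled"`, so it is worth recording whether `Disabled` is a deliberate choice or just the straight migration of the old value. I would reword the comment to something like `# Network policies are disabled: NSG rules and UDRs on this subnet are not applied to private endpoints`. Both resource blocks start above their hunks.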
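Review bot: The new `recovery_service` block in the root `provider "azurerm"` features (templates/workspaces/base/terraform/providers.tf) sets `purge_protected_items_from_vault_on_destroy = true` together with `vm_backup_stop_protection_and_retain_data_on_destroy = false`, so destroying a protected item or the vault removes the backup data with it instead of leaving a retained copy, and nothing next to the block says this is intended. Because it is a provider-level feature it applies to every backup resource this bundle manages, presumably so that workspace uninstall can delete the vault. I would document that trade-off in place, e.g. `# Purge backup items on destroy so uninstall can remove the vault; backups do not survive workspace deletion`, and make sure operators know to export anything that must be retained before uninstalling. The `provider` block starts above the hunk.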
diff --git a/templates/workspaces/base/terraform/storage.tf b/templates/workspaces/base/terraform/storage.tf
index 75f34786de..35eb471271 100644
--- a/templates/workspaces/base/terraform/storage.tf
+++ b/templates/workspaces/base/terraform/storage.tf
@@ -36,7 +36,7 @@ resource "azurerm_storage_account" "stg" {
 # Using AzAPI as AzureRM uses shared account key for Azure files operations
 resource "azapi_resource" "shared_storage" {
 type = "Microsoft.Storage/storageAccounts/fileServices/shares@2023-05-01"
- name = var.shared_storage_name
+ name = local.shared_storage_name
 parent_id = "${azurerm_storage_account.stg.id}/fileServices/default"
 body = jsonencode({
 properties = {
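Review bot: `local.shared_storage_name` replaces `var.shared_storage_name` as the share name in `azapi_resource.shared_storage`, but its definition is not in any hunk shown here, so check that the local exists and evaluates to the same string the variable supplied. If the value differs for an already-deployed workspace, a changed `name` on this resource would probably plan as a replacement of the file share on upgrade, which would lose its contents. A short comment at the local's definition such as `# must match the share name of already-deployed workspaces` would record the constraint. The resource body continues past the end of the hunk.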