
Commit a262883

authored
Merge branch 'main' into marrobi/fix-firewall-rules
2 parents 80de1a6 + b416bd7 commit a262883


197 files changed

+11379
-14348
lines changed



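--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -44,20 +44,13 @@
 // Set *default* container specific settings.json values on container create.
 "settings": {
 "terminal.integrated.defaultProfile.linux": "bash",
+"editor.formatOnPaste": true,
+"editor.formatOnSave": true,
 "python.pythonPath": "/usr/local/bin/python",
-"python.linting.enabled": true,
-"python.linting.pylintEnabled": false,
-"python.linting.flake8Enabled": true,
 "python.formatting.provider": "black",
 "python.formatting.autopep8Path": "/usr/local/py-utils/bin/autopep8",
 "python.formatting.blackPath": "/usr/local/py-utils/bin/black",
 "python.formatting.yapfPath": "/usr/local/py-utils/bin/yapf",
-"python.linting.banditPath": "/usr/local/py-utils/bin/bandit",
-"python.linting.flake8Path": "/usr/local/py-utils/bin/flake8",
-"python.linting.mypyPath": "/usr/local/py-utils/bin/mypy",
-"python.linting.pycodestylePath": "/usr/local/py-utils/bin/pycodestyle",
-"python.linting.pydocstylePath": "/usr/local/py-utils/bin/pydocstyle",
-"python.linting.pylintPath": "/usr/local/py-utils/bin/pylint",
 "python.testing.unittestEnabled": false,
 "python.testing.pytestEnabled": true,
 "python.testing.pytestArgs": [
@@ -275,6 +268,8 @@
 "extensions": [
 "ms-python.python",
 "ms-python.pylance",
+"ms-python.flake8",
+"nwgh.bandit",
 "hashicorp.terraform",
 "github.vscode-pull-request-github",
 "gitHub.copilot",
@@ -294,5 +289,7 @@
 ],
 // Run commands after the container is created.
 "postCreateCommand": "./.devcontainer/scripts/post-create.sh",
-"initializeCommand": ["./.devcontainer/scripts/initialize"]
+"initializeCommand": [
+"./.devcontainer/scripts/initialize"
+]
 }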

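--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -178,9 +178,19 @@ runs:
 - name: Run command in DevContainer
 shell: bash
 run: |
+# Write command to a command.sh script file
+cat <<EOF >> ./command.sh
+#!/bin/bash
+set -x
+${{ inputs.COMMAND }}
+EOF
+
+chmod +x ./command.sh
+
 docker run --rm --mount \
 "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
 -v /var/run/docker.sock:/var/run/docker.sock \
+-v "./command.sh:/workspaces/tre/command.sh" \
 --workdir /workspaces/tre \
 --user vscode \
 -e TF_INPUT="0" \
@@ -246,4 +256,7 @@ runs:
 -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
 -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
 '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
-bash -c "${{ inputs.COMMAND }}"
+bash -c -x "./command.sh"
+
+# Clean up temporary script file
+rm ./command.sh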
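Review bot: `cat <<EOF >> ./command.sh` in the first hunk appends instead of overwriting, and the `rm ./command.sh` at the end of the step only runs when `docker run` succeeds, because GitHub runs `shell: bash` steps with `-e`; after one failed run the stale file survives, and the next invocation of this action in the same job (or on a self-hosted runner that reuses the workspace) appends the new command after the old one and executes both. Write the file with `cat <<EOF > ./command.sh` and clean it up unconditionally with `trap 'rm -f ./command.sh' EXIT` placed before the `docker run`, which also makes the trailing `rm` unnecessary. The added `-v "./command.sh:/workspaces/tre/command.sh"` mount looks redundant, since the workspace is already bind-mounted at `/workspaces/tre` and the script is written into it, assuming the step's working directory is `github.workspace`. Note that `set -x` inside the script combined with `bash -x` traces every expanded command into the job log, and values derived from the `-e` secrets are only masked when they match a registered secret exactly. The `docker run` option list between the two hunks is outside the visible diff.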

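--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@@ -424,9 +424,14 @@ jobs:
 uses: ./.github/actions/devcontainer_run_command
 with:
 # Although porter publish will build automatically, our makefile build target includes logic that should run
-COMMAND: >-
-for i in {1..3}; do make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }}
-&& ec=0 && break || ec=\$? && sleep 30; done; (exit \$ec)
+COMMAND: |
+# Loop to retry the make command up to 3 times
+for i in {1..3}; do
+make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 30;
+done;
+
+# Exit with the last status code
+(exit \$ec)
 DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}
@@ -470,9 +475,14 @@ jobs:
 uses: ./.github/actions/devcontainer_run_command
 with:
 # Although porter publish will build automatically, our makefile build target includes logic that should run
-COMMAND: >-
-for i in {1..3}; do make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }}
-&& ec=0 && break || ec=\$? && sleep 30; done; (exit \$ec)
+COMMAND: |
+# Loop to retry the make command up to 3 times
+for i in {1..3}; do
+make bundle-build bundle-publish DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 30;
+done
+
+# Exit with the last status code
+(exit \$ec)
 DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 AZURE_ENVIRONMENT: ${{ vars.AZURE_ENVIRONMENT }}
@@ -514,9 +524,14 @@ jobs:
 - name: Register bundle
 uses: ./.github/actions/devcontainer_run_command
 with:
-COMMAND: >-
-for i in {1..3}; do make bundle-register DIR=${{ matrix.BUNDLE_DIR }}
-&& ec=0 && break || ec=\$? && sleep 10; done; (exit \$ec)
+COMMAND: |
+# Loop to retry the make command up to 3 times
+for i in {1..3}; do
+make bundle-register DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 10;
+done
+
+# Exit with the last status code
+(exit \$ec)
 DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
 CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
@@ -574,9 +589,14 @@ jobs:
 - name: Register bundle
 uses: ./.github/actions/devcontainer_run_command
 with:
-COMMAND: >-
-for i in {1..3}; do make bundle-register DIR=${{ matrix.BUNDLE_DIR }}
-&& ec=0 && break || ec=\$? && sleep 10; done; (exit \$ec)
+COMMAND: |
+# Loop to retry the make command up to 3 times
+for i in {1..3}; do
+make bundle-register DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 10;
+done;
+
+# Exit with the last status code
+(exit \$ec)
 DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
 CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
@@ -623,9 +643,14 @@ jobs:
 - name: Register bundle
 uses: ./.github/actions/devcontainer_run_command
 with:
-COMMAND: >-
-for i in {1..3}; do make bundle-register DIR=${{ matrix.BUNDLE_DIR }}
-&& ec=0 && break || ec=\$? && sleep 10; done; (exit \$ec)
+COMMAND: |
+# Loop to retry the make command up to 3 times
+for i in {1..3}; do
+make bundle-register DIR=${{ matrix.BUNDLE_DIR }} && ec=0 && break || ec=\$? && sleep 10;
+done;
+
+# Exit with the last status code
+(exit \$ec)
 DEVCONTAINER_TAG: ${{ inputs.DEVCONTAINER_TAG }}
 CI_CACHE_ACR_NAME: ${{ secrets.CI_CACHE_ACR_NAME}}
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}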

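--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,33 @@
 <!-- markdownlint-disable MD041 -->
-## 0.20.0 (Unreleased)
+## 0.21.0 (Unreleased)
 
 **BREAKING CHANGES & MIGRATIONS**:
-* InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these worksapce services they can be retrieved from release 0.19.1. ([#4127](https://github.com/microsoft/AzureTRE/issues/4127))
-* This released removed support for Porter v0.*. If you're upgrading from a much earlier verion you can't go directly to this one. ([#4228](https://github.com/microsoft/AzureTRE/issues/4228))
+
+ENHANCEMENTS:
+* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250))
+* Allow workspace App Service Plan SKU to be updated ([#4331](https://github.com/microsoft/AzureTRE/issues/4331))
+* Add core requests endpoint and UI to enable requests to be managed TRE wide. ([[#2510](https://github.com/microsoft/AzureTRE/issues/2510)])
+* Remove public IP from TRE's firewall when forced tunneling is configured ([#4346](https://github.com/microsoft/AzureTRE/pull/4346))
+* Upgrade AzureRM Terraform provider from `3.117.0` to `4.14.0`. ([[#4255](https://github.com/microsoft/AzureTRE/pull/4255/)])
+* Subnet definitions are now inline in the `azurerm_virtual_network` resource, and NSG associations are set using `security_group` in each subnet block (no separate `azurerm_subnet_network_security_group_association` needed). ([[#4255](https://github.com/microsoft/AzureTRE/pull/4255/)])
+* Azure Cosmos DB should disable public network access ([#4322](https://github.com/microsoft/AzureTRE/issues/4322))
+* Add bundle target to Makefile for handling different bundle types in single command ([#4372](https://github.com/microsoft/AzureTRE/issues/4372))
+* Migrate UI to Vite build engine and update dependencies ([#4368](https://github.com/microsoft/AzureTRE/pull/4368))
+* Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
+* Update TLS to the latest version for web apps / function apps (([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+
+BUG FIXES:
+* Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
+* Fix Cosmos DB local debugging configuration ([#4340](https://github.com/microsoft/AzureTRE/pull/4340))
+
+COMPONENTS:
+
+## 0.20.0 (Feburary 9, 2025)
+
+**BREAKING CHANGES & MIGRATIONS**:
+* InnerEye and MLFlow bundles depreciated and removed from main. If you wish to update and deploy these workspace services they can be retrieved from release 0.19.1. ([#4127](https://github.com/microsoft/AzureTRE/issues/4127))
+* This release removed support for Porter v0.*. If you're upgrading from a much earlier version you can't go directly to this one. ([#4228](https://github.com/microsoft/AzureTRE/issues/4228))
 
 FEATURES:
 * Add support for customer-managed keys encryption. Core support ([#4141](https://github.com/microsoft/AzureTRE/issues/4142), [#4144](https://github.com/microsoft/AzureTRE/issues/4144)), Base workspace ([#4161](https://github.com/microsoft/AzureTRE/pull/4161)), other templates ([#4145](https://github.com/microsoft/AzureTRE/issues/4145))
@@ -34,13 +58,15 @@ ENHANCEMENTS:
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
+* Disable local authentication in ServiceBus ([#4259](https://github.com/microsoft/AzureTRE/issues/4259))
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
 * Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
 * Downgrade certs shared service App Gateway to Basic SKU ([#4300](https://github.com/microsoft/AzureTRE/issues/4300))
 * Airlock function host storage to use the user-assigned managed identity ([#4276](https://github.com/microsoft/AzureTRE/issues/4276))
 * Disable local authentication in EventGrid ([#4254](https://github.com/microsoft/AzureTRE/issues/4254))
 
+
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
 * Template images are showing CVEs ([#4153](https://github.com/microsoft/AzureTRE/issues/4153))
@@ -53,16 +79,48 @@ BUG FIXES:
 * Fix failing tests, .env missing and storage logs ([#4207](https://github.com/microsoft/AzureTRE/issues/4207))
 * Unable to delete virtual machines, add skip_shutdown_and_force_delete = true ([#4135](https://github.com/microsoft/AzureTRE/issues/4135))
 * Bump terraform version in windows VM template ([#4212](https://github.com/microsoft/AzureTRE/issues/4212))
-* Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitiagte storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
+* Upgrade azurerm terraform provider from v3.112.0 to v3.117.0 to mitigate storage account deployment issue ([#4004](https://github.com/microsoft/AzureTRE/issues/4004))
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
 * Windows R version must be 4.1.2 otherwise post install script doesn't update package mirror URL ([#4288](https://github.com/microsoft/AzureTRE/issues/4288))
 * Recreate tre_output.json if empty. ([[#4292](https://github.com/microsoft/AzureTRE/issues/4292)])
 * Ensure R directory is present before attempting to update package mirror URL ([#4332](https://github.com/microsoft/AzureTRE/pull/4332))
 
+
 COMPONENTS:
 
+| name | version |
+| ----- | ----- |
+| devops | 0.5.5 |
+| core | 0.11.23 |
+| ui | 0.6.3 |
+| tre-shared-service-databricks-private-auth | 0.1.11 |
+| tre-shared-service-gitea | 1.1.4 |
+| tre-shared-service-sonatype-nexus | 3.3.2 |
+| tre-shared-service-firewall | 1.3.0 |
+| tre-shared-service-admin-vm | 0.5.2 |
+| tre-shared-service-certs | 0.7.3 |
+| tre-shared-service-airlock-notifier | 1.0.8 |
+| tre-shared-service-cyclecloud | 0.7.2 |
+| tre-workspace-airlock-import-review | 0.14.2 |
+| tre-workspace-base | 1.9.2 |
+| tre-workspace-unrestricted | 0.13.2 |
+| tre-workspace-service-gitea | 1.2.2 |
+| tre-workspace-service-mysql | 1.0.9 |
+| tre-workspace-service-health | 0.2.11 |
+| tre-workspace-service-openai | 1.0.6 |
+| tre-service-azureml | 0.9.2 |
+| tre-user-resource-aml-compute-instance | 0.5.11 |
+| tre-service-databricks | 1.0.10 |
+| tre-workspace-service-azuresql | 1.0.15 |
+| tre-service-guacamole | 0.12.7 |
+| tre-service-guacamole-export-reviewvm | 0.2.2 |
+| tre-service-guacamole-linuxvm | 1.2.4 |
+| tre-service-guacamole-import-reviewvm | 0.3.2 |
+| tre-service-guacamole-windowsvm | 1.2.6 |
+| tre-workspace-service-ohdsi | 0.3.2 |
+
 ## 0.19.1
 
 **BREAKING CHANGES & MIGRATIONS**:
@@ -78,6 +136,7 @@ BUG FIXES:
 * Workspace creation blocked due to Azure API depreciation ([#4095](https://github.com/microsoft/AzureTRE/issues/4095))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.2 |
@@ -136,6 +195,7 @@ BUG FIXES:
 * Update .NET version on Linux VMs ([#4067](https://github.com/microsoft/AzureTRE/issues/4067))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -199,6 +259,7 @@ BUG FIXES:
 * Add lifecycle rule to the Gitea Shared Service template for the MySQL resource to stop it recreating on `update` ([#4006](https://github.com/microsoft/AzureTRE/issues/4006))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -253,6 +314,7 @@ BUG FIXES:
 * Fix issue with firewall failing to deploy on a new TRE deploy ([#3775](https://github.com/microsoft/AzureTRE/issues/3775))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -302,6 +364,7 @@ BUG FIXES:
 * Airlock Import Review workspace uses dedicated DNS zone to prevent conflict with core ([#3767](https://github.com/microsoft/AzureTRE/pull/3767))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -344,6 +407,7 @@ BUG FIXES:
 * Fix workspace not loading fails if operation or history roles are not loaded ([#3755](https://github.com/microsoft/AzureTRE/issues/3755))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -382,6 +446,7 @@ BUG FIXES:
 * SecuredByRole failing if roles are null ([#3740](https://github.com/microsoft/AzureTRE/issues/3740 ))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -431,6 +496,7 @@ BUG FIXES:
 * Fix issue with cost tags not displaying correctly for some user roles ([#3721](https://github.com/microsoft/AzureTRE/issues/3721))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -467,6 +533,7 @@ BUG FIXES:
 * Fix firewall config related to Nexus so that `pypi.org` is added to the allow-list ([#3694](https://github.com/microsoft/AzureTRE/issues/3694))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -516,6 +583,7 @@ BUG FIXES:
 * Added missing region entries in `databricks-udr.json` ([[#3688](https://github.com/microsoft/AzureTRE/pull/3688))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -555,6 +623,7 @@ BUG FIXES:
 * Upgrade airlock and unrestricted workspaces to base workspace version 0.12.0 ([#3659](https://github.com/microsoft/AzureTRE/pull/3659))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -614,6 +683,7 @@ BUG FIXES:
 
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -655,6 +725,7 @@ BUG FIXES:
 * Nexus fails to install due to `az login` and firewall rules ([#3453](https://github.com/microsoft/AzureTRE/issues/3453))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.5.1 |
@@ -857,6 +928,7 @@ BUG FIXES:
 * Fix KeyVault purge error on MLFlow uninstall ([#3082](https://github.com/microsoft/AzureTRE/pull/3082))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.4 |
@@ -933,6 +1005,7 @@ BUG FIXES:
 * Handle 429 TooManyRequests and 503 ServiceUnavailable which might return from Azure Cost Management in TRE Cost API ([#2835](https://github.com/microsoft/AzureTRE/issues/2835))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.2 |
@@ -980,6 +1053,7 @@ BUG FIXES:
 * Fix issues with AML workspace service deployment ([#2768](https://github.com/microsoft/AzureTRE/pull/2768))
 
 COMPONENTS:
+
 | name | version |
 | ----- | ----- |
 | devops | 0.4.2 |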
