Add firewall rule to allow AAD for health services (#3081)
* Add firewall rule.

* Fix tf

* Move to pipeline

* Add rule to pipeline

* Change template name

* Change FW rule name

* Use different ids for stepid
LizaShak authored Jan 15, 2023
1 parent f489957 commit abac309
Showing 3 changed files with 166 additions and 1 deletion.
7 changes: 7 additions & 0 deletions templates/workspace_services/health-services/porter.yaml
Expand Up @@ -61,6 +61,11 @@ outputs:
type: string
applyTo:
- install
- name: workspace_address_space
type: string
applyTo:
- install
- upgrade

mixins:
- exec
Expand All @@ -85,6 +90,7 @@ install:
outputs:
- name: fhir_url
- name: dicom_url
- name: workspace_address_space

upgrade:
- terraform:
Expand All @@ -104,6 +110,7 @@ upgrade:
outputs:
- name: fhir_url
- name: dicom_url
- name: workspace_address_space

uninstall:
- terraform:
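Review bot: The new `workspace_address_space` output is declared as `type: string` in the outputs block, but the Terraform output that feeds it (third file, `jsonencode(data.azurerm_virtual_network.ws.address_space)`) produces a JSON-encoded array of CIDR prefixes rather than a single address range, and nothing at the declaration says so. Since this value is handed straight to firewall rule steps, a comment beside `- name: workspace_address_space` such as `# JSON-encoded list of the workspace VNet address_space CIDRs; consumed by the pipeline firewall steps` would save the next maintainer from treating it as one CIDR. The `applyTo` list of install and upgrade matches the install/upgrade output entries added in the two later hunks.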
156 changes: 155 additions & 1 deletion templates/workspace_services/health-services/template_schema.json
Expand Up @@ -50,5 +50,159 @@
}
}
}
]
],
"pipeline": {
"install": [
{
"stepId": "main"
},
{
"stepId": "d5504764-94cd-11ed-a1eb-0242ac120002",
"stepTitle": "Add network firewall rules for health services",
"resourceTemplateName": "tre-shared-service-firewall",
"resourceType": "shared-service",
"resourceAction": "upgrade",
"properties": [
{
"name": "network_rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "nrc_svc_{{ resource.id }}_health_services",
"action": "Allow",
"rules": [
{
"name": "AzureAD",
"description": "AAD access",
"source_addresses": "{{ resource.properties.workspace_address_space }}",
"destination_addresses": ["AzureActiveDirectory"],
"destination_ports": ["*"],
"protocols": ["TCP"]
}
]
}
},
{
"name": "rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "arc_svc_{{ resource.id }}_health_services",
"action": "Allow",
"rules": [
{
"name": "AAD CDN",
"description": "AAD CDN",
"source_addresses": "{{ resource.properties.workspace_address_space }}",
"target_fqdns": [
"aadcdn.msftauth.net"
],
"protocols": [
{
"port": "443",
"type": "Https"
}
]
}
]
}
}
]
}
],
"upgrade": [
{
"stepId": "main"
},
{
"stepId": "12c0cf8c-94f7-11ed-a1eb-0242ac120002",
"stepTitle": "Add network firewall rules for health services",
"resourceTemplateName": "tre-shared-service-firewall",
"resourceType": "shared-service",
"resourceAction": "upgrade",
"properties": [
{
"name": "network_rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "nrc_svc_{{ resource.id }}_health_services",
"action": "Allow",
"rules": [
{
"name": "AzureAD",
"description": "AAD access for authNZ",
"source_addresses": "{{ resource.properties.workspace_address_space }}",
"destination_addresses": ["AzureActiveDirectory"],
"destination_ports": ["*"],
"protocols": ["TCP"]
}
]
}
},
{
"name": "rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "arc_svc_{{ resource.id }}_health_services",
"action": "Allow",
"rules": [
{
"name": "AAD CDN",
"description": "AAD CDN",
"source_addresses": "{{ resource.properties.workspace_address_space }}",
"target_fqdns": [
"aadcdn.msftauth.net"
],
"protocols": [
{
"port": "443",
"type": "Https"
}
]
}
]
}
}
]
}
],
"uninstall": [
{
"stepId": "1fc155ee-94f7-11ed-a1eb-0242ac120002",
"stepTitle": "Add network firewall rules for health services",
"resourceTemplateName": "tre-shared-service-firewall",
"resourceType": "shared-service",
"resourceAction": "upgrade",
"properties": [
{
"name": "network_rule_collections",
"type": "array",
"arraySubstitutionAction": "remove",
"arrayMatchField": "name",
"value": {
"name": "nrc_svc_{{ resource.id }}_health_services"
}
},
{
"name": "rule_collections",
"type": "array",
"arraySubstitutionAction": "remove",
"arrayMatchField": "name",
"value": {
"name": "arc_svc_{{ resource.id }}_health_services"
}
}
]
},
{
"stepId": "main"
}
]
}
}
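Review bot: The `AzureAD` network rule in the install and upgrade steps allows TCP to the `AzureActiveDirectory` service tag with `"destination_ports": ["*"]`, which is broader than the rule's stated purpose; Azure AD sign-in is HTTPS, so `"destination_ports": ["443"]` should suffice and keeps the rule least-privilege — confirm against the AAD rules the firewall shared service already carries. The same rule is described as `"AAD access"` in the install step and `"AAD access for authNZ"` in the upgrade step; pick one wording so the two otherwise identical steps stay in sync. The uninstall step is titled `"Add network firewall rules for health services"` although both of its actions are `remove`; `"Remove network firewall rules for health services"` would describe it accurately. Separately, `source_addresses` receives the `workspace_address_space` property as a single string while the Terraform output (third file) emits it via `jsonencode` as a JSON array; whether the pipeline substitution decodes that into a list before it reaches the firewall template is not visible here and is worth verifying.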
Expand Up @@ -9,3 +9,7 @@ output "fhir_url" {
output "dicom_url" {
value = var.deploy_dicom ? "https://hs${local.service_resource_name_suffix}-dicom${local.service_resource_name_suffix}.dicom.azurehealthcareapis.com" : ""
}

output "workspace_address_space" {
value = jsonencode(data.azurerm_virtual_network.ws.address_space)
}
